From owner-freebsd-security@FreeBSD.ORG Tue May 27 08:05:26 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id E0340AE2 for ; Tue, 27 May 2014 08:05:26 +0000 (UTC) Received: from sola.nimnet.asn.au (paqi.nimnet.asn.au [115.70.110.159]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 35C192ABF for ; Tue, 27 May 2014 08:05:25 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by sola.nimnet.asn.au (8.14.2/8.14.2) with ESMTP id s4R85DrT098778; Tue, 27 May 2014 18:05:16 +1000 (EST) (envelope-from smithi@nimnet.asn.au) Date: Tue, 27 May 2014 18:05:13 +1000 (EST) From: Ian Smith To: "Ronald F. Guilmette" Subject: Re: NEVERMIND! In-Reply-To: <9187.1401158774@server1.tristatelogic.com> Message-ID: <20140527172016.J5669@sola.nimnet.asn.au> References: <9187.1401158774@server1.tristatelogic.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Cc: des@des.no, freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 27 May 2014 08:05:26 -0000 On Mon, 26 May 2014 19:46:14 -0700, Ronald F. Guilmette wrote: > Ian Smith wrote: > > >... might syslog trigger adhoc rotations by > >newsyslog - of a particular log, not all - after learning how to measure > >'stress', perhaps by rates of delta filesize, diskspace consumption etc? > > (Not that anyone has any reason to care what _I_ think, but...) I must > say that I like that idea. > > The specific thing (i.e. "measurment") that should trigger such an > event/action seems altogether obvious. If syslogd is writing a file > and it sees that the file in question has just exceeded its allowed > maximum (according to /etc/newsyslog.conf) then it is clearly time to > do something about it. I was more thinking that syslogd might use its own criteria, based on preservation of functionality in the face of DoS (or pilot error) in regard to its diskspace requirements. I used delta filesize (rate of file growth) in a script against a certain DNS mini-DoS some years ago and found it effective for both reporting and blacklisting offenders. And don't forget remote logging, where syslogd has no clue re filesize. > >Then newsyslog would only need to learn how to be so invoked? > > How about "kill -HUP" ? > > That seems to be the pro-forma thing that pretty much everything > else already uses as a way to tell any given daemon that it should > wake up and smell the coffee (again). Except that newsyslog isn't a daemon; it's a userland program, usually invoked hourly by cron, which usually itself sends a HUP signal to the daemon associated with a rotated log. It already has ability to work on single file/s and to avoid signalling its caller, and in fact may need no modification at all .. but I've never played with its many options. > Of course, *if* one were in fact going to endow syslogd with all of > the intelligence necessary to read, understand, check, and act on the > various max filesize specifications contained within /etc/newsyslog.conf > then that would certainly prompt the question: Why not just merge the > two programs into one? (Obviously, that would eliminate the need for > interprocess signaling of any kind.) Which is more or less what des@ suggested, rather to my surprise. To me it doesn't smell quite right, unix-philosophically, merging two distinct processes that each perform related but really very separate functions, near doubling the size and complicating the functionality of the daemon. But I'm no more likely than you are to be able to do anything about it, so I'll leave it there. cheers, Ian