Date: Sat, 22 Aug 1998 00:03:38 -0700 (PDT)
From: Ben
Reply-To: ben@efn.org
To: Andrew McNaughton
cc: "Jan B. Koum", ben@efn.org, Jon Hamilton, Garrett Wollman, dima@best.net, jkh@time.cdrom.com, security@FreeBSD.ORG
Subject: Re: Shipping syslogd with "-s" (Was: Re: Scaring the bezeesus ..)

On Sat, 22 Aug 1998, Andrew McNaughton wrote:

> Subject: Re: Shipping syslogd with "-s" (Was: Re: Scaring the bezeesus ..)
>
> On Fri, 21 Aug 1998, Jan B. Koum wrote:
>
> From the syslogd man page I'm not entirely clear on how these options
> interact.
>
> > -a allowed_peer
> >         Allow allowed_peer to log to this syslogd using UDP datagrams.
> >         Multiple -a options may be specified.
>
> If one has to specify that a host is allowed to log packets to this host,
> then it seems reasonable to assume that this is not allowed unless so
> specified ... or perhaps that's only the case if -s is used?

From syslogd.c:

        case 'a':               /* allow specific network addresses only */
                if (allowaddr(optarg) == -1)
                        usage();
                break;

So, deny all, except these hosts you specify with -a host.org -a ip.ip.ip.ip

> > -s      Operate in secure mode. Do not listen for log messages from
> >         remote machines.
>
> I'd have thought that meant syslogd didn't even look at incoming packets
> if this was set, which I suppose reduces the chance of some bug turning up
> in it ... or perhaps the default is that packets are accepted?

From syslogd.c:

        case 's':               /* no network mode */
                SecureMode++;
                break;

Specifying both -s and -a is like fueling up your car and taking out the engine.

> Could someone clarify this? Preferably the man page should be clarified.

The man page does need a bit of clarification; adding the fact that 'a' and 's'
are mutually exclusive, that -s kills all network activity, and that 'a's policy
is default DENY would be very helpful.

> Is there a way to send log entries to a remote machine from the command
> line so I can more easily test how this works?

No, just add a @host in syslogd.conf and HUP it.

> Andrew McNaughton

-ben@efn.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
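As an added example, not part of Ben's message or of FreeBSD's own code: a small sh function that reads a syslogd_flags string (as one would set it in /etc/rc.conf) and reports the remote-logging policy it produces, following the semantics laid out in the thread: -s means no network input at all, -a means default deny with an explicit allow list, neither flag means any host may log, and -a given alongside -s is redundant. The optstring letters other than a and s are assumed from syslogd(8) and are only skipped; the peer names are constructed.

```sh
#!/bin/sh
# Evaluate what a syslogd_flags string means for remote (UDP) logging.
# -s  : no network listening at all, so any -a list is dead weight
# -a  : default deny; only the listed peers may log to this host
# none: remote logging accepted from any host
# Other letters in the optstring (assumed from syslogd(8)) are consumed
# so their arguments are not mistaken for flags, then ignored.
syslogd_net_policy() {
    secure=0
    peers=""
    OPTIND=1
    # shellcheck disable=SC2086  # word-splitting the flag string is intended
    set -- $1
    while getopts ":a:sdf:m:p:uv" opt; do
        case $opt in
            a) peers="$peers${peers:+ }$OPTARG" ;;
            s) secure=1 ;;
            *) ;;   # other, unknown, or argument-less flag: no effect here
        esac
    done
    if [ "$secure" -eq 1 ]; then
        if [ -n "$peers" ]; then
            printf '%s\n' "secure: no network listening (-a $peers is redundant)"
        else
            printf '%s\n' "secure: no network listening"
        fi
    elif [ -n "$peers" ]; then
        printf '%s\n' "default deny; remote logging allowed only from: $peers"
    else
        printf '%s\n' "open: remote logging accepted from any host"
    fi
}

# Constructed rc.conf-style settings, from tightest to most permissive
for flags in "-s" "-s -a loghost.example.org" \
             "-a loghost.example.org -a 192.0.2.7" ""; do
    printf '%-46s -> %s\n' "syslogd_flags=\"$flags\"" "$(syslogd_net_policy "$flags")"
done
```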