From owner-freebsd-security Wed Feb 14 7:53:31 2001
Date: Wed, 14 Feb 2001 09:53:07 -0600 (CST)
From: Guy Helmer
To: cjclark@alum.mit.edu
Cc: dmp@pantherdragon.org, Dag-Erling Smorgrav, Adam Laurie, security@FreeBSD.ORG
Subject: Re: syslogd -ss not part of extreme security option?
In-Reply-To: <20010214012206.P62368@rfx-216-196-73-168.users.reflex>

On Wed, 14 Feb 2001, Crist J. Clark wrote:

> On Tue, Feb 13, 2001 at 08:38:50PM -0800, dmp@pantherdragon.org wrote:
> > Dag-Erling Smorgrav wrote:
> > > Adam Laurie writes:
> > > > eh? no security bug is "known" until it's found & exploited. just
> > > > because it hasn't been found doesn't mean it doesn't exist. switching
> > > > off a network listener for syslog when you are not doing network logging
> > > > is much more than a warm fuzzy feeling, it's closing a potential
> > > > security hole. i do it on standard installs, let alone "extreme
> > > > security".
> > >
> > > It's not a listener. If you specify -s, the socket is half-closed so
> > > you can use it to send log messages to other hosts, but can't receive.
> > > If you specify -ss, the socket isn't opened at all so you can neither
> > > send nor receive.
> >
> > Why not add it, though? Anyone who's going to do remote syslogging
> > will know to set the appropriate option.
>
> No they won't. Do you promise to answer all of the people who come to
> -questions asking why they can't log to another machine? "I could
> always do it before!" You can take over answering all the people
> asking why they can't install a new kernel (whose idea was it to have
> people set securelevel(8) in sysinstall(8), oops I remember...).
>
> > For everyone else, it's just
> > one more thing that doesn't need to be enabled by default.
>
> The only purpose the second '-s' serves is to make the line from
> syslogd(8) disappear from netstat(8) output. It has no real security
> use.

There is perhaps another use. There is no way to specify the listening
address to syslogd, so for jails on a machine that could have listeners
on the syslog port for their jail IP address, I have to give syslogd two
'-s' options. It would be useful to modify syslogd to be able to bind an
IP address to its socket so I don't have to keep syslog from opening a
socket.

I haven't actually traced through the kernel code to determine whether a
UDP packet would do the right thing when syslogd has an open UDP listener
but isn't receiving packets from the socket. To avoid ambiguity, I just
tell syslogd not to open the socket.

Guy

--
Guy Helmer, Ph.D.                        http://www.palisadesys.com/~ghelmer
Sr. Software Engineer, Palisade Systems  ghelmer@palisadesys.com
"In this place it takes all the running you can do, to keep in the same
place." -- Lewis Carroll's "Through the Looking Glass"
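The thread turns on the difference between no flag, -s (socket open but half-closed) and -ss (no socket at all), and on the fact that only -ss makes the UDP 514 line vanish from netstat(8). The following is an added audit check, not code from the thread or from FreeBSD: it classifies a syslogd_flags value by its -s count and cross-checks it against netstat -an output (the sample output below is constructed) so an administrator can confirm a host's actual socket state matches the intended mode.

```python
# Constructed sample of `netstat -an` output on a FreeBSD host (not from
# the original thread): one UDP socket bound to the wildcard syslog port.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
udp4       0      0  *.514                  *.*
udp4       0      0  *.123                  *.*
"""

def syslogd_mode(syslogd_flags: str) -> str:
    """Classify an rc.conf syslogd_flags string by how many lowercase 's'
    flags it carries: 'network' (none), 'half-closed' (-s: can send to
    other hosts, cannot receive) or 'no-socket' (-ss: socket never opened).
    Only option tokens are inspected, so argument values are ignored."""
    count = sum(tok[1:].count("s") for tok in syslogd_flags.split()
                if tok.startswith("-"))
    if count >= 2:
        return "no-socket"
    return "half-closed" if count == 1 else "network"

def udp_syslog_sockets(netstat_output: str) -> list:
    """Return the local addresses of UDP sockets bound to port 514.
    FreeBSD netstat prints addresses as host.port, e.g. '*.514'."""
    found = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].startswith("udp"):
            if fields[3].rsplit(".", 1)[-1] == "514":
                found.append(fields[3])
    return found

def audit(syslogd_flags: str, netstat_output: str) -> str:
    """Compare the configured mode with the observed socket state."""
    mode = syslogd_mode(syslogd_flags)
    socks = udp_syslog_sockets(netstat_output)
    if not socks:
        return "CLOSED: no UDP 514 socket"
    if mode == "no-socket":
        return "MISMATCH: -ss configured but a UDP 514 socket is open"
    if mode == "half-closed":
        return "HALF-CLOSED: socket open for sending only on " + ", ".join(socks)
    return "NETWORK: syslogd accepts remote messages on " + ", ".join(socks)

if __name__ == "__main__":
    print(audit("-ss", NETSTAT_SAMPLE))
```

A wildcard bind such as `*.514` is exactly the case Guy describes: it covers every address on the host, jail addresses included, which is why he resorts to -ss rather than -s.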