From owner-freebsd-security Sun Feb 18 10:39:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cc762335-a.ebnsk1.nj.home.com (cc762335-a.ebnsk1.nj.home.com [24.3.219.36]) by hub.freebsd.org (Postfix) with SMTP id B6DCC37B4EC for ; Sun, 18 Feb 2001 10:39:13 -0800 (PST)
Received: (qmail 38412 invoked from network); 18 Feb 2001 18:39:21 -0000
Received: from athena.faerunhome.com (HELO athena) (192.168.0.2) by cc762335-a.ebnsk1.nj.home.com with SMTP; 18 Feb 2001 18:39:21 -0000
Message-Id: <4.2.2.20010218133626.00c04f00@netmail.home.com>
X-Sender: damascus@netmail.home.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.2.2
Date: Sun, 18 Feb 2001 13:40:21 -0500
To: Brian Reichert
From: Carroll Kong
Subject: Re: Remote logging
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <20010218132255.L91352@numachi.com>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 01:22 PM 2/18/01 -0500, you wrote:
>What? Syslog?
>
>Set up a secured box, with syslogd:
>
>    loghost# syslogd -a 192.186/16
>
>Have this machine configured to write many machines' logs into
>whatever scheme you find useful for analysis.
>
>Have your other boxes have syslogd configured with something as
>simple as:
>
>    *.* @loghost
>
>There are additional steps you can take to keep syslogd immune from
>DNS outages; read the manpages.
>
>Make sure all of your boxes are synchronized via NTP.
>
>  Ragnar
>
>--
>Brian 'you Bastard' Reichert

That is a good idea; however, what is to stop the enemy from killing syslogd as his first option? I do not think syslogd logs when it gets killed? So, despite the secure log host, he might not get the valuable info he needs. I suppose you could then start speculating a break-in if there are no more MARKs, since syslogd is dead. Even that could be fabricated, I suppose. Ugh. Security sure is tough to implement fully.

Not trying to say you are wrong, just that I am curious: how does one stop this possible problem? Have you found a way to avoid it?

-Carroll Kong

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
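The "no more MARKs" heuristic Carroll raises above can be turned into a check that runs on the loghost. The script below is an added example, not code from either poster or from FreeBSD: it parses classic BSD-format lines as a central syslogd writes them, records the last line seen from each client (syslogd emits a "-- MARK --" line every 20 minutes by default, the interval set with its -m flag), and reports any client that has been silent for more than two mark intervals. The hostnames, log lines and clock value are constructed for the example.

```python
"""Flag clients that have stopped sending syslog traffic to a loghost.

Added example, not part of the original thread.  If a client's syslogd is
killed, its periodic "-- MARK --" lines (and everything else) stop arriving
at the loghost; a host whose most recent line is older than a couple of mark
intervals deserves a look.  Sample data below is constructed.
"""
from datetime import datetime, timedelta
import re

# Classic BSD syslog line as written by the loghost: "Mon DD HH:MM:SS host message"
_LINE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")

# syslogd's default mark interval is 20 minutes (equivalent to "syslogd -m 20").
MARK_INTERVAL = timedelta(minutes=20)


def parse_line(line, year):
    """Return (timestamp, host, message), or None for an unparseable line.

    BSD timestamps carry no year, so the caller supplies the year the log
    file covers.
    """
    m = _LINE.match(line)
    if not m:
        return None
    stamp, host, msg = m.groups()
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, host, msg


def last_seen(lines, year):
    """Map each host to the time of its most recent line, MARK lines included."""
    seen = {}
    for line in lines:
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, host, _ = parsed
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def silent_hosts(lines, now, year, max_silence=2 * MARK_INTERVAL):
    """Return hosts whose most recent line is older than max_silence at 'now'.

    Two mark intervals is a conservative threshold: one missed MARK can be a
    dropped UDP datagram, two in a row is worth an alert.
    """
    return sorted(
        host for host, ts in last_seen(lines, year).items()
        if now - ts > max_silence
    )


# Constructed sample of what the loghost might have written.  "athena" keeps
# sending MARKs; "hermes" goes quiet after 13:05 (syslogd killed, or the path
# to the loghost lost; this check cannot tell which).
SAMPLE_LOG = """\
Feb 18 12:40:00 athena -- MARK --
Feb 18 12:41:12 hermes sshd[311]: Accepted publickey for root from 192.168.0.9
Feb 18 13:00:00 athena -- MARK --
Feb 18 13:00:05 hermes -- MARK --
Feb 18 13:05:30 hermes su: kong to root on /dev/ttyp0
Feb 18 13:20:00 athena -- MARK --
Feb 18 13:40:00 athena -- MARK --
""".splitlines()

# Constructed "current time" on the loghost for the run below.
NOW = datetime(2001, 2, 18, 13, 50, 0)

if __name__ == "__main__":
    seen = last_seen(SAMPLE_LOG, 2001)
    for host in silent_hosts(SAMPLE_LOG, NOW, year=2001):
        print(f"ALERT: no syslog traffic from {host} since {seen[host]:%b %d %H:%M:%S}")
```

Run from cron on the loghost against the current log file, this catches the clumsy case (kill -9 syslogd and carry on). It does not address Carroll's second point: syslog over UDP is unauthenticated, so an attacker who has already taken the client can keep sending forged MARK lines, and the loghost has no way to tell them from the real ones.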