From owner-freebsd-security Thu Aug 28 18:51:02 1997
Date: Thu, 28 Aug 1997 21:53:56 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: freebsd-security@FreeBSD.ORG
Subject: Re: FW: syslogd fun (fwd)
In-Reply-To: <199708290014.RAA28531@hub.freebsd.org>
Sender: owner-freebsd-security@FreeBSD.ORG

On Thu, 28 Aug 1997, Jonathan M. Bresler wrote:

> John-Mark Gurney wrote:
> >
> > Simon Shapiro scribbled this message on Aug 28:
> > > Is this something we have to worry about in FreeBSD? I think it may, but
> > > do not know...
> >
> > nope... freebsd's syslog in -current has the ability to turn on reception
> > of such messages from specific hosts... and when you specify "secure"
> > mode (which doesn't accept messages) you can still send messages to
> > remote hosts for logging...
>
> hmm....the loghost, the computer running syslogd and accepting
> messages from other computers, remains vulnerable, as is noted
> in the BUGS section of the man page
>
> "The ability to log messages received in UDP packets is equivalent to an
> unauthenticated remote disk-filling service, and should probably be
> disabled by default. Some sort of inter-syslogd authentication mechanism
> ought to be worked out. To prevent the worst abuse, use of the -a option
> is therefore highly recommended."
>
>
> filter syslog at your firewall. falls under the general rule:
> "unless you need it, filter it out"

I've been working intermittently on a secure syslog protocol allowing for
both authentication and protection of syslog messages. I'm still in a
design phase, but was thinking of starting up a mailing list for
discussing the issues involved (there are many.) One feature I'd like to
see is authenticity against original log generator -- even if the message
is forwarded multiple times and then logged, it can be verified against an
original signer. Some authentication log data should remain private, and
such a feature would also be offered. This is all weighed against excess
processor use, of course :).

  Robert N Watson

Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
Network Administrator, SafePort Network Services  http://www.safeport.com/
robert@fledge.watson.org  rwatson@safeport.com  http://www.watson.org/~robert/
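
The property asked for in the message above, origin authenticity that survives any number of forwarding hops, sketched as an added example; it is not the protocol the message describes (which it says was still being designed) and not FreeBSD code. Assumptions: HMAC-SHA256 with a pre-shared per-origin key stands in for a real public-key signature, and the record layout, host names and key are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed per-origin keys held by the verifying loghost (assumption).
ORIGIN_KEYS = {"web1.example.org": b"constructed-demo-key-web1"}


def _mac(key, origin, seq, msg):
    # Length-prefix each field so field boundaries cannot be shifted.
    parts = (origin.encode(), str(seq).encode(), msg.encode())
    data = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def originate(origin, seq, msg, key):
    """Build the record on the host that generated the log line."""
    return {"origin": origin, "seq": seq, "msg": msg,
            "tag": _mac(key, origin, seq, msg), "via": []}


def relay(record, relay_host):
    """A forwarder adds itself to the hop list, which the tag does not cover."""
    fwd = json.loads(json.dumps(record))  # copy, as if re-serialized on the wire
    fwd["via"].append(relay_host)
    return fwd


def verify(record, keys=ORIGIN_KEYS):
    """Check the origin's tag at the final loghost, whatever path was taken."""
    key = keys.get(record.get("origin"))
    if key is None:
        return False  # unknown origin: treat as unauthenticated
    try:
        expected = _mac(key, record["origin"], record["seq"], record["msg"])
    except (KeyError, AttributeError):
        return False  # malformed record
    return hmac.compare_digest(expected.encode(),
                               str(record.get("tag", "")).encode())


if __name__ == "__main__":
    rec = originate("web1.example.org", 1, "sshd: login failed for root",
                    ORIGIN_KEYS["web1.example.org"])
    twice = relay(relay(rec, "relay-a.example.org"), "loghost.example.org")
    print(verify(twice))                                         # True
    print(verify(dict(twice, msg="sshd: login ok for root")))    # False
```

With a shared key the verifying loghost could itself forge tags; a public-key signature in place of the HMAC removes that, at the processor cost the message mentions.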