Date: Wed, 14 Feb 2001 09:53:07 -0600 (CST)
From: Guy Helmer <ghelmer@palisadesys.com>
To: cjclark@alum.mit.edu
Cc: dmp@pantherdragon.org, Dag-Erling Smorgrav <des@ofug.org>, Adam Laurie <adam@algroup.co.uk>, security@FreeBSD.ORG
Subject: Re: syslogd -ss not part of extreme security option?
Message-ID: <Pine.LNX.4.21.0102140945560.3713-100000@magellan.palisadesys.com>
In-Reply-To: <20010214012206.P62368@rfx-216-196-73-168.users.reflex>
On Wed, 14 Feb 2001, Crist J. Clark wrote:

> On Tue, Feb 13, 2001 at 08:38:50PM -0800, dmp@pantherdragon.org wrote:
> > Dag-Erling Smorgrav wrote:
> > > Adam Laurie <adam@algroup.co.uk> writes:
> > > > eh? no security bug is "known" until it's found & exploited. just
> > > > because it hasn't been found doesn't mean it doesn't exist. switching
> > > > off a network listener for syslog when you are not doing network logging
> > > > is much more than a warm fuzzy feeling, it's closing a potential
> > > > security hole. i do it on standard installs, let alone "extreme
> > > > security".
> > >
> > > It's not a listener. If you specify -s, the socket is half-closed so
> > > you can use it to send log messages to other hosts, but can't receive.
> > > If you specify -ss, the socket isn't opened at all so you can neither
> > > send nor receive.
> >
> > Why not add it, though? Anyone who's going to do remote syslogging
> > will know to set the appropriate option.
>
> No they won't. Do you promise to answer all of the people who come to
> -questions asking why they can't log to another machine? "I could
> always do it before!" You can take over answering all the people
> asking why they can't install a new kernel (whose idea was it to have
> people set securelevel(8) in sysinstall(8), oops I remember...).
>
> > For everyone else, it's just
> > one more thing that doesn't need to be enabled by default.
>
> The only purpose the second '-s' serves is to make the line from
> syslogd(8) disappear from netstat(8) output. It has no real security
> use.

There is perhaps another use. There is no way to specify the listening
address to syslogd, so for jails on a machine that could have listeners on
the syslog port for their jail IP address, I have to give syslogd two '-s'
options. It would be useful to modify syslogd to be able to bind an IP
address to its socket so I don't have to keep syslog from opening a socket.

I haven't actually traced through the kernel code to determine whether a
UDP packet would do the right thing when syslogd has an open UDP listener
but isn't receiving packets from the socket. To avoid ambiguity, I just
tell syslogd not to open the socket.

Guy
--
Guy Helmer, Ph.D.                          http://www.palisadesys.com/~ghelmer
Sr. Software Engineer, Palisade Systems           ghelmer@palisadesys.com
"In this place it takes all the running you can do, to keep in the same
place." -- Lewis Carroll's "Through the Looking Glass"
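The question Guy leaves open, what a UDP port looks like from the network when a daemon holds the socket but never reads from it, can be checked directly with the socket API rather than by reading kernel code. The program below is an added example written for this page; it is not FreeBSD's syslogd code and is not from anyone in the thread. It binds a UDP socket to one explicit local address (127.0.0.1, the kind of per-address bind Guy wants syslogd to support), leaves it unread, and probes it from a second socket the way a scanner would; then it closes the socket and probes the same port again. The probe relies on the kernel generating ICMP port unreachable only when no socket is bound to the port, and on that error being reported as ECONNREFUSED on a connected UDP socket; the 50 ms wait and the loopback address are assumptions of this example, and the 5-datagram count is constructed sample input.

```c
/*
 * udp_open_vs_closed.c: added example, not FreeBSD's syslogd code.
 *
 * Shows what a remote sender can learn about a UDP port that a daemon has
 * bound but never reads from, versus a port with no socket on it at all.
 * Assumes a host with a working loopback interface (127.0.0.1).
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Fill in an IPv4 sockaddr for ip:port. Returns 0 on success, -1 on bad ip. */
static int make_addr(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Bind a UDP socket to one explicit local address (not INADDR_ANY, which is
 * all the syslogd in the thread could do) on an ephemeral port. The port the
 * kernel chose is stored in *port_out. Returns the fd, or -1 on error. */
static int open_udp_listener(const char *ip, unsigned short *port_out)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0 || make_addr(&sa, ip, 0) < 0 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &len) < 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

/* Send n one-byte datagrams to ip:port from a throwaway socket and return how
 * many sendto() calls succeeded. Nothing tells the sender whether anyone will
 * ever read them. */
static int send_datagrams(const char *ip, unsigned short port, int n)
{
    struct sockaddr_in sa;
    int fd, i, sent = 0;
    if (make_addr(&sa, ip, port) < 0) return -1;
    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    for (i = 0; i < n; i++)
        if (sendto(fd, "x", 1, 0, (struct sockaddr *)&sa, sizeof sa) == 1)
            sent++;
    close(fd);
    poll(NULL, 0, 20);              /* assumed: 20 ms lets loopback delivery settle */
    return sent;
}

/* Drain whatever is queued on fd without blocking and return the count. A
 * daemon that never does this lets the queue grow to SO_RCVBUF, after which
 * the kernel drops further datagrams silently; the sender is never told. */
static int count_queued(int fd)
{
    char buf[64];
    int n = 0;
    while (recv(fd, buf, sizeof buf, MSG_DONTWAIT) >= 0)
        n++;
    return n;
}

/* Probe ip:port with a connected UDP socket, as a scanner would. Only a port
 * with no socket bound to it makes the kernel answer with ICMP port
 * unreachable, which the probing socket sees as ECONNREFUSED. A bound but
 * unread port answers with nothing at all and so looks "open".
 * Returns 1 if the port looks closed, 0 if it looks open, -1 on local error. */
static int probe_udp_port(const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    struct pollfd pfd;
    char buf[1];
    int fd, closed;
    if (make_addr(&sa, ip, port) < 0) return -1;
    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        send(fd, "p", 1, 0) < 0) {
        close(fd);
        return -1;
    }
    pfd.fd = fd;
    pfd.events = POLLIN;
    pfd.revents = 0;
    poll(&pfd, 1, 50);              /* assumed: 50 ms is enough for a loopback ICMP reply */
    closed = (recv(fd, buf, sizeof buf, MSG_DONTWAIT) < 0 && errno == ECONNREFUSED);
    close(fd);
    return closed;
}

int main(void)
{
    unsigned short port;
    int fd = open_udp_listener("127.0.0.1", &port);
    if (fd < 0) { perror("open_udp_listener"); return 1; }

    int sent = send_datagrams("127.0.0.1", port, 5);   /* constructed sample traffic */
    int queued = count_queued(fd);
    int looks_closed = probe_udp_port("127.0.0.1", port);
    printf("bound, unread: sent %d, %d queued unread, probe says %s\n",
           sent, queued, looks_closed ? "closed" : "open");

    close(fd);
    printf("socket closed: probe says %s\n",
           probe_udp_port("127.0.0.1", port) ? "closed" : "open");
    return 0;
}
```

Run as-is it prints two lines: with the socket bound, every datagram is accepted and sits unread, and the probe reports the port as open; with the socket closed, the probe reports it closed. That is the whole difference between a socket a daemon holds but never reads and no socket at all, and it is visible to anyone on the network, not just in netstat(8) output. Whether a half-closed socket (shutdown with SHUT_RD, which is how the thread describes a single '-s') also queues or drops the data is a kernel detail this example does not model; from the network side the port is bound either way, so no ICMP unreachable is generated.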