Date:      Sun, 21 Jan 2001 11:51:22 +0100
From:      Andrea Campi <andrea@webcom.it>
To:        Dag-Erling Smorgrav <des@ofug.org>
Cc:        cjclark@alum.mit.edu, FreeBSD-gnats-submit@FreeBSD.ORG, current@FreeBSD.ORG
Subject:   Re: bin/24444: syslogd(8) does not update hostname
Message-ID:  <20010121115121.A402@webcom.it>
In-Reply-To: <xzpofx1h966.fsf@flood.ping.uio.no>; from des@ofug.org on Sun, Jan 21, 2001 at 04:32:33AM +0100
References:  <200101190330.f0J3UPa75677@rfx-216-196-73-168.users.reflexcom.com> <xzphf2v22vu.fsf@flood.ping.uio.no> <20010119110341.A7958@rfx-216-196-73-168.users.reflex> <xzp4ryvtcrv.fsf@flood.ping.uio.no> <20010120170155.K10761@rfx-216-196-73-168.users.reflex> <xzpofx1h966.fsf@flood.ping.uio.no>

> the hostname, one being a syscall and the other being a sysctl. One
> could of course have the kernel print a message to the console about
> it, syslogd(8) would pick that up.

Yes, I was about to propose this, but then I thought: why? If we go this way,
then we should definitely also log an IP address change, maybe even our default
router changing MAC address... why not even hardware changes since last reboot?

Working in a security job, I can understand worries about important events
going unnoticed. But doing this in the kernel is IMHO overkill, maybe it could be
interesting for TrustedBSD, but not in the normal kernel; at least, it should
be configurable at both compile time and runtime (high securelevel and/or a
sysctl).

The Right Way (tm) to do this is to use (or write) a host intrusion detection
system.

Having said this, the proposed patch looks fine to me and I think it should be
committed.

Bye,
	Andrea

-- 
               Speak softly and carry a cellular phone.

