Subject: Re: [RFC] environment sanitisation wrapper
From: Kurt Seifried (listuser seifried.org)
Date: Tue May 30 2000 - 19:12:19 CDT
- Next message: Crispin Cowan: "Re: Here's another glibc env. var."
- Previous message: Sean Hunter: "Re: [RFC] environment sanitisation wrapper"
- In reply to: Sean Hunter: "Re: [RFC] environment sanitisation wrapper"
- Next in thread: Sean Hunter: "Re: [RFC] environment sanitisation wrapper"
- Reply: Kurt Seifried: "Re: [RFC] environment sanitisation wrapper"
- Reply: Sean Hunter: "Re: [RFC] environment sanitisation wrapper"
- Reply: John Flux: "Re: [RFC] environment sanitisation wrapper"
- Reply: Francis A. Holop: "sysloggers (was: Re: [RFC] environment sanitisation wrapper)"
> I don't like syslog at all, and want to replace it with something
> sensible. (although the syslogd man page is good for a laugh[1]) I
> would rather use stdout and stderr and let the user pipe the output to
> syslog, a log file or wherever else they want to.
secure-syslog
The major problem with syslog however is that tampering with log files is
trivial (setting the log files append only with "chattr +a" helps, but if an
attacker gains root, they can unset the attribute). There is however a
secure version of syslogd, available at
http://www.core-sdi.com/english/freesoft.htm (these guys generally make good
tools and have a good reputation, in any case it is open source software for
those of you who are truly paranoid). This allows you to cryptographically
sign logs to ensure they haven't been tampered with. Ultimately, however, an
attacker can still delete the log files so it is a good idea to send them to
another host, especially in the case of a firewall to prevent the hard drive
being filled up.
next generation syslog
Another alternative is "syslog-ng" (Next Generation Syslog), which seems
much more customizable than either syslog or secure-syslog, it supports
digital signatures to prevent log tampering, and can filter based on content
of the message, not just the facility it comes from or priority (something
that is very useful for cutting down on volume). Syslog-ng is available at:
http://www.balabit.hu/products/syslog-ng/.
Nsyslogd
Nsyslogd supports TCP, and SSL for logging to remote systems. It runs on a
variety of UNIX platforms and you can download it from:
http://coombs.anu.edu.au/~avalon/nsyslog.html.
from http://www.securityportal.com/lasg/logging/index.html which is
officially obsolete and replaced by http://www.securityportal.com/lskb/
> Sean
-Kurt Seifried
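
The following is an added example, not part of the original message and not the algorithm used by secure-syslog, syslog-ng or Nsyslogd. It sketches one common way to make a log tamper-evident (a MAC chain with a one-way evolving key) and shows the limit the message points out: edits are caught, but deleting the tail of the log is not, which is why a copy on another host matters. All names and log lines are constructed for illustration.

```python
import hashlib
import hmac

ZERO = b"\x00" * 32
SAMPLE = [  # constructed log lines, not from any real host
    "sshd[411]: Accepted password for alice from 192.0.2.10",
    "su[498]: session opened for user root by alice",
    "kernel: eth0: promiscuous mode enabled",
    "sshd[411]: session closed for user alice",
]

def evolve(key):
    """One-way key update: the previous key cannot be derived from the result."""
    return hashlib.sha256(b"evolve" + key).digest()

def tag_for(key, prev_tag, message):
    return hmac.new(key, prev_tag + message.encode(), hashlib.sha256).digest()

def append(log, key, message):
    """Tag message under the current key and previous tag; return the next key."""
    prev_tag = log[-1][1] if log else ZERO
    log.append((message, tag_for(key, prev_tag, message)))
    return evolve(key)  # the logging host keeps only this and forgets the old key

def verify(log, initial_key):
    """Return the index of the first bad entry, or -1 if the chain checks out."""
    key, prev_tag = initial_key, ZERO
    for i, (message, tag) in enumerate(log):
        if not hmac.compare_digest(tag_for(key, prev_tag, message), tag):
            return i
        key, prev_tag = evolve(key), tag
    return -1

def build(initial_key):
    log, key = [], initial_key
    for line in SAMPLE:
        key = append(log, key, line)
    return log, key  # key is what an intruder with root would find on the host

if __name__ == "__main__":
    k0 = hashlib.sha256(b"constructed demo secret").digest()  # held off-host
    log, current = build(k0)
    print("intact:", verify(log, k0))
    forged = list(log)
    msg = "su[498]: nothing to see here"
    forged[1] = (msg, tag_for(current, log[0][1], msg))  # re-tagged with stolen key
    print("rewritten entry 1:", verify(forged, k0))
    print("last two entries deleted:", verify(log[:2], k0))
```

The truncated log still verifies because nothing in the chain records how many entries should exist; the verifier needs an independent copy or entry count kept elsewhere.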