
On 07.12.2011 19:21, Cristian Rodríguez wrote:
On 07/12/11 14:08, Ruediger Meier wrote:
On Wednesday 07 December 2011, Cristian Rodríguez wrote:
On 07/12/11 13:13, Peter Nikolic wrote:
Well should not be so wide open to them then simple
That's not possible... any process can claim to be $yourfavoritesoftware. There is no authentication nor access control, by design.
? They were talking about reading log files.
No, Stefan replied saying that log files can be manipulated by attackers, particularly by writing fake syslog messages.
If you have an idea on how to make the messages authenticated, have access control, metadata, a single structure, all of that suitable for servers that log lots of stuff per second in a plain text file, without breaking already existing syslog implementations and tools... bring it on.
I remember having played with setting some log files "append only" to protect them, long ago. That way they can not be modified; just writing to the end of the file is permitted. I also then remember using lcap to remove the ability to change the append-only flag, CAP_LINUX_IMMUTABLE, and the ability to do raw I/O.

I faintly remember having some problems that made me stop the experiment. I think at least logrotate didn't work and there may have been some other stuff. Anyways, the intention was to make it impossible for the intruder to change logs.

I'm sure it can be done...

Vahis
--
http://waxborg.servepics.com
openSUSE 11.4 (x86_64) 2.6.37.6-0.9-default main host
openSUSE 12.1 (x86_64) 3.1.1-48-desktop Tumbleweed in VirtualBox
openSUSE 12.1 (i586) 3.1.0-1.2-desktop in EeePC 900
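As an added example, not code from the thread, a small Python audit script for the hardening Vahis describes: it reads each log file's inode flags through the FS_IOC_GETFLAGS ioctl to confirm +a is actually set, and parses /proc/self/status to see whether CAP_LINUX_IMMUTABLE (the capability that lcap was used to drop) is still in the bounding set. The ioctl number is derived for the running ABI and assumes the generic x86/arm ioctl bit layout.

```python
import errno, fcntl, os, struct

FS_IMMUTABLE_FL = 0x10   # inode flag bits from include/uapi/linux/fs.h
FS_APPEND_FL = 0x20
_LONG = struct.calcsize("l")
# FS_IOC_GETFLAGS = _IOR('f', 1, long); built for this ABI instead of hard-coding 0x80086601
FS_IOC_GETFLAGS = (2 << 30) | (_LONG << 16) | (ord("f") << 8) | 1
CAP_LINUX_IMMUTABLE = 9  # the capability needed to set or clear +a/+i


def inode_flags(path):
    """{'append': bool, 'immutable': bool}, or None if the filesystem has no
    flags ioctl (procfs, some tmpfs/overlay setups, non-Linux hosts)."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        buf = bytearray(_LONG)
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf)  # kernel fills buf in place
    except OSError as e:
        if e.errno in (errno.ENOTTY, errno.ENOSYS, errno.EINVAL, errno.EOPNOTSUPP):
            return None
        raise
    finally:
        os.close(fd)
    flags = struct.unpack("l", bytes(buf))[0]
    return {"append": bool(flags & FS_APPEND_FL), "immutable": bool(flags & FS_IMMUTABLE_FL)}


def audit(paths):
    """Map each path to its flag dict, None (flags unsupported) or 'missing'."""
    out = {}
    for p in paths:
        try:
            out[p] = inode_flags(p)
        except FileNotFoundError:
            out[p] = "missing"
    return out


def cap_linux_immutable_in_bounding_set():
    """True if a root process here could still clear +a (what lcap was used to
    prevent), False if it was dropped from CapBnd, None if /proc is unavailable."""
    try:
        with open("/proc/self/status") as f:
            for line in f:
                if line.startswith("CapBnd:"):
                    return bool(int(line.split()[1], 16) >> CAP_LINUX_IMMUTABLE & 1)
    except OSError:
        pass
    return None
```

Run it over /var/log/* after setting chattr +a; note that an append-only file also refuses rename and unlink, which is why logrotate's default rename-based rotation fails on it, matching the breakage the message recalls.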