On 07.12.2011 19:21, Cristian Rodríguez wrote:
On 07/12/11 14:08, Ruediger Meier wrote:
On Wednesday 07 December 2011, Cristian Rodríguez
On 07/12/11 13:13, Peter Nikolic wrote:
Well should not be so wide open to them then
That's not possible... any process can claim to be
$yourfavoritesoftware. There is no authentication nor access control,
They were talking about reading log files.
No, Stefan replied saying that log files can be manipulated by
attackers, particularly writing fake syslog messages.
If you have an idea on how to make the messages authenticated, have
access control, metadata, a single structure, all of that suitable for
servers that log lots of stuff per second in a plain text file, without
breaking already existent syslog implementations and tools... bring it on.
I remember having played with setting some log files "append only" to
protect them, long ago.
That way they can not be modified, just writing to the end of file is
I also then remember using lcap to remove the ability to change the
append-only flag, CAP_LINUX_IMMUTABLE and ability to do raw I/O.
I faintly remember having some problems that made me stop the
experiment. I think at least logrotate didn't work and there may have
been some other stuff.
Anyways, the intention was to make it impossible for the intruder to
I'm sure it can be done...
openSUSE 11.4 (x86_64) 220.127.116.11-0.9-default main host
openSUSE 12.1 (x86_64) 3.1.1-48-desktop Tumbleweed in VirtualBox
openSUSE 12.1 (i586) 3.1.0-1.2-desktop in EeePC 900
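
An added example, not part of the thread: a check for whether a process still holds, or could regain, the two capabilities the message mentions removing (CAP_LINUX_IMMUTABLE, which is needed to clear the append-only flag, and CAP_SYS_RAWIO). It assumes the `CapPrm`/`CapEff`/`CapBnd` lines of a current kernel's `/proc/<pid>/status`; the function names and both sample status texts are constructed for illustration.

```python
import re

# Bit numbers from <linux/capability.h>
GUARDED = {
    "CAP_LINUX_IMMUTABLE": 9,   # set/clear the append-only and immutable file flags
    "CAP_SYS_RAWIO": 17,        # raw I/O that could bypass the filesystem layer
}

# Constructed samples: an unrestricted root process, and one with bits 9 and 17
# removed from every capability set.
ROOT_STATUS = (
    "Name:\tsyslogd\n"
    "CapPrm:\t000001ffffffffff\n"
    "CapEff:\t000001ffffffffff\n"
    "CapBnd:\t000001ffffffffff\n"
)
HARDENED_STATUS = ROOT_STATUS.replace("000001ffffffffff", "000001fffffdfdff")


def parse_cap_sets(status_text):
    """Return {'CapPrm': int, 'CapEff': int, ...} parsed from status text."""
    pattern = r"^(Cap[A-Za-z]+):[ \t]*([0-9a-fA-F]+)[ \t]*$"
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(pattern, status_text, re.M)}


def flag_protection_gaps(status_text):
    """List (capability, set) pairs that would let the process undo chattr +a.

    'effective' means usable right now; 'permitted' means it can be raised
    again; 'bounding' means it can still be acquired across an execve().
    """
    sets = parse_cap_sets(status_text)
    missing = {"CapPrm", "CapEff", "CapBnd"} - sets.keys()
    if missing:
        raise ValueError("status text lacks: " + ", ".join(sorted(missing)))
    gaps = []
    for name, bit in sorted(GUARDED.items()):
        mask = 1 << bit
        for label, key in (("effective", "CapEff"), ("permitted", "CapPrm"),
                           ("bounding", "CapBnd")):
            if sets[key] & mask:
                gaps.append((name, label))
                break  # report only the strongest way the capability is held
    return gaps


if __name__ == "__main__":
    with open("/proc/self/status") as fh:
        print(flag_protection_gaps(fh.read()))
```

An empty list means neither capability is reachable from that process, so an append-only flag set on the log file cannot be cleared by it.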