Another option I've employed at one point is to direct security logs to /dev/lp0 and throw a dot matrix printer with a continuous feed of paper on the parallel port (I did this on Linux, I'm sure it works on other OSs). Once they get into the machine, there's no way they can delete the logs. I mean, they can move the paper back a line or two with the Epson control sequences and try to print over it, but combined with a remote logging server, you have evidence that is likely a lot easier to prove wasn't tampered with (IANAL).

My $0.02.

-Paul

On Wed, 2002-10-30 at 11:02, msconzoat_private wrote:
> Here is my $0.02.
>
> I agree with the comments about "it's better to log too much than too
> little." With that being said, I usually wind up logging everything to a
> remote machine and dealing with the placement/management/auditing of logs
> in a central place (seems to make my life easier).
>
> If you want to log to a certain directory on the remote host this is done
> via the remote machine's syslogd.conf file.
>
> A quick note from experience on "logging a lot costs you little": the
> computer science dept at TAMU does a network security class each year. A
> sandbox is set up, and there are a number of black teams (bad guys) vs. a
> gold team (good guys providing network services on about 8 boxes). Last
> time I logged a semester's worth of port scanning (via iptables) as well as
> other information from syslog to a remote machine. I managed to get
> about 400MB of logs in 3 months. *moral* logging is cheap...do it
>
> You just have to be careful about attacks against the remote logging
> machine...but that's why you back it up :)
>
> -mike
>
> > I was wondering what kind of information people used to log on a remote
> > syslog server.
> >
> > I mean, for every Linux machine I have, I log these facilities and
> > priorities:
> >
> > authpriv.* @remote_machine
> > kern.info @remote_machine
> > syslog.info @remote_machine
> > *.emerg @remote_machine
> >
> > If there is too much information, I use a higher priority level than .info for
> > the kern and syslog facilities.
> >
> > Is that a good practice or am I logging garbage?
> >
> > Another point: does someone know if I can log to a certain directory on a
> > remote host? Seems that I can't. Is that possible?
> >
> > Thanks in advance
> >
> > Ricardo Pires
> >
> > -----------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com
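The syslog.conf selectors Ricardo quotes and the per-host sorting Mike says is done on the collector, as an added example in working code (not code from the thread, and not the code of any syslog daemon). It models both ends: the sending host applies sysklogd selector semantics ("kern.info" means kern at info or anything more severe, "*.emerg" means emerg from every facility) to decide what leaves for @remote_machine and encodes the RFC 3164 priority byte; the collector parses the datagram and derives a per-host, per-facility file. The hostnames, sample events and the /var/log/remote base directory are constructed for the example. The hostname sanitisation is there because the host field arrives from the network and is chosen by whoever sends the packet, which is exactly the kind of attack against the log server that Mike warns about.

```python
"""Model of the remote-syslog path discussed in the thread (added example, not
code from the thread or from sysklogd): the sending host applies syslog.conf
selectors to decide what goes to @remote_machine and encodes the RFC 3164
PRI; the collector parses the datagram and chooses a per-host log file.
Hosts, messages and the /var/log/remote base directory are assumed."""
import re
from datetime import datetime
from pathlib import PurePosixPath

# Standard syslog facility and severity numbers (RFC 3164 section 4.1.1).
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITIES.items()}

# The selectors Ricardo quotes for '@remote_machine'.
REMOTE_SELECTORS = ("authpriv.*", "kern.info", "syslog.info", "*.emerg")


def selector_matches(selector, facility, severity):
    """sysklogd semantics: 'fac.prio' matches prio and anything more severe
    (a lower number); 'fac.*' matches every priority; '*.prio' every facility."""
    fac_part, prio_part = selector.split(".", 1)
    if fac_part != "*" and FACILITIES[fac_part] != facility:
        return False
    return prio_part == "*" or severity <= SEVERITIES[prio_part]


def forwarded(facility, severity, selectors=REMOTE_SELECTORS):
    """True if any selector sends this facility/severity to the remote host."""
    return any(selector_matches(s, facility, severity) for s in selectors)


def encode_pri(facility, severity):
    """PRI byte of a syslog datagram: facility * 8 + severity."""
    return facility * 8 + severity


def build_message(facility, severity, host, tag, text, when):
    """RFC 3164 wire form: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG (day space-padded)."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{encode_pri(facility, severity)}>{stamp} {host} {tag}: {text}"


WIRE_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


def parse_message(line):
    """Collector side: split PRI back into facility/severity; reject junk."""
    m = WIRE_RE.match(line)
    if not m or int(m.group(1)) > 191:
        raise ValueError(f"not a syslog message: {line[:40]!r}")
    pri = int(m.group(1))
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group(2), "host": m.group(3), "body": m.group(4)}


def destination(host, facility, base="/var/log/remote"):
    """Per-host directory, which the original poster asked about. The hostname
    comes straight from the datagram, so it is attacker-controlled: reduce it to
    a single safe path component before it touches the filesystem."""
    safe = re.sub(r"[^A-Za-z0-9.-]", "_", host).lstrip(".") or "unknown"
    fac_name = FACILITY_NAMES.get(facility, "unknown")
    return str(PurePosixPath(base) / safe / f"{fac_name}.log")


# Constructed sample events, not captured from any real host.
SAMPLES = (
    ("authpriv", "notice", "web1", "sshd[412]", "Accepted publickey for paul from 10.0.0.7"),
    ("kern", "info", "web1", "kernel", "IN=eth0 SRC=10.0.0.9 DPT=23 PROTO=TCP"),
    ("kern", "debug", "web1", "kernel", "eth0: link is up"),
    ("mail", "emerg", "mx1", "postfix/master[9]", "fatal: out of memory"),
    ("mail", "err", "mx1", "postfix/smtpd[77]", "lost connection after RCPT"),
)


def run_pipeline(samples=SAMPLES, when=datetime(2002, 10, 30, 11, 2, 0)):
    """Return (wire line, collector file) for every sample the selectors forward."""
    routed = []
    for fac_name, sev_name, host, tag, text in samples:
        fac, sev = FACILITIES[fac_name], SEVERITIES[sev_name]
        if not forwarded(fac, sev):
            continue                      # stays in the local log only
        wire = build_message(fac, sev, host, tag, text, when)
        parsed = parse_message(wire)      # what the collector sees on UDP 514
        routed.append((wire, destination(parsed["host"], parsed["facility"])))
    return routed


if __name__ == "__main__":
    for wire, path in run_pipeline():
        print(f"{path:<40} {wire}")
```

Of the five constructed events, three leave the box: the sshd notice (authpriv.*), the iptables kern.info line, and the mail.emerg (caught by *.emerg even though no mail selector exists); kern.debug and mail.err stay local, which is the "raise the priority level if it is too much" knob Ricardo describes. Note that nothing in the datagram authenticates the sending host: a box on the same network can forge both the PRI and the hostname, so the per-host directory tells you which host the packet claimed to come from, not which host sent it.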
This archive was generated by hypermail 2b30 : Fri Nov 01 2002 - 04:57:46 PST