RE: [loganalysis] Re: Central syslog server best practices?

From: Jeff King (peff-loganalat_private)
Date: Thu Aug 16 2001 - 12:00:44 PDT


On Thu, 16 Aug 2001, Ogle Ron (Rennes) wrote:

> If you are only copying the syslog on a periodic basis from the log server
> to the client machine then this may work.  However this isn't the case in
> most situations.  Normally you would create a tunnel.  The problem with a
> tunnel is that neither SSH nor IPsec was meant to protect the actual machine
> once it has been compromised.

I don't understand your argument. I'm creating a tunnel over which log
messages go. The tunnel is a data-only passage. Compromising the logging
client means that you can send data through the tunnel (i.e., write new log
messages).

> In your example, I could easily rename a shell program /usr/bin/cat.  The
> other machine has no control over that.

How? cat is running on the logging server, over which you have no access.
Even if you compromise the key of the logging client, you have gained only a
key which the server trusts for one action and one action only: append data
to the log files.

> I agree with other emails, that the encryption must be built into the
> service like syslog over SSL for the specific purpose of syslogs.

I don't see how this is any different. In the model you propose, this
happens:

1) syslog is running
2) client connects
3) syslog forks
4) syslog checks client cert for SSL
5) syslog verifies cert and decides which destination to send log entries
   to based on cert identity
6) syslog reads data over tunnel and puts it into log destination

With SSH, the scenario is:

1) sshd is running
2) client connects
3) sshd forks
4) sshd checks client DSA key
5) sshd verifies key and runs command specified in authorized_keys2 file
   (ignoring any command sent by client)
6) cat reads data from tunnel and puts it into log destination

Except in the case of SSH, ssh already does 1-5, so I don't have to write any
code. This is exactly the sort of thing that authorization specifications in
the authorized_keys2 file were designed for.

-Peff
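The server-side half of the arrangement Jeff describes (steps 5 and 6 of his SSH list), written out as an added example; it is not code from this thread. It assumes a wrapper installed as /usr/local/sbin/logsink and per-client log files under /var/log/remote, both placeholder paths. The option keywords (command=, no-pty, no-port-forwarding, no-X11-forwarding, no-agent-forwarding, from=) are standard OpenSSH authorized_keys options, and SSH_ORIGINAL_COMMAND is the variable sshd sets to whatever command the client actually requested.

```shell
#!/bin/sh
# Added illustration of an append-only SSH log channel.
# Paths (/usr/local/sbin/logsink, /var/log/remote) are assumptions.

# The forced command sshd runs for a logging client's key, regardless of
# what the client asked to execute. It appends stdin to the single file the
# server chose for that key and does nothing else.
append_only_sink() {
    logfile="$1"
    # sshd stores the client's requested command in SSH_ORIGINAL_COMMAND.
    # It is ignored on purpose; reporting it on stderr (which sshd returns
    # to the client) makes a key being used for anything other than log
    # shipping visible.
    if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
        printf 'logsink: ignoring requested command: %s\n' \
            "$SSH_ORIGINAL_COMMAND" >&2
    fi
    umask 077            # a newly created log file is readable only by the sink's account
    cat >> "$logfile"
}

# One authorized_keys2 line per client: the key is bound to the sink with a
# server-chosen log file, and pty allocation and every kind of forwarding are
# switched off, so a stolen client key yields only "append to this file".
authorized_keys_line() {
    client="$1"          # short name, used for the per-client log file
    pubkey="$2"          # the client's public key, as in its id_dsa.pub
    fromhost="${3:-}"    # optional: the only address this key may connect from
    opts="command=\"/usr/local/sbin/logsink /var/log/remote/$client.log\""
    opts="$opts,no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding"
    if [ -n "$fromhost" ]; then
        opts="$opts,from=\"$fromhost\""
    fi
    printf '%s %s\n' "$opts" "$pubkey"
}

# Walk-through on constructed input: write the key line for a client called
# web1, then push a few sample syslog lines through the sink the way sshd
# would, with the client "requesting" a shell that never gets run.
demo() {
    dir=$(mktemp -d)
    authorized_keys_line web1 'ssh-dss AAAAB3...constructed-key... root@web1' \
        192.0.2.10 > "$dir/authorized_keys2"
    printf '%s\n' \
        'Aug 16 12:00:44 web1 sshd[1234]: Accepted publickey for alice' \
        'Aug 16 12:00:51 web1 su: alice to root on /dev/pts/2' \
        | ( export SSH_ORIGINAL_COMMAND='/bin/sh'
            append_only_sink "$dir/web1.log" )
    echo "--- authorized_keys2 ---"; cat "$dir/authorized_keys2"
    echo "--- web1.log ---";         cat "$dir/web1.log"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On the client, the sending side is then nothing more than a process that feeds log lines to `ssh -i <client key> logsink@<server>` on stdin; any command name given on that ssh line is discarded by the forced command, which is the property the message relies on.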
    
    



    This archive was generated by hypermail 2b30 : Thu Aug 16 2001 - 12:29:59 PDT