Re: [logs] log review policies

From: Sweth Chandramouli (svcat_private)
Date: Wed Oct 17 2001 - 14:16:44 PDT


    	Just to clarify, since it seems like people are getting
    a little confused here--Robert was originally suggesting having the
    loghost send the email reports directly to the admin workstations,
    rather than having it store them locally and require admins to log in
    to the machine in some way to view them, so as to remove the need for
    whatever login service would be used by those admins (which would,
    presumably, be another potential point of compromise), and Jeff was
    responding that he didn't think that it made sense to require an
    SMTP server on every machine.  Note that, in the scenario being
    described, something listening on port 25 of every workstation _is_
    necessary; that's the entire point of the suggestion.
    	So, getting back to the original discussion, and away
    from discussions of which MTA is better and whether or not various
    MTAs can be run in local-delivery-only mode: I, personally, would
    probably opt for a single login mechanism on a secure server, rather
    than a push mechanism to get the files to the admin workstations.  It's
    much easier to keep track of a single such install than multiple ones;
    an admin workstation to which all of this data was being pushed would,
    moreover, be a far more valuable prize for a hacker, since it would
    probably also have lots of other useful things like PGP private keys on
    it, and should thus, ideally, be serving as few network services as
    possible.  A well-designed push mechanism--perhaps a lean,
    well-understood process on each workstation that could only read data
    from a serial line connected to the loghost, and write that data out
    to a file--could change that picture; any in-band listener, however,
    and especially an in-band SMTP listener, would (IMHO) be more risk than
    it was worth.
    
    	-- Sweth.
    
    -- 
    Sweth Chandramouli ; <svcat_private>
    President, Idiopathic Systems Consulting
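
The "lean, well-understood process" described in the message above, sketched as an added example (not code from the original post or its author): a receiver that only reads from one input and appends to one file. The line cap, the printable-ASCII filter, and the device and file paths are assumptions made for illustration.

```python
import os
import sys

MAX_LINE = 1024  # assumed cap on one report line, in bytes


def sanitize(raw: bytes) -> bytes:
    """Keep printable ASCII and tab; replace every other byte with '?'."""
    return bytes(b if 32 <= b < 127 or b == 9 else 63 for b in raw)


def receive(src, out_path, max_line=MAX_LINE):
    """Append lines read from binary stream `src` to `out_path`.

    The input is never parsed, executed or answered; nothing is written
    back to `src`. Returns the number of lines stored.
    """
    stored = 0
    fd = os.open(out_path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    with os.fdopen(fd, "ab") as out:
        while True:
            chunk = src.readline(max_line + 1)
            if not chunk:
                break  # EOF: the sender closed the line
            complete = chunk.endswith(b"\n")
            body = chunk.rstrip(b"\r\n")[:max_line]
            while not complete:  # overlong line: drop the remainder
                rest = src.readline(max_line + 1)
                if not rest:
                    break
                complete = rest.endswith(b"\n")
            out.write(sanitize(body) + b"\n")
            stored += 1
    return stored


if __name__ == "__main__":
    # Hypothetical invocation: receiver.py /dev/ttyS0 /var/log/loghost-reports
    # (both paths are placeholders). The device is opened read-only.
    with open(sys.argv[1], "rb", buffering=0) as tty:
        receive(tty, sys.argv[2])
```

Bounding the line length and replacing control bytes keeps a compromised loghost from filling memory or planting terminal escape sequences in the file an admin later views.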
    
    


