While the packages mentioned seem to have methods for detecting log tampering, does anything out there prevent log forging? I.e., sending bogus messages to the syslog port, users calling syslog() to make it look like someone is breaking in, etc.?

Seems like we need the syslog command to identify the UID of the person sending the message, and then the message needs to be cryptographically signed before it gets sent to the central logging facility. The loghost would drop any messages not signed.

In the event of a root compromise, it would be useful if the set*[ug]id system logged each change of uid as well, both effective and real. I guess for kernel logging, this means crypto in the kernel.

Would changes like this aid in considering the system logs "proof" of activities, at least until after a root compromise?

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin UF/CISE Department |
| E314D CSE Building Phone (352) 392-1499 |
| jfhat_private http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
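The scheme sketched in the post (the sender records who called the logging routine, signs the record, and the loghost drops anything unsigned) can be illustrated in a few lines. The following is an added example written for this archive page, not code from the poster or from any syslog implementation. It uses HMAC-SHA256 with a per-host shared secret as the signature primitive, carries the real and effective UID plus a per-host sequence number in each record, and has the receiver reject records that are unsigned, signed with the wrong key, altered in transit, replayed, or from an unknown host. The host name, key, UIDs and log text are all constructed for the example.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, field

# Constructed for this example: each sending host shares a secret with the
# loghost. Provisioning that secret so that ordinary users on the sender
# cannot read it is what stops a local user from producing a valid tag.
HOST_KEYS = {
    "web01": b"constructed-secret-for-web01",
}


def sign_record(host: str, uid: int, euid: int, seq: int, msg: str, key: bytes) -> str:
    """Build one wire-format line: a JSON body followed by an HMAC-SHA256 tag.

    The body records the caller's real and effective UID as observed by the
    sending side, plus a sequence number so the loghost can detect gaps
    and replays. The tag covers the exact body bytes that are transmitted.
    """
    body = json.dumps(
        {"host": host, "uid": uid, "euid": euid, "seq": seq, "msg": msg},
        sort_keys=True, separators=(",", ":"),
    )
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body} {tag}"


@dataclass
class Loghost:
    """Receiver: keeps a record only if its tag verifies and its sequence advances."""
    keys: dict
    last_seq: dict = field(default_factory=dict)
    accepted: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def receive(self, line: str) -> bool:
        # Wire format is "<json-body> <hex-tag>"; the tag never contains spaces,
        # so splitting on the last space recovers the body exactly as signed.
        body, sep, tag = line.rpartition(" ")
        if not sep:
            self.dropped.append(("unsigned-or-malformed", line))
            return False
        try:
            rec = json.loads(body)
            key = self.keys[rec["host"]]
        except (ValueError, KeyError, TypeError):
            self.dropped.append(("bad-body-or-unknown-host", line))
            return False
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        # compare_digest keeps the comparison time independent of where the tags differ
        if not hmac.compare_digest(expected, tag):
            self.dropped.append(("bad-signature", line))
            return False
        if rec["seq"] <= self.last_seq.get(rec["host"], -1):
            self.dropped.append(("replay-or-out-of-order", line))
            return False
        self.last_seq[rec["host"]] = rec["seq"]
        self.accepted.append(rec)
        return True


def demo() -> dict:
    """Feed a mix of genuine and forged lines to a loghost; return what happened."""
    lh = Loghost(keys=HOST_KEYS)
    key = HOST_KEYS["web01"]
    genuine = sign_record("web01", 1000, 0, 1, "sudo: session opened for root", key)
    results = {
        "genuine": lh.receive(genuine),
        # Same line delivered twice: the sequence number does not advance.
        "replay": lh.receive(genuine),
        # Body altered after signing: tag no longer matches.
        "tampered": lh.receive(genuine.replace("sudo", "cron")),
        # A local user writing raw text to the log port without any tag.
        "unsigned": lh.receive('{"host":"web01","msg":"intrusion"}'),
        # Correct format but signed with a guessed key.
        "wrong_key": lh.receive(sign_record("web01", 0, 0, 2, "forged", b"guess")),
        # Host the loghost has no key for.
        "unknown_host": lh.receive(sign_record("mail01", 0, 0, 1, "x", b"k")),
        # Next genuine record from the same host is still accepted.
        "genuine_next": lh.receive(sign_record("web01", 1000, 0, 2, "logout", key)),
    }
    results["accepted_count"] = len(lh.accepted)
    results["dropped_count"] = len(lh.dropped)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A shared-secret MAC is the simplest fit for the post's "drop anything unsigned" rule, but it has the limitation the post hints at: anyone holding the key, including the loghost itself, can produce a valid record, so it does not turn logs into evidence against the loghost operator. Swapping the HMAC for a per-host asymmetric signature (the loghost holds only public keys) removes that gap at the cost of key distribution; the receive-side checks (tag verification, sequence monotonicity, known sender) stay the same. Neither variant helps after root compromise of the sender, since root can read the key or call the signing routine, which is why the post also asks for UID transitions to be logged before that point.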
This archive was generated by hypermail 2b30 : Thu Dec 06 2001 - 14:06:24 PST