On Thu, 6 Dec 2001, James F. Hranicky wrote:

> Seems like we need the syslog command to identify the UID of the
> person sending the message, and then the message needs to be
> cryptographically signed before it gets sent to the central logging
> facility. The loghost would drop any messages not signed.

network syslog is based on UDP, which itself is inherently unreliable. the link from earlier today about the signed and hashed log messages (from the always amazing corest guys) looks useful here.

> In the event of a root compromise, it would be useful if the
> set*[ug]id system logged each change of uid as well, both effective
> and real.
>
> Would changes like this aid in considering the system logs "proof" of
> activities, at least until after a root compromise?

most OSs out there can do audit trails by hook or crook, which it sounds like you want. a simple libc hook on your favorite open source operating system would also be easy to install, logging the uid of the caller when a suid/sgid app is called.

in short, hooks are there. no one's using them on a wide scale.

____________________________
jose nazario joseat_private
PGP: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
PGP key ID 0xFD37F4E5 (pgp.mit.edu)

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
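The thread above sketches two ideas: log records that carry the real and effective uid and are signed before they leave the host, and a loghost that drops anything unsigned. The following is an added illustration written for this archive page, not code from the original posters or from the Core (corest) work mentioned; it uses an HMAC-SHA256 under a shared key plus a per-host hash chain as one concrete way to get those properties. The key, the record layout and the sample setuid messages are constructed for the example. Because syslog over UDP can lose datagrams, the collector also distinguishes a sequence gap (possible loss, or deletion) from a forged, replayed or unsigned record.

```python
import hashlib
import hmac
import json

# Constructed shared key for the example; a real deployment would provision a
# per-host key out of band. Hypothetical value, not from the original post.
SHARED_KEY = b"example-loghost-key-not-for-production"

GENESIS = "0" * 64  # chain anchor: the "previous MAC" of a host's first record


def canonical(body):
    """Deterministic serialisation so sender and loghost MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_record(key, seq, prev_mac, uid, euid, text):
    """One record: JSON body carrying real/effective uid and the chain link,
    then '|' and an HMAC-SHA256 over the body."""
    body = {"seq": seq, "prev": prev_mac, "uid": uid, "euid": euid, "msg": text}
    payload = canonical(body)
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "|" + mac


class Sender:
    """Host-side emitter: numbers records and chains each to the previous MAC."""

    def __init__(self, key):
        self.key = key
        self.seq = 0
        self.prev_mac = GENESIS

    def emit(self, uid, euid, text):
        self.seq += 1
        rec = sign_record(self.key, self.seq, self.prev_mac, uid, euid, text)
        self.prev_mac = rec.rsplit("|", 1)[1]
        return rec


class Loghost:
    """Central collector: drops unsigned or forged records and replays, flags
    sequence gaps (UDP loss or deletion), and checks the hash chain."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0
        self.last_mac = GENESIS
        self.accepted = []

    def receive(self, line):
        if "|" not in line:
            return "dropped: unsigned"
        payload, mac = line.rsplit("|", 1)
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return "dropped: bad mac"  # any edit to uid/euid/msg lands here
        body = json.loads(payload)
        seq = body["seq"]
        if seq <= self.last_seq:
            return "dropped: replay"
        status = "ok"
        if seq != self.last_seq + 1:
            # Records were lost or removed; the chain link cannot be checked,
            # so accept but surface the hole for the analyst.
            status = f"gap: missing {self.last_seq + 1}..{seq - 1}"
        elif body["prev"] != self.last_mac:
            return "dropped: chain break"
        self.last_seq = seq
        self.last_mac = mac
        self.accepted.append(body)
        return status


def demo():
    """Constructed exchange: genuine, tampered, unsigned, replayed and lost records."""
    sender = Sender(SHARED_KEY)
    host = Loghost(SHARED_KEY)
    records = [
        sender.emit(1000, 0, "setuid: su invoked, euid 1000 -> 0"),
        sender.emit(1000, 1000, "seteuid: dropped back to 1000"),
        sender.emit(1000, 0, "setuid: sudo invoked"),
        sender.emit(0, 0, "setuid: cron job running as root"),
    ]
    results = [host.receive(records[0]), host.receive(records[1])]
    tampered = records[2].replace('"uid":1000', '"uid":0')  # edit inside signed body
    results.append(host.receive(tampered))
    results.append(host.receive("plain syslog line, no signature"))
    results.append(host.receive(records[0]))  # replayed genuine record
    results.append(host.receive(records[3]))  # record 3 never arrived
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The point the verifier makes for the thread's question of logs as "proof" is that a valid MAC and chain link only vouch for records produced while the signing key was intact; after a root compromise the attacker holds the key, so the chain proves history up to that point and nothing after it, which is why the loghost rather than the sending host keeps the verification state.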
This archive was generated by hypermail 2b30 : Thu Dec 06 2001 - 14:13:40 PST