On Mon, Feb 18, 2002 at 11:45:16AM -0900, mikemat_private wrote:

> Another thing to consider would be to "pull" the logs from the machines to
[...munch-munch...]
> (Okay, so maybe the logserver being "the most secure box on your network"
> is a bit extreme, but you get the point - if someone compromises a machine
> on your network, you don't want them being able to gain access to your
> logserver as well to erase what's left of the legitimate logs.)

This scenario also has its own cons.

If clients all push their data to the central server, using an ssh key w/o a pass phrase or otherwise, and a client machine gets compromised, chances are the client machine's account on the log server will also be compromised. Smaller chances are that the log server itself will get compromised as well. However, most likely all other production systems will not be automatically vulnerable. (Unless, of course, they could be compromised using the same method our first client was compromised with.)

In the case of the 'pull' scenario, there exists a possibility that the log server itself gets compromised somehow, and by gaining access to it, the attacker would automatically gain higher access to _all_ client servers that allow the log server access. Basically, the log server would have all usernames and passwords needed to log in to the client servers, at least to some extent.

Of course it all depends on a particular implementation: on how much access client servers give to the log server in the pull scenario, on how much access the log server gives the clients in the push scenario, and so on.

The point is (you probably wonder by now =), choosing between push and pull, and picking an appropriate level of access rights for other machines on the network, depends a lot on the security policy of the site: on what is more important, being able to collect log data precisely, or trying to minimize the potential susceptibility of production servers. After all, the log server is just that, a log server.
If it's broken, that's very bad, but life doesn't stop because of it. On the other hand, if a production server is broken, you start losing real money. For this reason, personally and generally, I like the push scenario better. But as I said, it all depends, and there could be a zillion reasons to use either approach.

Just my $0.02.

-- 
-- Yura Socolov <yuraat_private> FP: A7192ABD96E15F5 19AB21E60C34109
-- http://users.binary.net/yura/
--
-- Opinions and views in this message are my own and my own only.
--
-- "BSD, Lunix, Debian and Mandrake are all versions of an illegal hacker
-- operation system, invented by a Soviet computer hacker named Linyos
-- Torovoltos, before the Russians lost the Cold War."
-- T Reginald Gibbons // Is your son a computer hacker?
-- http://adequacy.org/?op=displaystory;sid=2001/12/2/42056/2147
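The concern raised above for the push scenario is that a passphrase-less client key, once stolen, gives the intruder whatever that key's account on the log server can do. The usual way to shrink that to "append to your own file and nothing else" is an sshd forced command. The script below is an added example written for this thread, not code from the original post or from any particular log server product: it assumes a hypothetical sink directory /var/log/remote, a client called web01 at placeholder address 192.0.2.10, and an authorized_keys entry (shown in the comments, key material elided) that pins the key to this script with no pty, no forwarding and a source-address restriction. Whatever command the client actually requests is ignored by sshd and shows up in SSH_ORIGINAL_COMMAND, which the script uses to refuse anything that is not a plain log push.

```shell
#!/bin/sh
# Added example: a forced-command "log sink" for the push scenario.
# A stolen client key can then do nothing on the log server except append
# to that client's own log file under $LOGSINK_DIR.
#
# Hypothetical authorized_keys line on the log server (key and address are placeholders):
#   command="/usr/local/bin/logsink web01",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding,from="192.0.2.10" ssh-ed25519 AAAA... web01-logpush
#
# Client side (hypothetical):  tail -F /var/log/messages | ssh -i /etc/logpush_key loghost logsink
# sshd ignores the requested command and runs this script; the request
# arrives here in SSH_ORIGINAL_COMMAND.

# Assumed sink directory; overridable through the environment for testing.
LOGSINK_DIR="${LOGSINK_DIR:-/var/log/remote}"

# logsink_check_host NAME -> 0 if NAME is a plain hostname we are willing to file under.
# Empty names, slashes, "..", leading dots or dashes and any other odd character are
# rejected, so the name from authorized_keys can never escape $LOGSINK_DIR.
logsink_check_host() {
  case "$1" in
    ''|*/*|*..*|-*|.*|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  return 0
}

# logsink_check_command -> 0 if the client asked for nothing or for "logsink".
# "ssh loghost cat /etc/shadow" with a stolen key lands here with
# SSH_ORIGINAL_COMMAND set to that string; we refuse and do not touch stdin.
logsink_check_command() {
  case "${SSH_ORIGINAL_COMMAND:-}" in
    ''|logsink) return 0 ;;
    *) return 1 ;;
  esac
}

# logsink HOST : append stdin to $LOGSINK_DIR/HOST/YYYYMMDD.log
# Returns 2 for a bad hostname, 3 for a refused command, 1 on I/O failure.
logsink() {
  host="$1"
  if ! logsink_check_host "$host"; then
    echo "logsink: refusing bad hostname '$host'" >&2
    return 2
  fi
  if ! logsink_check_command; then
    echo "logsink: refusing command '$SSH_ORIGINAL_COMMAND' from $host" >&2
    return 3
  fi
  umask 077
  dir="$LOGSINK_DIR/$host"
  mkdir -p "$dir" || return 1
  # Append only: the client never reads, truncates or renames what it sent earlier,
  # so erasing "what's left of the legitimate logs" needs root on the log server,
  # not just the client's key.
  cat >> "$dir/$(date +%Y%m%d).log"
}
```

The script deliberately takes the hostname from authorized_keys (the command= option) rather than from the client, so a compromised client cannot write into another host's directory; the from= restriction and the missing pty and forwarding options close the remaining ways the key could be turned into a general-purpose login.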
This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 13:41:08 PST