Re: [logs] SDSC Secure Syslog

From: Darren Reed (avalonat_private)
Date: Wed Dec 11 2002 - 17:26:24 PST


    In some mail from Balazs Scheidler, sie said:
    > 
    > On Wed, Dec 11, 2002 at 11:00:37AM +1100, Darren Reed wrote:
    > > In some mail from Balazs Scheidler, sie said:
    > > > 
    > > > On Fri, Dec 06, 2002 at 10:33:15AM +1100, Darren Reed wrote:
    > > > > In some mail from Tom Perrine, sie said:
    > > > * My opinion about BEEP is that it is overkill. BEEP is simply too
    > > >   complicated; that's why it is not yet supported by syslog-ng. TCP transport
    > > >   solves most problems we had with UDP, and using BEEP doesn't give us
    > > >   anything new or exciting. Encryption can simply be carried out by wrapping
    > > >   the TCP stream into SSL.
    > > 
    > > I have issues with just using syslog over TCP vs UDP due to the record
    > > boundaryless nature of sending data over TCP.  Plain text protocols are
    > > just too open an invitation for bad programming to introduce security
    > > problems.
    > 
    > I don't fully agree here. The same stream-like behaviour is used (or was
    > used) on Linux where SOCK_STREAM unix domain sockets were used. In the latest
    > distros they changed this to SOCK_DGRAM though.
    > 
    > Using '\n' as a record terminator is used for instance in Linux kernel
    > logging, when you tail a file (syslog-ng 2 is able to follow files like tail
    > -f does), when you receive packets on a TCP session. Record termination
    > defined by UDP packets boundaries is the exception and not the rule.
    
    Well, you won't find me saying this was a good design choice, although
    I'm sure they have their "reasons".
    
    > Using TCP provides additional benefits:
    [...]
    
    I'm not arguing that TCP is better, I'm arguing that just layering
    syslog over it is not a "winning situation" that buys you a whole lot.
    
    > I think depending on a complex library to support a protocol (beepcore for
    > example) might be a worse security decision than using '\n' terminated
    > lines.
    
    Personally, I like the idea that everything is a known and bounded size.
    You can allocate data for it, you know where it starts or stops, you
    know if you can handle it, etc.
    
    The "use \n" situation is not very comforting (how long is this message
    going to be ?) and means you cannot send messages with \n in them (easily).
    
    [...]
    > channel. The protocol used by syslog-ng (and nsyslogd if it wasn't changed)
    > is sending data one way only, in fact it could also be shut down for writing
    > only.
    
    Except for connection establishment where there's bidirectional
    authentication.
    
    > Some of my users deployed syslog-ng where sender hosts were located in
    > different time zones, they told me that they wanted timezones. And as I
    > don't have installations like those myself, I believe them.
    
    Sure!  But do you send GMT + TZ name or send localtime + TZ name ?
    
    Oh, my other goal with nsyslogd was not to disrupt the file format
    of the "standard" logfile, because there's just too much guff out
    there today that expects it to justify creating a new, arbitrary
    one (IMHO).
    
    Darren
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
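The framing trade-off argued in this message, as an added example that is not part of the thread or of syslog-ng/nsyslogd: a '\n'-terminated stream parser beside an octet-counted (length-prefixed, RFC 6587 style) one. Both run over constructed sample bytes; `MAX_RECORD` is a hypothetical receiver cap, and the point shown is that the length prefix tells the receiver how much to allocate up front and lets a record carry an embedded '\n', while the newline framing tears such a record apart and needs an explicit cap to bound an unterminated run.

```python
# Added illustration of two syslog-over-TCP framings; sample data is constructed.
MAX_RECORD = 2048  # hypothetical cap: the receiver refuses to buffer more than this


def parse_newline_framed(buf: bytes, max_len: int = MAX_RECORD):
    """Split '\\n'-terminated records out of buf; return (records, remainder).

    A record containing an embedded '\\n' is split in two, and an unterminated
    run longer than max_len is rejected instead of being buffered forever.
    """
    records = []
    while True:
        nl = buf.find(b"\n")
        if nl == -1:
            if len(buf) > max_len:
                raise ValueError("unterminated record exceeds %d bytes" % max_len)
            return records, buf  # partial record: wait for more data
        records.append(buf[:nl])
        buf = buf[nl + 1:]


def parse_octet_counted(buf: bytes, max_len: int = MAX_RECORD):
    """Split 'LEN SP MSG' records out of buf; return (records, remainder).

    The declared length is validated before any copy, so the receiver knows
    exactly how much to allocate, and the payload may contain any byte.
    """
    records = []
    while True:
        sp = buf.find(b" ", 0, 10)  # length field is a short decimal prefix
        if sp == -1:
            if len(buf) >= 10:
                raise ValueError("malformed length prefix")
            return records, buf  # prefix not complete yet
        if not buf[:sp].isdigit():
            raise ValueError("non-numeric length prefix")
        n = int(buf[:sp])
        if n > max_len:
            raise ValueError("declared length %d exceeds %d bytes" % (n, max_len))
        if len(buf) < sp + 1 + n:
            return records, buf  # partial record: wait for more data
        records.append(buf[sp + 1:sp + 1 + n])
        buf = buf[sp + 1 + n:]


def frame_octet_counted(msg: bytes) -> bytes:
    """Prefix a message with its octet count so it survives intact on a stream."""
    return b"%d %s" % (len(msg), msg)
```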
    
    This archive was generated by hypermail 2b30 : Wed Dec 11 2002 - 20:30:33 PST