Re: [fw-wiz] More Syslog Questions

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 07/16/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 16 Jul 2004 12:33:26 +0530

    On 13/07/04 15:10 -0500, Nathaniel Hall wrote:
    > Since someone asked a question about syslog, I thought I would add a couple
    > of my own.
    > I am in the process of setting up a centralized syslog server running RedHat
    > AS3. Currently, I am using syslog as our daemon, but have heard there are
    > other, better solutions. What do you suggest?

    I know of syslog-ng and metalog as alternatives.

    > Mr. Ranum, you spoke to my co-worker at Usenix on this topic, would you mind
    > posting your response to this:
    >
    > In an effort to make the log server as secure as possible, I would like to
    > find a way to use an append only file system. Unfortunately, if this is
    > done, logs cannot be rotated using logrotate so the server must be taken
    > down to single user mode to rotate the logs, causing the loss of many log
    > entries.
    On Linux, the chattr command on ext2/3 filesystems is useful. From man
    chattr:

           A file with the `a' attribute set can only be open in
           append mode for writing. Only the superuser or a process
           possessing the CAP_LINUX_IMMUTABLE capability can set or
           clear this attribute.

    chattr +a file to set it
    chattr -a file to unset it

    No reboots required. This is not really useful if the remote attacker
    gains root privileges, but it might work in your case.

    Devdas Bhagat
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
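Rotating a log that carries the append-only attribute without dropping to single-user mode, as an added example that is not part of the thread or of any syslog implementation: the script clears the `a` flag only for the instant the rename needs it, creates a fresh file, re-applies the flag to both files, and then signals the daemon to reopen. It assumes an ext2/3/4 filesystem, root or CAP_LINUX_IMMUTABLE, and a syslogd that reopens its files on SIGHUP and records its PID in a file (sysklogd's `/var/run/syslogd.pid` is assumed as the default; override it with `SYSLOG_PIDFILE`). The function name and exit codes are this example's own.

```sh
#!/bin/sh
# Added example, not from the thread: rotate a syslog file that is kept
# append-only with chattr +a, without taking the server to single-user mode.
# Assumptions: the log lives on ext2/3/4 (the 'a' flag is honoured there),
# the script runs as root or with CAP_LINUX_IMMUTABLE, and the syslog daemon
# reopens its files on SIGHUP and records its PID in $SYSLOG_PIDFILE
# (sysklogd's /var/run/syslogd.pid is assumed as the default).

# Return 0 if the 'a' attribute can be set on a file in directory $1,
# 1 otherwise (not root, chattr missing, or a filesystem such as tmpfs
# that does not support the flag).
can_set_append_only() {
    probe="$1/.chattr-probe.$$"
    : > "$probe" || return 1
    if chattr +a "$probe" 2>/dev/null; then
        chattr -a "$probe" 2>/dev/null
        rm -f "$probe"
        return 0
    fi
    rm -f "$probe"
    return 1
}

# Rotate $1 in place. Exit status: 0 = rotated and both files are append-only
# again, 2 = rotated but the attribute could not be applied, 1 = failure.
rotate_append_only() {
    log="$1"
    pidfile="${SYSLOG_PIDFILE:-/var/run/syslogd.pid}"
    [ -f "$log" ] || return 1
    rotated="$log.$(date +%Y%m%d-%H%M%S)"
    status=0

    if can_set_append_only "$(dirname "$log")"; then
        # rename() and truncation are refused while the 'a' flag is set,
        # so clear it for the duration of the rotation.
        chattr -a "$log" || return 1
    else
        status=2
    fi

    # The daemon keeps writing to the renamed file through its open
    # descriptor until it is told to reopen, so no messages are lost.
    mv "$log" "$rotated" || return 1
    : > "$log" || return 1
    chmod 0640 "$log"

    if [ "$status" -eq 0 ]; then
        chattr +a "$log" || return 1
        chattr +a "$rotated" || return 1
    fi

    # Ask syslogd to close the old descriptor and open the fresh file.
    if [ -r "$pidfile" ]; then
        kill -HUP "$(cat "$pidfile")" || return 1
    fi
    return "$status"
}

# Stand-alone use: rotate_append_only.sh /var/log/messages
if [ "$#" -gt 0 ]; then
    rotate_append_only "$1"
fi
```

The window between the `mv` and the SIGHUP costs nothing: the daemon still holds its descriptor on the renamed file and appends there until it reopens. As the reply notes, none of this helps once an attacker already has root on the log host, since the same `chattr -a` is available to them; the flag protects against unprivileged processes and against accidental truncation.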

