
The Journal - a proposed syslog replacement


Posted Nov 20, 2011 0:23 UTC (Sun) by endecotp (guest, #36428)
In reply to: The Journal - a proposed syslog replacement by alankila
Parent article: The Journal - a proposed syslog replacement

> periodically log the latest log entry's hash (and id) to a
> location which does not permit updates afterwards.

Such locations don't exist, apart from printers and optical drives.

> I'm going to guess we are talking about logging it once per
> minute or something like that.

That's nothing like fast enough if the attacker has some sort of automatic tool (and I don't believe I've ever seen non-automated attacks). To be useful it must save every single new hash value.



The Journal - a proposed syslog replacement

Posted Nov 20, 2011 4:39 UTC (Sun) by alankila (subscriber, #47141)

Such locations can be constructed. Many people here seem to think that a dedicated syslog server is secure, and that would have no other function and no other visible ports except one which accepts data in syslog protocol. Logging every hash sounds like a solution whose overhead is comparable to just doing remote logging directly. There might be value in having some kind of middle ground.

Not every attack succeeds immediately, and it may take several tries to successfully exploit some race condition in a daemon. Once an attacker breaks in through some local daemon, it still takes some time to download or build the relevant exploit utility, and to launch the secondary attack which finally gives root compromise.
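An added illustration of the scheme the two comments above are arguing about (this is not code from either commenter or from the Journal project): a SHA-256 hash chain over constructed sample log lines, with the latest hash checkpointed every N entries to a store assumed to be append-only. It shows why the checkpoint interval matters: an edit before the last checkpoint is detected, but entries written after it can be silently dropped unless every hash is anchored.

```python
import hashlib

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOG = [
    "sshd: accepted publickey for alice",
    "sshd: failed password for root",
    "cron: job backup started",
    "kernel: out of memory in httpd",
    "sshd: session opened for bob",
]

def chain(entries, prev=b"\x00" * 32):
    """Hash-chain the entries: h_i = SHA-256(h_{i-1} || entry_i).
    Returns the list of per-entry chain hashes."""
    hashes = []
    for entry in entries:
        prev = hashlib.sha256(prev + entry.encode()).digest()
        hashes.append(prev)
    return hashes

def anchors(hashes, every):
    """Simulate periodic checkpointing: record (id, hash) for every
    `every`-th entry into a store assumed to be append-only (a dict here)."""
    return {i: h for i, h in enumerate(hashes) if (i + 1) % every == 0}

def verify(entries, anchor_store):
    """Recompute the chain from the log as found and compare it with the
    anchors. Returns (ok, first_bad_anchor_id_or_None, unanchored_tail).
    `unanchored_tail` is the number of trailing entries no anchor covers;
    those could have been rewritten or removed without detection."""
    hashes = chain(entries)
    for i, h in anchor_store.items():
        if i >= len(hashes) or hashes[i] != h:
            return False, i, None
    last = max(anchor_store) if anchor_store else -1
    return True, None, len(entries) - (last + 1)

if __name__ == "__main__":
    store = anchors(chain(SAMPLE_LOG), every=2)      # anchors at ids 1 and 3
    print("intact:   ", verify(SAMPLE_LOG, store))
    tampered = SAMPLE_LOG[:]
    tampered[1] = "sshd: accepted password for root"  # rewrite before an anchor
    print("tampered: ", verify(tampered, store))
    print("truncated:", verify(SAMPLE_LOG[:-1], store))  # drop the unanchored tail
    print("truncated, every hash anchored:",
          verify(SAMPLE_LOG[:-1], anchors(chain(SAMPLE_LOG), every=1)))
```

With anchors every two entries the truncated log verifies cleanly (tail count 0), which is the gap endecotp objects to; with every hash anchored the missing fifth entry is reported.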

The Journal - a proposed syslog replacement

Posted Nov 20, 2011 20:19 UTC (Sun) by jackb (subscriber, #41909)

> Such locations don't exist, apart from printers and optical drives.

So they don't exist except when they do exist?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds