Bugtraq mailing list archives
Re: syslog idea
From: jmb () kryten Atinc COM (Jonathan M. Bresler)
Date: Fri, 7 Oct 1994 09:33:07 -0400 (EDT)
On Thu, 6 Oct 1994, *Hobbit* wrote:
If you don't have a secure logging host, there's also a possibility of someone breaking in and then trashing the logfile to hide their tracks. This brought to mind the idea of a "syslog monitor", or a process that would just hang out someplace and stat the various log files periodically, using some mechanism to warn of excessive size, mysterious shrinkage, and maybe some other warning signs.
take a look at tripwire from gene spafford and gene kim at purdue. version 1.2 was released just last month. it will monitor any files you want for changes in any of the fields returned by the lstat() syscall. this includes size, modification time, owner etc. it will also checksum those files using the checksum you specify, from simple 32bit crc to cryptographically strong signature algorithms. you can run it out of cron as often as desired.

jmb
Jonathan M. Bresler jmb () kryten atinc com | Analysis & Technology, Inc.
| 2341 Jeff Davis Hwy
play go. | Arlington, VA 22202
ride bike. hack FreeBSD.--ah the good life | 703-418-2800 x346
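The periodic check discussed in this thread (lstat() fields plus a checksum, with warnings for shrinkage and excessive size), as an added example that is not code from the post or from Tripwire. The function names, the default size limit, and the choice to hash only the previously recorded prefix (so that normal appends to a log do not raise a warning) are assumptions made for this sketch.

```python
import hashlib
import os

def prefix_digest(path, length, algo="sha256"):
    """Hash the first `length` bytes of the file at `path`."""
    h = hashlib.new(algo)
    remaining = length
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(65536, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()

def snapshot(path, algo="sha256"):
    """Record the lstat() fields of interest and a digest of the current contents."""
    st = os.lstat(path)
    return {"size": st.st_size, "uid": st.st_uid, "gid": st.st_gid,
            "mode": st.st_mode, "ino": st.st_ino, "mtime": st.st_mtime,
            "algo": algo, "digest": prefix_digest(path, st.st_size, algo)}

def check(path, old, max_size=50 * 1024 * 1024):
    """Compare `path` with an earlier snapshot; return (warnings, new_snapshot)."""
    try:
        new = snapshot(path, old["algo"])
    except FileNotFoundError:
        return ["missing"], None
    warnings = []
    if new["size"] < old["size"]:
        # A log that only ever gets appended to should never get smaller.
        warnings.append("shrunk")
    elif prefix_digest(path, old["size"], old["algo"]) != old["digest"]:
        # Same or larger size, but bytes recorded earlier no longer match.
        warnings.append("earlier-content-changed")
    if new["size"] > max_size:
        warnings.append("excessive-size")
    if new["ino"] != old["ino"]:
        # Different inode: the file was replaced (rotation or tampering).
        warnings.append("replaced")
    if (new["uid"], new["gid"], new["mode"]) != (old["uid"], old["gid"], old["mode"]):
        warnings.append("owner-or-mode-changed")
    return warnings, new
```

Run from cron, each pass would call `check()` with the snapshot saved by the previous pass and store the returned one. The saved snapshots are only as trustworthy as the place they are kept, so they belong somewhere an intruder on the monitored host cannot rewrite them.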