More on Red Hat 6.1 sysklogd

[dfs () ROARINGPENGUIN COM (David F. Skoll)]

Red Hat has a security advisory at
http://www.redhat.com/support/errata/RHSA1999055-01.html detailing a
DoS attack against syslogd.

There is an even more compelling reason to upgrade:  After my logs were
rotated, I noticed that the background chatter of script kiddies probing
my firewall ceased.  It turns out that when syslogd is sent a HUP
signal, it closes and recreates the /dev/log socket.  If this is a
stream socket, then klogd (the daemon responsible for forwaring kernel
log messages) fails.

Basically, after your logs are rotated, all kernel log messages are
lost.  Update your syslogd now.

This is an strace of the problem:

$ strace -p 22240   # I'm tracing the "klogd" process

# A kernel log message is generated
read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118

# klogd gets a time stamp
time([945571294])        = 945571294

# klogd writes it to syslog
write(1, "<6>Dec 18 21:41:34 kernel: Packe"..., 143) = 143

# Now send syslogd a HUP signal

$ kill -1 19141

# And continue with the strace

# A kernel log message is generated
read(0, "<6>Packet log: forward DENY ppp0"..., 4095) = 118

# klogd gets a time stamp
time([945571432])       = 945571432

# But the write fails and the log message is lost!
write(1, "<6>Dec 18 21:43:52 kernel: Packe"..., 143) = -1 ECONNRESET
(Connection reset by peer)

The new syslogd uses a datagram socket, I think, so doesn't suffer from
this problem.

--
David F. Skoll                 | Roaring Penguin Software Inc.
http://www.roaringpenguin.com  | Linux and UNIX Specialists