Re: [SAGE] Re: Official sudosh announcement

[Peter Van Epp <vanepp@sfu.ca>]

<snip>
> 
> I know that local syslogs are UDP via /dev/log.  I know that on paper
> UDP is async and is not guaranteed to be delivered.  But honestly I've
> been using UNIX for nearly 10 years and I never seen /dev/log fail or
> just randomly drop syslogs.
> 
> With the above example it is very easy to show to an auditor and have
> supporting documentation regarding changes and such to a server.
> 
<snip>
	Wouldn't fly with our audit team. They would have the good sense to 
ask me how I would defeat this and listen to and evaluate the answer (consulting
outside expertise if required). If you have auditors that don't, be sure and
keep them happy, because they are unusual, and you don't want to lose them.
	That answer would be (although as many people have pointed out there 
are ways to get around this, just generic syslog isn't it) I create a DOS 
attack against the network connection to your central syslog server (that will 
kill both UDP and unless TCP has gotten a lot better lately even a TCP 
connection to syslog). Or I forge messages in to your central syslog host and 
fill the disk before I start doing the bad things as root (bet your syslog 
server doesn't shut down your applications if its disk fills. although it 
probably should until someone determines why syslog filled :-)).
	Because you have never seen UDP/syslog fail in a non hostile 
environment doesn't mean that you shouldn't be considering the worst case 
possible under active attack. This is what most everyone that has posted is 
trying to get across to you not that your logging idea isn't a good and useful
step along the road to accountablility, it just isn't sufficient when combined
with syslog.

Peter Van Epp / Operations and Technical Support 
Simon Fraser University, Burnaby, B.C. Canada