LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 05-28-2003, 01:25 PM   #1
OlRoy
Member
Registered: Dec 2002
Posts: 306

Burn syslog messages in real time?


I was thinking last night that it might be a good idea to burn syslog, Snort, etc. messages to a CD in real time so you can be sure no messages were deleted by a hacker/skiddie. Is it possible to read a CD while having data burned to it? Are there any problems this would create?
Old 05-28-2003, 01:48 PM   #2
tcaptain
LQ Addict
Registered: Jul 2002
Location: Montreal
Distribution: Gentoo 2004 from stage 1 baby!
Posts: 1,403

Well, I know on my CDR you couldn't do it... if data comes in too slow the CD's wasted... but it's not a CD-RW.

Maybe you could do it with a diff command or some sort of script that saves an offset... i.e. you burn every, say, 10 mins (or less) and burn only the difference between your last burn and the current one?
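The "script that saves an offset" idea from this post, written out as an added example (it is not tcaptain's code and not from the thread). Each run copies only the bytes appended to a log since the previous run into a new chunk file and records the new end offset; handing the chunk to mkisofs/cdrecord for the periodic burn is left to the caller. The directory layout (`$CHUNK_DIR` holding an `offset` file and `chunk-*` files) and the function name are assumptions for the example:

```sh
#!/bin/sh
# Added example: incremental log capture by saved byte offset (not from the thread).
# Assumed layout: CHUNK_DIR/offset holds the byte count already captured,
# CHUNK_DIR/chunk-<timestamp>-<from>-<to> holds each slice of new bytes.

# snapshot_new_bytes LOGFILE CHUNK_DIR
# Prints the path of the chunk written, or nothing when there is no new data.
snapshot_new_bytes() {
    log=$1
    dir=$2
    mkdir -p "$dir"
    offset_file="$dir/offset"

    last=0
    [ -f "$offset_file" ] && last=$(cat "$offset_file")
    # tr strips the padding some wc implementations print
    size=$(wc -c < "$log" | tr -d ' ')

    if [ "$size" -lt "$last" ]; then
        # The file got smaller: it was truncated or replaced. That is exactly the
        # kind of event a log-tampering check cares about, so say so and start over
        # from byte 0 so the current contents are still captured.
        echo "WARNING: $log shrank from $last to $size bytes (truncated or rotated?)" >&2
        last=0
    fi

    if [ "$size" -eq "$last" ]; then
        return 0
    fi

    chunk="$dir/chunk-$(date +%Y%m%d%H%M%S)-$last-$size"
    # tail -c +N starts at byte N (1-based), so skip $last bytes by starting at last+1.
    # head -c caps the slice at the size measured above, so bytes the logger appends
    # while we copy are not swallowed into this chunk; they show up in the next run.
    tail -c +$((last + 1)) "$log" | head -c $((size - last)) > "$chunk"
    echo "$size" > "$offset_file"
    echo "$chunk"
}
```

Run it from cron at the interval you want to burn at; because the offset file lives on the same box, an intruder who edits the live log can also edit the offset, so the chunks already on media are what you trust, not the offset bookkeeping.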
Old 05-28-2003, 05:04 PM   #3
unSpawn
Moderator
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Even though the core idea to guard against it is definitely a good one, I agree using a CDR(W) isn't the best option; too many chances the session can be broken by interrupting the dataflow to the recorder.
If you've got good reasons to need it, remote logging to a separate syslog box would be good; if you haven't, then setting the "append-only" attribute would be a good start (chattr +a). Just make sure you unset the bit before log rotation kicks in and set it afterwards.
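The chattr +a advice in this post, with the "unset before rotation, set afterwards" step automated, as an added example (not unSpawn's code and not from the thread). The append-only bit blocks rename and unlink as well as overwrite, so logrotate cannot move the file aside while the bit is set; the stanza below clears it in prerotate and re-applies it in postrotate, which also catches the freshly created empty log. Assumed and not from the page: the log paths, that logrotate with e2fsprogs (chattr/lsattr) is in use on an ext filesystem, and the syslogd pid file location:

```sh
#!/bin/sh
# Added example: logrotate stanza that drops the append-only bit only for the
# rotation window, plus a check that the bit is back afterwards. Paths assumed.

LOGFILES="/var/log/messages /var/log/secure"
SYSLOGD_PID=/var/run/syslogd.pid   # assumed location, adjust for your distribution

# Print a logrotate stanza for $LOGFILES. prerotate clears +a so the files can be
# renamed; postrotate sets it again (on the new empty files) and HUPs syslogd so it
# reopens them. sharedscripts makes the hooks run once for the whole list.
render_logrotate_stanza() {
    cat <<EOF
$LOGFILES {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    sharedscripts
    prerotate
        chattr -a $LOGFILES
    endscript
    postrotate
        chattr +a $LOGFILES
        /bin/kill -HUP \$(cat $SYSLOGD_PID 2>/dev/null) 2>/dev/null || true
    endscript
}
EOF
}

# Return 0 if every file given carries the append-only flag, 1 otherwise.
# lsattr prints the flag field first, e.g. "----a-------- /var/log/messages".
check_append_only() {
    for f in "$@"; do
        flags=$(lsattr "$f" 2>/dev/null | cut -d' ' -f1)
        case "$flags" in
            *a*) ;;
            *) echo "missing append-only bit: $f" >&2; return 1 ;;
        esac
    done
    return 0
}
```

Install the stanza as /etc/logrotate.d/syslog-appendonly (or merge it into the existing syslog entry) and run `check_append_only /var/log/messages /var/log/secure` from a cron job or your Tripwire-style integrity run so you notice if the bit ever stays off. Leave the rotated archives without +a when compress is on: gzip has to unlink the uncompressed copy, which an append-only file forbids. Note that root can simply run `chattr -a` itself, so this raises the bar against sloppy cleanup rather than against a full root compromise; the remote syslog box mentioned in the same post (a `*.* @loghost` line in syslog.conf on the client) is what covers that case.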
Old 05-28-2003, 07:06 PM   #4
OlRoy
Member
Registered: Dec 2002
Posts: 306

Original Poster
If it is a remote syslog server, would that decrease the chances of the session being interrupted, since it only has one task to do (excluding cron tasks like Tripwire)? How would I be able to tell if a burner supports burning small amounts of data in real time slowly?

Logging remotely would increase my trust of the logs but only slightly. I would have at least syslog and ssh services that could be exploited, which would make it fairly vulnerable. I'd have a hard time trusting any logs unless it was impossible for the entries to be deleted. If I can't trust logs relating to security they seem to be useless... or maybe I'm just paranoid. It might not be possible now, but it should be. It's extremely important to have logs and it's a common thing for hackers to edit them, yet no one's working on creating a simple solution to prevent it. :/ I would, but I don't know anything about how CDRs work.

Last edited by OlRoy; 05-28-2003 at 07:09 PM.