Package: logcheck
Version: 1.2.41

Problem: Logcheck tries to detect whether a log file has been rotated or not by
looking at the file size.


Possible attack:

- current log file (sizeA)
- run logcheck, (logcheck/logtail put inode in offsetfile), offset=sizeA
- [attacker run attack 1]
- run logrotate
- [attacker run attack 2]
- run logcheck: it may not detect the rotation and may not check the log for
  the duration of attack 1.

attack 1: The real attack; its log entries will not be checked by logcheck if
attack 2 runs successfully.
attack 2 goal: grow the log file as much as possible, so that its size becomes
larger than the last checked offset.



The problem is here, at line 397:

395:    offsetfile="$STATEDIR/offset$(echo $file | tr / .)"
396:    if [ -s "$offsetfile" -a -r "$offsetfile" ]; then
397:        if [[ $(wc -c < "$file") -lt $(tail -n 1  "$offsetfile") ]]; then
398:            # assume the log is rotated by savelog(8)
399:            # syslog-ng leaves old files here
400:            if [ -e "$file.0" -a "$file.0" -nt "$file.1.gz" ]; then
401:                debug "Running logtail on rotated: $file.0"
402:                $LOGTAIL -f "$file.0" -o "$offsetfile" $LOGTAIL_OPTS > \
403:                    $TMPDIR/logoutput/$(basename "$file") 2>&1 \
404:                    || error "Could not run logtail or save output"
405:                rm -f "$offsetfile" \
406:                    || error "Could not remove $offsetfile"
407:            # assume the log is rotated by logrotate(8)
408:            # should also probably check if file is still fresh
409:            elif [ -e "$file.1" ]; then
410:                debug "Running logtail on rotated: $file.1"
411:                $LOGTAIL -f "$file.1" -o "$offsetfile" $LOGTAIL_OPTS > \
412:                    $TMPDIR/logoutput/$(basename "$file") 2>&1 \
413:                    || error "Could not run logtail or save output"
414:                rm -f "$offsetfile" \
415:                    || error "Could not remove $offsetfile"
416:            fi
417:        fi


My proposed Fix:

-       if [[ $(wc -c < "$file") -lt $(tail -n 1  "$offsetfile") ]]; then

+       INODEOFFSET=$(head -n 1 < $offsetfile)
+       #INODEFILE=$(ls -id $file) ;# not run with symlink.
+       INODEFILE=$(find $file -follow -printf "%i")
+       if [[ $INODEFILE -eq $INODEOFFSET ]]; then
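Review bot: the replacement test `if [[ $INODEFILE -eq $INODEOFFSET ]]; then` looks inverted. This `if` guards the rotated-log branch (lines 400-416 run logtail on `$file.0` or `$file.1` and then delete the offset file), so it must fire when the inode has changed, i.e. `-ne`; with `-eq` every ordinary, unrotated run would re-read the old rotated file and discard the offset. Consider also keeping the original size comparison as a second condition (inode differs, or size below the stored offset), because a rotation that truncates the file in place, such as logrotate's copytruncate option, keeps the same inode and would be missed by the inode test alone. Two smaller points: `$file` and `$offsetfile` should be quoted in the `head` and `find` calls, as the surrounding script does, and `head -n 1` assumes the inode is the first line of the offset file, which matches the `tail -n 1` used for the offset but is worth stating in a comment.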


This problem seems similar to bug #195935.

Best Regards,

TsT
-- 
www.letsgozik.com


_______________________________________________
Logcheck-devel mailing list
[EMAIL PROTECTED]
http://lists.alioth.debian.org/mailman/listinfo/logcheck-devel
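As an added example (not from the report above and not logcheck's own code), the check below combines the inode comparison proposed in the report with the original size test, and replays the report's scenario against a scratch log to show which check catches the rotation. The offset-file layout (inode on line 1, byte offset on line 2) and the `ls -iL` inode lookup are assumptions made here.

```shell
#!/bin/sh
# Added example, not logcheck's code: rotation detection that compares the
# inode stored in the offset file and keeps the size test as a fallback, so
# neither a regrown log (this report) nor an in-place truncation is missed.
# Assumed offset-file layout: line 1 = inode, line 2 = byte offset.

# Print the inode of $1, following symlinks (-L) like the find -follow above.
inode_of() {
    ls -iL "$1" | awk '{print $1}'
}

# Record inode and current size of log $1 into offset file $2.
save_offset() {
    printf '%s\n%s\n' "$(inode_of "$1")" "$(wc -c < "$1" | tr -d ' ')" > "$2"
}

# Return 0 if log $1 was rotated since offset file $2 was written, else 1.
log_rotated() {
    file=$1; offsetfile=$2
    [ -s "$offsetfile" ] || return 1
    inode_old=$(head -n 1 "$offsetfile")
    offset_old=$(tail -n 1 "$offsetfile")
    inode_now=$(inode_of "$file")
    size_now=$(wc -c < "$file" | tr -d ' ')
    # Different inode: the file was renamed away and recreated (mv-style rotation).
    [ "$inode_now" -ne "$inode_old" ] && return 0
    # Same inode but shorter than the saved offset: truncated in place.
    [ "$size_now" -lt "$offset_old" ] && return 0
    return 1
}

# Replay the report's scenario in a scratch directory. Returns 0 when the
# inode-aware check sees the rotation that the size-only check misses.
demo() {
    d=$(mktemp -d); log=$d/app.log; off=$d/offset
    printf 'boot ok\n' > "$log"
    save_offset "$log" "$off"              # logcheck run: offset = sizeA
    printf 'entry before rotation\n' >> "$log"   # the lines that must be checked
    mv "$log" "$log.1"; : > "$log"         # logrotate: rename, fresh file
    head -c 4096 /dev/zero >> "$log"       # new file grown past sizeA
    size_now=$(wc -c < "$log" | tr -d ' ')
    size_only=$([ "$size_now" -lt "$(tail -n 1 "$off")" ] && echo rotated || echo missed)
    inode_aware=$(log_rotated "$log" "$off" && echo rotated || echo missed)
    rm -rf "$d"
    echo "size-only: $size_only, inode-aware: $inode_aware"
    [ "$size_only" = missed ] && [ "$inode_aware" = rotated ]
}
```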
