"fooler" <[EMAIL PROTECTED]> wrote:
> Kid Pogi wrote:
>
>> "fooler" <[EMAIL PROTECTED]> wrote:
>>
>>> Fritz Mesedilla wrote:
>>>
>>>> Greetings!
>>>>
>>>> I hope someone can help me. I wish to know how to configure a SECURE REMOTE
>>>> LOGGING host.
>>>>
>>>> I'm currently using Red Hat Linux 7.0 and Apache 1.3.19. Please advise on
>>>> what things are needed and what I have to do.
>>>>
>>>
>>> The most important thing on your syslog server is your log files. It's up to you
>>> how you protect your log files even if your syslog server is being compromised.
>>
>> Nope. If your log server is compromised (rooted), it's game over for you. No amount of
>> "log files protection" will help you. The best approach, AFAIK, is to _prevent_ your
>> loghost from being compromised. Easier said than done, I know.
>
> Are you sure about that, Kid Pogi? I didn't say what specific OS to use...

Yup, I'm sure. You didn't mention a specific OS, but the original poster did: Red Hat Linux 7.0. Suggestions which would be unimplementable on that OS would be pretty much useless to him, right?

> Did you try the OpenBSD or FreeBSD *SECURELEVEL* feature? Even *ROOT*

No, I haven't tried *BSD. I've been looking for installation CDs for it, but so far no luck. Do you have any suggestions?

> cannot delete nor modify the files if you change the file flags to SCHG
> or SAPPND only. Let me cut and paste what the man page says about the
> securelevel:

Not sure for a BSD system, but on a Linux system, if root can set the immutable or append-only flags, he can, _necessarily_, _unset_ them.

<snipped, probably OT and not applicable to a _loghost_>

> Take note that even the IP firewall cannot be modified, aside from files, if
> your securelevel is 3. Take note also of the words IMMUTABLE and APPEND ONLY.

Your point being?

> Linux has a third-party patch that supports what the FreeBSD or OpenBSD
> feature has, but every time there is a new kernel you have to wait for
> them to release their new patch, unlike FreeBSD or OpenBSD, where it's already
> integrated in the kernel.
>
> As I said, it depends on how you protect your log files. There are lots of
> ways to protect your log files even if your syslog server is being
> compromised and its OS has no features like FreeBSD or OpenBSD have. One
> of the best ways to approach it is to implement WORM (write once read many).
> Examples of WORM on which your logs can be recorded are the CD-R,
> printer, etc. But this is too expensive to implement, and you notice that I
> used FreeBSD and not Linux to secure my syslog server simply because that's
> the cheapest way to do it.

Protecting the log files and protecting the _printout_ or _copy_ of the log files are totally different matters to my understanding. If you were referring to both as being the same, then this discussion is probably pointless.

> Is it game over?

Why do I have this feeling that it's not?

Regards,
abramos

_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
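A defender-side check prompted by the immutable/append-only exchange above, added here as an example and not code from either poster: it audits lsattr(1)-style output for log files that lack the Linux append-only attribute, the ext2/ext3 counterpart of the BSD SAPPND flag. The sample lsattr lines are constructed; on a real loghost the function would be fed `lsattr -d /var/log/*`, and since root can still clear the flag with `chattr -a`, this detects drift rather than preventing tampering.

```shell
#!/bin/sh
# Added example, not from the thread. Each lsattr line is a flag field,
# a space and the path, e.g. "----a---------e------- /var/log/messages";
# 'a' means append-only, 'i' immutable. Root can still run chattr -a,
# so this is a drift check for a loghost, not a guarantee.

# Constructed sample of lsattr output; on a real host: lsattr -d /var/log/*
SAMPLE_LSATTR='----a---------e------- /var/log/messages
--------------e------- /var/log/secure
----ia--------e------- /var/log/auth.log'

# audit_append_only: read lsattr lines from stdin, print each path whose
# flag field lacks 'a'. Returns 0 if every file is append-only, 1 otherwise.
audit_append_only() {
    rc=0
    while read -r flags path; do
        [ -z "$path" ] && continue          # skip blank or malformed lines
        case "$flags" in
            *a*) ;;                         # append-only flag present
            *)   printf '%s\n' "$path"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Run the check against the constructed sample.
if printf '%s\n' "$SAMPLE_LSATTR" | audit_append_only; then
    echo "all listed log files are append-only"
else
    echo "WARNING: the files above are not append-only"
fi
```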
