On Tue, 9 Apr 2013, Igor Sverkos wrote:

> Josh Bitto wrote:
>>> How do you deal with scenarios like someone's sensitive data you
>>> are definitely not allowed to log and store become part of the
>>> history? Are you prepared to remove these data?
>>
>> What sensitive data are you referring to? It logs command line
>> input.
>
> Right. An application which supports logging will log prepared data
> (=chances are high that sensitive data are removed/masked). A command
> line gets unfiltered raw input.
>
> For example you can connect to your mysqld via
>
> # mysql -h foo -u myuser -p
>
> and you will be prompted for myuser's password. But you can also pass
> the password to the command:
>
> # mysql -h foo -u myuser -pmysecretpasswordisnowinthelogs
>
> Now your mysql password for the user "myuser" is in the logs.
>
> Maybe that's not a problem at first view, but people tend to keep their
> logs unprotected, at least less protected. So when someone gets access to
> your logs (you compressed your log files, put the archive in your htdocs
> folder to grab it from another machine and you forget to remove..., now
> somebody found the file), you may have more problems than if you had
> not logged the command.
>
> Please, don't get me wrong. I don't say you should not log shell
> histories. You just asked for opinions and I want to share some issues I
> think you should be aware of when you want to do that. That's all :)

This is a good point, but you are missing the fact that you are already logging
passwords.
You are logging failed login attempts, right?
I guarantee you that at some point a user will get out of sync with the login
prompt and type their password into the userid field, and therefore you will have
that user's password in the logs (usually followed almost immediately by the
userid as the user realizes their mistake and logs in correctly).
So you really need to be protecting your log data and/or implement something
better than simple password authentication.
David Lang
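The mysql example in the thread shows one concrete way a secret lands in a
logged command line: the password is glued to "-p" instead of being entered
at the prompt. The following is an added illustration, not code from this
thread or from the rsyslog project, of a masking filter that a history logger
could run over each command line before it is shipped to syslog. The rules
(the mysql "-p<secret>" form, "--password=" style long options, curl-style
"-u user:secret", and "NAME_PASSWORD=..." environment assignments) and the
sample history are constructed for the example; they are illustrative, not
an exhaustive catalogue, and the program name check for "-p" is an assumption
made here to avoid masking unrelated flags such as "ls -p".

```python
import os
import re

REDACTED = "<REDACTED>"

# Constructed rule set: each entry matches one well-known way of putting a
# secret on a command line. Extend it for the tools used in your environment.

# mysql family: "-p<secret>" glued to the flag. A bare "-p" (which prompts for
# the password) is left alone because \S+ requires at least one character.
_MYSQL_CLIENTS = {"mysql", "mysqladmin", "mysqldump", "mysqlcheck", "mysqlimport"}
_MYSQL_SHORT_P = re.compile(r"(\s-p)(\S+)")

_GENERIC_RULES = [
    # --password=<secret>, --token=<secret>, ... for any program
    (re.compile(r"(--(?:password|passwd|pass|token|secret)=)(\S+)", re.IGNORECASE),
     r"\1" + REDACTED),
    # curl/wget style "-u user:<secret>"
    (re.compile(r"(\s-u\s+[^:\s]+:)(\S+)"), r"\1" + REDACTED),
    # secrets handed over as environment assignments: MYSQL_PWD=..., FOO_PASSWORD=...
    (re.compile(r"(\b[A-Z_]*(?:PASSWORD|PASSWD|PWD|SECRET|TOKEN)=)(\S+)"),
     r"\1" + REDACTED),
]

_ENV_ASSIGNMENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def _program_name(cmd: str) -> str:
    """Basename of the first token that is not a leading VAR=value assignment."""
    for token in cmd.split():
        if not _ENV_ASSIGNMENT.match(token):
            return os.path.basename(token)
    return ""


def redact_command_line(cmd: str) -> str:
    """Mask secrets in one shell command line before it is written to a log."""
    out = cmd
    # The glued "-p" form is only masked for the mysql clients (assumption made
    # here), so that e.g. "ls -pla" keeps its real flags.
    if _program_name(cmd) in _MYSQL_CLIENTS:
        out = _MYSQL_SHORT_P.sub(r"\1" + REDACTED, out)
    for pattern, replacement in _GENERIC_RULES:
        out = pattern.sub(replacement, out)
    return out


def redact_history_records(records):
    """Apply redact_command_line to (user, command) pairs.

    Returns the cleaned pairs plus the number of commands that were changed,
    which is a useful metric for how often secrets reach the history logger.
    """
    cleaned = []
    changed = 0
    for user, cmd in records:
        masked = redact_command_line(cmd)
        if masked != cmd:
            changed += 1
        cleaned.append((user, masked))
    return cleaned, changed


if __name__ == "__main__":
    # Constructed sample history, mirroring the mysql example from the thread.
    sample = [
        ("alice", "mysql -h foo -u myuser -p"),
        ("alice", "mysql -h foo -u myuser -pmysecretpasswordisnowinthelogs"),
        ("bob", "mysqldump --password=hunter2 shop > shop.sql"),
        ("bob", "MYSQL_PWD=hunter2 mysql -u root shop"),
        ("carol", "curl -u carol:s3cr3t https://api.example.invalid/"),
        ("carol", "ls -pla /var/log"),
    ]
    cleaned, changed = redact_history_records(sample)
    for user, cmd in cleaned:
        print(f"{user}: {cmd}")
    print(f"{changed} of {len(sample)} commands contained a masked secret")
```

A filter like this only catches secrets that follow a recognizable pattern;
the mistyped-password-in-the-userid-field case from the reply above has no
such pattern, which is why protecting the log store itself remains necessary.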
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.