Hi,

in most configurations you will find a directive like

> *.emerg action(
>     type="omusrmsg"
>     Users="*"
> )

or

> *.alert action(
>     type="omusrmsg"
>     Users="root"
>     Users="operator"
> )

Now I wanted to see whether it is possible, as a user, to keep the administrator (root) from doing their job. So I ran

$ logger -p local0.alert -t flood-test I am flooding root

as a user in a loop.

The messages appeared as expected in root's terminal, so root was unable to do anything. The messages appeared as coming from "syslogd". Also, "# mesg n" as root didn't stop that.

As I learned today, "$RepeatedMsgReduction = on" just before the omusrmsg actions wouldn't help when the "attacker" uses logger.

How should one react to this issue when it happens? Stopping (r)syslog is not an option, because this will stop logging (this is what an attacker would want... doing something which won't be logged).

And this doesn't need to be an attack at all. Think about a RAID monitoring tool which goes crazy when your RAID is degraded...

I have the feeling that I am missing something. If not, the usage of "omusrmsg" shouldn't be recommended, should it?

-Thomas

_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE THAT.
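
One way to bound the terminal flood described in the message above without losing any log data, as an added example that is not part of the original post or the rsyslog project's own configuration. It uses rsyslog's `action.execOnlyOnceEveryInterval` action parameter; the file path and the 60-second interval are constructed values.

```rsyslog
# Constructed example: path and interval are assumptions, adjust to the site.

# 1) Full record. Every alert-or-higher message is written to a file,
#    independent of what is shown on any terminal. Nothing is dropped here,
#    so a flood cannot be used to hide other activity from the log.
*.alert action(
    type="omfile"
    file="/var/log/alert.log"
)

# 2) Terminal notification, throttled. root is still told that something
#    at alert level happened, but this action runs at most once per
#    60 seconds. Messages arriving inside the interval are skipped for
#    this action only; action (1) above still records them.
*.alert action(
    type="omusrmsg"
    Users="root"
    action.execOnlyOnceEveryInterval="60"
)
```

The throttle is blind to content: during a flood, the one message that reaches the terminal in each interval may be the noise rather than a genuine alert, so the file written by the first action is the place to review what actually arrived.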

