RE: [PATCH] mod_log_forensic security considerations

2012-06-08 Thread Plüm, Rüdiger, Vodafone Group
-Original Message- From: Daniel Ruggeri Sent: Friday, 8 June 2012 00:16 To: dev@httpd.apache.org Subject: Re: [PATCH] mod_log_forensic security considerations On 6/7/2012 3:11 PM, Stefan Fritsch wrote: On Thursday 07 June 2012, Eric Covener wrote: On Wed, Jun 6, 2012 at 9

Re: [PATCH] mod_log_forensic security considerations

2012-06-08 Thread Daniel Gruno
On 06/08/2012 12:13 PM, Graham Leggett wrote: On 08 Jun 2012, at 12:16 AM, Daniel Ruggeri wrote: I share William's concern that this makes mod_forensic potentially less useful. Maybe making the forensic log mode 600 by default would be a better idea? Agreed as well. This module isn't

Re: [PATCH] mod_log_forensic security considerations

2012-06-08 Thread Joe Schaefer
- Original Message - From: Daniel Gruno rum...@cord.dk To: dev@httpd.apache.org Cc: Sent: Friday, June 8, 2012 6:24 AM Subject: Re: [PATCH] mod_log_forensic security considerations On 06/08/2012 12:13 PM, Graham Leggett wrote: On 08 Jun 2012, at 12:16 AM, Daniel Ruggeri wrote

Re: [PATCH] mod_log_forensic security considerations

2012-06-08 Thread Daniel Gruno
On 06/08/2012 05:45 PM, Joe Schaefer wrote: Well not quite, we'd still have had a problem with storing and archiving those logs even if we hadn't made them available to committers, because they violate our password retention policies. My point was, that it should fall upon us to add a filter

Re: [PATCH] mod_log_forensic security considerations

2012-06-08 Thread Graham Leggett
On 08 Jun 2012, at 5:45 PM, Joe Schaefer wrote: Well not quite, we'd still have had a problem with storing and archiving those logs even if we hadn't made them available to committers, because they violate our password retention policies. Can you clarify if possible what purpose you were

Re: [PATCH] mod_log_forensic security considerations

2012-06-08 Thread Joe Schaefer
Sent: Friday, June 8, 2012 12:51 PM Subject: Re: [PATCH] mod_log_forensic security considerations On 08 Jun 2012, at 5:45 PM, Joe Schaefer wrote: Well not quite, we'd still have had a problem with storing and archiving those logs even if we hadn't made them available to committers

Re: [PATCH] mod_log_forensic security considerations

2012-06-08 Thread Jim Riggs
On Jun 8, 2012, at 11:51 AM, Graham Leggett wrote: On 08 Jun 2012, at 5:45 PM, Joe Schaefer wrote: Well not quite, we'd still have had a problem with storing and archiving those logs even if we hadn't made them available to committers, because they violate our password retention policies.

Re: [PATCH] mod_log_forensic security considerations

2012-06-08 Thread Daniel Ruggeri
On 6/8/2012 12:52 PM, Jim Riggs wrote: Having the forensic logs available has proven extremely helpful in this scenario. Might the full, unfiltered forensic data be valuable? Yes, but I don't believe the security risk is worth it in my situation. The rare case where an Authorization header

Re: [PATCH] mod_log_forensic security considerations

2012-06-08 Thread Graham Leggett
On 08 Jun 2012, at 7:22 PM, Joe Schaefer wrote: For several years Graham those logs were rather valuable in tracking down segfaulting svn requests. Security releases were made as a result of some of those reports to the Subversion project. I'm sure they were, that's exactly what the

Re: [PATCH] mod_log_forensic security considerations

2012-06-08 Thread William A. Rowe Jr.
On 6/8/2012 10:55 AM, Daniel Gruno wrote: On 06/08/2012 05:45 PM, Joe Schaefer wrote: Well not quite, we'd still have had a problem with storing and archiving those logs even if we hadn't made them available to committers, because they violate our password retention policies. My point was,

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Jeff Trawick
On Thu, Jun 7, 2012 at 2:18 PM, William A. Rowe Jr. wr...@rowe-clan.net wrote: On 6/6/2012 2:46 PM, Jeff Trawick wrote: On Tue, May 29, 2012 at 1:36 PM, Daniel Shahaf d...@daniel.shahaf.name wrote: Perhaps it would be a useful feature to allow excluding those headers from being logged, too.

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread William A. Rowe Jr.
On 6/7/2012 1:56 PM, Jeff Trawick wrote: On Thu, Jun 7, 2012 at 2:18 PM, William A. Rowe Jr. wr...@rowe-clan.net wrote: On 6/6/2012 2:46 PM, Jeff Trawick wrote: On Tue, May 29, 2012 at 1:36 PM, Daniel Shahaf d...@daniel.shahaf.name wrote: Perhaps it would be a useful feature to allow

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Stefan Fritsch
On Thursday 07 June 2012, Eric Covener wrote: On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick traw...@gmail.com wrote: On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer joe_schae...@yahoo.com wrote: Session cookies sometimes pose a security risk as well. Yeah. That could be any cookie though

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Jeff Trawick
On Thu, Jun 7, 2012 at 4:11 PM, Stefan Fritsch s...@sfritsch.de wrote: On Thursday 07 June 2012, Eric Covener wrote: On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick traw...@gmail.com wrote: On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer joe_schae...@yahoo.com wrote: Session cookies sometimes

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Jim Riggs
On Jun 7, 2012, at 3:11 PM, Stefan Fritsch wrote: I share William's concern that this makes mod_forensic potentially less useful. Maybe making the forensic log mode 600 by default would be a better idea? I have to agree with Jeff. I would rather have a more difficult or even impossible

Re: [PATCH] mod_log_forensic security considerations

2012-06-07 Thread Daniel Ruggeri
On 6/7/2012 3:11 PM, Stefan Fritsch wrote: On Thursday 07 June 2012, Eric Covener wrote: On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick traw...@gmail.com wrote: On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer joe_schae...@yahoo.com wrote: Session cookies sometimes pose a security risk as well.

Re: [PATCH] mod_log_forensic security considerations

2012-06-06 Thread Jeff Trawick
On Tue, May 29, 2012 at 1:36 PM, Daniel Shahaf d...@daniel.shahaf.name wrote: https://blogs.apache.org/infra/entry/apache_org_incident_report_for Infra got bit by mod_log_forensic logs including Authorization headers and being world-readable, so in an effort to save someone else from

Re: [PATCH] mod_log_forensic security considerations

2012-06-06 Thread Joe Schaefer
Session cookies sometimes pose a security risk as well. - Original Message - From: Jeff Trawick traw...@gmail.com To: d...@httpd.apache.org; dev@httpd.apache.org Cc: Sent: Wednesday, June 6, 2012 3:46 PM Subject: Re: [PATCH] mod_log_forensic security considerations On Tue, May

Re: [PATCH] mod_log_forensic security considerations

2012-06-06 Thread Jeff Trawick
Authorization headers, but that it should still be opt-in. Thoughts, anyone? - Original Message - From: Jeff Trawick traw...@gmail.com To: d...@httpd.apache.org; dev@httpd.apache.org Cc: Sent: Wednesday, June 6, 2012 3:46 PM Subject: Re: [PATCH] mod_log_forensic security

Re: [PATCH] mod_log_forensic security considerations

2012-06-06 Thread Eric Covener
On Wed, Jun 6, 2012 at 9:15 PM, Jeff Trawick traw...@gmail.com wrote: On Wed, Jun 6, 2012 at 3:49 PM, Joe Schaefer joe_schae...@yahoo.com wrote: Session cookies sometimes pose a security risk as well. Yeah.  That could be any cookie though although there are a few very common defaults :(  My