Hari Sekhon wrote:
> One example in which it can be safely done is if you are limiting your
> variable to the hostname for the log and you use keep_hostname(no) in
> syslog-ng or equivalent logserver software, which should guarantee it is
> a correct IP address or hostname (assuming your DNS isn't
> compromised/intercepted if using that to resolve the hostname - another
> potential threat).

The issue with this is that it is trivial to craft spoofed UDP/514 packets.

> Otherwise, pretty much the entire rest of the log is vulnerable to
> tampering through manual network insertion of logs into the logserver
> since it has to accept logs from the network being a logserver.

Also, creating a more tamper-resistant logging environment may provide a little more safety. Enabling SSL-based tunnels for syslog[1] or signing all syslog messages[2] can help with this goal. But that only protects from network attacks. Malicious local users or poorly written programs can still inject syslog messages via logger or other local mechanisms. Which brings us back to trying to solve the problem by limiting what we do with the information we are provided or sanitizing it (and possibly diminishing the usefulness of the original information).

[1] SSL Encrypting Syslog via Stunnel: http://librenix.com/?inode=7126
[2] Signed syslog Messages: http://www.ietf.org/internet-drafts/draft-ietf-syslog-sign-23.txt

--
| David Vasil <[EMAIL PROTECTED]>
| Oak Ridge National Laboratory NCCS Division
| High Performance Computing Systems Administrator
| Bldg: 5600-D219 Phone: (865)241-5562
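An added example, not part of the original message or of SEC: one way to limit what is done with the hostname field, by accepting only a plain IP address or RFC 1123 hostname and passing it to the response command as a list argument with no shell involved. The BSD syslog line layout, the sample lines and the `/usr/local/bin/block-host` script are assumptions made for illustration.

```python
import ipaddress
import re

# One RFC 1123 label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def safe_host(value):
    """Return a normalised host if value is an IP address or hostname, else None."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    labels = value.split(".")
    if len(value) > 253 or labels[-1].isdigit():
        return None  # too long, or looks like a malformed IP address
    if all(_LABEL.fullmatch(label) for label in labels):
        return value.lower()
    return None

def host_field(line):
    """Extract HOST from an assumed 'Mmm dd hh:mm:ss HOST tag: msg' layout."""
    parts = line.split(None, 4)
    return parts[3] if len(parts) == 5 else None

def build_action(line):
    """Return argv for the hypothetical response script, or None to drop the event.

    Validation only constrains what the value can contain. It does not prove
    the message came from that host: spoofed UDP or a local logger call can
    still supply a well-formed hostname.
    """
    host = safe_host(host_field(line) or "")
    if host is None:
        return None
    # List argv, never a shell string, so the value cannot add commands.
    return ["/usr/local/bin/block-host", "--", host]

# Constructed sample lines; the last two carry shell metacharacters in HOST.
SAMPLES = [
    "Aug 12 10:00:01 web01.example.org sshd[411]: Failed password for root",
    "Aug 12 10:00:02 10.0.0.5 sshd[412]: Failed password for root",
    "Aug 12 10:00:03 web01;id sshd[413]: Failed password for root",
    "Aug 12 10:00:04 $(hostname) sshd[414]: Failed password for root",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(build_action(sample))
```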