> It seems to me that (a) might be useful in some
> environments, though it seems kind of wasteful. I
> can't think of a situation where (b) would make much
> sense; why make the sysadmin go to two different
> machines in order to read a single log?

You're assuming there's only one person looking at
the logs. In our environment we may have very
sensitive data in some of our logs. Therefore we
keep the logs for different applications separated
as well as separating the application logs from the
real "system" logs. Not necessarily on different
machines, but at least in different files with
different permissions.

>> o In 2.2.d (Key blob types), do you think PGP,
>> SSH1 and SSH2 types should be added? In theory
>> they can be covered by conversion to type 'F', but
>> they're awfully popular.
>
> I'm not sure what the best thing to do here is.
> It seems like the signing keys for each syslog
> device ought to be unique signing keys not used
> for anything else. And that the simplest,
> lowest-overhead implementation is for the
> sysadmin to keep track of the public keys
> for each device, and just use the certificate
> blocks sending key fingerprints to check for
> something that shouldn't ever happen. (If one
> of your devices changes keys without your
> knowledge, it's probably something you'd like
> to know about.)

I wasn't so much thinking of reusing your PGP key
or SSH key as reusing the tools that generate them.
I guess a simple PERL script that converts from
one of these formats to the native syslog-sign
format would work equally well, though.

>> o What does the stuff look like to specify
>> the session ID in a log message?
>
> I assumed the superincreasing session ID requirement
> here,

OK, so you're assuming this is on top of syslog-auth.
I have no problem with that, but just wanted to be
sure.

BTW, I just finished reading the syslog-auth tome,
and I'm very puzzled about one thing... Why have
both syslog-sign and the Storage-MAC block in
syslog-auth? Seems like the latter is pretty weak
compared to the former.
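
An added example, not part of the original message or of the syslog-sign draft: the bookkeeping suggested in the quoted reply above, where the sysadmin records each device's key fingerprint and flags any announcement that differs. The device names, key blobs and the use of SHA-256 over the raw key blob as the fingerprint are assumptions constructed for the illustration.

```python
import hashlib


def fingerprint(key_blob: bytes) -> str:
    """Assumed fingerprint format: hex SHA-256 over the raw public-key blob."""
    return hashlib.sha256(key_blob).hexdigest()


def check_announcements(pinned, announcements):
    """Compare announced key fingerprints against the sysadmin's pinned list.

    pinned:        dict of device name -> fingerprint recorded out of band
    announcements: iterable of (device, fingerprint) pairs, as they would be
                   extracted from received certificate blocks
    Returns a list of (device, status) findings, each reported once:
      "key-changed"     device announced a key other than the pinned one
      "unknown-device"  announcement from a device with no pin on file
      "no-announcement" pinned device that never announced a key
    """
    findings = []
    seen = set()
    for device, announced in announcements:
        seen.add(device)
        expected = pinned.get(device)
        if expected is None:
            status = "unknown-device"
        elif announced != expected:
            status = "key-changed"
        else:
            continue  # matches the pin, nothing to report
        if (device, status) not in findings:
            findings.append((device, status))
    for device in sorted(set(pinned) - seen):
        findings.append((device, "no-announcement"))
    return findings


# Constructed sample data: three pinned devices, four announcements.
PINNED = {
    "router1": fingerprint(b"constructed key A"),
    "fw1": fingerprint(b"constructed key B"),
    "db1": fingerprint(b"constructed key C"),
}
ANNOUNCEMENTS = [
    ("router1", fingerprint(b"constructed key A")),   # unchanged
    ("fw1", fingerprint(b"constructed key X")),       # differs from pin
    ("fw1", fingerprint(b"constructed key X")),       # repeat, reported once
    ("printer9", fingerprint(b"constructed key D")),  # never pinned
]

if __name__ == "__main__":
    for device, status in check_announcements(PINNED, ANNOUNCEMENTS):
        print(f"{device}: {status}")
```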