> Section 5.1:
>
> Worse than malicious attacks, it's impossible to effectively use a syslog
> collator.
>
> Here at Counterpane, we provide a security monitoring service. Among the
> things we watch is syslog. Some of our customers already send syslog
> messages to a central collator, and it's trivial for that collator to send
> them on to us. However, when this happens, the messages lose source
> information. When we learn of a problem, we know that the problem comes
> from the collator, but not the system that is actually having the problem.
> This is far more serious a lack than the possibility of malicious exploit
> -- even in a network where everyone is a friend we can't tell where a
> problem is coming from!
Yes, it's a real problem, and let me suggest the solution that syslog-ng
currently uses. The hostname part is not a single hostname, but a chain of
hostnames, containing each hop. When a message is received, the host which
it was received from is added to the chain:
Jul 21 10:17:53 src@tudor/tudor sendmail[17147]: KAA17146: \
[EMAIL PROTECTED], delay=00:00:00, xdelay=00:00:00, mailer=esmtp, \
relay=balabit.balabit. [XXX.XXX.XXX.XXX], stat=Sent (KAA11977 Message \
accepted for delivery)
The hostname part is:
src@tudor/tudor
^^^^^^^^^        - originating host (and source name)
          ^^^^^  - received from this host
If this host sent this message on, the name (balabit) is added like:
src@tudor/tudor/balabit
and so on.
> Section 5.5
>
> It's not clear that your objection is that syslog messages are unencrypted,
> or that they're human-readable. I'm not worried about human-readable. If
> they were binary but of a well-defined format (like SNMP traps), they'd
> still be observable. On the other hand, there's a large can of worms with
> encryption, too.
What about auth.* or authpriv.* on Unices? These may also contain valid
passwords (in case someone types her password at the login prompt). Would you
trust syslog to carry these messages through the internet to a central
loghost? On a VPN, maybe. But deploying a VPN is not always feasible.
--
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
url: http://www.balabit.hu/pgpkey.txt
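As an added worked example (my code, not syslog-ng's and not part of the message above), the hop chain described in the reply can be parsed and extended like this. The BSD-style header layout, the sample lines and the function names are assumptions made here for illustration:

```python
import re

# Added illustration of the "hostname chain" scheme described in the reply;
# this is not syslog-ng's implementation. Assumed header layout (BSD style):
#   "Mon DD hh:mm:ss HOSTFIELD rest-of-message"
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$"
)


def parse_header(line):
    """Return (timestamp, hostfield, rest); raise ValueError on a malformed line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a BSD-style syslog line: %r" % line)
    return m.group("timestamp"), m.group("host"), m.group("rest")


def parse_chain(hostfield):
    """Split a hop chain such as "src@tudor/tudor/balabit".

    Returns (origin_host, source_name, hops):
      origin_host  first element with any "name@" source prefix removed
      source_name  the part before '@' in the first element, or None
      hops         hosts the message was received from, oldest first
    A plain hostname ("tudor") parses as that origin with no hops.
    """
    parts = hostfield.split("/")
    source_name = None
    origin = parts[0]
    if "@" in origin:
        source_name, origin = origin.split("@", 1)
    return origin, source_name, parts[1:]


def add_hop(line, received_from):
    """Rewrite LINE the way a receiving host would: append the name of the
    host it got the message from to the chain, leaving the rest untouched."""
    if "/" in received_from or " " in received_from:
        raise ValueError("hop name must be a single hostname")
    timestamp, hostfield, rest = parse_header(line)
    return "%s %s/%s %s" % (timestamp, hostfield, received_from, rest)


def origin_of(line):
    """The collator's question: which host actually produced this message?"""
    _, hostfield, _ = parse_header(line)
    origin, _, _ = parse_chain(hostfield)
    return origin


# Constructed sample lines (not captured logs): tudor logs locally, then
# balabit forwards the message on and the next hop appends "balabit".
LOCAL_LINE = "Jul 21 10:17:53 src@tudor/tudor sendmail[17147]: KAA17146: stat=Sent"
FORWARDED_LINE = add_hop(LOCAL_LINE, "balabit")

if __name__ == "__main__":
    print(FORWARDED_LINE)
    print("origin:", origin_of(FORWARDED_LINE), "hops:", parse_chain(parse_header(FORWARDED_LINE)[1])[2])
```

Note that each element of the chain is appended by the host that received the message, so the collator can vouch only for the last element it added itself; the earlier elements, including the originating host, arrive from upstream and are exactly as trustworthy as that upstream sender.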