Kid Pogi wrote:
> "fooler" <[EMAIL PROTECTED]> wrote:
>
> >Fritz Mesedilla wrote:
> >
> >> Greetings!
> >>
> >> I hope someone can help me. I wish to know how to configure a SECURE REMOTE
> >> LOGGING host.
> >>
> >> I'm currently using Red Hat Linux 7.0 and Apache 1.3.19. Please advise on
> >> what things are needed and what I have to do.
> >>
> >
> >the most important thing on your syslog server is your log files. it's up to you how
> >you protect your log files even if
> >your syslog server is compromised.
>
> Nope. If your log server is compromised (rooted), it's game over for you. No amount of
> "log files protection" will help you. The best approach, AFAIK, is to _prevent_ your
> loghost from being compromised. Easier said than done, I know.
Are you sure about that, Kid Pogi? I didn't say what specific OS to use... Did you
try OpenBSD's or FreeBSD's *SECURELEVEL* feature? Even *ROOT* cannot delete or
modify the files if you change the file flags to SCHG or SAPPND
only. Let me cut and paste what the man page says about the securelevel:
    The kernel runs with four different levels of security. Any super-user
    process can raise the security level, but no process can lower it. The
    security levels are:

    -1  Permanently insecure mode - always run the system in level 0 mode.
        This is the default initial value.

     0  Insecure mode - immutable and append-only flags may be turned off.
        All devices may be read or written subject to their permissions.

     1  Secure mode - the system immutable and system append-only flags may
        not be turned off; disks for mounted filesystems, /dev/mem, and
        /dev/kmem may not be opened for writing.

     2  Highly secure mode - same as secure mode, plus disks may not be
        opened for writing (except by mount(2)) whether mounted or not.
        This level precludes tampering with filesystems by unmounting them,
        but also inhibits running newfs(8) while the system is multi-user.
        In addition, kernel time changes are restricted to less than or
        equal to one second. Attempts to change the time by more than this
        will log the message ``Time adjustment clamped to +1 second''.

     3  Network secure mode - same as highly secure mode, plus IP packet
        filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and
        dummynet(4) configuration cannot be adjusted.
Take note that even the IP firewall cannot be modified, aside from files, if your
securelevel is 3. Take note also of the words IMMUTABLE and APPEND ONLY.
Linux has third-party patches that support what the FreeBSD or OpenBSD feature has,
but every time there is a new kernel you have to wait for them to release their new
patch, unlike FreeBSD or OpenBSD, where it's already integrated in their
kernel.
As I said, it depends on how you protect your log files. There are lots of ways to
protect your log files even if your syslog server is compromised and its OS has
no features like FreeBSD or OpenBSD have. One of the best ways to
approach it is to implement WORM (write once, read many). Examples of WORM media on
which your logs can be recorded are CD-R, a printer, etc., but this is too expensive
to implement, and you'll notice that I used FreeBSD and not Linux to
secure my syslog server simply because that's the cheapest way to do it.
Is it game over?
fooler.
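The setup fooler describes, as an added example that is not from the thread: put the system append-only flag on the loghost's log files and raise the securelevel so that even root cannot clear the flag, then audit that both conditions actually hold. It assumes a FreeBSD-style chflags(1), the kern.securelevel sysctl, that `ls -lo` prints the flags in the fifth column, and a hypothetical remote-syslog file /var/log/remote.log.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes FreeBSD/OpenBSD
# chflags(1), sysctl kern.securelevel, and 'ls -lo' showing flags in
# column 5. /var/log/remote.log is a hypothetical remote-syslog target.

LOGFILES="${LOGFILES:-/var/log/messages /var/log/remote.log}"

# Decide whether a log is really protected, given the kernel securelevel
# and the flag string from 'ls -lo' (e.g. "sappnd", "schg,sappnd", "-").
# Pure function: flags alone mean nothing at level 0 or -1, where root
# can simply clear them again, so both conditions are required.
log_is_protected() {
    level="$1"; flags="$2"
    [ "$level" -ge 1 ] || return 1
    case ",$flags," in
        *,sappnd,*|*,schg,*) return 0 ;;   # system append-only / immutable
        *) return 1 ;;
    esac
}

# syslogd only ever appends, so sappnd is enough and the file stays
# writable for new records. Caveat: at securelevel >= 1 newsyslog(8) can
# no longer rotate these files, so plan rotation for single-user mode.
protect_logs() {
    for f in $LOGFILES; do
        [ -e "$f" ] || touch "$f"
        chflags sappnd "$f"
    done
}

# Raising the level at runtime is allowed; lowering it is not. Persist it
# with kern_securelevel_enable="YES" and kern_securelevel="2" in rc.conf.
raise_securelevel() {
    sysctl kern.securelevel="${1:-2}"
}

# Audit: report any log that root could still truncate or edit.
audit_logs() {
    level=$(sysctl -n kern.securelevel)
    rc=0
    for f in $LOGFILES; do
        flags=$(ls -lo "$f" | awk '{print $5}')
        if log_is_protected "$level" "$flags"; then
            echo "ok   $f (flags=$flags securelevel=$level)"
        else
            echo "WEAK $f (flags=$flags securelevel=$level)"; rc=1
        fi
    done
    return $rc
}

case "${1:-}" in protect) protect_logs ;; raise) raise_securelevel "$2" ;; audit) audit_logs ;; esac
```

Run it as `sh loghost.sh protect`, then `sh loghost.sh raise 2`, and `sh loghost.sh audit` afterwards (or from cron) to confirm nothing has been reverted.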
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph