On any production system you don't want to have the logs go to the users (and
face it, that's just about every multi-user system in use nowadays).
There are two reasons for this.
1. Because of the type of problem you are describing.
2. The vast majority of the time you don't have anyone logged into the system,
so nobody would see the alerts anyway.
What you really need to do is to send all your logs to a central system, and
have that system do your correlation, alerting, etc.
This gives you better protections because you can detect events across multiple
systems, not just what happens to hit a single system. It also lets you put all
your alerting and reporting configuration in one place.
David Lang
On Tue, 6 May 2014, Thomas D. wrote:
Hi,
in most configurations you will find a directive like

    *.emerg action(
        type="omusrmsg"
        Users="*"
    )

or

    *.alert action(
        type="omusrmsg"
        Users="root"
        Users="operator"
    )
Now I wanted to see whether it is possible, as an unprivileged user, to disturb
the administrator (root) while doing their job. So I ran

    $ logger -p local0.alert -t flood-test I am flooding root

as a user, in a loop.
The messages appeared as expected in root's terminal, so root was unable
to do anything. The messages appeared from "syslogd".
Also, "# mesg n" as root didn't stop that.
As I learned today, "$RepeatedMsgReduction = on" just before the
omusrmsg actions wouldn't help when the "attacker" uses logger.
How should one react to this issue when it happens? Stopping (r)syslog is
not an option, because this will stop logging (this is what an attacker
would want... doing something which won't be logged).
And this doesn't need to be an attack at all. Think about a RAID
monitoring tool which goes crazy when your RAID degraded...
I have the feeling that I am missing something. If not, the usage of
"omusrmsg" shouldn't be recommended, should it?
-Thomas
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE
THAT.
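To make the thread's two points concrete (Thomas's flood through omusrmsg, and David's advice to alert from a central system instead), here is the shipped configuration beside a hardened rsyslog configuration. This is an added example written for this page, not a configuration from either poster or from the rsyslog project; the collector hostname loghost.example.net, the port, the queue name and the rate-limit numbers are assumptions. Note that filtering the omusrmsg action on the program name would not help either, since `logger -t` lets the sender choose the tag.

```conf
# --- Weak: what the original post describes (reproduced from the thread) ---
# Any local account can run `logger -p local0.alert` in a loop and write to
# every listed terminal; rsyslog cannot tell the flood from a real alert.
*.alert action(type="omusrmsg" users="root" users="operator")

# --- Hardened: no terminal writes, damped input, central alerting ---
# 1. Rate-limit the local socket so a runaway daemon (the degraded-RAID case)
#    is damped. Caveat: imuxsock limits per sending PID, so a shell loop that
#    forks a fresh `logger` per message is not caught by this alone.
#    Interval and burst values below are assumptions; tune to the host.
module(load="imuxsock"
       SysSock.RateLimit.Interval="5"
       SysSock.RateLimit.Burst="200")

# 2. Keep a local copy of anything at alert or above, but on disk, not on a tty.
#    (severity 0 = emerg, 1 = alert)
if $syslogseverity <= 1 then {
    action(type="omfile" file="/var/log/critical.log")
}

# 3. Ship everything to the collector (hostname assumed) over TCP with a
#    disk-assisted queue, so messages survive the collector being down and
#    correlation/alerting happens there, across all hosts, not on this tty.
*.* action(type="omfwd" target="loghost.example.net" port="514" protocol="tcp"
           queue.type="LinkedList" queue.filename="fwd_loghost"
           queue.saveOnShutdown="on" action.resumeRetryCount="-1")

# No omusrmsg action at all: the flood reaches the collector as data to be
# rate-limited and correlated, not as noise on root's terminal.
```

The attacker's loop (or the misbehaving RAID tool) is still logged, which is what you want: on the collector a burst of identical messages from one host becomes a detection signal rather than a denial of service against the administrator's shell.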