LaCoursiere J. D. writes:
> That's not the only danger, though. By filling *whatever* partition syslog
> is pointed at, the attacker can break in without being logged (at least by
> syslogd :-> )
I had to think about this one for a second.
You mean to say that the attacker can break in without being detected,
if he fills the partition, but not that the attacker can break in by
virtue of the fact that he's filled the partition, i.e., filling the
partition becoming the access enabler, right?
I suppose it would be trivial to cobble something together to monitor
the logfile, and if the size hit a certain threshold, or the partition
free space fell below a certain threshold, then perhaps one could
automatically do something, e.g., zip an email off to the
administrator, page someone, whatever.
Jim Carroll -- jimc @
e-Commerce, Inc., 1030 Kamato Road, Suite 201
Mississauga, Ontario, Canada L4W 4B6
Tel: +1 905 602 0863 Fax: +1 905 602 8402
From: z056716 @
com (LaCoursiere J. D. (Jeff))