> LaCoursiere J. D. writes:
> >
> > That's not the only danger, though. By filling *whatever* partition syslog
> > is pointed at, the attacker can break in without being logged (at least by
> > syslogd :-> )
>
> I had to think about this one for a second.
>
> You mean to say that the attacker can break in without being detected,
> if he fills the partition, but not that the attacker can break in by
> virtue of the fact that he's filled the partition, i.e., filling the
> partition becoming the access enabler, right?
>
Ah yes, sorry - bad choice of words... Of course, syslogd is probably
not your only logging mechanism - at least it isn't for me. Probably a
good idea to keep your different logs on different partitions for this
reason :-> .

> I suppose it would be trivial to cobble something together to monitor
> the logfile, and if the size hit a certain threshold, or the partition
> free space fell below a certain threshold, then perhaps one could
> automatically do something, e.g., zip an email off to the
> administrator, page someone, whatever.
>
But could you catch/fix in time? I suppose you could make your threshold
some outrageously low percentage of available space, so you could rectify
the situation long before there was danger of losing info. It is a good
idea!

Jeff LaCoursiere
Network Admin
UPRC
Ft. Worth, TX
/**********************************************************************
THE MAGIC WORDS ARE SQUEAMISH OSSIFRAGE
**********************************************************************/
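
The monitor proposed in the quoted text, extended with a fill-rate estimate to address the "could you catch it in time?" question; this is an added example, not part of the original message. `LOG_PATH`, the thresholds, the sampling interval and the use of stderr as the alert channel are all assumptions.

```python
import shutil
import sys
import time
from dataclasses import dataclass

LOG_PATH = "/var/log"      # assumption: partition syslogd writes to
MAX_USED_PCT = 20.0        # assumption: deliberately low, to alert early
MIN_ETA_SECONDS = 3600.0   # assumption: time an admin needs to react
INTERVAL = 60              # assumption: seconds between samples

@dataclass
class Sample:
    ts: float    # sample time, seconds
    free: int    # bytes free on the partition
    total: int   # partition size in bytes

def take_sample(path):
    usage = shutil.disk_usage(path)
    return Sample(time.time(), usage.free, usage.total)

def seconds_until_full(prev, cur):
    """Linear estimate of time left; None if free space is not shrinking."""
    elapsed = cur.ts - prev.ts
    consumed = prev.free - cur.free
    if elapsed <= 0 or consumed <= 0:
        return None
    return cur.free / (consumed / elapsed)

def evaluate(prev, cur, max_used_pct=MAX_USED_PCT, min_eta=MIN_ETA_SECONDS):
    """Return the list of reasons to alert (empty list means all is well)."""
    reasons = []
    used_pct = 100.0 * (cur.total - cur.free) / cur.total
    if used_pct > max_used_pct:
        reasons.append(f"{used_pct:.0f}% used, limit {max_used_pct:.0f}%")
    eta = seconds_until_full(prev, cur)
    if eta is not None and eta < min_eta:
        reasons.append(f"full in about {eta:.0f}s at current fill rate")
    return reasons

if __name__ == "__main__":
    prev = take_sample(LOG_PATH)
    while True:
        time.sleep(INTERVAL)
        cur = take_sample(LOG_PATH)
        for reason in evaluate(prev, cur):
            # stderr stands in for mail or a pager; the alert path must
            # not depend on the partition being watched.
            print(f"ALERT {LOG_PATH}: {reason}", file=sys.stderr)
        prev = cur
```

The rate check fires while usage is still under the static limit, which is the case where a threshold alone would leave too little time to react.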