To: Firewalls @
Subj: Re: Syslogd vulnerability...again
Is it just me or have others considered the following:
If you're worried that the log disk could be filled and need a "gigabyte
plus" solution, there are at least two possibilities:
1. You could log the messages to the tape device when it's not
required for backups. You could even use a second drive if
needed to perform the logging function. I'd keep the block
sizes short -- maybe 2K or so. There are a couple of details
that need to be worked out for this, but the basics are
2. You could set up a cron controlled process to periodically
move the current log file and begin fresh. This idea could
be used to keep several revisions of the "historical" data.
If desirable, this data could be tar'ed or dumped to tape.
The idea here is to make it more difficult to overload the
disk because the file should never get larger than a few
It would take a fairly determined effort to defeat these relatively
simple solutions. Anybody trying to fill a typical 2.5GB tape (8mm)
would be leaving a trail a dead man could follow. That much activity
would be noticed quickly. (I hope.) Surely there are more/better
ideas than this...
Not an official statement of the
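The cron-driven rotation in option 2 above, written out as a POSIX sh script. This is an added example, not code from the original message or from any syslogd distribution. It assumes the log is an ordinary file, that syslogd reopens its files on SIGHUP, and that the pid file path you pass in (for instance /var/run/syslog.pid) is right for your system; the size limit, generation count and tar destination are parameters chosen by the caller.

```sh
#!/bin/sh
# Cron-driven rotation of a syslog file (example added here, not from the
# original post). Assumptions: the log is a regular file, syslogd reopens
# its files on SIGHUP, and PIDFILE (if given) points at syslogd's pid.

# rotate_log LOG KEEP [PIDFILE]
# Shift LOG.1 .. LOG.(KEEP-1) up one generation, drop LOG.KEEP, move the
# live file to LOG.1 and start an empty LOG. Disk usage is therefore bounded
# by KEEP+1 files of roughly the rotation size; the oldest data is lost.
rotate_log() {
    log=$1
    keep=${2:-5}
    pidfile=$3

    [ -f "$log" ] || return 1

    rm -f "$log.$keep"
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$((i - 1))
        if [ -f "$log.$prev" ]; then
            mv "$log.$prev" "$log.$i"
        fi
        i=$prev
    done

    mv "$log" "$log.1"
    : > "$log"
    chmod 640 "$log"

    # syslogd still holds the old inode open; ask it to reopen its files.
    if [ -n "$pidfile" ] && [ -r "$pidfile" ]; then
        kill -HUP "$(cat "$pidfile")"
    fi
    return 0
}

# rotate_if_over LOG LIMIT_BYTES KEEP [PIDFILE]
# Run from cron every few minutes; rotates only once LOG exceeds LIMIT_BYTES,
# so a flood of messages is capped instead of filling the disk.
rotate_if_over() {
    size=$(wc -c < "$1" 2>/dev/null | tr -d ' ')
    if [ "${size:-0}" -gt "$2" ]; then
        rotate_log "$1" "$3" "$4"
    fi
    return 0
}

# archive_rotations LOG KEEP TARFILE
# Bundle whatever generations exist into TARFILE, ready for dumping to tape.
archive_rotations() {
    dir=$(dirname "$1")
    base=$(basename "$1")
    names=""
    i=1
    while [ "$i" -le "$2" ]; do
        if [ -f "$dir/$base.$i" ]; then
            names="$names $base.$i"
        fi
        i=$((i + 1))
    done
    [ -n "$names" ] || return 1
    # $names is deliberately unquoted: a space-separated list of basenames.
    (cd "$dir" && tar cf "$3" $names)
}
```

A crontab entry such as `*/5 * * * * . /usr/local/sbin/logrotate.sh; rotate_if_over /var/log/messages 2000000 5 /var/run/syslog.pid` (paths and numbers are assumptions) keeps the live file under about 2 MB and retains five generations; the archive step can run once a day before the tape job.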