On Tue, 21 Nov 1995, Doug Hughes wrote:

> Bypasses are certainly possible. However, the intruder would have to gain
> access, become root, somehow log in to the remote restricted access machine
> (which by the way has rlogin, telnet, rexec, and shell stuff turned off)
> kill the program watching the logs (which would certainly make it disappear
> off the screen) and then restart it, all without the user noticing, and within
> 5 seconds..

You have just assumed something that you should not assume, i.e. that in
order to bypass your system an intruder needs to penetrate the trusted host.
If I am an intruder, I can attempt to quite successfully perform an attack
against the syslog protocol instead of attempting to take over the trusted
system.

Best wishes,
Alex

============================================================================
Alexander O. Yuriev              Email: alex@bach.cis.temple.edu
CIS Labs, TEMPLE UNIVERSITY      WWW: http://bach.cis.temple.edu/personal/alex
Philadelphia, PA, USA
KeyID: 1024/D62D4489   Key Fingerprint: AE84534377CCC4E2 37B13C4D8CD3D501

Unless otherwise stated, everything above is my personal opinion and not an
opinion of any organisation affiliated with me.
============================================================================