Re: Good logging and real-t

Alexander O. Yuriev (alex@bach.cis.temple.edu)
Thu, 23 Nov 1995 19:17:42 -0500 (EST)

On Tue, 21 Nov 1995, Doug Hughes wrote:

> Bypasses are certainly possible. However, the intruder would have to gain
> access, become root, somehow log in to the remote restricted access machine
> (which by the way has rlogin, telnet, rexec, and shell stuff turned off)
> kill the program watching the logs (which would certainly make it disappear
> off the screen) and then restart it, all without the user noticing, and within
> 5 seconds..

You have just assumed something that you should not assume, i.e. that in
order to bypass your system an intruder needs to penetrate the trusted host.
If I am an intruder, I can attempt, quite successfully, to perform an attack
against the syslog protocol instead of attempting to take over the trusted system.


Best wishes,
Alex

============================================================================
Alexander O. Yuriev                         Email: alex@bach.cis.temple.edu
CIS Labs, TEMPLE UNIVERSITY   WWW: http://bach.cis.temple.edu/personal/alex
Philadelphia, PA, USA           

 KeyID: 1024/D62D4489 Key Fingerprint: AE84534377CCC4E2  37B13C4D8CD3D501 

Unless otherwise stated, everything above is my personal opinion and not an
               opinion of any organisation affiliated with me.
=============================================================================