Date: Sat, 18 Sep 1999 22:45:55 -0600 (MDT) From: Jobe <jobe@attrition.org> To: security@freebsd.org Subject: Re: Real-time alarms Message-ID: <Pine.LNX.3.96.990918224450.9848B-100000@forced.attrition.org>
next in thread | raw e-mail | index | archive | help
On Sat, 18 Sep 1999, Brett Glass wrote: > At 10:20 PM 9/18/99 -0600, Wes Peters wrote: > > >Too clumsy, it pretty much has to be a stream-oriented protocol. > > Or something like syslogd? > > >Can you > >image trying to generate an email message for ever open(2) call that > >failed? > > No, but how about a compilation? Or a warning saying, "Looky here, > there's something going on; check the logs for details"? > > >OTOH, it probably has to be a multicast protocol, because you may want > >notifications to go to multiple targets. This was one of the major problems > >with SYS$AUDIT in VMS, all it did was append to the audit logs. Of course, > >many vendors, including my former employer, made a good living developing > >audit log watchers that could make some intelligent decisions about what > >was appearing in the logs and generate mail messages, page people, etc. > > I think that some combination of local logging, remote logging, and mail > notification would work. Again, these should be universal facilities. > People have many complaints about syslogd -- in particular, that it can > be a wonderful remote disk filler. Maybe fixing syslogd would go hand in > hand with creating such a facility. > > --Brett Bah, using any current software for alert relay/distribution is a _bad_ idea. When designing new security policies is it not customary to build the supporting applications from the ground up? Any compromise of security in your alert relay system completely defeats the purpose of having the alarms generated in the first place. Syslog was written to be multifunctional and dynamic, the application we need has a single, lone, extremely specific purpose. Taking this into account I feel that the only way to adequetlly attack this problem is, as mentioned above, to design and build the policy's supporting applications from the ground up. --Jobe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.LNX.3.96.990918224450.9848B-100000>