Author: Benjamin D. Thomas
tcpdump, openvpn, up-imapproxy, ethereal, weex, py2play, graphviz, xloadimage,
xli, xine-lib, hylafax, Ruby, SVG, hexlix player, uw-imap, openssl, thunderbird,
binutils, and libuser. The distributors include Debian, Gentoo, and Red Hat.System Accounting
Dave Wreski
It is very important that the information that comes from syslog not be compromised.
Making the files in /var/log readable and writable by only a limited number of
users is a good start.
Be sure to keep an eye on what gets written there, especially under
the auth facility. Multiple login failures, for example, can indicate
an attempted break-in.
Where to look for your log file will depend on your distribution. In a
Linux system that conforms to the “Linux Filesystem Standard”, such as
Red Hat, you will want to look in /var/log and check messages, mail.log,
and others.
You can find out where your distribution is logging to by looking at
your /etc/syslog.conf file. This is the file that tells syslogd (the
system logging daemon) where to log various messages.
You might also want to configure your log-rotating script or daemon
to keep logs around longer so you have time to examine them. Take a
look at the logrotate package on recent Red Hat distributions. Other
distributions likely have a similar process.
If your log files have been tampered with, see if you can determine
when the tampering started, and what sort of things appeared to be
tampered with. Are there large periods of time that cannot be accounted
for? Checking backup tapes (if you have any) for untampered log files
is a good idea.
Intruders typically modify log files in order to cover their tracks,
but they should still be checked for strange happenings. You may
notice the intruder attempting to gain entrance, or exploit a program
in order to obtain the root account. You might see log entries before
the intruder has time to modify them.
You should also be sure to separate the auth facility from other log
data, including attempts to switch users using su, login attempts, and
other user accounting information.
If possible, configure syslog to send a copy of the most important data
to a secure system. This will prevent an intruder from covering his
tracks by deleting his login/su/ftp/etc attempts. See the syslog.conf
man page, and refer to the @ option.
Finally, log files are much less useful when no one is reading them. Take
some time out every once in a while to look over your log files, and get a feeling
for what they look like on a normal day. Knowing this can help make unusual
things stand out.
Read more from the Linux Security Howto:
http://www.linuxsecurity.com/docs/LDP/Security-HOWTO/
| Debian | ||
| Debian: New mason packages fix missing init script |
||
6th, October, 2005
|
||
| Debian: New cpio packages fix several vulnerabilities |
||
7th, October, 2005
|
||
| Debian: New dia packages fix arbitrary code execution |
||
8th, October, 2005
|
||
| Debian: New masqmail packages fix several vulnerabilities |
||
8th, October, 2005
|
||
| Debian: New shorewall packages fix firewall bypass |
||
8th, October, 2005
|
||
| Debian: New tcpdump packages fix denial of service |
||
9th, October, 2005
|
||
| Debian: New openvpn packages fix denial of service |
||
9th, October, 2005
|
||
| Debian: New up-imapproxy packages fix arbitrary code execution |
||
9th, October, 2005
|
||
| Debian: New ethereal packages fix several vulnerabilities |
||
9th, October, 2005
|
||
| Debian: New tcpdump packages fix denial of service |
||
9th, October, 2005
|
||
| Debian: New weex packages fix arbitrary code execution |
||
10th, October, 2005
|
||
| Debian: New py2play packages fix arbitrary code execution |
||
10th, October, 2005
|
||
| Debian: New graphviz packages fix insecure temporary file |
||
10th, October, 2005
|
||
| Debian: New xloadimage packages fix arbitrary code execution |
||
10th, October, 2005
|
||
| Debian: New xli packages fix arbitrary code execution |
||
10th, October, 2005
|
||
| Debian: New Ruby packages fix safety bypass |
||
11th, October, 2005
|
||
| Debian: New uw-imap packages fix arbitrary code execution |
||
11th, October, 2005
|
||
| Debian: New Ruby 1.6 packages fix safety bypass |
||
11th, October, 2005
|
||
| Debian: New xine-lib packages fix arbitrary code execution |
||
12th, October, 2005
|
||
| Debian: New Ruby 1.8 packages fix safety bypass |
||
13th, October, 2005
|
||
| Debian: New hylafax packages fix insecure temporary files |
||
13th, October, 2005
|
||
| Gentoo | ||
| Gentoo: Ruby Security bypass vulnerability | ||
6th, October, 2005
|
||
| Gentoo: Dia Arbitrary code execution through SVG import |
||
6th, October, 2005
|
||
| Gentoo: RealPlayer, Helix Player Format string vulnerability |
||
7th, October, 2005
|
||
| Gentoo: xine-lib Format string vulnerability | ||
8th, October, 2005
|
||
| Gentoo: Weex Format string vulnerability | ||
8th, October, 2005
|
||
| Gentoo: uw-imap Remote buffer overflow | ||
11th, October, 2005
|
||
| Gentoo: OpenSSL SSL 2.0 protocol rollback | ||
12th, October, 2005
|
||
| Red Hat |
||
| RedHat: Important: thunderbird security update |
||
6th, October, 2005
|
||
| RedHat: Low: binutils security update | ||
11th, October, 2005
|
||
| RedHat: Low: libuser security update | ||
11th, October, 2005
|
||
| RedHat: Moderate: util-linux and mount security update |
||
11th, October, 2005
|
||
| RedHat: Moderate: ruby security update | ||
11th, October, 2005
|
||
| RedHat: Moderate: openssl security update | ||
11th, October, 2005
|
||
