It is possible
to configure syslogd to record varying levels of detail in the log files. It can be told to ignore all
but the most critical messages, or it can record every detail.
The syslogd daemon can even accept messages from other computers on your network. This is particularly
handy because it enables you to centralize the management and reviewing of the log files
from many systems on your network. There is also a major security benefit to this practice.
If a system on your network is broken into, the cracker cannot delete or modify the log files because
those files are stored on a separate computer. It is important to remember, however, that those log
messages are not, by default, encrypted. Anyone tapping into your local network can eavesdrop on
those messages as they pass from one machine to another. Also, although the cracker may not be
able to change old log entries, he can affect the system such that any new log messages should not
be trusted.
It is not uncommon to run a dedicated loghost, a computer that serves no other purpose than to
record log messages from other computers on the network. Because this system runs no other services,
it is unlikely that it will be broken into. This makes it nearly impossible for a cracker to erase
his or her tracks, but it does not mean that all of the log entries are accurate after a cracker has
broken into a machine on your network.
Pages:
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471