Marek Michalkiewicz <marekm@I17LINUXB.ISTS.PWR.WROC.PL> wrote:
: It seems that most of the RedHat 5.3.12 security patches are in the
: standard 5.4.17, except for the patch below. Also, there are more
: (different) fixes in 5.4.18 (check h_length against sizeof(sin_addr)
: in inet/rcmd.c and inet/rexec.c).
: + {
: + syslog(LOG_NOTICE|LOG_AUTH,
: + "Attempt to feed me an overlong A record. Probably a breakin attempt.");
: + host.h_length=4;
: + }

This came from the linux-server list. But reminded me of something I wanted to know about. Is there a standard for people to syslog possible security violations? This would make it easier to find them in huge log files with swatch or other monitoring tools.

[mod: Except for the LOG_AUTH "priority" field, probably not.... -- REW]

--
-Matt (panzer@dhp.com) -- DataHaven Project - http://www.dhp.com/
"That which can never be enforced should not be prohibited."
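Review bot: the syslog() call in the quoted block passes a fixed string with no arguments, so the LOG_AUTH entry records neither the name being resolved nor the length that was received; adding those as arguments to a constant format string would let whoever reads the log tell one event from another. On the following line, host.h_length=4 hard-codes the address size; sizeof(struct in_addr) states the intent and matches the "check h_length against sizeof(sin_addr)" approach mentioned for 5.4.18. The condition guarding this block and the copy that consumes h_length are not in the quoted lines, so it is worth confirming that the clamp happens before any copy sized by h_length.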
Andrew G. Morgan
1997-Jan-04 09:12 UTC
Re: [linux-security] Re: libc bugs (was Re: Distributions...)
Matt wrote:
> This came from the linux-server list. But reminded me of something I
> wanted to know about. Is there a standard for people to syslog possible
> security violations? This would make it easier to find them in huge log
> files with swatch or other monitoring tools.
>
> [mod: Except for the LOG_AUTH "priority" field, probably not.... -- REW]

This is something that would interest me.

For Linux-PAM there are some comments in the programming notes of the Linux-PAM Module writers' guide. They are not very complete (amendments welcome), but they are a start. The various Linux-PAM guides are available from the addresses in my .sig file.

Regards

Andrew
--
Linux-PAM, libpwdb, Orange-Linux and Linux-GSS
http://parc.power.net/morgan/index.html
[ For those that prefer FTP --- ftp://ftp.lalug.org/morgan ]
David Holland
1997-Jan-04 13:17 UTC
Re: [linux-security] Re: libc bugs (was Re: Distributions...)
> This came from the linux-server list. But reminded me of something I
> wanted to know about. Is there a standard for people to syslog possible
> security violations? This would make it easier to find them in huge log
> files with swatch or other monitoring tools.
>
> [mod: Except for the LOG_AUTH "priority" field, probably not.... -- REW]

Far as I know there isn't. What I did on one system where I cared about this was write a set of postprocessing scripts that sorted log messages via regexp. Anything unusual, of course, ended up in a place where it got particular attention...

Has anyone considered dropping this LOG_* stuff (which, under the best of circumstances, doesn't work that well) and adding regexp matching to syslogd?

--
   - David A. Holland          | VINO project home page:
     dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino
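An added illustration of the regexp post-processing approach described in the last message (not code from anyone in this thread): messages matching known patterns are sorted into buckets, and anything unmatched is set aside for attention. The log lines, the rule set and the bucket names are all constructed for this example.

```python
import re

# Constructed sample lines in classic syslog layout (not from a real host).
SAMPLE_LOG = """\
Jan  4 09:01:12 gw sendmail[311]: JAA00311: from=<a@example.org>, size=912
Jan  4 09:02:40 gw login[402]: ROOT LOGIN on tty1
Jan  4 09:03:05 gw in.rlogind[415]: Attempt to feed me an overlong A record. Probably a breakin attempt.
Jan  4 09:04:17 gw su[420]: FAILED su for root by guest
Jan  4 09:05:00 gw cron[101]: (root) CMD (run-parts /etc/cron.hourly)
Jan  4 09:06:31 gw kernel: eth0: promiscuous mode enabled
"""

# "Mon DD HH:MM:SS host tag[pid]: message"; the [pid] part is optional.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Ordered rules (hypothetical set): first match wins, security rules first.
RULES = [
    ("security", re.compile(r"overlong A record|breakin attempt", re.I)),
    ("security", re.compile(r"^FAILED su\b|\bROOT LOGIN\b")),
    ("routine", re.compile(r"^\(\w+\) CMD \(")),
    ("routine", re.compile(r"^\w+: from=<[^>]*>, size=\d+$")),
]

def classify(line):
    """Return the bucket for one log line; unknown or malformed is 'unusual'."""
    m = LINE.match(line)
    if m is None:
        return "unusual"  # a line that does not parse deserves a look too
    for bucket, pattern in RULES:
        if pattern.search(m.group("msg")):
            return bucket
    return "unusual"      # nothing recognised it: route to a human

def sort_log(text):
    """Sort every non-empty line of a log into its bucket."""
    buckets = {"security": [], "routine": [], "unusual": []}
    for line in text.splitlines():
        if line.strip():
            buckets[classify(line)].append(line)
    return buckets

if __name__ == "__main__":
    for name, lines in sort_log(SAMPLE_LOG).items():
        print(f"== {name} ({len(lines)})")
        for entry in lines:
            print("   " + entry)
```

The kernel line matches no rule, so it lands in the "unusual" bucket rather than being dropped, which is the property that makes this kind of sorting useful when no common logging convention exists.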