TsT
2005-Oct-29 01:10 UTC
[Logcheck-devel] Bug#336265: logrotate detection, possible attack not checked by logcheck
Package: logcheck Version: 1.2.41 Problem: Logcheck try to detect if log file have been rotate or not by file size way. Possible attack: - current log file (sizeA) - run logcheck, (logcheck/logtail put inode in offsetfile), offset=sizeA - [attacker run attack 1] - run logrotate - [attacker run attack 2] - run logcheck may don't detect the rotation and don't check the log for attack 1 duration. attack 1 : The real attack, this attack log will not be checked by logcheck if attack 2 run succesfully. attack 2 Goal : Growing the log file more than possible, if his size become more than last checked offset. The problem is here line 397 395: offsetfile="$STATEDIR/offset$(echo $file | tr / .)" 396: if [ -s "$offsetfile" -a -r "$offsetfile" ]; then 397: if [[ $(wc -c < "$file") -lt $(tail -n 1 "$offsetfile") ]]; then 398: # assume the log is rotated by savelog(8) 399: # syslog-ng leaves old files here 400: if [ -e "$file.0" -a "$file.0" -nt "$file.1.gz" ]; then 401: debug "Running logtail on rotated: $file.0" 402: $LOGTAIL -f "$file.0" -o "$offsetfile" $LOGTAIL_OPTS > \ 403: $TMPDIR/logoutput/$(basename "$file") 2>&1 \ 404: || error "Could not run logtail or save output" 405: rm -f "$offsetfile" \ 406: || error "Could not remove $offsetfile" 407: # assume the log is rotated by logrotate(8) 408: # should also probably check if file is still fresh 409: elif [ -e "$file.1" ]; then 410: debug "Running logtail on rotated: $file.1" 411: $LOGTAIL -f "$file.1" -o "$offsetfile" $LOGTAIL_OPTS > \ 412: $TMPDIR/logoutput/$(basename "$file") 2>&1 \ 413: || error "Could not run logtail or save output" 414: rm -f "$offsetfile" \ 415: || error "Could not remove $offsetfile" 416: fi 417: fi My proposed Fix: - if [[ $(wc -c < "$file") -lt $(tail -n 1 "$offsetfile") ]]; then + INODEOFFSET=$(head -n 1 < $offsetfile) + #INODEFILE=$(ls -id $file) ;# not run with symlink. + INODEFILE=$(find $file -follow -printf "%i") + if [[ $INODEFILE -eq $INODEOFFSET ]]; then This problem seems like to bug #195935. Best Regards, TsT -- www.letsgozik.com -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: OpenPGP digital signature Url : http://lists.alioth.debian.org/pipermail/logcheck-devel/attachments/20051029/495b01be/attachment.pgp
Todd Troxell
2005-Oct-29 09:38 UTC
Bug#336265: [Logcheck-devel] Bug#336265: logrotate detection, possible attack not checked by logcheck
On Sat, Oct 29, 2005 at 03:10:51AM +0200, TsT wrote:> My proposed Fix: > > - if [[ $(wc -c < "$file") -lt $(tail -n 1 "$offsetfile") ]]; then > > + INODEOFFSET=$(head -n 1 < $offsetfile) > + #INODEFILE=$(ls -id $file) ;# not run with symlink. > + INODEFILE=$(find $file -follow -printf "%i") > + if [[ $INODEFILE -eq $INODEOFFSET ]]; then >This is looking like a potentially good solution. The thing is, even our rotation code will only look at file.0, so one could attack and then spam syslog for 2 files and be in the clear. I think what we really need is something to handle multiple rotated files, and in that case, it might be better to extend logtail instead. Cheers, -- Todd Troxell http://rapidpacket.com/~xtat
Apparently Analagous Threads
- logtail ignoring information in rotated logs
- Bug#406973: logtail misses lines in rotated file
- Bug#289801: Logtail should output error messages to stderr, not stdout
- [patch] logtail recheck permissions of offset files
- Bug#509885: does not cleanly update from logtail2