Flaws in "syslog"

Kevin Darcy kcd at daimlerchrysler.com
Wed Aug 29 00:32:08 UTC 2001 

Tell it to Sun and all of the major Unix OS vendors. BIND just uses what comes on
the box.


- Kevin

Jonathan de Boyne Pollard wrote:

> KD> Is that a net improvement in "ease of use"? Syslog comes standard
> KD> with most if not all Unix OS'es, and most Unix admins already know
> KD> how to configure it.
>
> Ease of use may be important (although how redirecting standard error though a
> pipe to wherever one desires it to go might be considered hard to use, I don't
> know), but so too is security.  Most implementations of "syslogd" have some
> major security flaws.
>
> It is coincidental that you mentioned Solaris 8 earlier in that paragraph,
> because it is a good example of an implementation with such security flaws.
> On Solaris, "syslogd" doesn't rotate logfiles itself, as it is writing them.
> Instead, it relies on a "cron" job that runs "newsyslog", which is what
> rotates the log files.  There is nothing, therefore, stopping an attacker from
> writing large amounts of data to the system log in between invocations of
> "newsyslog" and causing unbounded growth of the log files.  (The Solaris 8
> default is for "newsyslog" to be run once per day.  An attacker can probably
> create a disc's worth of log data in a day.  (-:)  One can increase the
> frequency of the "cron" job, of course, but then one loses logging
> information.  This is because "newsyslog" rotates log files
> *unconditionally*.  It doesn't check log file sizes.  It simply performs one
> rotation every time that it is invoked.  More frequent rotations, in order to
> reduce the window of opportunity for an attacker to fill up the volume holding
> the log files, result in log data being expired more quickly.
>
> In a properly designed system, logfile rotation would be triggered when each
> log file was about to exceed the specified maximum filesize.  Of course, this
> means that it would have to be performed by the same entity that was writing
> to the logfiles, since only that entity can know when the log file is about to
> exceed its size limit and thus when the logfiles should be rotated.  A
> properly implemented "syslogd", therefore, would have log file rotation built
> in, and not rely on having something else regularly polling the log files at
> intervals to check whether they might have grown too big.
>
> "multilog" rotates log files itself in exactly this manner.

More information about the bind-users mailing list