Re: solaris 251 & syslogd

Dave Kinchlea (security@KINCH.ARK.COM)
Wed, 12 Nov 1997 11:12:35 -0800

A small point but, with use of the `mark' facility in syslog, and proper
monitoring for it, you can and should be able to detect syslogd either
dying or refusing to write to files (amounts to the same thing). No news
is NOT good news, but knowing that, we can key on it.

This is not intended to say that what you found is not a bug, just that
there is a way to detect it.

cheers, kinch

On Wed, 12 Nov 1997, Michael Helm wrote:

> I'm not having very good luck with the patch mentioned here
> (among other places) for syslogd on solaris. Patch 103738-05
> may solve the immediate security problem, but at least for me,
> as soon as you attempt to restart it (SIGHUP), it stops writing
> messages to any of its files. This is usually done automatically
> by scripts that close old log files & open new (empty) ones;
> they stay empty. Unless you go looking for this, you will not
> notice it for a while (swatch or your other monitors will be
> happy &c). No news is not good news in this case; I see this
> as a pretty big security problem in its own right.
>
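
The mark-based monitoring suggested in the reply above, as an added example that is not part of the original thread: a freshness check that alerts when a log file has gone quiet or stayed empty after rotation. The 20-minute interval, the 5-minute grace period, the `Mon DD HH:MM:SS` line format and the sample lines are assumptions; any fresh entry counts as a heartbeat because some syslogd implementations skip the mark when the file was written recently.

```python
from datetime import datetime, timedelta

MARK_TOKEN = "-- MARK --"               # text syslogd writes for a mark message
MARK_INTERVAL = timedelta(minutes=20)   # assumption: set to your syslogd mark interval
GRACE = timedelta(minutes=5)            # assumption: slack for clock and cron jitter

def parse_stamp(line, now):
    """Parse the leading 'Mon DD HH:MM:SS' stamp; classic syslog omits the year."""
    for year in (now.year, now.year - 1):   # a December entry read in January
        try:
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        except ValueError:
            continue
        if ts <= now + GRACE:
            return ts
    return None

def check_heartbeat(lines, now):
    """Return (status, detail); ALERT when the log has gone quiet for too long."""
    newest = None
    newest_mark = None
    for line in lines:
        ts = parse_stamp(line, now)
        if ts is None:
            continue
        if newest is None or ts > newest:
            newest = ts
        if MARK_TOKEN in line and (newest_mark is None or ts > newest_mark):
            newest_mark = ts
    if newest is None:
        return "ALERT", "no entries at all (empty file after rotation?)"
    age = now - newest
    if age > MARK_INTERVAL + GRACE:
        return "ALERT", f"newest entry is {age} old, last mark: {newest_mark}"
    return "OK", f"newest entry is {age} old, last mark: {newest_mark}"

# Constructed sample input, not taken from a real host
NOW = datetime(1997, 11, 12, 11, 12, 35)
HEALTHY = ["Nov 12 10:40:00 host1 syslogd: -- MARK --",
           "Nov 12 10:52:10 host1 sendmail[311]: constructed sample entry",
           "Nov 12 11:00:00 host1 syslogd: -- MARK --"]
STALE = HEALTHY[:1]      # nothing written since 10:40
ROTATED_EMPTY = []       # new log file that never received a line

if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("stale", STALE), ("empty", ROTATED_EMPTY)):
        print(name, *check_heartbeat(sample, NOW))
```

Run it from a host or scheduler that does not depend on the syslogd being watched, so the alert still fires when that daemon is the thing that failed.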