NEVERMIND! (was: Local Denial of Service: logger(1))
Jason Hellenthal
jhellenthal at dataix.net
Mon May 26 03:51:18 UTC 2014
That and/or you could just disallow the use of logger to that of just a special group, say staff, and modify the mtree(8) files to keep the changes.
These are just menial tasks into hardening a system for its specific needs. security/logcheck should pick up these events pretty quickly and shoot out an email to your admin group to alert them of the miscreant :-)
--
Jason Hellenthal
Voice: 95.30.17.6/616
JJH48-ARIN
> On May 25, 2014, at 23:37, "Ronald F. Guilmette" <rfg at tristatelogic.com> wrote:
>
>
> In message <2091.1401074804 at server1.tristatelogic.com>, I wrote:
>
>> ==========================================================================
>> #!/bin/sh
>>
>> while (1)
>> dd if=/dev/random bs=15 count=1 | od -c | xargs logger
>> end
>> ==========================================================================
>
> DUH!
>
> I forgot that newsyslog(8) should limit the size of /var/log/messages, and
> that as long as you limit the size of that to a reasonable value, and as
> long as you have newsyslog(8) only keeping a finite & reasonable number
> of "rotated out" copies, then /var won't fill up.
>
> My apologies to everyone for the distraction.
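The size-times-copies argument in the quoted message, as an added example that is not part of the original thread: a POSIX sh function that reads newsyslog.conf-style entries and reports how much space each log can retain after rotation. The sample entries are constructed, and the function names `newsyslog_bound` and `sample_conf` are assumptions of this example.

```shell
#!/bin/sh
# Added example: bound the space each newsyslog.conf entry can retain.
# Entry fields: logfile [owner:group] mode count size when [flags ...]
# size is in KB; "*" means no size-based rotation.

newsyslog_bound() {
    # Reads newsyslog.conf-style text from the named files, or stdin.
    awk '
        /^[ \t]*(#|$)/    { next }   # comments and blank lines
        $1 == "<include>" { next }   # included files are not followed here
        {
            i = 2
            if ($i !~ /^[0-7]+$/) i++    # skip optional owner:group
            count = $(i + 1); size = $(i + 2)
            if (size == "*")
                printf "%s UNBOUNDED (no size limit)\n", $1
            else
                # live file at its limit plus count archived copies,
                # ignoring any compression of the archives
                printf "%s %d KB\n", $1, size * (count + 1)
        }
    ' "$@"
}

# Constructed sample entries, not taken from any real system.
sample_conf() {
    cat <<'EOF'
# logfilename       [owner:group]  mode count size when   flags
/var/log/messages                  644  5     1000 @0101T JC
/var/log/auth.log                  600  7     1000 @0101T JC
/var/log/app.log    root:wheel     640  3     *    $D0    J
EOF
}

# newsyslog checks sizes only when it runs (normally from cron), so a
# file can exceed its limit between runs; the figure is the retained size.
sample_conf | newsyslog_bound
```

Entries reported as UNBOUNDED are the ones to review first, since only their schedule and copy count limit what they keep on /var.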