Bug#336265: [Logcheck-devel] Bug#336265: logrotate detection, possible attack not checked by logcheck

Todd Troxell ttroxell at debian.org
Sat Oct 29 09:38:18 UTC 2005


On Sat, Oct 29, 2005 at 03:10:51AM +0200, TsT wrote:
> My proposed Fix:
> 
> -	if [[ $(wc -c < "$file") -lt $(tail -n 1  "$offsetfile") ]]; then
> 
> +	INODEOFFSET=$(head -n 1 < $offsetfile)
> +	#INODEFILE=$(ls -id $file) ;# not run with symlink.
> +	INODEFILE=$(find $file -follow -printf "%i")
> +	if [[ $INODEFILE -eq $INODEOFFSET ]]; then
> 
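Review bot: the sense of the test is inverted relative to the removed line: `-lt` was true when the file had shrunk (rotation suspected), while `[[ $INODEFILE -eq $INODEOFFSET ]]` is true when the inode is unchanged, so either the branch body must be swapped or the test written with `-ne`. Dropping the size comparison also loses detection of in-place truncation (same inode, fewer bytes than the saved offset); keep it as a second condition alongside the inode check. `$offsetfile` and `$file` in `head -n 1 < $offsetfile` and `find $file -follow -printf "%i"` should be quoted so paths with whitespace do not word-split, and `head -n 1` presumes the offset file's first line holds the inode, which the surrounding code (`tail -n 1` for the offset) should be checked against.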

This is looking like a potentially good solution.  The thing is, even our
rotation code will only look at file.0, so one could attack and then spam
syslog for 2 files and be in the clear.

I think what we really need is something to handle multiple rotated files,
and in that case, it might be better to extend logtail instead.

Cheers,
-- 
Todd Troxell
http://rapidpacket.com/~xtat
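An added illustration of the distinction raised in the thread, written for this page and not code from logcheck or logtail: checking the inode alone tells you the file was replaced, while the saved-offset size check tells you it was truncated in place; a defender wants both. The offset-file layout (inode on the first line, byte offset on the second) is an assumption made for the example, as is the GNU `find -printf '%i'` call borrowed from the quoted patch.

```shell
#!/bin/sh
# Constructed example: classify a log file's state against a saved offset file.
# Assumed offset-file format (not logtail's documented layout): "<inode>\n<offset>\n".
# classify_log prints exactly one of: ok | rotated | truncated | missing

file_inode() {
    # Follow symlinks so a symlinked log resolves to the inode of the real file.
    find "$1" -follow -printf '%i' 2>/dev/null
}

save_offset() {
    # Record current inode and size so the next run can compare against them.
    printf '%s\n%s\n' "$(file_inode "$1")" "$(wc -c < "$1")" > "$2"
}

classify_log() {
    file=$1
    offsetfile=$2
    [ -r "$file" ] || { echo missing; return 0; }
    saved_inode=$(head -n 1 "$offsetfile")
    saved_offset=$(tail -n 1 "$offsetfile")
    cur_inode=$(file_inode "$file")
    cur_size=$(wc -c < "$file")
    if [ "$cur_inode" -ne "$saved_inode" ]; then
        echo rotated        # renamed/recreated: the path now points at a new inode
    elif [ "$cur_size" -lt "$saved_offset" ]; then
        echo truncated      # same inode but fewer bytes than we had read: shrunk in place
    else
        echo ok             # same file, grown or unchanged: safe to resume from offset
    fi
}
```

Both branches matter: a rename-style rotation (`mv log log.0`) changes the inode but leaves the old bytes readable under the new name, whereas an in-place truncation keeps the inode and silently discards whatever was between the saved offset and the old end of file.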