Bootable CD w/OS for firewall

[jkinz at kinz.org (Jeff Kinz)]

On Wed, Sep 15, 2004 at 10:54:45AM -0400, Don Levey wrote:
	DM:
> > A potentially better solution is to log remotely to a different
> > machine connected to your side of the firewall.  Then if the machine
> > is compromised, it''s much less likely (if you've taken apropriate
> > measures) that the system's logs will be modified at the time of the
> > compromise.  They'll be on a different machine entirely, which may
> > (should) not have easy attack vectors from the firewall box.
> 
> Good points, both.  I'd need to have the machine up so that I can figure out
> what I need to fix, so hopefully after a reboot I'd have at least a little
> time.  How would I go about logging remotely?  It's not as if I could
> NFS-mount another drive, that'd be subject to the same problem.
>  -Don

Example line - used in /etc/syslog.conf:

    *.emerg????@my.central.logserver.com 

This sends all emergency messages to the machine with the hostname
my.central.logserver.com. Important note about this: Using the remote
logging feature opens up a possible problem - if the /var/ directory is
part of the root (/) filesystem, it would be easy to flood the logging
server and possible bring it to a halt! One way to circumvent this is to
have a seperate partition for /var (if you're logging to /var that is),
or to use logrotation.

logrotation is already set up on many distro's

-- 
Linux/Open Source.  Now all your base belongs to you, for free.
============================================================
Idealism:  "Realism applied over a longer time period"

Jeff Kinz, Emergent Research, Hudson, MA.