[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Common security checks for a base installation - packages reviewed.

On Mon, Dec 30, 2002 at 08:02:53PM +0000, Steve Kemp wrote:
> On Mon, Dec 30, 2002 at 03:33:35PM +0100, Javier Fern?ndez-Sanguino Pe?a wrote:
> > 	I would say my preference in this are mail, syslog and snmp (only). 
> > Note that pages could be programmed through any of these. Syslog has the
> > advantaged of being logged (mail can get lost) and can also be sent to a
> > remote system which cannot be tampered with easily. Snmp provides
> > integration with Network Management tools which could provide more
> > effective alarm mechanisms (ticket integration, automatic response, or
> > whatever)
>   That sounds reasonable, however I'm suprised that you consider syslog
>  more reliable than mail.  Mail has well defined queuing and timeout
>  behaviour before a message is dropped/bounced.
>   Several of the more common syslog implementations make no guarantees
>  about actually recording a message they're passed - and either way
>  their is no notification to the invocing process whether the message
>  was handled, dropped, or even recieved.
	However, there is an advantage of syslog versus (local) mail. You
can have a separate machine for doing syslog reception and analysis. Of
course you could do the same with mail (having another server to receive
incoming mails). There are probably replacements (such as syslog-ng) 
which do a better job at guaranteeing there is no tampering of the
	In any case, it's better to just leave several possibilities open
to sysadmins so they can choose whatever they like (or need to have). I
think that mail|syslog|snmp covers pretty much all the needs of all the

> > 	The other one I have is system load. The perl interpreter is way
> > more overhead than a shell script. This might not be an issue with big
> > tests (going through all the filesystem) but probably is with small tests
> > (just running nestat and looking the output).
>   True, but for most of the tests other factors will probably come into
>  play anyway.  Making fingerprints of files to do hash comparisions is
>  going involve lots of IO, during which the additional overhead of loading
>  perl compared to /bin/sh is probably minimal - for example.

	Yes. Probably right. In any case Perl scripts could also be
precompiled I guess.



Attachment: pgpakXUZmUvQs.pgp
Description: PGP signature

Reply to: