
Re: End of hypocrisy ?



On 8/8/2014 9:53 PM, AW wrote:
> On Fri, 8 Aug 2014 20:50:14 -0400
> Steve Litt <slitt@troubleshooters.com> wrote:
> 
>  > Seventh, there's 40 years of experience with text logs. Are they
>  > perfect? No.
> 
> The thread that doesn't die --- misinformation all over the place, and some of it
> my misinformation -- sorry 'bout that.
> 
> Anyway, I feel prodded, so rebuttal...
> 
> Perfect? I should definitely say not...
> a decade or so of remote exploits in no particular order:
> 
> http://www.securityfocus.com/bid/10684/discuss
> http://xforce.iss.net/xforce/xfdb/43518
> http://cxsecurity.com/issue/WLB-2011020121
> http://www.securiteam.com/securitynews/5XP0K0U9GK.html
> http://www.juniper.net/security/auto/vulnerabilities/vuln3498.html
> http://www.linuxtoday.com/security/2000091801204SCRH
> http://www.cvedetails.com/cve/CVE-2000-0917/
> http://securitytracker.com/id/1019105
> http://www.redhat.com/archives/linux-security/1999-November/msg00013.html
> 
> systemd with its binary file format and buffered line to and from a service
> daemon will [or should] nearly automatically take care of some very nasty
> security problems that crop up from time to time... Now, imagine if the log
> was kept in an sql database secured with a public key or password or something
> dependent on the local machine, and the queries were properly escaped to
> prevent sql injection - something that would only need to be done once...
> 
> Of course all software is broken when it comes to security.  However, that's no
> reason to lay down the welcome mat.
>

Pushed the wrong button and sent too early.

And by completely changing the system, you are doing exactly that.  Just
because it's a service daemon does not mean there will not be security
problems.  And storing them in a SQL database may cure SOME security
problems - but won't cure them all.  And will add more problems (beyond
hundreds of lines of new code).  And now you're depending on the
security of the SQL engine.  Are you sure they are secure?  Just the
engine has many more LOC than the current logging facility.  Which gives
the potential for many more problems - both security and others.

> BTW: To those complaining of Firefox's use of sqlite...
> 
> https://en.wikipedia.org/wiki/SQLlite
> 
> The browsers Google Chrome, Opera, Safari and the Android Browser all allow
> for storing information in, and retrieving it from, a SQLite database within
> the browser, using the Web SQL Database technology. Mozilla Firefox and Mozilla
> Thunderbird store a variety of configuration data (bookmarks, cookies, contacts
> etc.) in internally managed SQLite databases, and even offer an add-on to
> manage SQLite databases.
> 
> So, all major browsers except IE use sqlite.
> 
> --Andrew
> 
> 


So browsers use SQLite?  They are applications, not system logging.
Storing configuration data which will only be read by the application is
much different than logging system messages.  You are talking apples and
oranges here.


