[GLLUG] Trickle logs to a DVD-R disk?
Thomas Hruska
thruska at cubiclesoft.com
Fri Aug 24 09:59:50 EDT 2007
Lachniet, Mark wrote:
> Right, I do the same thing for Windows boxes and firewalls and such (Kiwi and Sawmill will go a long way) but I was hoping for something self-contained. Thanks!
>
> Mark Lachniet
> Solutions Architect - Security
> 3101 Technology Blvd. Suite A
> Lansing, MI 48910
> (517) 336-1004 (voice)
> mailto:mlachniet at analysts.com
>
>
> ________________________________
>
> From: Ed Thomson [mailto:ethomson at edwardthomson.com]
> Sent: Fri 8/24/2007 9:29 AM
> To: Lachniet, Mark
> Cc: linux-user at egr.msu.edu
> Subject: Re: [GLLUG] Trickle logs to a DVD-R disk?
>
>
>
> Mark-
>
> I've never streamed logs to removable media. Real-time streaming to
> CD/DVD or tape sounds like it might be difficult, as you'd probably
> have write buffer underruns (and probably coasters) or tape hitching,
> respectively.
>
> You could have a cron job copy the syslogs every few minutes to a
> safe location and put them on a media that you could append to.
> Presumably this is DVDs due to their large storage capacity, you can
> keep appending logs for quite a while. My concerns with this would
> be that one bad session could compromise your logs, and that a good
> attacker would notice this and may be able to disable it before logs
> of his activity got written. But those are pretty minor concerns,
> this doesn't sound like a bad solution.
>
> To offer an alternative, we use a dedicated loghost for this sort of
> thing. We have a machine which is firewalled such that it only
> allows (authenticated, encrypted) inbound connections on the syslog
> port, and allows no outbound connections. (We log in on the console
> only.) We firewall it at the kernel level via iptables as well as on
> our core router. It dumps logs to tape nightly. We feel that this
> is appropriately secure for our needs: it's unlikely that anybody
> could get in to the loghost, unless there's a major remote-
> exploitable vulnerability in syslog.
>
> Cheers-
>
> -Ed
>
> On Aug 24, 2007, at 7:09 AM, Lachniet, Mark wrote:
>
>> Anyone know of a good way to set up a Linux box so that you can
>> copy your logs in real-time (or near to it) to a DVD-R that is
>> inserted in the box? I'd like to have a more permanent form of
>> logging so that if the HD dies or gets hacked, there is a backup
>> that went to the DVD burner in a more permanent form.
>>
>> Thanks,
>>
>> Mark Lachniet
Mark,

You are essentially looking for "read and append-only" media. Hard
drives are much more reliable interim storage mediums (in terms of
physical reliability). So, essentially, you are after a hard drive that
can't overwrite existing data (perhaps a DIP/jumper switch setting) and
can act in a streaming fashion - a sort of "write-once/read-many" type
of thing.

AFAIK, such a hard drive doesn't exist and I also am pretty sure there
isn't an appropriate filesystem either (although there might be
something in the "tape system" genre - treat the hard drive like a tape
drive). But it is something to think about.

--
Thomas Hruska
CubicleSoft President
Ph: 517-803-4197
*NEW* MyTaskFocus 1.1
Get on task. Stay on task.
http://www.CubicleSoft.com/MyTaskFocus/
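
Added example, not part of the original thread or of any poster's actual setup: the receive-only loghost firewall described in the quoted reply, as a shell function that prints an iptables-restore ruleset. The TCP port and sender network are assumed values, since the thread names neither. With OUTPUT set to DROP, reply packets for established inbound syslog connections still have to be allowed, or the TCP handshake never completes.

```shell
#!/bin/sh
# Prints an iptables-restore ruleset for a loghost that accepts syslog over TCP
# from one network and originates no connections of its own.
# Assumed usage (port and network are illustrative, not from the thread):
#   loghost_rules 6514 192.0.2.0/24 | iptables-restore

loghost_rules() {
    port="$1"      # TCP port of the encrypted syslog listener (assumed)
    senders="$2"   # CIDR of the hosts allowed to send logs (assumed)

    # Refuse malformed input instead of emitting a ruleset that could fail open.
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "bad port: $port" >&2; return 1
    }
    case "$senders" in
        ''|*[!0-9./]*) echo "bad CIDR: $senders" >&2; return 1 ;;
    esac

    # Policy: drop everything by default in all three chains.
    # INPUT:  loopback, plus new and established syslog traffic from senders.
    # OUTPUT: loopback, plus replies on connections the senders opened.
    #         No NEW state is ever accepted outbound.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -s $senders --dport $port -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport $port -m conntrack --ctstate ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# When invoked as a script with two arguments, print the ruleset.
if [ "$#" -eq 2 ]; then
    loghost_rules "$1" "$2"
fi
```

No SSH rule is present because the described loghost is administered from the console only; the same policy would also be mirrored on the upstream router, as the reply describes.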