What are reasonable blockers for making journald the default logger in F19?

Andrew Schultz ajschult at verizon.net
Wed Oct 17 20:01:29 UTC 2012


Matthew Miller wrote:
> On Wed, Oct 17, 2012 at 03:07:19PM -0400, Andrew Schultz wrote:
>> and if you log all attempts to login, then they'll end up in the
>> logs.  I'd suggest that not logging unknown users by default is a
>> much better solution than having a special log; no admin wants to
>> see passwords (even if they're root) and unknown usernames (either
>> typos or passwords) are rarely helpful.
>
> I don't think that's true. "You're typing the wrong username" happened to me
> on multiple occasions when I was doing that kind of support.

I don't have a problem with logging the fact that a user attempted to 
log in with an unknown username, and that would be sufficient for 
your diagnosis (if you can correlate times).  If you can't correlate 
times, then you get to scrape the logs looking for similar but invalid 
usernames.  A simple "what user name are you trying to log in as?" would 
go much faster.

> Additionally, it maybe useful to log this information for intrusion
> detection and correlation.

Again, you don't need to know that the attacker guessed a username of 
"bob".  You simply need to recognize that N attempts were made to log in 
with unknown usernames during some time period.

> And, in general, authpriv exists as a mechanism for logging any sort of
> potentially private data. It would be a security regression to ignore that.

Not seeing useless (typos) and confidential (passwords) information is 
not a security regression.  And I'm having trouble thinking of other 
information that is super-private (should only be seen by root) and useful.

-- 
Andrew Schultz
ajs42 at buffalo.edu
http://www.sens.buffalo.edu/~ajs42/
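
The two positions in the thread above (Andrew: log that an unknown username was tried, but not the name, and detect bursts by counting; Matthew: keep the detail for correlation) can both be made concrete with a few lines of code. The following is an added example, not code from the thread, Fedora or systemd. It assumes the syslog-style "Invalid user NAME from IP" message that sshd emits on an unknown username; the log lines are constructed, the year is assumed (syslog timestamps carry none), and the threshold and window are illustrative. It shows a redaction step that keeps the fact of the attempt while dropping the name, which is what protects a password typed into the username field, and a detector that flags N unknown-user attempts from one source within a time window without ever reading the name.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog-style format sshd uses for unknown
# usernames. The second line shows the failure mode discussed in the thread:
# a password typed into the username field ends up in the log.
SAMPLE_LOG = """\
Oct 17 20:01:01 host sshd[1234]: Invalid user bbo from 192.0.2.10 port 40000
Oct 17 20:01:05 host sshd[1235]: Invalid user hunter2 from 192.0.2.10 port 40002
Oct 17 20:01:09 host sshd[1236]: Invalid user admin from 198.51.100.7 port 51000
Oct 17 20:01:12 host sshd[1237]: Invalid user test from 198.51.100.7 port 51001
Oct 17 20:01:15 host sshd[1238]: Invalid user oracle from 198.51.100.7 port 51002
Oct 17 20:01:18 host sshd[1239]: Invalid user postgres from 198.51.100.7 port 51003
Oct 17 20:01:20 host sshd[1240]: Accepted publickey for alice from 203.0.113.5 port 60000
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()

# "Invalid user" is matched lazily up to " from " so a name containing spaces
# (a pasted password, say) is still captured as one token.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Invalid user (?P<user>.*?) from (?P<src>\S+)"
)
YEAR = 2012  # assumption: syslog timestamps have no year; the thread is from 2012


def redact_unknown_user(line):
    """Keep the fact that an unknown username was tried, drop the name itself.

    Lines that are not 'Invalid user' messages are returned unchanged, so
    successful logins and other sshd output keep their full detail.
    """
    m = INVALID_USER_RE.match(line)
    if not m:
        return line
    return line[:m.start("user")] + "<redacted>" + line[m.end("user"):]


def redact_log(lines):
    """Apply redact_unknown_user to every line; the safe-to-share log view."""
    return [redact_unknown_user(line) for line in lines]


def parse_ts(ts):
    # Format spaces match runs of whitespace, so "Oct  7" (two spaces) parses too.
    return datetime.strptime(f"{YEAR} {ts}", "%Y %b %d %H:%M:%S")


def unknown_user_bursts(lines, threshold=3, window_seconds=60):
    """Flag sources that made `threshold` unknown-username attempts within
    `window_seconds`, using only timestamp and source address.

    Returns {src: peak attempts seen inside one window}. The username is never
    inspected, so this works equally on the redacted and the raw log.
    """
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = INVALID_USER_RE.match(line)
        if not m:
            continue
        src = m.group("src")
        t = parse_ts(m.group("ts"))
        q = recent[src]
        q.append(t)
        while (t - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged


if __name__ == "__main__":
    for line in redact_log(SAMPLE_LINES):
        print(line)
    print("bursts:", unknown_user_bursts(SAMPLE_LINES))
```

Run against the constructed lines, the redacted view no longer contains "hunter2", and the detector flags 198.51.100.7 (four attempts in nine seconds) while the two-attempt typo from 192.0.2.10 stays below the default threshold. Whether the unredacted name should additionally be kept somewhere root-only, as the authpriv argument in the thread suggests, is a policy choice the code leaves open: the detector needs neither copy to do its job.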

