Why would anyone design a system like that?!
The logging of every security system is prone to flooding. You may have
noticed that your syslog sometimes spits "Last message repeated N times"
so it won't repeat itself. A system that doesn't deal with this issue in
any way can't be secure. There are a lot of methods to deal with it but I
think we're going seriously off-topic here so if anyone wishes to continue
discussing this specific logging problem, I suggest we switch to non-lkml
mode.
> Yes, but now any unsuccessful attempts to change the name will be
> logged, where before there was basically no risk for the attacker
> trying over and over until success. Even a single failure could
> raise an alert on the target machine, something a cracker definitely
> does not want to happen.
>
Not necessarily - it depends on the case. If the file being unlinked is
the logfile itself, and it's checked by a cron job every once in a while
(a common situation), an attacker won't mind making a lot of noise in
the soon-to-be-a-free-inode logfile. After-the-fact security systems are
usually not suitable for server protection, and the system you suggest,
being statistical, is after-the-fact by definition.
Yoav Weiss
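As an added illustration of the flood problem raised above (this is example code written for this page, not code from the thread or from the kernel), the following shows two of the "methods to deal with it": the classic syslogd-style collapsing of consecutive duplicates into a "last message repeated N times" line, and a per-message sliding-window rate limit that keeps a count of what it dropped so the suppression itself remains visible to whoever reads the log. The event list and the unlink message text are constructed sample data; the function names are this example's own.

```python
"""Two flood-control strategies for a security audit log (added example).

Events are (timestamp_seconds, message) pairs. Nothing here touches the
filesystem; the input below is constructed to show a burst of one message.
"""

from collections import defaultdict, deque

# Constructed sample message and event stream (not from any real system).
UNLINK = "unlink denied: /var/log/secure (uid 1001)"
OTHER = "login succeeded: uid 1001"
NOISE = "cron: job started"

SAMPLE = [
    (0, UNLINK), (0, UNLINK), (1, UNLINK),   # burst of the same failure
    (1, OTHER),
    (2, UNLINK), (3, UNLINK),                # burst continues
    (10, UNLINK),                            # same message, after a pause
    (11, NOISE),
]


def collapse_repeats(messages):
    """Collapse consecutive identical messages the way syslogd does:
    emit the first copy, then one summary line once the run ends."""
    out = []
    last = None
    repeats = 0
    for msg in messages:
        if msg == last:
            repeats += 1
            continue
        if repeats:
            out.append(f"last message repeated {repeats} times")
        out.append(msg)
        last = msg
        repeats = 0
    if repeats:  # flush a run that ended at end-of-input
        out.append(f"last message repeated {repeats} times")
    return out


def rate_limit(events, burst, window):
    """Per-message sliding-window limiter.

    Keeps at most `burst` copies of a given message within any `window`
    seconds and drops the rest. Dropped copies are counted per message
    so the caller can still log a summary instead of losing the signal.
    Returns (kept_events, dropped_counts).
    """
    recent = defaultdict(deque)   # message -> timestamps of kept copies
    kept = []
    dropped = defaultdict(int)
    for ts, msg in events:
        q = recent[msg]
        while q and ts - q[0] >= window:  # expire old entries
            q.popleft()
        if len(q) < burst:
            q.append(ts)
            kept.append((ts, msg))
        else:
            dropped[msg] += 1
    return kept, dict(dropped)


if __name__ == "__main__":
    for line in collapse_repeats([m for _, m in SAMPLE]):
        print(line)
    kept, dropped = rate_limit(SAMPLE, burst=2, window=5)
    print(f"kept {len(kept)} events, dropped {dropped}")
```

The two strategies fail differently: duplicate collapsing only helps when the repeats are adjacent and identical, while the rate limiter still caps a flood that is interleaved with other traffic, at the cost of discarding individual copies. Either way the summary line is what an after-the-fact checker (such as the cron job mentioned above) would need to see, which is exactly what is lost if the attacker's target is the logfile itself.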
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/