[CentOS] CentOS and typical usage

Sun Dec 13 21:47:57 UTC 2015
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Sun, December 13, 2015 3:19 pm, Alice Wonder wrote:
>
>
> On 12/13/2015 12:45 PM, Valeri Galtsev wrote:
>> On Sun, December 13, 2015 11:36 am, Alice Wonder wrote:
>>>
>>>
>>> On 12/13/2015 08:39 AM, Timothy Murphy wrote:
>>>> Alice Wonder wrote:
>>>>> One of the benefits of systemd is the dependency based parallel
>>>>> startup.
>>>>> The same speed can often be achieved with system V init by fine
>>>>> tuning when the services start but systemd does that automatically.
>>>> If it's no faster then why is it a benefit?
>>>
>>> Binary logs with checksums are one benefit, much harder for a hacker or
>>> malware to hide its tracks.
>>
>> Without intent to be a pain in a... just respectfully disagreeing.
>>
>> Harder only from the point of view that the current tools script kiddies
>> use will not deal with them. Fundamentally better security/forensics-wise
>> would be to keep logs on a remote secure server. Like in the very first
>> computer security lesson: you can not trust anything on a compromised
>> machine.
>
>
> It's a matter of knowing your machine has been compromised.

Yes and no. If you are lucky this may be the way you learn about
compromise. If you are not, see below.
>
> Modifying the binary logs to hide that you are there will result in
> checksum inconsistencies, removing a few lines from text logs will not.

Checksums are created and stored on the same machine. So, checksums can be
"doctored" as well as logs can.

>
> Yes, you can use text log to a remote machine to avoid that, but binary
> logs let you on the local machine.

But yes, there is nothing ultimate, so even the remote logs I mentioned
earlier can be trusted only up to the moment the compromise happened;
further logs sent by a compromised machine can be garbage. Luckily one (bad
guy) can not do everything simultaneously, so there will be some clues in
the remote logs about the compromise. But I agree, anything making the job
of the bad guy more difficult helps, as we are just competing with them for
time. Only having logs in binary form brings more disadvantages for _me_
than it offers advantages. But it's just me, so who cares ;-)

Valeri

>
> --
> -=-
> Sent from my laptop, may not be able to respond timely
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>


++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
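As an added illustration of the point made in the message above (example code, not from the thread and not journald's own mechanism): a toy hash-chained log showing that checksums kept on the same machine only prove internal consistency, while a single digest copied off-box before the compromise pins every entry up to that point. The function names and log lines are constructed for the example.

```python
import hashlib
SEED = b"\x00" * 32  # starting value of the chain

def chain(entries):
    """Forward hash chain: each digest covers the previous digest and the
    current entry, so changing one entry breaks every later digest."""
    prev, records = SEED, []
    for entry in entries:
        digest = hashlib.sha256(prev + entry.encode()).digest()
        records.append((entry, digest))
        prev = digest
    return records

def verify_local(records):
    """What a check using only on-box checksums can do: confirm the chain
    is internally consistent. Nothing here is independent of the machine."""
    prev = SEED
    for entry, digest in records:
        if hashlib.sha256(prev + entry.encode()).digest() != digest:
            return False
        prev = digest
    return True

def verify_anchored(records, anchor_index, anchor_digest):
    """Also compare one digest with a copy shipped off-box before the
    compromise; entries up to anchor_index are then pinned."""
    if not verify_local(records) or anchor_index >= len(records):
        return False
    return records[anchor_index][1] == anchor_digest

def rewrite_entry(records, index, new_text):
    """Simulate the 'doctoring' the thread describes: root rewrites an
    entry and recomputes every checksum on the same machine."""
    entries = [entry for entry, _ in records]
    entries[index] = new_text
    return chain(entries)

# Constructed sample log lines (not real log data).
LOG = ["sshd: Accepted publickey for admin from 192.0.2.10",
       "sshd: Accepted password for root from 203.0.113.5",
       "sudo: root : COMMAND=/bin/sh"]

def demo():
    """Rewrite entry 1 after digest 1 was shipped off-box; return
    (local check still passes, anchored check fails)."""
    records = chain(LOG)
    anchor = records[1][1]  # the copy held on the remote host
    doctored = rewrite_entry(records, 1, "sshd: Connection closed")
    return verify_local(doctored), verify_anchored(doctored, 1, anchor)
```

Entries written after the anchor are still only internally consistent, which is the same limit the message puts on remote logs sent after the compromise.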