
core-sdi's secure syslogd - ssyslogd



In response to my post regarding core-sdi's secure syslogd - ssyslogd.

Sorry it has taken me so long to post this...been super busy...

I didn't get a lot of responses back from the list regarding ssyslogd.
Just a couple of people who said they were using it, and it was working.

I grabbed the latest version (ssyslogd-1.22) from
http://www.core-sdi.com/ssyslog/.

I had a problem compiling it on Redhat 5.0, but a small modification
and it went. Their site says it compiles on

- OpenBSD 2.1, 2.2 and 2.3
- Linux Slackware 2.0.x
- SunOs 4.1.4
- Solaris 2.5.1
- FreeBSD 2.2.5

I sent them an email, and they said they would be updating the dist to
compile with the new glibc as well...

Quote from core-sdi:
"Designed to replace the syslog daemon, ssyslog implements a cryptographic
protocol called PEO-1 that allows the remote auditing of system logs.
Auditing remains possible even if an intruder gains superuser privileges
in the system, the protocol guarantees that the information logged before
and during the intrusion process cannot be modified without the auditor
(on a remote, trusted host) noticing."

I grabbed the win32 auditing tool from their site, and it worked fine. You
can only audit logs from a remote machine, no auditing on the local
machine is allowed. They have a Unix auditor as well that comes with the
source dist.

Replaced syslogd with the new ssyslogd, and it ran fine with the
syslog.conf I had. Add [peo] to the syslog.conf entry, and it implements
PEO-1.

authpriv.*		[peo]		/var/log/secure

and so on...

It has been up for about a week without a hitch.

Mark
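
Added example, not part of the original post and not core-sdi's code or the PEO-1 protocol itself: a small forward-integrity log chain that illustrates the property the core-sdi quote describes, namely that entries written before a root compromise cannot be altered without a remote auditor holding the initial key noticing. Everything here (the key-evolution step, the `ForwardSecureLog` class, the `audit` function, the sample log lines) is a constructed illustration of the general idea, not PEO-1's actual wire format or key schedule.

```python
import hashlib
import hmac

# Hypothetical forward-integrity log scheme (assumption: NOT PEO-1, NOT core-sdi code).
# Each entry is MACed with the current key, which is then evolved one-way and
# the old key discarded; an intruder who later obtains root finds only the
# current key and cannot forge tags for earlier entries.


def evolve_key(key: bytes) -> bytes:
    """One-way key update; the previous key is unrecoverable from the new one."""
    return hashlib.sha256(b"evolve|" + key).digest()


def entry_tag(key: bytes, seq: int, msg: bytes) -> bytes:
    """MAC over sequence number and message so reordering is detected too."""
    return hmac.new(key, seq.to_bytes(8, "big") + msg, hashlib.sha256).digest()


class ForwardSecureLog:
    def __init__(self, initial_key: bytes):
        self._key = initial_key      # only the *current* key stays on the host
        self._seq = 0
        self.entries = []            # list of (seq, msg, tag)

    def log(self, msg: bytes) -> None:
        self.entries.append((self._seq, msg, entry_tag(self._key, self._seq, msg)))
        self._key = evolve_key(self._key)   # old key is gone after this line
        self._seq += 1

    def current_key(self) -> bytes:
        """What an intruder with root would find in memory after the fact."""
        return self._key


def audit(initial_key: bytes, entries, expected_count=None):
    """Auditor on a trusted remote host re-derives the key chain from the initial key.
    Returns None if every entry verifies, else the index of the first bad entry."""
    key = initial_key
    for i, (seq, msg, tag) in enumerate(entries):
        if seq != i or not hmac.compare_digest(tag, entry_tag(key, seq, msg)):
            return i
        key = evolve_key(key)
    if expected_count is not None and len(entries) != expected_count:
        return len(entries)          # trailing entries were truncated
    return None


def demo():
    # constructed seed shared out-of-band with the auditor before logging starts
    k0 = hashlib.sha256(b"constructed demo seed shared with auditor").digest()
    lg = ForwardSecureLog(k0)
    for m in (b"sshd: accepted password for alice",   # constructed sample lines
              b"su: root session opened",
              b"useradd: new user bob"):
        lg.log(m)
    clean = audit(k0, lg.entries)

    # after-the-fact edit of entry 1, re-tagged with the only key left on the host
    tampered = list(lg.entries)
    seq, _, _ = tampered[1]
    forged_msg = b"cron: job completed"
    tampered[1] = (seq, forged_msg, entry_tag(lg.current_key(), seq, forged_msg))
    edited = audit(k0, tampered)

    # deleting the last entry is caught only if the auditor knows the expected count
    truncated = audit(k0, lg.entries[:2], expected_count=3)
    return {"clean": clean, "edited": edited, "truncated": truncated}


if __name__ == "__main__":
    print(demo())
```

The `truncated` case shows the caveat that a per-entry MAC chain alone does not reveal that the tail of the log was removed; the auditor also needs an independent expectation of how many entries (or a periodic heartbeat) it should have received, which is why a scheme like this is paired with a remote auditor rather than a purely local check.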


