Unfortunately, it is trivial for end-users and scripts run by end-users to
spoof log lines that appear identical to any log line reported in logs
maintained by syslog/rsyslog. You can identify these logs by looking in
/etc/rsyslog.conf. This means that anyone on the server
can maliciously trigger applications that monitor these logs, such as LFD does for the following options:
LF_SSHD LF_FTPD LF_IMAPD LF_POP3D LF_BIND LF_SUHOSIN LF_SSH_EMAIL_ALERT LF_SU_EMAIL_ALERT LF_CONSOLE_EMAIL_ALERT LF_DISTATTACK LF_DISTFTP LT_POP3D LT_IMAPD PS_INTERVAL UID_INTERVAL WEBMIN_LOG LF_WEBMIN_EMAIL_ALERT PORTKNOCKING_ALERT ST_ENABLE SYSLOG_CHECK LOGSCANNER CUSTOM*_LOG
A malicious user could use this issue to trigger confusing emails regarding both successful and failed login attempts, kernel log lines (including iptables log lines) etc. Unfortunately, there is very little that can be done about this as syslog/rsyslog has no security framework. Some attempt was made in newer versions of rsyslog, but this version is not available in the current versions used by RedHat/CentOS v6. It also has to be enabled and can have adverse effects on utilities that expect a certain format for the log lines.
To mitigate spoofing attempts we recommend the following, if you are willing to accept the consequences of spoofed log lines:

1. Set RESTRICT_SYSLOG to "3" for use with the option RESTRICT_SYSLOG_GROUP to restrict access to the syslog/rsyslog unix socket(s).

2. Make sure DENY_TEMP_IP_LIMIT is set reasonably low. This will limit attempts to block large numbers of IP addresses.

3. Make sure your own IP addresses are listed in /etc/csf/csf.ignore. This will prevent malicious blocking from denying you access to the server.

4. Delete /etc/rsyslog.d/schroot.conf, or remove this line from that file:

   $AddUnixListenSocket /usr/share/cagefs-skeleton/dev/log

   That will prevent end users' access to /dev/log, preventing them from spoofing. However, this does also break cron job logging.
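The recommendations above can be audited with a small script. The POSIX sh helper below is an added example and is not part of csf or lfd. It assumes the csf.conf `KEY = "value"` layout, reads a csf.conf, a csf.ignore, an rsyslog drop-in and a socket path that you pass in, and creates constructed sample files so it runs offline; on a live host you would point it at /etc/csf/csf.conf, /etc/csf/csf.ignore, /etc/rsyslog.d/schroot.conf and /dev/log. The ceiling of 100 for DENY_TEMP_IP_LIMIT is an assumed value, since the text only says "reasonably low".

```shell
#!/bin/sh
# Added audit helper (not part of csf/lfd) for the syslog-spoofing mitigations.
# All paths and sample files below are constructed for this example.

# Print the value of KEY from a csf.conf-style file (KEY = "value"), quotes stripped.
csf_get() {  # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# 0 if RESTRICT_SYSLOG is "3" (socket access limited to RESTRICT_SYSLOG_GROUP).
check_restrict_syslog() {  # $1 = csf.conf
    [ "$(csf_get "$1" RESTRICT_SYSLOG)" = "3" ]
}

# 0 if DENY_TEMP_IP_LIMIT is set and no higher than the ceiling in $2
# (the ceiling is the caller's assumption; the page only says "reasonably low").
check_deny_temp_limit() {  # $1 = csf.conf, $2 = ceiling
    v=$(csf_get "$1" DENY_TEMP_IP_LIMIT)
    [ -n "$v" ] && [ "$v" -le "$2" ]
}

# 0 if the IPv4 address in $2 is an entry in csf.ignore ($1), so spoofed log
# lines naming that address can never get it blocked.
check_ignore_has() {  # $1 = csf.ignore, $2 = IPv4 address
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*$pat([[:space:]/]|\$)" "$1"
}

# 0 if the rsyslog drop-in ($1) still adds a listen socket inside the CageFS
# skeleton, i.e. jailed users can still write straight into syslog.
check_cagefs_socket_exposed() {  # $1 = rsyslog drop-in
    [ -f "$1" ] && grep -q '^[[:space:]]*\$AddUnixListenSocket[[:space:]].*cagefs-skeleton/dev/log' "$1"
}

# 0 if the path in $1 is writable by "other" (anyone on the box can inject lines).
check_world_writable() {  # $1 = socket or file path
    [ -e "$1" ] && [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Run every check; prints one line per finding and returns the number of findings.
audit() {  # $1 = csf.conf, $2 = csf.ignore, $3 = admin IP, $4 = rsyslog drop-in, $5 = socket path
    n=0
    check_restrict_syslog "$1"         || { echo "RESTRICT_SYSLOG is not 3";               n=$((n+1)); }
    check_deny_temp_limit "$1" 100     || { echo "DENY_TEMP_IP_LIMIT missing or > 100";   n=$((n+1)); }
    check_ignore_has "$2" "$3"         || { echo "$3 is not listed in $2";                n=$((n+1)); }
    ! check_cagefs_socket_exposed "$4" || { echo "CageFS syslog socket still listed in $4"; n=$((n+1)); }
    ! check_world_writable "$5"        || { echo "$5 is world-writable";                  n=$((n+1)); }
    return $n
}

# --- Constructed sample inputs (not taken from any real host) -----------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/csf.conf.weak" <<'EOF'
# constructed csf.conf fragment before applying the recommendations
RESTRICT_SYSLOG = "0"
RESTRICT_SYSLOG_GROUP = "mysyslog"
DENY_TEMP_IP_LIMIT = "200"
EOF
cat > "$SAMPLE_DIR/csf.conf.hardened" <<'EOF'
# constructed csf.conf fragment after applying the recommendations
RESTRICT_SYSLOG = "3"
RESTRICT_SYSLOG_GROUP = "mysyslog"
DENY_TEMP_IP_LIMIT = "50"
EOF
printf '# constructed csf.ignore\n203.0.113.10 # admin workstation\n' > "$SAMPLE_DIR/csf.ignore"
printf '$AddUnixListenSocket /usr/share/cagefs-skeleton/dev/log\n' > "$SAMPLE_DIR/schroot.conf"
: > "$SAMPLE_DIR/dev.log.open";       chmod 666 "$SAMPLE_DIR/dev.log.open"        # stands in for an open /dev/log
: > "$SAMPLE_DIR/dev.log.restricted"; chmod 660 "$SAMPLE_DIR/dev.log.restricted"  # stands in for a group-restricted /dev/log

# The weak set yields four findings, the hardened set (no schroot.conf) none.
audit "$SAMPLE_DIR/csf.conf.weak" "$SAMPLE_DIR/csf.ignore" 203.0.113.10 \
      "$SAMPLE_DIR/schroot.conf" "$SAMPLE_DIR/dev.log.open" || echo "weak config: $? finding(s)"
audit "$SAMPLE_DIR/csf.conf.hardened" "$SAMPLE_DIR/csf.ignore" 203.0.113.10 \
      "$SAMPLE_DIR/no-such.conf" "$SAMPLE_DIR/dev.log.restricted" && echo "hardened config: no findings"
```

Each check is a separate function returning 0 or 1 so it can be wired into a cron job or monitoring script on its own; the `audit` wrapper's exit status is the finding count, which makes it easy to alert only when it is non-zero.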