Here is a fairly generic question for this newsgroup but here it is.
My problem is simple: I need to have secure logs. When I say "secure", I mean that even root will not be able to alter them or remove them. Also I would like these logs to rotate over some period of time (adjustable period of course).
Read access to these logs should be authenticated and authorised through some sort of security standards (RADIUS/IPSec???).
Last but not least, my operating system should allow these logs to be written in a secure manner (say through a tunnel).
This is a huge wish list I realize, but I have some thoughts on the subject and I am wondering if the major vendors (Sun, IBM, HP) have been addressing the subject....
From article <38318C8F.16384...@nortelnetworks.com>, by "Martin Paré" <mp...@nortelnetworks.com>:
> My problem is simple: I need to have secure logs. When I say "secure", I
> mean that even root will not be able to alter them or remove them. Also
> I would like these logs to rotate over some period of time (adjustable
> period of course).
Martin Paré mp...@nortelnetworks.com wrote:
>Here is a fairly generic question for this newsgroup but here it is.
>My problem is simple: I need to have secure logs. When I say "secure", I
>mean that even root will not be able to alter them or remove them. Also
>I would like these logs to rotate over some period of time (adjustable
>period of course).

BSD has the notion of the append-only permission; this would prevent modifying anything that's already in the file.

>Read access to these logs should be authenticated and authorised through
>some sort of security standards (RADIUS/IPSec???).
>Last but not least, my operating system should allow these logs to be
>written in a secure manner (say through a tunnel).
>This is a huge wish list I realize, but I have some thoughts on the
>subject and I am wondering if the major vendors (Sun, IBM, HP) have been
>addressing the subject....

Yep, your other requirements make things a little more complicated. Something you can do at home may be syslogd + tcpwrappers + ssh tunnel.
I used to know an admin who just printed everything on the fly as it was logged. Seems like the safest way to me :)
As you know, root being omnipotent on a unix box will be a problem in this case. The way I have handled this in the past is to have all logs dumped to a hardened syslog server on a separate network segment, behind a firewall. Since the syslog server is not a production box, access to it can be very tight.

As far as encrypting the logs in transit (assuming you are sticking with the normal syslog; I am not familiar with anything commercial that does this), one way is to use a firewall with encrypted VPN capability in front of the servers sending the logs and in front of the syslog server. The second way is to use syslog-ng, which uses TCP rather than UDP for transporting logs. Using TCP allows you to put stunnel (an OpenSSL-based encrypted tunnel program) in front of it, and also has the added benefit of not being susceptible to 'spoofed log stuffing'.

A much more difficult problem to deal with: if you don't trust the root users of a UNIX box, you really can't trust the logs that come from that box. As root, I could kill syslogd (or any equivalent), modify the configuration file, install a 'custom logger' that happily generates normal-looking logs, or anything else my heart desires.
> Here is a fairly generic question for this newsgroup but here it is.
> My problem is simple: I need to have secure logs. When I say "secure", I
> mean that even root will not be able to alter them or remove them. Also
> I would like these logs to rotate over some period of time (adjustable
> period of course).
> Read access to these logs should be authenticated and authorised through
> some sort of security standards (RADIUS/IPSec???).
> Last but not least, my operating system should allow these logs to be
> written in a secure manner (say through a tunnel).
> This is a huge wish list I realize, but I have some thoughts on the
> subject and I am wondering if the major vendors (Sun, IBM, HP) have been
> addressing the subject....

Connect another simple machine to your system where you want secure logging over a dedicated serial line, only allowing output to the logslave. This should make it harder to change logfiles.
Martin Paré wrote:
> Here is a fairly generic question for this newsgroup but here it is.
> My problem is simple: I need to have secure logs. When I say "secure", I
> mean that even root will not be able to alter them or remove them. Also
> I would like these logs to rotate over some period of time (adjustable
> period of course).
> Read access to these logs should be authenticated and authorised through
> some sort of security standards (RADIUS/IPSec???).
> Last but not least, my operating system should allow these logs to be
> written in a secure manner (say through a tunnel).
> This is a huge wish list I realize, but I have some thoughts on the
> subject and I am wondering if the major vendors (Sun, IBM, HP) have been
> addressing the subject....

Tue, 16 Nov 1999 21:35:29 GMT shad...@whitefang.com:
>BSD has the notion of the append-only permission; this would prevent
>modifying anything that's already in the file.

I think it's unwise to rely on BSD-style "securelevel" mechanisms. They have been repeatedly broken, because the system is conceptually frail; to assume that securelevels are secure, you must also assume that the kernel and its userland interfaces are all secure from attack against the superuser. This is a very large assumption, and not one I'd stake my business on.
>>Read access to these logs should be authenticated and authorised through
>>some sort of security standards (RADIUS/IPSec???).

I don't understand what you mean by this. A fairly good way to protect logs is with cryptography. RADIUS is not a cryptographic algorithm, but rather a means by which authentication requests can be forwarded "securely" across a network. IPsec is simply a secure network transport. What either of these have to do with reading logs escapes me.
>>Last but not least, my operating system should allow these logs to be
>>written in a secure manner (say through a tunnel).

Again, I think you need to define your terms more clearly and explain the context in which you're discussing them. I don't see what a tunnel has to do with writing logs.
Perhaps you're discussing the details involved in forwarding logs across an insecure network, a la the syslog protocol? If so, the solution to that problem is fairly obvious; use a cryptographic network protocol that authenticates each log message and optionally provides confidentiality.
The problem of secure storage and updating of logs in hostile operating system environments has been a topic of much research lately; see CORE's PEO-1 protocol and Schneier's Counterpane work on the subject of updatable logs that provide integrity assurance.
>I used to know an admin who just printed everything on the fly as it
>was logged. Seems like the safest way to me :)

Not really. Attackers generate log events and have some control over their contents. This gives them a means by which they can influence your printing system and the printing hardware itself. Your logging capability isn't very useful if I can disable it trivially by soaking all your paper in toner.
-- 
----------------------------------------------------------------
Thomas H. Ptacek                       http://www.pobox.com/~tqbf
----------------------------------------------------------------
"If you're so special, why aren't you dead?"
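Two points in this part of the thread lend themselves to a concrete illustration: the 'spoofed log stuffing' that plain UDP syslog is open to, mentioned a few posts up, and the observation just above that attackers generate log events and control part of their contents, so they can drive whatever a terminal or printer does with them. The following is an added example, not code from the thread, from any of the posters, or from any syslog implementation. It is a small receive-side filter for a hardened loghost that parses the RFC 3164 <PRI> header, records the authenticated peer of the connection instead of the host name the message claims, and renders every control byte visible instead of letting it act. The sample messages, the host names web1/db1 and the `peer_host` parameter are constructed for this example.

```python
"""Receive-side filter for a hardened loghost (added example).

Assumes the collector already knows the authenticated peer for each
connection (for instance the certificate subject or the source of a
TCP/stunnel session) and passes it in as `peer_host`.
"""
import re

# RFC 3164 layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
HDR_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_MSG = 1024  # RFC 3164 packet limit; anything longer is cut here


def parse_pri(line: str):
    """Return (facility, severity, rest), or None for a missing or out-of-range PRI."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facilities 0..23, severities 0..7
        return None
    return pri // 8, pri % 8, m.group(2)


def neutralise(text: str) -> str:
    """Render control bytes (LF, CR, ESC, FF, ...) as visible \\xNN escapes so a
    message cannot fake additional lines or drive a terminal or printer."""
    return "".join("\\x%02x" % ord(c) if ord(c) < 0x20 or ord(c) == 0x7f else c
                   for c in text)


def make_record(peer_host: str, line: str):
    """Turn one received line into the record the loghost stores, or None to drop it."""
    parsed = parse_pri(line[:MAX_MSG])
    if parsed is None:
        return None
    facility, severity, rest = parsed
    m = HDR_RE.match(rest)
    if m:
        timestamp, claimed_host, msg = m.groups()
    else:
        timestamp, claimed_host, msg = "-", "-", rest
    return {
        "facility": facility,
        "severity": SEVERITY[severity],
        "timestamp": timestamp,
        "host": peer_host,                       # authenticated peer, never the claim
        "claimed_host": claimed_host,
        "spoofed_host": claimed_host not in ("-", peer_host),
        "msg": neutralise(msg),
    }


def ingest(peer_host: str, lines):
    """Process a batch; returns (kept_records, dropped_count)."""
    kept, dropped = [], 0
    for line in lines:
        rec = make_record(peer_host, line)
        if rec is None:
            dropped += 1
        else:
            kept.append(rec)
    return kept, dropped


# Constructed sample traffic, as if received from the authenticated peer "web1".
SAMPLE = [
    "<34>Nov 16 21:35:29 web1 sshd[123]: Failed password for root from 10.0.0.5",
    # log stuffing: a fake second line embedded via LF, plus a host the peer does not own
    "<13>Nov 16 21:35:30 db1 app: ok\nNov 16 21:35:31 web1 sshd[124]: Accepted password for root",
    # terminal/printer control: ESC [ 2 J (clear screen) followed by a form feed
    "<13>Nov 16 21:35:32 web1 app: done\x1b[2J\x0c",
    "<999>garbage",           # impossible PRI
    "no priority at all",     # not syslog framing
]

if __name__ == "__main__":
    records, dropped = ingest("web1", SAMPLE)
    for r in records:
        print(r)
    print("dropped:", dropped)
```

The record keeps both the peer the loghost authenticated and the host name the message claimed, flagging a mismatch rather than silently trusting either; the embedded newline in the second sample becomes a literal `\x0a` in a single stored line, so a forged "Accepted password" entry cannot masquerade as its own record, and the escape sequence in the third sample is stored as text instead of being sent to a terminal or printer. None of this helps against a sender whose root is hostile: it only makes sure the loghost itself is not the one being fooled.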
You can have 2 ethernet interfaces on the unix box, and hang the syslog server off the segment on the 2nd ethernet interface if you don't want the traffic seen on the net.
> As far as encrypting the logs in transit (assuming you are sticking
> with the normal syslog, I am not familiar with anything commercial that does
> this), you could either use a firewall with encrypted vpn capability in
> front of the servers sending the logs and in front of the syslog server.
>
> > My problem is simple: I need to have secure logs. When I say "secure", I
> > mean that even root will not be able to alter them or remove them.

Very tough to do, because, as noted earlier, anything can be substituted by root: syslogd, or the tripwire that checks syslogd to make sure that it hasn't been substituted. You might try Memco. I have no experience, so I don't know if their OS would meet your needs.

-- 
Jim Moore                      Eastman Kodak Company
Systems Support Consultant     1700 Dewey Avenue
(716) 588-2006                 6/69/RL Mailstop: 01925
jmo...@image.kodak.com         Rochester, NY 14650-1925
> > > My problem is simple: I need to have secure logs. When I say "secure", I
> > > mean that even root will not be able to alter them or remove them.
>
> Very tough to do, because, as noted earlier, anything can be substituted
> by root: syslogd, or the tripwire that checks syslogd to make sure that it
> hasn't been substituted. You might try Memco. I have no experience, so
> I don't know if their OS would meet your needs.

You could always log to a WORM device...
-- Rich Teer
NT tries to do almost everything UNIX does, but fails - miserably.
The use of Windoze cripples the mind; its use should, therefore, be regarded as a criminal offence. (With apologies to Edsger W. Dijkstra)
On Tue, 16 Nov 1999 11:55:43 -0500, Martin Paré wrote:
> Here is a fairly generic question for this newsgroup but here it is.
> My problem is simple: I need to have secure logs. When I say "secure", I
> mean that even root will not be able to alter them or remove them. Also
> I would like these logs to rotate over some period of time (adjustable
> period of course).

You might benefit from secure syslog, a syslog replacement that uses cryptography to make sure that the logs are not tampered with. The URL I got is: http://www.core-sdi.com/ssyslog I have not used it myself, only taken a quick look, and I think that it seems promising. If it holds what it promises you get the logs somewhat tamper-proof, but you won't get protection against someone altering your encryption keys or removing the logs altogether.
As far as I know there is no way to protect yourself from root in unix; you will have to build a "secure" loghost that does nothing except logging, preferably on a local network that isn't accessible from outside. Read the different FAQs and papers about armoring and securing Solaris if that is what you're using. http://www.deter.com/unix/ and http://www.securityfocus.com have a lot of what you need.
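To make the ssyslog idea in this post, and the PEO-1 / Schneier-Kelsey work referenced earlier in the thread, concrete, here is an added example. It is not the code of ssyslog, CORE or Counterpane; it is a small forward-secure, hash-chained log in the same spirit: every entry is MACed under a key that is replaced by its own hash right after the write, entries are chained by hash, and a verifier holding the initial key K_0 (kept off the logging host) re-derives every key and checks every entry. The key-evolution function, the JSON record format, the close/rotate convention and all sample messages are assumptions of this example.

```python
"""Forward-secure, hash-chained audit log (added example).

Keys evolve as K_{i+1} = H("evolve" || K_i) and K_i is erased after entry i
is written, so a later root compromise yields only the current key and
cannot re-tag earlier entries. A verifier holding K_0 (kept off the logging
host) re-derives every key and checks every record.
"""
import copy
import hashlib
import hmac
import json

ZERO = b"\x00" * 32  # chain head before the first entry


def next_key(key: bytes) -> bytes:
    """One-way key evolution; the logger forgets the previous key."""
    return hashlib.sha256(b"evolve|" + key).digest()


def tag_for(key: bytes, body: bytes) -> str:
    """Per-entry authenticator under the key that was current at write time."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def link(body: bytes, tag: str) -> bytes:
    """Hash of a stored record, carried into the next record as `prev`."""
    return hashlib.sha256(body + tag.encode()).digest()


class ForwardSecureLog:
    """What the logging host holds: the current key and the records on disk."""

    def __init__(self, k0: bytes):
        self.key = k0          # only the *current* key is ever held
        self.prev = ZERO       # hash of the last record written
        self.entries = []      # what lands on disk: {"body": str, "tag": str}

    def append(self, msg: str, kind: str = "entry") -> None:
        body = json.dumps(
            {"n": len(self.entries), "kind": kind, "msg": msg, "prev": self.prev.hex()},
            sort_keys=True,
        ).encode()
        tag = tag_for(self.key, body)
        self.entries.append({"body": body.decode(), "tag": tag})
        self.prev = link(body, tag)
        self.key = next_key(self.key)  # old key is gone; entry n cannot be re-tagged

    def close(self) -> None:
        """Terminal record; its absence is how tail truncation is noticed."""
        self.append("log closed", kind="close")

    def rotate(self, new_k0: bytes) -> "ForwardSecureLog":
        """Close this log and start the next one under a key issued by the verifier side."""
        self.close()
        return ForwardSecureLog(new_k0)


def verify(k0: bytes, entries) -> tuple:
    """Return (ok, reason). Catches edits, deletions, reordering, insertions
    and a missing close record; cannot catch removal of the whole log."""
    key, prev, closed = k0, ZERO, False
    for i, e in enumerate(entries):
        body = e["body"].encode()
        if closed:
            return False, "entry %d follows the close record" % i
        if not hmac.compare_digest(tag_for(key, body), e["tag"]):
            return False, "bad tag on entry %d" % i
        rec = json.loads(body)
        if rec["n"] != i or rec["prev"] != prev.hex():
            return False, "chain broken at entry %d" % i
        closed = rec["kind"] == "close"
        prev = link(body, e["tag"])
        key = next_key(key)
    if not closed:
        return False, "no close record: log is open or was truncated"
    return True, "ok"


def tamper(entries, i: int, new_msg: str):
    """Attacker model: root edits entry i in place on disk (a copy is returned)."""
    edited = copy.deepcopy(entries)
    rec = json.loads(edited[i]["body"])
    rec["msg"] = new_msg
    edited[i]["body"] = json.dumps(rec, sort_keys=True)
    return edited


if __name__ == "__main__":
    k0 = bytes(32)  # real deployments: os.urandom(32), handed out by the loghost
    log = ForwardSecureLog(k0)
    log.append("sshd[1]: Accepted publickey for admin")
    log.append("su: root login on tty1")
    log.close()
    print(verify(k0, log.entries))
    print(verify(k0, tamper(log.entries, 1, "su: nothing happened")))
    print(verify(k0, log.entries[:2]))
```

Rotation is the close-and-reissue step: the verifier side hands the host a fresh K_0 at whatever period you like, which also gives the adjustable rotation the original question asked for, and each closed segment stands on its own for verification. The limits match the caveat in the post above: an intruder who becomes root learns the key that is current from then on, so entries written after the compromise, or the decision to stop logging or delete the file altogether, are not something this construction can detect; what it guarantees is that everything written before the compromise can no longer be altered, reordered or removed without the verifier noticing.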
In comp.security.unix James H. Moore (Jim) <jmo...@image.kodak.com> wrote:
> You can have 2 ethernet interfaces on the unix box, and hang the syslog
> server off the segment on the 2nd ethernet interface if you don't want
> the traffic seen on the net.

Serial port works quite well; a printer is best of all.

-- 
NOTE: Above email address is fictitious; use rot13 to see email address below.
Qneera.Fcvg...@vagrenpg.arg.nh