
Secure Logging ....!!!


Martin Paré

Nov 16, 1999
Here is a fairly generic question for this newsgroup but here it is.

My problem is simple: I need to have secure logs. When I say "secure", I
mean that even root will not be able to alter them or remove them. Also
I would like these logs to rotate over some period of time (adjustable
period, of course).

Read access to these logs should be authenticated and authorised through
some sort of security standard (RADIUS/IPSec???).

Last but not least, my operating system should allow these logs to be
written in a secure manner (say through a tunnel).

This is a huge wish list, I realize, but I have some thoughts on the
subject and I am wondering if the major vendors (Sun, IBM, HP) have been
addressing the subject....


Thanks,

Martin

Bruno Wolff III

Nov 16, 1999
From article <38318C8F...@nortelnetworks.com>, by "Martin Paré" <mp...@nortelnetworks.com>:

> My problem is simple: I need to have secure logs. When I say "secure", I
> mean that even root will not be able to alter them or remove them. Also
> I would like these logs to rotate over some period of time (adjustable
> period, of course).

There is a paper on this that you can get at:
http://www.counterpane.com/auditlog2.html

shadows

Nov 16, 1999
Martin Paré mp...@nortelnetworks.com wrote:
>Here is a fairly generic question for this newsgroup but here it is.
>
>My problem is simple: I need to have secure logs. When I say "secure", I
>mean that even root will not be able to alter them or remove them. Also
>I would like these logs to rotate over some period of time (adjustable
>period, of course).

BSD has the notion of the append-only permission, this would prevent
modifying anything that's already in the file.

>Read access to these logs should be authenticated and authorised through
>some sort of security standard (RADIUS/IPSec???).
>
>Last but not least, my operating system should allow these logs to be
>written in a secure manner (say through a tunnel).
>
>This is a huge wish list, I realize, but I have some thoughts on the
>subject and I am wondering if the major vendors (Sun, IBM, HP) have been
>addressing the subject....

Yep, your other requirements make things a little more complicated.
Something you can do at home may be syslogd + tcpwrappers + ssh
tunnel.

I used to know an admin who just printed everything on the fly as it
was logged. Seems like the safest way to me :)

--
Thamer Al-Herbish <URL http://www.whitefang.com/>
sha...@whitefang.com

Jerry Bell

Nov 16, 1999
As you know, root being omnipotent on a unix box will be a problem in this
case. The way I have handled this in the past is to have all logs dumped to
a hardened syslog server on a separate network segment, behind a firewall.
Since the syslog server is not a production box, access to it can be very
tight. As far as encrypting the logs in transit (assuming you are sticking
with the normal syslog; I am not familiar with anything commercial that does
this), you could either use a firewall with encrypted VPN capability in
front of the servers sending the logs and in front of the syslog server.
The second way is to use syslog-ng, which uses TCP rather than UDP for
transporting logs. Using TCP allows you to put stunnel (an OpenSSL-based
encrypted tunnel program) in front of it, and also has the added benefit of
not being susceptible to 'spoofed log stuffing'.
A much more difficult problem to deal with: if you don't trust the root users
of a UNIX box, you really can't trust the logs that come from that box. As
root, I could kill syslogd (or any equivalent), modify the configuration
file, install a 'custom logger' that happily generates normal-looking logs,
or anything else my heart desires.

Jerry
http://www.bellnetworks.net/cs

Martin Paré <mp...@nortelnetworks.com> wrote in message
news:38318C8F...@nortelnetworks.com...


> Here is a fairly generic question for this newsgroup but here it is.
>
> My problem is simple: I need to have secure logs. When I say "secure", I
> mean that even root will not be able to alter them or remove them. Also
> I would like these logs to rotate over some period of time (adjustable
> period, of course).
>

> Read access to these logs should be authenticated and authorised through
> some sort of security standard (RADIUS/IPSec???).
>
> Last but not least, my operating system should allow these logs to be
> written in a secure manner (say through a tunnel).
>
> This is a huge wish list, I realize, but I have some thoughts on the
> subject and I am wondering if the major vendors (Sun, IBM, HP) have been
> addressing the subject....
>
>

> Thanks,
>
> Martin
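
A concrete version of the second route Jerry describes, given here as an added example and not as configuration from the thread or from the syslog-ng or stunnel projects: syslog-ng on each sender speaks plain TCP to a local stunnel, stunnel carries it over TLS with mutual certificate verification to the loghost's stunnel, and that hands it to a syslog-ng listening only on loopback. The first fragment is the weak setup this replaces. Host names, ports and certificate paths are assumptions, and several files are shown in one fence for readability (stunnel uses `;` comments, syslog-ng uses `#`).

```conf
# ---- weak: the loghost accepts cleartext UDP syslog from anyone ----------
# syslog-ng.conf on the loghost (what Jerry's "spoofed log stuffing" attacks)
source s_udp { udp(ip("0.0.0.0") port(514)); };

# ---- hardened: TCP into a local stunnel, TLS across the wire --------------
; stunnel.conf on each sending host (client side)
client  = yes
cert    = /etc/stunnel/sender.pem        ; per-host client certificate (assumed path)
key     = /etc/stunnel/sender.key
CAfile  = /etc/stunnel/ca.pem
verify  = 2                              ; require and verify the loghost's certificate
[syslog]
accept  = 127.0.0.1:5140                 ; plaintext side stays on loopback
connect = loghost.example.net:6514       ; assumed name and port

# syslog-ng.conf on each sending host
destination d_loghost { tcp("127.0.0.1" port(5140)); };
log { source(s_local); destination(d_loghost); };   # s_local: the host's usual local source

; stunnel.conf on the loghost (server side)
cert    = /etc/stunnel/loghost.pem
key     = /etc/stunnel/loghost.key
CAfile  = /etc/stunnel/ca.pem
verify  = 2                              ; only senders holding a CA-issued client cert get in
[syslog]
accept  = 6514
connect = 127.0.0.1:5140

# syslog-ng.conf on the loghost: bound to loopback, so only stunnel can reach it
source s_tls { tcp(ip("127.0.0.1") port(5140) keep_hostname(yes)); };
destination d_remote { file("/var/log/remote/$HOST/$FACILITY.log" create_dirs(yes)); };
log { source(s_tls); destination(d_remote); };
```

Two caveats a practitioner would want. Because every connection reaches the loghost's syslog-ng from 127.0.0.1, `$HOST` has to come from the message header (`keep_hostname(yes)`), and that field is chosen by the sender; the client certificate is the real identity, and stunnel, not syslog-ng, is where it is checked. And, exactly as Jerry says, none of this helps against root on the sending box: it can stop its own syslog-ng, or feed the tunnel whatever it likes. The tunnel protects the wire and the loghost, not the source.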

Johan De Wit

Nov 17, 1999
to Martin Paré
Hi,

Just an idea

Connect another simple machine to your system where you want secure
logging over a dedicated serial line, only allowing output to the
logslave. This should make it harder to change logfiles.

Jo


Jeff Plum

Nov 17, 1999
You could send the log files to a printer or a read-only device, CD-ROM,
tape, etc.

Jeff Plum

Thomas H. Ptacek

Nov 21, 1999
Tue, 16 Nov 1999 21:35:29 GMT sha...@whitefang.com:

>BSD has the notion of the append-only permission, this would prevent
>modifying anything that's already in the file.

I think it's unwise to rely on BSD-style "securelevel" mechanisms. They
have been repeatedly broken, because the system is conceptually frail; to
assume that securelevels are secure, you must also assume that the kernel
and its userland interfaces are all secure from attack against the
superuser. This is a very large assumption, and not one I'd stake my
business on.

>>Read access to these logs should be authenticated and authorised through
>>some sort of security standard (RADIUS/IPSec???).

I don't understand what you mean by this. A fairly good way to protect
logs is with cryptography. RADIUS is not a cryptographic algorithm, but
rather a means by which authentication requests can be forwarded
"securely" across a network. IPsec is simply a secure network transport.
What either of these have to do with reading logs escapes me.

>>Last but not least, my operating system should allow these logs to be
>>written in a secure manner (say through a tunnel).

Again, I think you need to define your terms more clearly and explain the
context in which you're discussing them. I don't see what a tunnel has to
do with writing logs.

Perhaps you're discussing the details involved in forwarding logs across
an insecure network, a la the syslog protocol? If so, the solution to that
problem is fairly obvious; use a cryptographic network protocol that
authenticates each log message and optionally provides confidentiality.

The problem of secure storage and updating of logs in hostile operating
system environments has been a topic of much research lately; see CORE's
PEO-1 protocol and Schneier's Counterpane work on the subject of updatable
logs that provide integrity assurance.

>I used to know an admin who just printed everything on the fly as it
>was logged. Seems like the safest way to me :)

Not really. Attackers generate log events and have some control over their
contents. This gives them a means by which they can influence your
printing system and the printing hardware itself. Your logging capability
isn't very useful if I can disable it trivially by soaking all your paper
in toner.

--
----------------------------------------------------------------
Thomas H. Ptacek http://www.pobox.com/~tqbf
----------------------------------------------------------------
"If you're so special, why aren't you dead?"

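Ptacek's point that log content is attacker-controlled is easy to demonstrate on the receiving side. The following is an added example, not code from the thread: a pass over constructed records that escapes anything a serial console, printer or terminal would act on (ESC sequences, form feeds, embedded line breaks that forge a second record) and says why a record was dangerous. The `#ooo` octal form is similar to the escaping rsyslog later did on receipt; the size cap, the sample records and the function names are constructed for this example.

```python
MAX_RECORD = 1024   # constructed cap; a real collector makes this configurable

# Bytes that act on a terminal, printer or serial console instead of just printing.
ESC, BEL, BS, FF, CR, LF = 0x1B, 0x07, 0x08, 0x0C, 0x0D, 0x0A


def sanitize(raw: bytes) -> str:
    """Render one received record as plain printable ASCII.

    Every byte outside 0x20..0x7E (all control characters, ESC, and any 8-bit
    byte) is replaced by '#' and three octal digits, so the stored line can
    never be interpreted as a command by whatever displays or prints it."""
    out = []
    for b in raw[:MAX_RECORD]:
        out.append(chr(b) if 0x20 <= b <= 0x7E else "#%03o" % b)
    if len(raw) > MAX_RECORD:
        out.append("#TRUNCATED")
    return "".join(out)


def suspicious(raw: bytes) -> list:
    """Reasons a record would be dangerous to hand to a dumb sink unescaped."""
    reasons = []
    if ESC in raw:
        reasons.append("escape sequence (terminal/printer control)")
    if LF in raw or CR in raw:
        reasons.append("embedded line break (forges an extra record)")
    if FF in raw:
        reasons.append("form feed (ejects a page on a printer)")
    if BEL in raw or BS in raw:
        reasons.append("bell/backspace (hides or mangles what was printed)")
    if len(raw) > MAX_RECORD:
        reasons.append("overlong record (paper or buffer exhaustion)")
    return reasons


# Constructed records, as a UDP syslog receiver might get them from an attacker.
SAMPLE_RECORDS = [
    b"<38>Nov 16 21:35:29 host sshd[812]: Failed password for root from 10.0.0.7",
    # Username field carries a clear-screen sequence, then paints a fake line.
    b"<38>Nov 16 21:35:31 host login: FAILED LOGIN for \x1b[2J\x1b[Hlogin: OK",
    # One datagram, two apparent records once written to a file line by line.
    b"<38>Nov 16 21:35:40 host su: bad password for mp\nNov 16 21:35:41 host su: mp to root OK",
    # A form feed per record empties a line printer's tray quickly.
    b"<38>Nov 16 21:35:50 host httpd: GET /\x0c\x0c\x0c HTTP/1.0",
]


def triage(records):
    """Return (sanitized_line, reasons) per record; exactly one output line per input record."""
    return [(sanitize(r), suspicious(r)) for r in records]


if __name__ == "__main__":
    for line, why in triage(SAMPLE_RECORDS):
        print(line + ("  <-- " + "; ".join(why) if why else ""))
```

The escaping is one-way as written: a literal `#` in the input is left alone, so `#033` in the stored file could in principle have been typed by the sender. If the stored form must be reversible for forensics, escape `#` as well. Either way, the point that survives the printer suggestion is that the sink's input has to be treated as hostile data, not as text.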

James H. Moore (Jim)

Dec 15, 1999
You can have 2 ethernet interfaces on the unix box, and hang the syslog
server off the segment on the 2nd ethernet interface if you don't want
the traffic seen on the net.

>As far as encrypting the logs in transit (assuming you are sticking
> with the normal syslog, I am not familiar with anything commercial that does
> this), you could either use a firewall with encrypted vpn capability in
> front of the servers sending the logs and in front of the syslog server.

> > My problem is simple: I need to have secure logs. When I say "secure", I


> > mean that even root will not be able to alter them or remove them.

Very tough to do, because, as noted earlier, anything can be substituted
by root: syslogd, or the tripwire that checks syslogd to make sure that it
hasn't been substituted. You might try Memco. I have no experience, so
I don't know if their OS would meet your needs.


--
Jim Moore, Systems Support Consultant
Eastman Kodak Company, 1700 Dewey Avenue, 6/69/RL Mailstop: 01925, Rochester, NY 14650-1925
(716) 588-2006
jmo...@image.kodak.com

Rich Teer

Dec 15, 1999
On Wed, 15 Dec 1999, James H. Moore (Jim) wrote:

> > > My problem is simple: I need to have secure logs. When I say "secure", I
> > > mean that even root will not be able to alter them or remove them.
> Very tough to do, because, as noted earlier, anything can be substituted
> by root: syslogd, or the tripwire that checks syslogd to make sure that it
> hasn't been substituted. You might try Memco. I have no experience, so
> I don't know if their OS would meet your needs.

You could always log to a WORM device...

--
Rich Teer

NT tries to do almost everything UNIX does, but fails - miserably.

The use of Windoze cripples the mind; its use should, therefore, be
regarded as a criminal offence. (With apologies to Edsger W. Dijkstra)

If it ain't analogue, it ain't music.

Voice: +1 (250) 763-6205
WWW: www.rite-group.com


Stefan Berglund

Dec 16, 1999
On Tue, 16 Nov 1999 11:55:43 -0500, Martin Paré wrote:
> Here is a fairly generic question for this newsgroup but here it is.
>
> My problem is simple: I need to have secure logs. When I say "secure", I
> mean that even root will not be able to alter them or remove them. Also
> I would like these logs to rotate over some period of time (adjustable
> period, of course).

You might benefit from secure syslog, a syslog replacement that uses
cryptography to make sure that the logs are not tampered with.
The URL I got is:
http://www.core-sdi.com/ssyslog
I have not used it myself, only taken a quick look, and I think that it
seems promising.
If it holds what it promises you get the logs somewhat tamper-proof,
but you won't get protection against someone altering your encryption
keys or removing the logs altogether.

As far as I know there is no way to protect yourself from root in
Unix; you will have to build a "secure" loghost that does nothing
except logging, preferably on a local network that isn't accessible
from outside. Read the different FAQs and papers about armoring and
securing Solaris if that is what you're using.
http://www.deter.com/unix/ and http://www.securityfocus.com have a lot
of what you need.

--
/Stefan
sbl+...@dd.chalmers.se

Life - the ultimate practical joke
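
The Counterpane paper Bruno points to, the Schneier/Counterpane and CORE PEO-1 work Ptacek names, and the ssyslog Stefan mentions here all rest on one idea, sketched below as an added example that is not code from the thread or from any of those projects: the logging host keeps a single authentication key, hashes it forward after every record and erases the old one, while a trusted machine elsewhere keeps the initial key A_0. An attacker who becomes root later gets only the current key, which cannot re-MAC an earlier record or cover up a cut-off tail. Only the integrity half of the Schneier-Kelsey scheme is kept (no per-record encryption, no entry types); the initial secret, the sample records and the function names are constructed for this example.

```python
import hashlib
import hmac

HASH = hashlib.sha256
DIGEST_SIZE = HASH().digest_size
CLOSE_MARK = b"LOG_CLOSED"   # final record; its absence means the tail was cut off


def evolve(a: bytes) -> bytes:
    """A_{j+1} = H("increment" || A_j). One-way: A_j is unrecoverable from A_{j+1}."""
    return HASH(b"increment" + a).digest()


class ForwardSecureLog:
    """The (untrusted) logging host. It holds only the current key and destroys
    each key the moment the next one has been derived from it."""

    def __init__(self, a0: bytes):
        self._a = a0                        # A_0, shared out of band with the verifier
        self._y = b"\x00" * DIGEST_SIZE     # Y_0, seed of the hash chain
        self.entries = []                   # the on-disk log: list of (data, z_j)

    def append(self, data: bytes) -> None:
        self._y = HASH(self._y + data).digest()            # Y_j = H(Y_{j-1} || D_j)
        z = hmac.new(self._a, self._y, HASH).digest()      # Z_j = MAC_{A_j}(Y_j)
        self.entries.append((data, z))
        self._a = evolve(self._a)                          # A_j is now gone for good

    def close(self) -> None:
        self.append(CLOSE_MARK)

    def steal_current_key(self) -> bytes:
        """What an attacker who becomes root *now* can pull out of memory."""
        return self._a


def verify(a0: bytes, entries):
    """Trusted verifier: holds A_0, replays the chain and reports the first failure."""
    a, y = a0, b"\x00" * DIGEST_SIZE
    for j, (data, z) in enumerate(entries):
        y = HASH(y + data).digest()
        if not hmac.compare_digest(hmac.new(a, y, HASH).digest(), z):
            return False, f"MAC mismatch at entry {j}"
        a = evolve(a)
    if not entries or entries[-1][0] != CLOSE_MARK:
        return False, "no close record: log truncated or still open"
    return True, "ok"


# Constructed sample records (not taken from the thread).
SAMPLE = [
    b"Nov 16 11:55:43 host sshd[812]: Failed password for root from 10.0.0.7",
    b"Nov 16 11:55:50 host sshd[812]: Accepted password for root from 10.0.0.7",
    b"Nov 16 11:56:02 host su: mp to root on pts/1",
]


def _chain(records):
    """Recompute Y over a list of record bodies (a forger has to do this too)."""
    y = b"\x00" * DIGEST_SIZE
    for data in records:
        y = HASH(y + data).digest()
    return y


def demo():
    a0 = HASH(b"constructed initial secret, normally random").digest()
    log = ForwardSecureLog(a0)
    for line in SAMPLE:
        log.append(line)
    log.close()
    results = {"intact": verify(a0, log.entries)}

    a_now = log.steal_current_key()     # root compromise after the records were written

    # 1. Rewrite record 0 and re-MAC it with the only key the attacker has (A_4, not A_0).
    forged = b"Nov 16 11:55:43 host sshd[812]: session opened for user mp"
    z = hmac.new(a_now, _chain([forged]), HASH).digest()
    results["rewrite_entry_0"] = verify(a0, [(forged, z)] + log.entries[1:])

    # 2. Drop the su record and the close record, then forge a new close record.
    kept = log.entries[:2]
    z = hmac.new(a_now, _chain([d for d, _ in kept] + [CLOSE_MARK]), HASH).digest()
    results["truncate_and_reclose"] = verify(a0, kept + [(CLOSE_MARK, z)])

    # 3. Just cut the tail off without bothering to re-close.
    results["truncate"] = verify(a0, kept)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:22s} {'PASS' if ok else 'FAIL'}  {why}")
```

This is also the boundary Stefan draws: with the current key in hand, root can still append plausible records from that point on (they verify, because A_j for the new positions is exactly what the attacker holds), or delete the whole file. What the scheme buys is that every record written before the break-in either verifies on the trusted host or is visibly wrong, and that the verifier can tell a closed log from one whose end was removed. Rotation fits naturally: each rotated file starts with a fresh A_0 handed out by the trusted host.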

Darren Spiteri

Dec 16, 1999
In comp.security.unix James H. Moore (Jim) <jmo...@image.kodak.com> wrote:
> You can have 2 ethernet interfaces on the unix box, and hang the syslog
> server off the segment on the 2nd ethernet interface if you don't want
> the traffic seen on the net.

Serial port works quite well, a printer is best of all.
--
+-\___ ___ ______ /=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\=/=\-+
: / __)| _ \||_ _| NOTE: Above email address is fictitious :
|:__ \: _:: :: : use rot13 to see email address below. |
`(____/|_|--|_||_|-------------...@vagrenpg.arg.nh-----------'
