My problem is simple: I need to have secure logs. When I say "secure", I
mean that even root will not be able to alter them or remove them. Also
I would like these logs to rotate over some period of time (adjustable
period of course).
Read access to these logs should be authenticated and authorised through
some sorts of security standards (RADIUS/IPSec???).
Last but not least, my operating system should allow these logs to be
written in a secure manner (say through a tunnel).
This is a huge wish list I realize, but I have some thoughts on the
subject and I am wondering if the major vendors (Sun, IBM, HP) have been
addressing the subject....
Thanks,
Martin
There is a paper on this that you can get at:
http://www.counterpane.com/auditlog2.html
BSD has the notion of the append-only permission, this would prevent
modifying anything that's already in the file.
>Read access to these logs should be authenticated and authorised through
>some sorts of security standards (RADIUS/IPSec???).
>
>Last but not least, my operating system should allow these logs to be
>written in a secure manner (say through a tunnel).
>
>This is a huge wish list I realize, but I have some thoughts on the
>subject and I am wondering if the major vendors (Sun, IBM, HP) have been
>addressing the subject....
Yep, your other requirements make things a little more complicated.
Something you can do at home may be syslogd + tcpwrappers + ssh
tunnel.
I used to know an admin who just printed everything on the fly as it
was logged. Seems like the safest way to me :)
--
Thamer Al-Herbish <URL http://www.whitefang.com/>
sha...@whitefang.com
Jerry
http://www.bellnetworks.net/cs
Martin Paré <mp...@nortelnetworks.com> wrote in message
news:38318C8F...@nortelnetworks.com...
> Here is a fairly generic question for this newsgroup, but here it is.
>
> My problem is simple: I need to have secure logs. When I say "secure", I
> mean that even root will not be able to alter them or remove them. Also
> I would like these logs to rotate over some period of time (adjustable
> period of course).
>
> Read access to these logs should be authenticated and authorised through
> some sorts of security standards (RADIUS/IPSec???).
>
> Last but not least, my operating system should allow these logs to be
> written in a secure manner (say through a tunnel).
>
> This is a huge wish list I realize, but I have some thoughts on the
> subject and I am wondering if the major vendors (Sun, IBM, HP) have been
> addressing the subject....
>
>
> Thanks,
>
> Martin
Just an idea:
Connect another simple machine to the system where you want secure
logging, over a dedicated serial line that only allows output to the
log slave. This should make it harder to change logfiles.
Jo
Jeff Plum
I think it's unwise to rely on BSD-style "securelevel" mechanisms. They
have been repeatedly broken, because the system is conceptually frail; to
assume that securelevels are secure, you must also assume that the kernel
and its userland interfaces are all secure from attack against the
superuser. This is a very large assumption, and not one I'd stake my
business on.
>>Read access to these logs should be authenticated and authorised through
>>some sorts of security standards (RADIUS/IPSec???).
I don't understand what you mean by this. A fairly good way to protect
logs is with cryptography. RADIUS is not a cryptographic algorithm, but
rather a means by which authentication requests can be forwarded
"securely" across a network. IPsec is simply a secure network transport.
What either of these have to do with reading logs escapes me.
>>Last but not least, my operating system should allow these logs to be
>>written in a secure manner (say through a tunnel).
Again, I think you need to define your terms more clearly and explain the
context in which you're discussing them. I don't see what a tunnel has to
do with writing logs.
Perhaps you're discussing the details involved in forwarding logs across
an insecure network, a la the syslog protocol? If so, the solution to that
problem is fairly obvious; use a cryptographic network protocol that
authenticates each log message and optionally provides confidentiality.
The problem of secure storage and updating of logs in hostile operating
system environments has been a topic of much research lately; see CORE's
PEO-1 protocol and Schneier's Counterpane work on the subject of updatable
logs that provide integrity assurance.
>I used to know an admin who just printed everything on the fly as it
>was logged. Seems like the safest way to me :)
Not really. Attackers generate log events and have some control over their
contents. This gives them a means by which they can influence your
printing system and the printing hardware itself. Your logging capability
isn't very useful if I can disable it trivially by soaking all your paper
in toner.
--
Thomas H. Ptacek http://www.pobox.com/~tqbf
"If you're so special, why aren't you dead?"
> As far as encrypting the logs in transit (assuming you are sticking
> with the normal syslog, I am not familiar with anything commercial that does
> this), you could either use a firewall with encrypted VPN capability in
> front of the servers sending the logs and in front of the syslog server.
> > My problem is simple: I need to have secure logs. When I say "secure", I
> > mean that even root will not be able to alter them or remove them.
Very tough to do, because, as noted earlier, anything can be substituted
by root: syslogd, or the tripwire that checks syslogd to make sure it
hasn't been substituted. You might try Memco. I have no experience, so
I don't know if their OS would meet your needs.
--
Jim Moore, Systems Support Consultant
Eastman Kodak Company, 1700 Dewey Avenue, 6/69/RL Mailstop: 01925, Rochester, NY 14650-1925
(716) 588-2006
jmo...@image.kodak.com
> > > My problem is simple: I need to have secure logs. When I say "secure", I
> > > mean that even root will not be able to alter them or remove them.
> Very tough to do, because, as noted earlier, anything can be substituted
> by root: syslogd, or the tripwire that checks syslogd to make sure it
> hasn't been substituted. You might try Memco. I have no experience, so
> I don't know if their OS would meet your needs.
You could always log to a WORM device...
--
Rich Teer
NT tries to do almost everything UNIX does, but fails - miserably.
The use of Windoze cripples the mind; its use should, therefore, be
regarded as a criminal offence. (With apologies to Edsger W. Dijkstra)
If it ain't analogue, it ain't music.
Voice: +1 (250) 763-6205
WWW: www.rite-group.com
You might benefit from secure syslog, a syslog replacement that uses
cryptography to make sure that the logs are not tampered with.
The URL I got is:
http://www.core-sdi.com/ssyslog
I have not used it myself, only taken a quick look and I think that it
seems promising.
If it holds what it promises, you get logs that are somewhat tamper proof,
but you won't get protection against someone altering your encryption
keys or removing the logs altogether.
As far as I know there is no way to protect yourself from root in
Unix; you will have to build a "secure" loghost that does nothing
except logging, preferably on a local network that isn't accessible
from outside. Read the different FAQs and papers about armoring and
securing Solaris, if that is what you're using.
http://www.deter.com/unix/ and http://www.securityfocus.com has a lot
of what you need.
--
/Stefan
sbl+...@dd.chalmers.se
Life - the ultimate practical joke
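The integrity mechanism Thomas (Counterpane / CORE PEO-1) and Stefan (ssyslog) point at, as an added illustration that is not code from the thread and not the real ssyslog or Counterpane format: each entry is MACed under a key that is hashed forward and then discarded, so an intruder who later gets root only holds the current key and cannot re-tag earlier entries. The verifier (assumed to be the remote loghost) keeps the initial key. It also shows the gap Stefan notes: the chain cannot detect trailing entries being removed unless the verifier separately tracks the expected count.

```python
import hashlib
import hmac

GENESIS = b"genesis"  # constructed chain anchor for the first entry


def evolve(key: bytes) -> bytes:
    """One-way key update: k_{i+1} = H("evolve" || k_i). The host deletes k_i afterwards."""
    return hashlib.sha256(b"evolve" + key).digest()


def tag(key: bytes, prev_tag: bytes, message: str) -> str:
    """MAC over the previous tag and this message, binding the entry into the chain."""
    return hmac.new(key, prev_tag + message.encode(), hashlib.sha256).hexdigest()


class AuditLog:
    """Logging host side: only the *current* epoch key is ever kept in memory or on disk."""

    def __init__(self, initial_key: bytes):
        self.key = initial_key
        self.prev = GENESIS
        self.entries = []  # list of (message, hex tag), the data an intruder could edit

    def append(self, message: str) -> str:
        t = tag(self.key, self.prev, message)
        self.entries.append((message, t))
        self.prev = bytes.fromhex(t)
        self.key = evolve(self.key)  # k_i is now unrecoverable on this host
        return t


def verify(initial_key: bytes, entries, expected_count=None) -> int:
    """Verifier side. Returns -1 if the chain checks out, else the index of the first bad entry.
    Truncation is invisible to the chain itself, so it is caught only via expected_count."""
    key, prev = initial_key, GENESIS
    for i, (message, t) in enumerate(entries):
        if not hmac.compare_digest(t, tag(key, prev, message)):
            return i
        prev = bytes.fromhex(t)
        key = evolve(key)
    if expected_count is not None and len(entries) != expected_count:
        return len(entries)  # report the truncation point
    return -1


def retag_with_current_key(log: AuditLog, index: int, new_message: str) -> list:
    """What an intruder holding only the live key can do: rewrite entry `index` and re-MAC it."""
    forged = list(log.entries)
    prev = GENESIS if index == 0 else bytes.fromhex(forged[index - 1][1])
    forged[index] = (new_message, tag(log.key, prev, new_message))
    return forged
```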
Serial port works quite well, a printer is best of all.