Not quite answering your question... Digital signatures are fine if you're trying to prove who signed the file, or if you have total control of the logs and you want to make sure someone else doesn't change them on you. It doesn't do a whole lot to prove that what you've signed is 'real' or 'accurate'. For your own peace of mind it's a reasonable thing to sign the files, or hash them and preserve the hashes, or whatever. Writing them to write-once media handles that just as well - doesn't it? But it doesn't prove anything except that they haven't been changed since they were signed.

I would suggest that what is needed is some proof of who/when/where. There is a standard for electronic timestamping of signatures which can prove that a signature was written to a file or object at a given time - doing the same thing that PKI achieves for encryption and non-repudiation. Dates and times are such malleable things that you need a trusted third party to ensure that something really did happen at a given time - your local timestamps may be worthless. Then you can prove that you (or someone with your private keys) signed a file at a given time and it hasn't been changed since then. That would achieve your aim for the common or reasonable person in a forensic sense, since we assume you've written your logs some time before there is a reason that you might want to change them. It still doesn't prove that they're accurate, just that they haven't changed since they were signed.

What almost needs to be created is a logfile format such that each line is somehow stamped in a manner such that it is hashed or otherwise 'fixed'; you can verify that it was created by a certain box at a certain time, in the specific format, but it is non-trivial to create new lines to change the reality. A pipedream probably. And overkill for your needs.
----- Original Message -----
From: "David Douthitt" <ssratat_private>
To: "Forensics List" <FORENSICSat_private>
Sent: Friday, July 20, 2001 6:57 AM
Subject: Putting a signature on logs

> I've gone to using syslog-ng to keep logs separated out, and to
> preserve logs for a long time for record purposes.
>
> Now it occurs to me that someone could say, "Gee, how do we know that
> these logs haven't been altered?"
>
> What about a digital signature for each log? How would you go about
> this? I was thinking of using gpg (GNU Privacy Guard) but haven't
> gotten far enough to know how - and my reference book is the PGP book
> from O'Reilly and Associates.
>
> -----------------------------------------------------------------
>
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see:
>
> http://aris.securityfocus.com
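The "each line is stamped and fixed" log format the reply sketches is not a pipedream; it is a hash chain with a keyed tag per entry. The example below is added here and is not code from either poster or from syslog-ng. Every entry records the previous entry's hash, a SHA-256 over (previous hash, timestamp, message), and an HMAC over that hash under a key the log host should not hold (the `DEMO_KEY` here is a constructed stand-in; in practice the key, or a signature from a timestamping authority, belongs off-box). The `demo()` function builds a small constructed chain and then shows that editing a line, deleting a line, or re-minting the chain with a guessed key are all caught by `verify_chain`, while, exactly as the reply says, nothing here proves the original lines were accurate.

```python
import hashlib
import hmac
import json
import time
from typing import List, Optional, Tuple

# Constructed demo key (assumption). In a real deployment it lives on a
# separate verifier host or HSM, so a compromised log host cannot re-mint
# the chain with the genuine key.
DEMO_KEY = b"demo-key-not-for-production"
GENESIS = "0" * 64  # hash "before" the first entry


def _entry_digest(prev_digest: str, ts: str, message: str) -> str:
    """SHA-256 over this entry bound to the previous entry's hash."""
    h = hashlib.sha256()
    for part in (prev_digest, ts, message):
        h.update(part.encode())
        h.update(b"\n")
    return h.hexdigest()


def append_entry(chain: List[dict], message: str, key: bytes = DEMO_KEY,
                 ts: Optional[str] = None) -> dict:
    """Append one log line carrying the chained hash and an HMAC tag over it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    if ts is None:
        ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    digest = _entry_digest(prev, ts, message)
    tag = hmac.new(key, digest.encode(), hashlib.sha256).hexdigest()
    entry = {"ts": ts, "msg": message, "prev": prev, "hash": digest, "tag": tag}
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict], key: bytes = DEMO_KEY) -> Tuple[bool, int]:
    """Return (ok, index). ok is True when every link verifies; otherwise index
    is the first entry whose link, hash or tag does not check out."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev:                      # deletion / reordering
            return False, i
        expected = _entry_digest(prev, e["ts"], e["msg"])
        if not hmac.compare_digest(expected, e["hash"]):   # edited content
            return False, i
        expected_tag = hmac.new(key, expected.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_tag, e["tag"]):  # re-minted with wrong key
            return False, i
        prev = e["hash"]
    return True, -1


def serialize(chain: List[dict]) -> str:
    """One JSON object per line, the shape a syslog-ng destination could write."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in chain)


def parse(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def demo() -> dict:
    """Build a constructed three-line chain and tamper with copies of it."""
    lines = [  # constructed sample log lines
        "sshd: session opened for user alice",
        "sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
        "sshd: session closed for user alice",
    ]
    chain: List[dict] = []
    for i, msg in enumerate(lines):
        append_entry(chain, msg, ts=f"2001-07-20T06:5{i}:00Z")
    results = {"intact": verify_chain(chain)}

    edited = parse(serialize(chain))           # change one message in place
    edited[1]["msg"] = "sudo: alice : TTY=pts/0 ; COMMAND=/bin/true"
    results["edited"] = verify_chain(edited)

    deleted = parse(serialize(chain))          # drop the middle line
    del deleted[1]
    results["deleted"] = verify_chain(deleted)

    forged = parse(serialize(chain))[:1]       # rebuild the tail with a guessed key
    for e in chain[1:]:
        append_entry(forged, e["msg"], key=b"attacker-guess", ts=e["ts"])
    results["forged"] = verify_chain(forged)
    return results


if __name__ == "__main__":
    for name, (ok, idx) in demo().items():
        print(f"{name:8s} verifies={ok} first_bad_entry={idx}")
```

The design choice that matters is where the key lives: a hash chain alone only proves internal consistency, so a host that holds `DEMO_KEY` can silently re-mint the whole chain. Shipping the running hash to a second machine, or having a timestamping service sign it periodically, is what turns this into the "who/when" evidence the reply asks for.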
This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 12:56:36 PDT