[logs] Due Diligence for Admission in Court

• Previous message: Jason Haar: "Re: [logs] log analysis of netfilter entries?"
• Next in thread: Devdas Bhagat: "Re: [logs] Due Diligence for Admission in Court"
• Reply: Devdas Bhagat: "Re: [logs] Due Diligence for Admission in Court"
• Reply: Dan Rowles: "Re: [logs] Due Diligence for Admission in Court"
• Reply: Harris, John P: "Re: [logs] Due Diligence for Admission in Court"
• Reply: Joćo Pereira: "FW: [logs] Due Diligence for Admission in Court"
• Reply: Patrick Harbauer: "RE: [logs] Due Diligence for Admission in Court"
• Reply: Kohlenberg, Toby: "RE: [logs] Due Diligence for Admission in Court"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Pardon me for re-opening this can of worms.

Did we ever come to a consensus, or a pseudo-consensus,
on due diligence for computer logs as evidentiary
quality data?  

What makes a judge unlikely to admit my logs as evidence?
- unauthenticated data sources ("anyone can write to this 
datastream, therefore none of it is reliable")
- lack of time synchronization
- long term storage that is not tamper-proof
- no strategy for dealing with all the data once it's collected

I would propose -- for your non-existent
Joe Average corporate network (I expect there to be
heated discussion - please tell me where I'm totally
off base) (and of course bearing in mind that this 
isn't infallible, it's just as good as the "court" can
expect a "diligent" network or system administrator to
do):

1) can't enforce secure transmission protocols throughout
the network, because standards aren't sufficiently 
evolved -- so standard syslog, SNMP, SMTP are okay for
transport protocols.  (although see #3 below)
2) central loghost with NTP or other time synchronization 
throughout the network -- use ongoing record of process
IDs on logging machines to verify reasonable expectation
that a particular log message came from a given machine
(does that make sense?  I know what I mean...)
3) access control enforced at loghost that limits which
machines can log -- help reduce likelihood of spoofed
traffic -- or implement other transports altogether, like
the serial cable mechanism we've discussed
4) loghost is of course totally locked down, SSH only
access, or console only access, and dumps logs to
write-once archive format on regular basis
5) log review and reduction strategy -- anyone want to 
take a stab?  since presumably part of showing that the
data is reliable is showing that I've thought about how
I should process it.  
6) minimum list of machines on that non-existent typical
network that I should be required to monitor to be
credible?

Things have been awfully quiet out here lately...

cheers -- tbird

"I was being patient, but it took too long." - 
                                Anya, "Buffy the Vampire Slayer"

Log Analysis: http://www.counterpane.com/log-analysis.html
VPN:  http://kubarb.phsx.ukans.edu/~tbird/vpn.html



---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private

• Next message: Steve Wray: "RE: [logs] log analysis of netfilter entries?"
• Previous message: Jason Haar: "Re: [logs] log analysis of netfilter entries?"
• Next in thread: Devdas Bhagat: "Re: [logs] Due Diligence for Admission in Court"
• Reply: Devdas Bhagat: "Re: [logs] Due Diligence for Admission in Court"
• Reply: Dan Rowles: "Re: [logs] Due Diligence for Admission in Court"
• Reply: Harris, John P: "Re: [logs] Due Diligence for Admission in Court"
• Reply: Joćo Pereira: "FW: [logs] Due Diligence for Admission in Court"
• Reply: Patrick Harbauer: "RE: [logs] Due Diligence for Admission in Court"
• Reply: Kohlenberg, Toby: "RE: [logs] Due Diligence for Admission in Court"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Dec 03 2001 - 19:49:22 PST