RE: [logs] Due Diligence for Admission in Court

From: Kohlenberg, Toby (toby.kohlenbergat_private)
Date: Wed Dec 05 2001 - 00:09:24 PST


    Simple question- regarding the issue below of validity/reliability
    of logs and log sources, could this not be addressed by implementing
    cryptographic signing of logs by the local logging facilities both on 
    the servers creating the logs (e.g. application servers) and the 
    central logging servers? It seems like that would provide additional
    authentication of the source of logs as well as allowing better integrity
    control of the logs....
    Or am I completely missing something?
    
    I do like the idea of sending to multiple central log hosts as a means of
    providing validation but how does that stand up against an attacker who
    has compromised the system sending the logs and can now manipulate it
    directly?
    I see this as where the signing by the sending server may work- if you use
    a signing model where the log facility can only access its private key so
    long as its integrity (or maybe the kernel's?) is sound (I am pretty sure 
    this is possible using some programming techniques that would make most
    developers neurotic). If an attack is successful, the private key would no
    longer be accessible or would be modified such that the signature is different.
    Hrm... I need to go find references on this before I go any further with it.
    
    toby
    
    All opinions are my own and in no way reflect the views of my employer
    
    > -----Original Message-----
    > From: todd glassey [mailto:todd.glasseyat_private]
    > Sent: Tuesday, December 04, 2001 1:33 PM
    > To: Harris, John P; loganalysisat_private
    > Subject: Re: [logs] Due Diligence for Admission in Court
    > 
    > > Log to multiple hosts so you
    > > could see time differences to show log time patterns, etc??
    > 
    > OK now there is the issue of provable synchronicity. I refer to this as
    > making the "Trust model portable", i.e. easily compared to others.
    > 
    > >
    > > The real question (and one that will have no basis in logic!) is where will
    > > the courts find log data to be as reliable a source as say a "word of mouth"
    > > evidence stream? i.e.
    > 
    > Look at the differences between first hand and hearsay testimony. These are
    > the real issues, what constitutes hearsay evidence from a computer.
    
    
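Signed log records of the kind Toby describes, as an added example that is not part of this thread: the producing host signs each record with its own Ed25519 private key, and the central log host verifies with nothing but the public key. Chaining each record to the previous one is an addition beyond the message; it lets the collector also detect deletion or reordering of records it already received. It does not address the key-protection problem Toby raises: once the host is compromised, new records can be signed with the same key, so only records received before the compromise are protected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
)

// Record is one signed log entry. Prev chains it to the entry before it, so the
// collector can detect deletion or reordering of entries that were already sent.
type Record struct {
	Prev string // hex SHA-256 over the previous record's canonical bytes and signature
	Msg  string
	Sig  []byte
}

// canonical is the exact byte string that is signed; Prev is hex, so the first '|' delimits unambiguously.
func canonical(r Record) []byte { return []byte(r.Prev + "|" + r.Msg) }

func digest(r Record) string {
	sum := sha256.Sum256(append(canonical(r), r.Sig...))
	return hex.EncodeToString(sum[:])
}

// Signer runs on the host producing the logs and is the only holder of the private key.
type Signer struct {
	priv ed25519.PrivateKey
	prev string
}
func NewSigner(priv ed25519.PrivateKey) *Signer { return &Signer{priv: priv} }

// Sign binds the message to the previous record and signs the pair.
func (s *Signer) Sign(msg string) Record {
	r := Record{Prev: s.prev, Msg: msg}
	r.Sig = ed25519.Sign(s.priv, canonical(r))
	s.prev = digest(r)
	return r
}

// Verify runs on the central log host with only the public key; it returns the
// index of the first bad record and false, or len(recs) and true if all check out.
func Verify(pub ed25519.PublicKey, recs []Record) (int, bool) {
	prev := ""
	for i, r := range recs {
		if r.Prev != prev || !ed25519.Verify(pub, canonical(r), r.Sig) {
			return i, false
		}
		prev = digest(r)
	}
	return len(recs), true
}
```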
    



    This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 11:45:16 PST