Re: [logs] Due Diligence for Admission in Court

From: todd glassey (todd.glasseyat_private)
Date: Wed Dec 05 2001 - 12:02:57 PST

Next message: Bennet S. Yee: "Re: [logs] Due Diligence for Admission in Court"

Previous message: todd glassey: "Re: [logs] Due Diligence for Admission in Court"
In reply to: Kohlenberg, Toby: "RE: [logs] Due Diligence for Admission in Court"
Next in thread: Bennet S. Yee: "Re: [logs] Due Diligence for Admission in Court"
Reply: Bennet S. Yee: "Re: [logs] Due Diligence for Admission in Court"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

----- Original Message -----
From: "Kohlenberg, Toby" <toby.kohlenbergat_private>
To: <loganalysisat_private>
Sent: Wednesday, December 05, 2001 12:09 AM
Subject: RE: [logs] Due Diligence for Admission in Court


> Simple question- regarding the issue below of validity/reliability
> of logs and log sources, could this not be addressed by implementing
> cryptographic signing of logs by the local logging facilities both on
> the servers creating the logs (e.g. application servers) and the
> central logging servers?

As Emeril says, lets kick this up a notch - The key concept in maintaining
the logs is how to remove the local human tamper potential.

> It seems like that would provide additional
> authentication of the source of logs as well as allowing better integrity
> control of the logs....

Yes - there are any number of methods of securing the log content from
outside fiddling, but the real feat of magic here is how to eliminate the
potential of the systems admin from screwing around with the logs or the DBA
for that matter

> Or am I completely missing something?
>
> I do like the idea of sending to multiple central log hosts as a means of
> providing validation but how does that stand up against an attacker who
> has compromised the system sending the logs and can now manipulate it
> directly?

The question is one of how tightly coupled these systems are.

> I see this as where the signing by the sending server may work- if you use
> a signing model where the log facility can only access its private key so
> long as its integrity (or maybe the kernel's?) is sound (I am pretty sure
> this is possible using some programming techniques that would make most
> developers neurotic). If an attack is successful, the private key would no
> longer accessible or would be modified such that the signature is
different.
> Hrm... I need to go find references on this before I go any further with
it.
>
> toby
>
> All opinions are my own and in no way reflect the views of my employer
>
--- SNIP ---



---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private

Next message: Bennet S. Yee: "Re: [logs] Due Diligence for Admission in Court"
Previous message: todd glassey: "Re: [logs] Due Diligence for Admission in Court"
In reply to: Kohlenberg, Toby: "RE: [logs] Due Diligence for Admission in Court"
Next in thread: Bennet S. Yee: "Re: [logs] Due Diligence for Admission in Court"
Reply: Bennet S. Yee: "Re: [logs] Due Diligence for Admission in Court"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 13:23:33 PST