[logs] Unforgeable logs

From: James F. Hranicky (jfhat_private)
Date: Thu Dec 06 2001 - 10:18:01 PST


    While the packages mentioned seem to have methods for detecting log
    tampering, does anything out there prevent log forging? I.e., sending
    bogus messages to the syslog port, users calling syslog() to make
    it look like someone is breaking in, etc.?
    
    Seems like we need the syslog command to identify the UID of the person
    sending the message, and then the message needs to be cryptographically
    signed before it gets sent to the central logging facility. The loghost
    would drop any messages not signed. 
    
    In the event of a root compromise, it would be useful if the set*[ug]id 
    system logged each change of uid as well, both effective and real.
    
    I guess for kernel logging, this means crypto in the kernel.
    
    Would changes like this aid in considering the system logs "proof" of
    activities, at least until after a root compromise?
    
    ----------------------------------------------------------------------
    | Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
    | E314D CSE Building                            Phone (352) 392-1499 |
    | jfhat_private                      http://www.cise.ufl.edu/~jfh |
    ----------------------------------------------------------------------
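The scheme the post sketches (a syslog call that records the caller's real and effective UID, a record authenticated before it leaves the host, and a loghost that drops anything unauthenticated or altered), as an added example that is not part of the original message. It uses a shared-key HMAC in place of the public-key signature the post implies; the key, record layout and function names are assumptions.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed demo key (assumption). In the proposed design this would be held
# by the syslog daemon on each host and by the loghost, never by ordinary users.
HOST_KEY = b"constructed-demo-key-do-not-reuse"


def sign_record(msg: str, key: bytes = HOST_KEY, uid=None, euid=None) -> str:
    """Sender side: build a record carrying real/effective UID and PID, then
    append an HMAC-SHA256 over the canonical JSON encoding of that record.
    uid/euid default to the calling process's identity; the parameters exist
    only so a test can construct records for other identities."""
    getuid = getattr(os, "getuid", lambda: -1)    # fallback on non-POSIX hosts
    geteuid = getattr(os, "geteuid", lambda: -1)
    rec = {
        "ts": int(time.time()),
        "uid": getuid() if uid is None else uid,
        "euid": geteuid() if euid is None else euid,
        "pid": os.getpid(),
        "msg": msg,
    }
    body = json.dumps(rec, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return body + " " + tag


def verify_record(line: str, key: bytes = HOST_KEY):
    """Loghost side: return the parsed record if its tag verifies, else None."""
    body, sep, tag = line.rpartition(" ")
    if not sep or len(tag) != 64:
        return None   # no tag at all: a bare message sent straight to the syslog port
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None   # tag present but wrong: record altered or made with another key
    return json.loads(body)


def accept_lines(lines, key: bytes = HOST_KEY):
    """Loghost filter: keep only records that verify, dropping the rest silently."""
    kept = [verify_record(line, key) for line in lines]
    return [rec for rec in kept if rec is not None]
```

Because the key lives on the sending host, the guarantee ends exactly where the post says it does: once root is compromised the key is too, so the sender's key must be unreadable to unprivileged users and the loghost must verify with its own copy rather than trusting the sender.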
    