Re: [logs] Unforgeable logs

From: Jeff King (peff-loganalat_private)
Date: Thu Dec 06 2001 - 18:14:25 PST

    On Thu, 6 Dec 2001, James F. Hranicky wrote:
    
    > Seems like we need the syslog command to identify the UID of the person
    > sending the message, and then the message needs to be cryptographically
    > signed before it gets sent to the central logging facility. The loghost
    > would drop any messages not signed.
    
    There are systems which tunnel log entries over authenticated channels.
    My system uses an SSH tunnel with keys to authenticate individual hosts.
    You could theoretically tunnel syslog messages over an SSL or SSH
    connection. You can also send them along a separate physical LAN that
    only loggers are allowed onto (of course this doesn't provide per-host
    checking and is more costly).
    
    As far as UID logging goes, I think this is a quality of implementation
    issue for syslog daemons. I would definitely like to see the syslog
    daemon stamping UIDs for each message (and presumably only the syslog
    daemon has permission to send messages to the log daemon, either by
    binding to a root-only port or preferably by use of a cryptographic
    key). However, the typical interface to the syslog daemon is a UNIX
    domain socket; peer credentials for such sockets are not available under
    all systems.
    
    > In the event of a root compromise, it would be useful if the set*[ug]id
    > system logged each change of uid as well, both effective and real.
    
    Yes and no. Typically on a UNIX box, if you compromise root all bets are
    off for future log messages (at that point you can usually modify the
    kernel memory space).
    
    As for detecting the actual root compromise, how would you know which
    set*[ug]id()s were the bad ones? Their use is usually part of the
    typical program execution. It's using the gained privileges to do things
    that shouldn't be done that you want to detect.
    
    > I guess for kernel logging, this means crypto in the kernel.
    
    Not necessarily. You have a chain of kernel to root-owned syslog to the
    logserver. Syslogd executes locally and trusts the kernel (using socket peer
    credentials of some sort, or some special "get logs from the kernel"
    API). Crypto is in syslogd (or some helper program which it
    spawns).
    
    -Jeff
    
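The UID stamping Jeff describes above depends on the log daemon getting the sender's credentials from the kernel rather than from the message itself. The following is an added illustration, not code from the thread or from any syslog implementation: a small Linux C program in which one end of an AF_UNIX socketpair plays the logging client and the other plays the daemon, which queries SO_PEERCRED and prefixes the record with the kernel-reported uid/gid/pid. The function names (`stamp_message`, `demo_stamp`, `demo_uid_matches`) and the sample log text are constructed for this example.

```c
#define _GNU_SOURCE          /* struct ucred and SO_PEERCRED are Linux/glibc extensions */
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

/* Ask the kernel for the credentials of the peer of an AF_UNIX stream socket.
 * The values are the kernel's own record of the peer at connect()/socketpair()
 * time, so a later setuid() by the sender does not change them and user space
 * cannot forge them. */
static int peer_creds(int fd, struct ucred *cr)
{
    socklen_t len = sizeof(*cr);
    return getsockopt(fd, SOL_SOCKET, SO_PEERCRED, cr, &len);
}

/* Prefix a received message with the kernel-verified uid/gid/pid of its sender.
 * Returns the length written, or -1 on error or truncation. */
int stamp_message(int fd, const char *msg, char *out, size_t outlen)
{
    struct ucred cr;
    if (peer_creds(fd, &cr) < 0)
        return -1;
    int n = snprintf(out, outlen, "uid=%u gid=%u pid=%d msg=%s",
                     (unsigned)cr.uid, (unsigned)cr.gid, (int)cr.pid, msg);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Self-contained demo: sv[0] is the logging client, sv[1] is the daemon.
 * Fills `line` with the stamped record and returns the uid the kernel
 * reported for the sender, or (uid_t)-1 on failure. */
uid_t demo_stamp(char *line, size_t linelen)
{
    int sv[2];
    char buf[256];
    ssize_t r;
    struct ucred cr;
    const char *msg = "login: session opened for user alice";  /* constructed sample */

    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return (uid_t)-1;
    if (write(sv[0], msg, strlen(msg)) < 0)
        goto fail;
    r = read(sv[1], buf, sizeof buf - 1);
    if (r < 0)
        goto fail;
    buf[r] = '\0';
    if (stamp_message(sv[1], buf, line, linelen) < 0 || peer_creds(sv[1], &cr) < 0)
        goto fail;
    close(sv[0]);
    close(sv[1]);
    return cr.uid;
fail:
    close(sv[0]);
    close(sv[1]);
    return (uid_t)-1;
}

/* Returns 1 when the stamped uid equals this process's own uid (the demo
 * process is both client and daemon) and the record carries the uid prefix. */
int demo_uid_matches(void)
{
    char line[512];
    uid_t u = demo_stamp(line, sizeof line);
    return u != (uid_t)-1 && u == getuid() && strncmp(line, "uid=", 4) == 0;
}

int main(void)
{
    char line[512];
    if (demo_stamp(line, sizeof line) == (uid_t)-1) {
        perror("demo_stamp");
        return 1;
    }
    puts(line);
    return 0;
}
```

Two caveats match the portability point in the message: SO_PEERCRED only applies to connected AF_UNIX sockets, and the traditional /dev/log is a datagram socket, where a daemon instead enables SO_PASSCRED and reads SCM_CREDENTIALS ancillary data per message; and the option is Linux-specific, with the BSDs and macOS offering LOCAL_PEERCRED or getpeereid() rather than SO_PEERCRED.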
    This archive was generated by hypermail 2b30 : Thu Dec 06 2001 - 18:12:05 PST