On Sun, Mar 31, 2002 at 01:25:24AM -0500, Sweth Chandramouli wrote:
> On Fri, Mar 29, 2002 at 12:24:16PM -0800, Devin Kowatch wrote:
> > protocol). In this situation it's basically impossible for the attacker
> > to insert a message before the attack on A. So we should get good,
> > verifiable logs of the attack. However, because it's impossible to
> > determine where the bad messages started, if an attacker inserts a bogus
> > message into the channel between A and L _after_ time t then all the log
> > entries are invalidated for the entire logging session. This will include
> > the log entries that show the source and method used to gain access.
>
> Let's say that at some time "r", A is assumed to be safe
> (i.e. uncompromised). At some subsequent time "s", a hacker gains
> privilege on A and logs of this event are (we hope) generated. One copy
> of those log entries should be going to the local logfile, and the hash
> should be updated; another copy of those log entries is sent to L, where
> another PEO hash is updated as well. (K-Ai, the hash on A at any time
> i, is used to determine the integrity of logs GENERATED ON A; K-Li, the
> hash on L at any time i, is used to determine the integrity of logs
> RECEIVED ON L.)

You are right here. I was assuming (without realizing it) that the machine
A would be generating the hash and sending it to the log server L, and
that L would not be keeping its own hash.

There are still problems when the machine that is attacked is not logging
to a remote log server (as in the case of the central log server).

thanks,
--
Devin Kowatch
devinkat_private

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
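The two-chain arrangement Sweth describes (A keeps a hash over the entries it generates, L keeps an independent hash over the entries it receives, both seeded with a key shared while A is still trusted at time "r") is sketched below as an added example. It is not code from the thread or from any PEO implementation; the construction is the forward-secure hash chain of Schneier and Kelsey's secure audit log scheme, written from scratch here, and the key K0, the genesis value, the log lines and the tampering steps are all constructed for illustration. An auditor holding K0 replays either chain and reports the index of the first entry that fails, so the prefix before that point stays verifiable even when everything after it does not.

```python
import hashlib
import hmac

# Constructed shared secret, agreed between A and L at time "r" while A is trusted.
K0 = hashlib.sha256(b"constructed shared secret established at time r").digest()
GENESIS = hashlib.sha256(b"constructed genesis value").digest()


def evolve(key: bytes) -> bytes:
    """K_{i+1} = H(K_i). One-way, so a host compromised at step s holds K_s
    but cannot recover K_0 .. K_{s-1}, which were discarded after use."""
    return hashlib.sha256(b"evolve|" + key).digest()


def entry_mac(key: bytes, prev_chain: bytes, message: bytes) -> bytes:
    """Authenticator for one entry, bound to its predecessor through the chain value."""
    return hmac.new(key, prev_chain + message, hashlib.sha256).digest()


def chain_next(prev_chain: bytes, message: bytes, mac: bytes) -> bytes:
    """Running hash over the whole log so far (the 'PEO hash' of the thread)."""
    return hashlib.sha256(prev_chain + message + mac).digest()


class ChainedLog:
    """One chain. A runs one over entries it GENERATES; L runs one over entries it RECEIVES."""

    def __init__(self, k0: bytes):
        self.key = k0
        self.chain = GENESIS
        self.records = []  # list of (message, mac)

    def append(self, message: bytes) -> tuple:
        """Generator side (A): MAC the entry with the current key, then discard that key."""
        mac = entry_mac(self.key, self.chain, message)
        self._advance(message, mac)
        return message, mac

    def receive(self, record: tuple) -> None:
        """Receiver side (L): record the (message, mac) as delivered and update its own chain."""
        message, mac = record
        self._advance(message, mac)

    def _advance(self, message: bytes, mac: bytes) -> None:
        self.records.append((message, mac))
        self.chain = chain_next(self.chain, message, mac)
        self.key = evolve(self.key)


def verify(records: list, k0: bytes) -> int:
    """Replay a chain from K_0. Returns the number of leading records that verify,
    i.e. len(records) when the whole log is intact, or the index of the first bad entry."""
    key, chain = k0, GENESIS
    for i, (message, mac) in enumerate(records):
        if not hmac.compare_digest(entry_mac(key, chain, message), mac):
            return i
        chain = chain_next(chain, message, mac)
        key = evolve(key)
    return len(records)


def scenario() -> dict:
    """Constructed run: five events on A, relayed to L; then three attacks after time s."""
    a, l = ChainedLog(K0), ChainedLog(K0)
    events = [
        b"sshd: Accepted publickey for ops from 192.0.2.10",   # constructed log lines
        b"sudo: ops : COMMAND=/bin/cat /etc/shadow",
        b"su: FAILED su for root by ops",
        b"kernel: module rootkit loaded",                      # time s: attacker gains root on A
        b"cron: nightly job ran",
    ]
    for e in events:
        l.receive(a.append(e))

    # 1. Attacker rewrites entry 3 in A's local file, keeping the old MAC.
    a_tampered = list(a.records)
    a_tampered[3] = (b"kernel: nothing to see", a_tampered[3][1])

    # 2. Attacker holds A's *current* key (K_5 after five appends) and re-MACs entry 3 with it.
    #    Earlier keys are gone, so the forged MAC does not match what K_3 would have produced.
    a_reforged = list(a.records)
    a_reforged[3] = (b"kernel: nothing to see", entry_mac(a.key, GENESIS, b"kernel: nothing to see"))

    # 3. Attacker without the key injects a bogus message into the A->L channel before entry 4.
    l_injected = l.records[:4] + [(b"bogus: injected", b"\x00" * 32)] + l.records[4:]

    return {
        "a_clean": verify(a.records, K0),                 # 5: A's own copy intact
        "l_copy": verify(l.records, K0),                  # 5: L's independent chain intact
        "a_tampered": verify(a_tampered, K0),             # 3: entries 0..2 still verify
        "a_reforged_with_current_key": verify(a_reforged, K0),  # 3
        "l_injected": verify(l_injected, K0),             # 4: everything after the insertion fails
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: first {value} entries verify")
```

Two design points: L stores the MAC exactly as delivered rather than recomputing it, so an auditor comparing `verify` on A's file against `verify` on L's copy can tell which side diverged first; and the generator discards each K_i immediately after use, which is what denies an attacker who arrives at time s the ability to rewrite anything logged before s on either machine.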
This archive was generated by hypermail 2b30 : Mon Apr 01 2002 - 14:11:27 PST