On Wed, 18 Dec 2002, listuser wrote:

> 2. Is there any logger that can store logs in a secure manner, so that
> it can be presented as evidence. I am following the discussions here
> with much interest, but so far I have not heard of any software that can
> be used now.

What you have now can be used now. You need to be able to show that it
logs correctly and that the box has had integrity since the logs were
generated.

> 3. Which file system (Linux) gives best performance. I don't know if it
> makes any difference, but I am thinking too much about file systems now,
> see below :)

Ext3 is probably the best bet at this point, since you have a lesser
chance of losing data, but performance is reasonable. As the VFS layer
changes, we may see improved performance from other FS'- I don't know
what happened to tux2, the concept was really nice, but I'm not sure the
IP issues ever got settled.

> Now for a weird idea, How about making an FS exclusively for logging. An
> FS which will not support any editing of data once written, ie only
> appending, which computes a hash of each line and stores them separately
> in another file etc. I am thinking about it now, may be, I might get
> some time to try to implement at least some part of it.

Hashes are expensive to do on the fly, and to do it well, you'd have to
write it as a stream, so moving/deleting logs would be an issue, but it's
an interesting proposition. Of course, to really be effective you'd want
to protect the device with some sort of compartmented OSish thing like
RSBAC or SE Linux.

> The file system can store only 2 actual files, one logs and another
> hash, but it can be indexed with words. ie if I create a (virtual) file
> with name apache, it will be an index containing all the lines in the
> logs with the string apache. Also you cannot delete the real logs using
> the normal system call. This means even if someone hacks into the
> system, the logs are pretty safe, (ok, the hacker just needs to find the
> special program to delete the logs) In any case logs are tamper proof,
> if the logs are present they are reliable.

If dd if=/dev/zero of=/dev/sda works, you're sunk- though it's certainly
tamper evident (which is the real standard and goal, tamper proof is too
high a bar to shoot for.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."
probertsonat_private
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
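The thread above sketches a two-file logging store (one log file, one hash file, word-indexed "virtual" files) and Paul's reply draws the line between tamper-proof and tamper-evident. The following is an added example written for this archive page, not code from either poster: it models the two files as in-memory lists, chains each line's SHA-256 to the previous entry's hash so that editing, deleting or reordering any line breaks every later hash, and shows the one case the chain alone cannot catch (cutting both files off at the same point), which is only detectable if the last chain head is anchored somewhere off the box. The `GENESIS` value, the `link_hash` layout and the sample log lines are all constructed assumptions.

```python
import hashlib

# Constructed sample log lines (syslog-like, not from any real host).
SAMPLE_LOG = [
    b"Dec 18 11:02:13 host sshd[412]: Accepted publickey for alice from 10.0.0.5",
    b"Dec 18 11:02:40 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/tail /var/log/auth.log",
    b"Dec 18 11:05:01 host apache2: 10.0.0.9 GET /index.html 200",
    b"Dec 18 11:07:22 host sshd[418]: Failed password for root from 198.51.100.7",
]

# Assumed fixed starting value for the chain (an empty log has this "previous hash").
GENESIS = b"\x00" * 32


def link_hash(prev_hash: bytes, line: bytes) -> bytes:
    """Hash of one entry, bound to the previous entry's hash. Because each
    hash covers the one before it, changing any earlier line changes every
    later hash, so a single edit, deletion or reordering breaks the chain."""
    return hashlib.sha256(prev_hash + b"\n" + line).digest()


def append_line(log_lines: list, hash_lines: list, line: bytes) -> bytes:
    """Append-only write: the raw line goes to the 'log file', its chained
    hash (hex) to the separate 'hash file'. Returns the new chain head."""
    prev = bytes.fromhex(hash_lines[-1]) if hash_lines else GENESIS
    h = link_hash(prev, line)
    log_lines.append(line)
    hash_lines.append(h.hex())
    return h


def verify(log_lines: list, hash_lines: list, anchor: bytes = None):
    """Recompute the whole chain. Returns (ok, first_bad_index).
    'anchor' is the last chain head as recorded off the box (a remote
    syslog host, a printout, a signed mail). Without it, truncating log
    and hash files together at the same point is NOT detectable; the
    scheme is tamper-evident, not tamper-proof, exactly as the thread says."""
    if len(log_lines) != len(hash_lines):
        # One file was edited without the other: evident immediately.
        return False, min(len(log_lines), len(hash_lines))
    prev = GENESIS
    for i, (line, stored) in enumerate(zip(log_lines, hash_lines)):
        h = link_hash(prev, line)
        if h.hex() != stored:
            return False, i
        prev = h
    if anchor is not None and prev != anchor:
        # Chain is internally consistent but shorter than what we anchored:
        # the tail was cut off.
        return False, len(log_lines)
    return True, None


def index_by_word(log_lines: list, word: bytes):
    """The thread's 'virtual file' idea: a read-only view of every line
    containing a word, as (line_number, line), computed from the real log."""
    return [(i, l) for i, l in enumerate(log_lines) if word in l]


def build_sample():
    """Write the constructed sample through the append path; returns the
    two 'files' and the final chain head (the value to anchor off-box)."""
    log, hashes = [], []
    head = GENESIS
    for line in SAMPLE_LOG:
        head = append_line(log, hashes, line)
    return log, hashes, head


if __name__ == "__main__":
    log, hashes, head = build_sample()
    print("intact:", verify(log, hashes, head))
    edited = list(log)
    edited[1] = edited[1].replace(b"alice", b"mallory")
    print("edited line 1:", verify(edited, hashes, head))
    print("truncated, no anchor:", verify(log[:2], hashes[:2]))
    print("truncated, with anchor:", verify(log[:2], hashes[:2], head))
    print("apache index:", [i for i, _ in index_by_word(log, b"apache")])
```

The point of `verify`'s `anchor` argument is Paul's `dd if=/dev/zero` remark: the chain proves that what is present has not been altered, but proving that nothing was removed from the end needs a copy of the current head that the box's attacker cannot reach. In a real deployment the hash file would also be written as a stream in the same order as the log, which is why moving or rotating logs becomes the awkward part he mentions.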
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 12:15:42 PST