Re: [logs] Tamper Proof Logging

From: Michael C. Ibarra (ibarraat_private)
Date: Tue Dec 17 2002 - 12:07:48 PST


    Or, how about a line printer, with a huge buffer :)
    
    -mike
    
    Quoting Bob the Builder <builder173at_private>:
    
    > On a course I did a few years ago the idea of logging direct to CD-R came
    > up. Thus meaning that if anyone ever hacked the logging server the worst
    > they could do was prevent any further logging but they could never delete
    > already logged data as it was on a write once CD. The only way to destroy
    > the data would be to gain physical access to the syslog server take the CD
    > out and trash it in an appropriate manner. In most secure environments this
    > is considerably more difficult than gaining network access to the system.
    > 
    > I guess in this day and age you would probably implement such a solution
    > using write once DVDs instead of CDs. Thinking about it a solution with two
    > writers would probably be better as it allows continuous logging, i.e. DVD-A
    > becomes full so commence logging on DVD-B, admin change disc in DVD-A for
    > new blank media, when DVD-B is full go back to logging on DVD-A and so on.
    > Meanwhile the DVDs get filed in a firesafe or somewhere else suitable for
    > such things. This of course does not preclude logging to a big old hard
    > drive or raid array or something so that you can have the data online for
    > analysis. It just means that the hacker can't modify the DVD stored trace of
    > his break in after the fact.
    > 
    > Anybody ever heard of such a solution, or is it in reality just a
    > completely insane and impractical idea?
    > 
    > Regards,
    > 
    > PC
    > 
    > _______________________________________________
    > LogAnalysis mailing list
    > LogAnalysisat_private
    > http://lists.shmoo.com/mailman/listinfo/loganalysis
    > 
    



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 12:16:29 PST