> -----Original Message-----
> From: loganalysis-adminat_private
> [mailto:loganalysis-adminat_private]On Behalf Of Bob the Builder
> Sent: Tuesday, December 17, 2002 11:11 AM
> To: loganalysisat_private
> Subject: [logs] Tamper Proof Logging
>
>
> On a course I did a few years ago the idea of logging direct to CD-R came
> up. Thus meaning that if anyone ever hacked the logging server the worst
> they could do was prevent any further logging, but they could never delete
> already logged data as it was on a write-once CD. The only way to destroy
> the data would be to gain physical access to the syslog server, take the CD
> out and trash it in an appropriate manner. In most secure environments this
> is considerably more difficult than gaining network access to the system.
>
> I guess in this day and age you would probably implement such a solution
> using write-once DVDs instead of CDs. Thinking about it, a solution with two
> writers would probably be better as it allows continuous logging, i.e. DVD-A
> becomes full so commence logging on DVD-B, admin changes disc in DVD-A for
> new blank media, when DVD-B is full go back to logging on DVD-A and so on.
> Meanwhile the DVDs get filed in a firesafe or somewhere else suitable for
> such things. This of course does not preclude logging to a big old hard
> drive or RAID array or something so that you can have the data online for
> analysis. It just means that the hacker can't modify the DVD-stored trace of
> his break-in after the fact.
>
> Anybody ever heard of such a solution, or is it in reality just a
> completely insane and impractical idea?

Actually, it's not insane or impractical, it's just fairly limited in scope. I've seen this implemented using CD-Rs in at least one case, and it seemed to work fairly well. The administrative issue that you've brought up (swapping CDs etc.) is a big factor. The other factor, of course, is that you can't really write DIRECTLY to a CD-R.

Multisession CD-Rs with more than a couple of sessions tend to make life difficult, and you end up with a pile of tiny files. What's more, you usually need to lay out the filesystem in such a way that you can burn the files as you go, e.g. a continual burning process. Since you can't easily stream to the drive (burn-proof is good, but not that good), you need to temporarily write it out to the disk, and then sporadically write it to the CD-R.

I'm actually putting in place something similar to this right now, using a DVD-R as secure archival media. Burning multiple sessions once a day is the way I'm getting around it. If the log server is compromised, all bets are off, but that's always been the case anyway.

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
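The stage-to-disk, burn-one-session-a-day routine the reply describes, as an added shell example that is not part of the thread or of any list member's setup. It assumes GNU coreutils, tar and growisofs (whose -M option appends a session to already-written media); the SHA256SUMS manifest is an added check so a burned session can be verified later without trusting the log host.

```shell
#!/bin/sh
# Daily staging-and-append routine for a write-once log archive.
# Assumption (not from the thread): syslog writes to a staging directory
# on disk; once a day the day's files are bundled into one tarball and
# that bundle is appended to the DVD-R as a new session.
set -eu

# Bundle every file under STAGE_DIR into one tarball in SESSION_DIR and
# write a SHA256SUMS manifest beside it.  One archive per day avoids the
# pile of tiny files that multisession media otherwise accumulates.
stage_session() {
    stage_dir=$1; session_dir=$2; day=$3
    mkdir -p "$session_dir"
    tar -C "$stage_dir" -cf "$session_dir/logs-$day.tar" .
    ( cd "$session_dir" && sha256sum "logs-$day.tar" > SHA256SUMS )
}

# Recompute the manifest; returns non-zero if the bundle was altered
# after it was staged (e.g. on the staging disk before the burn).
verify_session() {
    ( cd "$1" && sha256sum -c SHA256SUMS >/dev/null 2>&1 )
}

# Append the session directory to the disc as a new session.  growisofs -M
# merges onto media that already holds earlier sessions; -R -J are passed
# through to mkisofs for Rock Ridge / Joliet filenames.  Device path is
# an assumed default.
burn_session() {
    session_dir=$1; device=${2:-/dev/dvd}
    growisofs -M "$device" -R -J "$session_dir"
}
```

Run from cron once a day as `stage_session /var/log/staging /var/spool/dvd/$(date +%Y%m%d) $(date +%Y%m%d)` followed by `burn_session`, then clear the staging directory; the manifest on the disc is what you compare against when the online copy is in doubt.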
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 12:18:48 PST