[logs] Tamper Proof Logging

From: Bob the Builder (builder173at_private)
Date: Tue Dec 17 2002 - 08:11:29 PST

    On a course I did a few years ago the idea of logging direct to CD-R came 
    up. Thus meaning that if anyone ever hacked the logging server the worst 
    they could do was prevent any further logging but they could never delete 
    already logged data as it was on a write once CD. The only way to destroy 
    the data would be to gain physical access to the syslog server take the CD 
    out and trash it in an appropriate manner. In most secure environments this 
    is considerably more difficult than gaining network access to the system.
    
    I guess in this day and age you would probably implement such a solution 
    using write once DVDs instead of CDs. Thinking about it a solution with two 
    writers would probably be better as it allows continuous logging, i.e. DVD-A 
    becomes full so commence logging on DVD-B, admin change disc in DVD-A for 
    new blank media, when DVD-B is full go back to logging on DVD-A and so on. 
    Meanwhile the DVDs get filed in a firesafe or somewhere else suitable for 
    such things. This of course does not preclude logging to a big old hard 
    drive or raid array or something so that you can have the data online for 
    analysis. It just means that the hacker can't modify the DVD stored trace of 
    his break in after the fact.
    
    Anybody ever heard of such a solution, or is it in reality just a 
    completely insane and impractical idea?
    
    Regards,
    
    PC
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 12:28:13 PST