RE: [logs] Tamper Proof Logging

From: Moyer, Shawn (SMoyerat_private)
Date: Thu Dec 19 2002 - 14:07:20 PST


    I would wager that md5sums or similar via Osiris / AIDE / Samhain / etc of
    all the logfiles prior to tape archival, with just the md5sums burned to
    CDR, would be sufficient to show no tampering in most courts, but IANAL.
    
    
    
    --shawn
    
    
    
    > -----Original Message-----
    > From: Michael C. Ibarra [mailto:ibarraat_private]
    > Sent: Tuesday, December 17, 2002 14:08
    > To: loganalysisat_private
    > Subject: Re: [logs] Tamper Proof Logging
    > 
    > 
    > Or, how about a line printer, with a huge buffer :)
    > 
    > -mike
    > 
    > Quoting Bob the Builder <builder173at_private>:
    > 
    > > On a course I did a few years ago the idea of logging direct to CD-R came
    > > up. Thus meaning that if anyone ever hacked the logging server the worst
    > > they could do was prevent any further logging but they could never delete
    > > already logged data as it was on a write once CD. The only way to destroy
    > > the data would be to gain physical access to the syslog server, take the CD
    > > out and trash it in an appropriate manner. In most secure environments this
    > > is considerably more difficult than gaining network access to the system.
    > > 
    > > I guess in this day and age you would probably implement such a solution
    > > using write once DVDs instead of CDs. Thinking about it a solution with two
    > > writers would probably be better as it allows continuous logging, i.e. DVD-A
    > > becomes full so commence logging on DVD-B, admin changes disc in DVD-A for
    > > new blank media, when DVD-B is full go back to logging on DVD-A and so on.
    > > Meanwhile the DVDs get filed in a firesafe or somewhere else suitable for
    > > such things. This of course does not preclude logging to a big old hard
    > > drive or raid array or something so that you can have the data online for
    > > analysis. It just means that the hacker can't modify the DVD stored trace of
    > > his break in after the fact.
    > > 
    > > Anybody ever heard of such a solution, or is it in reality just a
    > > completely insane and impractical idea?
    > > 
    > > Regards,
    > > 
    > > PC
    > > 
    > > 
    > > _______________________________________________
    > > LogAnalysis mailing list
    > > LogAnalysisat_private
    > > http://lists.shmoo.com/mailman/listinfo/loganalysis
    > > 
    
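Shawn's suggestion above, hashing the logfiles before they go to tape and keeping only the hashes on write-once media, worked through as an added example (this code is not part of the original thread and is not a feature of Osiris, AIDE or Samhain). It fingerprints every file in a directory, emits the manifest that would be burned to CD-R, and later checks the archived copies against it, reporting each file as unchanged, modified or missing. It uses SHA-256 rather than MD5: MD5 collisions are practical today, and a hash whose collisions can be constructed is a weaker tamper witness in front of a court. The log lines and file names are constructed sample data.

```python
import hashlib
import json
import os
import tempfile

# Constructed sample logs, stand-ins for the files that would be archived to tape.
SAMPLE_LOGS = {
    "auth.log": "Dec 19 14:01:02 host sshd[412]: Accepted publickey for admin from 10.0.0.5\n"
                "Dec 19 14:03:11 host sshd[419]: Failed password for root from 10.0.0.9\n",
    "messages": "Dec 19 14:00:00 host syslogd: restart\n",
}

CHUNK = 64 * 1024


def hash_file(path, algo="sha256"):
    """Digest a file in chunks so large logfiles need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory, algo="sha256"):
    """Fingerprint every file in `directory`.

    The returned JSON text is the only thing that needs to go onto the
    write-once medium; the logs themselves can go to tape or stay online.
    """
    files = {name: hash_file(os.path.join(directory, name), algo)
             for name in sorted(os.listdir(directory))}
    return json.dumps({"algorithm": algo, "files": files}, indent=2, sort_keys=True)


def verify_manifest(manifest_json, directory):
    """Compare each archived file against the fingerprint read back from the
    write-once medium. Returns {name: 'ok' | 'modified' | 'missing'}."""
    manifest = json.loads(manifest_json)
    algo = manifest["algorithm"]
    results = {}
    for name, expected in manifest["files"].items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "missing"
        elif hash_file(path, algo) != expected:
            results[name] = "modified"
        else:
            results[name] = "ok"
    return results


def demo():
    """Write the constructed logs, fingerprint them, then alter the archive
    (one file edited, one removed) and verify again. Returns (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        for name, text in SAMPLE_LOGS.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(text)
        manifest = build_manifest(d)  # this string is what gets burned to CD-R
        before = verify_manifest(manifest, d)

        # Simulated after-the-fact tampering: the failed-login line is dropped
        # from auth.log and the messages file disappears entirely.
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write(SAMPLE_LOGS["auth.log"].splitlines(keepends=True)[0])
        os.remove(os.path.join(d, "messages"))
        after = verify_manifest(manifest, d)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
```

The check only detects changes made after the manifest was written, so the hashing has to run as close to the point of collection as possible; anything an intruder can edit before the fingerprint is taken is outside its reach, which is the gap the write-once logging discussed earlier in the thread is meant to close.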



    This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:22:22 PST