On Tue, 17 Dec 2002 16:11:29 +0000, you wrote:

>On a course I did a few years ago the idea of logging direct to CD-R came
>up. Thus meaning that if anyone ever hacked the logging server the worst
>they could do was prevent any further logging but they could never delete
>already logged data as it was on a write once CD. The only way to destroy
>the data would be to gain physical access to the syslog server, take the CD
>out and trash it in an appropriate manner. In most secure environments this
>is considerably more difficult than gaining network access to the system.
>
>I guess in this day and age you would probably implement such a solution
>using write once DVDs instead of CDs. Thinking about it, a solution with two
>writers would probably be better as it allows continuous logging, i.e. DVD-A
>becomes full so commence logging on DVD-B, admin changes disc in DVD-A for
>new blank media, when DVD-B is full go back to logging on DVD-A and so on.
>Meanwhile the DVDs get filed in a firesafe or somewhere else suitable for
>such things. This of course does not preclude logging to a big old hard
>drive or raid array or something so that you can have the data online for
>analysis. It just means that the hacker can't modify the DVD stored trace of
>his break in after the fact.
>
>Anybody ever heard of such a solution, or is it in reality just a
>completely insane and impractical idea?
>
>Regards,
>
>PC

I would first figure out who you want to keep from tampering with the logs,
then come up with solutions to mitigate those specific risks (network
intruders, people with physical access, disasters, etc). In my experience,
heavily manual processes will eventually fail so I like to avoid them. Below
are some items that may help you.
- Use of a line printer for specific events in addition to syslog
- Use of next generation syslog implementations (SDSC, Syslog-NG, etc)
- WORM (Write Once Read Many) drive
- Use of binary log format using the hash of your choice for a checksum
- Use of file integrity program
- Set up a receive only syslog server by clipping the transmit wires
- Use of tape and/or CD/DVD. Encrypt the data and checksum it
- BEEP
- Heavily armed guards with orders to shoot anyone but you.... :)

HTH
Mike

--
http://www.cotse.net Privacy Services
E-Mail, Remailers, Proxy, Usenet, Web-Hosting, and more.
Full server side control over your e-mail. Your mail, your rules.

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
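The two checksum items in Mike's list ("binary log format using the hash of your choice for a checksum" and "encrypt the data and checksum it") are usually implemented as a hash chain: every record carries a keyed digest that also covers the previous record's digest, so an intruder who edits, reorders or deletes an earlier line invalidates everything after it. The example below is added here as an illustration and is not code from the thread, from Syslog-NG or from SDSC; the record layout, the `KEY` value and the sample log lines are all constructed for the demonstration. It also shows why the line-printer or write-once-disc copy in the list still matters: the chain alone cannot detect truncation of the tail, so the most recent digest has to be anchored somewhere the logging host cannot rewrite.

```python
import hashlib
import hmac

# Constructed sample key for the demonstration. In a real deployment it
# lives only on the receive-only syslog host, never on the senders.
KEY = b"example-key-not-for-production"

# Digest that the first record chains back to.
GENESIS = "0" * 64

# Constructed sample syslog lines (not real events).
SAMPLE_LINES = [
    "Dec 17 16:11:29 gw sshd[412]: Accepted publickey for ops from 10.0.0.5",
    "Dec 17 16:12:03 gw sudo: ops : COMMAND=/bin/cat /var/log/messages",
    "Dec 17 16:13:40 gw sshd[412]: session closed for user ops",
]


def _tag(prev_digest: str, message: str, key: bytes) -> str:
    """Keyed digest over the previous digest plus this message."""
    payload = (prev_digest + "\n" + message).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def chain_record(prev_digest: str, message: str, key: bytes = KEY) -> dict:
    """Wrap one log line in a record that binds it to its predecessor.
    Each record would be appended as one line to the log file."""
    return {"prev": prev_digest, "msg": message,
            "tag": _tag(prev_digest, message, key)}


def build_chain(messages, key: bytes = KEY) -> list:
    """Chain a sequence of messages, starting from GENESIS."""
    records, prev = [], GENESIS
    for m in messages:
        rec = chain_record(prev, m, key)
        records.append(rec)
        prev = rec["tag"]
    return records


def verify_chain(records, key: bytes = KEY) -> tuple:
    """Return (True, -1) when every record links and verifies, otherwise
    (False, i) with i the first record that fails. Catches edited
    messages, reordered records and deleted records in the middle."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev:
            return False, i            # link to predecessor is broken
        expected = _tag(prev, rec["msg"], key)
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i            # message or tag was altered
        prev = rec["tag"]
    return True, -1


def verify_with_anchor(records, anchor_digest: str, key: bytes = KEY) -> tuple:
    """Verify the chain and then compare its last digest with a copy kept
    off the logging host (printed, burned to disc). A chain cut short at
    the end passes verify_chain but fails here; on failure the index is
    the number of records present."""
    ok, idx = verify_chain(records, key)
    if not ok:
        return False, idx
    last = records[-1]["tag"] if records else GENESIS
    return hmac.compare_digest(last, anchor_digest), len(records)


if __name__ == "__main__":
    recs = build_chain(SAMPLE_LINES)
    anchor = recs[-1]["tag"]          # this is what you would print or burn
    print("intact:", verify_chain(recs))
    edited = [dict(r) for r in recs]
    edited[1]["msg"] = edited[1]["msg"].replace("/var/log/messages", "/etc/motd")
    print("edited record:", verify_chain(edited))
    print("truncated tail:", verify_with_anchor(recs[:2], anchor))
```

Verification runs on the analysis box with its own copy of the key, not on the host that wrote the log; if the key and the chain sit on the same compromised machine the attacker can simply recompute the tags, which is the same reason the quoted proposal keeps the discs in a firesafe rather than in the drive.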
This archive was generated by hypermail 2b30 : Mon Dec 30 2002 - 22:24:56 PST