Re: [logs] "Temperproof" logfiles?

From: Jason Haar (Jason.Haarat_private)
Date: Thu Apr 03 2003 - 20:48:34 PST

    On Thu, Apr 03, 2003 at 04:04:43PM -0500, Blaise St-Laurent wrote:
    > the more I think about it though, the less I think that database + 
    > tamper resistance is going to be a syslog issue. If you want to sign 
    > or at least put a checksum against every line that goes into your db, 
    > the best way i could think of doing this is to write a trigger on 
    > insert that calculates the checksum based on the values you supply 
    > (time, server, msg etc..) and adds it to the appropriate column. I'm 
    
    I may be showing my ignorance here, but can someone explain to me how
    checksums *by themselves* actually "prove" the data hasn't been tampered
    with? 
    
    I mean, if I have a year's worth of syslog data, md5 checksum the files, and
    burn them all off onto tape. A year later in court, I can confidently say
    that the syslog data *as it is on the tape* is as valid today as it was
    *when the tape was written* (as the checksum will hopefully match).
    
    I mean, as far as legal goes, surely all that this checksumming does is
    "prove" the data hasn't been altered *since it was written*. It doesn't say
    anything about me fiddling with it before I checksummed it...
    
    Surely in court, it's simply about proving your copy of the data hasn't been
    altered since it was written, and then it's *totally* a "reliability of the
    witness" type problem after that...?
    
    Similarly, if you have some nice proprietary "logging server" that can take
    input from syslog clients and it puts it into a checksummed database you
    can't fiddle with as you don't know how it works, then you can still input
    bogus data can't you... 
    
    I don't understand why this issue is always shown off as being a technical
    issue, when in court it usually ends up being a "people issue" (i.e. do they
    trust you)?
    
    -- 
    Cheers
    
    Jason Haar
    Information Security Manager, Trimble Navigation Ltd.
    Phone: +64 3 9635 377 Fax: +64 3 9635 417
    PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
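
An added illustration of the distinction discussed in this message (not code from the thread or from any poster): a per-row checksum over (time, server, msg), as the quoted trigger idea describes, next to a keyed MAC. The use of SHA-256 and HMAC, the key kept off the log host, the function names and the sample rows are all assumptions constructed for the example.

```python
import hashlib
import hmac

# Constructed sample rows (time, server, msg); not from any real log.
ROWS = [
    ("2003-04-03T16:04:43", "web01", "sshd: accepted password for alice"),
    ("2003-04-03T16:05:10", "web01", "su: root session opened by alice"),
]

def canonical(row):
    # Length-prefix each field so ("ab", "c") and ("a", "bc") differ.
    return b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in row)

def checksum(row):
    """Unkeyed digest, as an insert trigger could compute it."""
    return hashlib.sha256(canonical(row)).hexdigest()

def mac(row, key):
    """Keyed digest; the key is assumed to be held off the log host."""
    return hmac.new(key, canonical(row), hashlib.sha256).hexdigest()

def seal(rows, key):
    return [(row, checksum(row), mac(row, key)) for row in rows]

def verify(sealed, key):
    """Return one (checksum_ok, mac_ok) pair per row."""
    return [(hmac.compare_digest(c, checksum(r)),
             hmac.compare_digest(m, mac(r, key))) for r, c, m in sealed]

def altered_copy(sealed, index, new_msg):
    """Model a change made with write access to the table but no key:
    the unkeyed checksum can be recomputed, the stored MAC cannot."""
    row, _, old_mac = sealed[index]
    new_row = (row[0], row[1], new_msg)
    out = list(sealed)
    out[index] = (new_row, checksum(new_row), old_mac)
    return out

def demo():
    key = b"constructed-demo-key"
    sealed = seal(ROWS, key)
    altered = altered_copy(sealed, 1, "su: root session opened by bob")
    # A record that was false when submitted still receives valid seals.
    bogus = seal([("2003-04-03T16:06:00", "web01", "event that never happened")], key)
    return verify(sealed, key), verify(altered, key), verify(bogus, key)

if __name__ == "__main__":
    print(demo())
```

The altered row still passes the unkeyed checksum and fails only the MAC, while the bogus row passes both: either seal speaks to changes after sealing, not to what was fed in beforehand.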
    



    This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 22:24:28 PST