[logs] Re: Log integrity handling on central logsystem

From: John H. Sawyer (jsawyer@private)
Date: Tue Aug 22 2006 - 07:59:22 PDT


Hey Patrick,

I'm interested to hear others' ideas but here's some of mine...

We have a "forensic" logging system where the logging server is
completely firewalled through network ACLs and iptables so that it only
allows the incoming logs and has no outbound--the only way to review the
logs is to sit at the console. Its sole purpose is to review after
compromise within a particular dept. Thankfully, we haven't had to use
it yet, but we have verified that it is logging properly just in case
something does happen.

Some ideas related to your questions:

> I'm looking for feedback how centralized log solutions handle data
> integrity; If you would log directly to a central system, that log is
> the only source. So you would miss something to compare against.

If you could afford two systems, have your one system accepting the logs
and another system that has no IP sniffing the wire for the logs as they
go by. Now you have two sources and can compare them later.

> -Would you rely on taking checksums of the logs and storing them on
> another system?

Write a script that will take a checksum and then pass it via syslog to
another host.

> -How do you protect yourself from the fact that the central logging is
> compromised with a still growing logfile?

Defense in Depth (that term gets nauseating after you hear it too much).
ACLs, firewall, iptables, IPSec, run only the services you need on that
logging host so you limit its attack surface as much as possible, out-of-band
management for the logging server, etc.

And, use a similar idea as the sniffer one above to have a backup copy
of the logs.

> Would you consider signing each log line? Signing within a text file
> is fairly easy, but what about content stored in a database?

You could create a checksum for each line if you really want but if you have
two copies you can always diff them. You could also checksum every kb or
so. Whatever it takes for your level of paranoia to let you sleep
easy at night.

As for the database issue, I don't know. Can you create a stored
procedure that will checksum a particular field or row?

-jhs
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
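As an added example (not code from the thread or from either poster), here is one way to put the suggestions above into practice in Python: hash-chained checksums over a growing text log, a checkpoint "every N lines" (the "every kb or so" idea), the checkpoint formatted as a BSD-syslog record so a script can pass it to a second host, and a verifier that compares a second copy (for instance the sniffer's) against the stored checkpoints. The sample log lines, the host name, the syslog tag and the receiver address are all made up for the example.

```python
"""Hash-chained checkpoints for a growing log file, forwarded off-box via syslog.

Added example (not from the mailing-list thread). Assumes plain-text log
lines, SHA-256, and RFC 3164 style syslog over UDP; names and hosts are
hypothetical.
"""
import hashlib
import socket
import time

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "Aug 22 07:55:01 web1 sshd[4121]: Accepted publickey for alice from 10.0.0.5 port 51022",
    "Aug 22 07:55:09 web1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
    "Aug 22 07:56:30 web1 sshd[4140]: Failed password for root from 203.0.113.9 port 40012",
    "Aug 22 07:57:02 web1 sshd[4140]: Failed password for root from 203.0.113.9 port 40013",
]


def chain_checksums(lines, seed=b""):
    """Return one hex digest per line; each digest covers the line AND the previous digest.

    Because every digest depends on all earlier lines, editing or deleting line k
    changes every digest from k onward, which appending new lines cannot undo.
    """
    digests = []
    prev = seed
    for line in lines:
        h = hashlib.sha256(prev + line.encode("utf-8") + b"\n").hexdigest()
        digests.append(h)
        prev = bytes.fromhex(h)
    return digests


def checkpoint(lines, every=2, seed=b""):
    """Record a checkpoint every N lines: {line_count: chained digest at that point}."""
    digests = chain_checksums(lines, seed)
    return {n: digests[n - 1] for n in range(every, len(lines) + 1, every)}


def verify_copy(copy_lines, checkpoints, seed=b""):
    """Check a second copy of the log against checkpoints stored elsewhere.

    Returns None if every checkpoint matches, otherwise the first line count at
    which the copy diverges (covers edits, deletions and truncation). Lines
    appended after the last checkpoint are not covered yet, so a growing file
    still verifies clean.
    """
    digests = chain_checksums(copy_lines, seed)
    for n in sorted(checkpoints):
        if n > len(digests) or digests[n - 1] != checkpoints[n]:
            return n
    return None


def syslog_record(digest, line_count, hostname="loghost", tag="logchain", pri=14):
    """Format a BSD-syslog (RFC 3164) record carrying one checkpoint; pri 14 = user.info."""
    ts = time.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{ts} {hostname} {tag}: lines={line_count} sha256={digest}".encode()


def forward(record, host, port=514):
    """Ship the record to the second host over UDP (fire-and-forget, like classic syslog)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(record, (host, port))


if __name__ == "__main__":
    cps = checkpoint(SAMPLE_LOG, every=2)
    for n, d in cps.items():
        rec = syslog_record(d, n)
        print(rec.decode())
        # forward(rec, "checksum-host.example")  # hypothetical receiving host

    # A compromised log host rewrites an earlier line and keeps logging:
    tampered = list(SAMPLE_LOG)
    tampered[1] = tampered[1].replace("/etc/shadow", "/etc/motd")
    tampered.append("Aug 22 08:00:00 web1 cron[5000]: (root) CMD (run-parts /etc/cron.hourly)")
    print("tamper detected at checkpoint:", verify_copy(tampered, cps))  # 2
    print("clean growing copy:", verify_copy(SAMPLE_LOG + ["new line"], cps))  # None
```

The checkpoint host only ever needs the short syslog records, so it can sit behind the same inbound-only ACLs the post describes; the diff between the live file and the sniffer's copy then only has to be run from the first checkpoint that fails.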



This archive was generated by hypermail 2.1.3 : Tue Aug 22 2006 - 11:36:19 PDT