Hi Patrick,

When dealing with centralized log management, I always like to store the logs locally on the box that generated them and to send them to an external log server as close to real time as possible (for storage and analysis). If your log server is *compromised, you still have the logs on the real system. If the system is compromised, you have the logs in the log server. If both get compromised, you have more problems... :)

*The log server should be hardened.
**rest of the reply inline.

--- Patrick Debois <Patrick.Debois@private> wrote:

> -Would you rely on taking checksums of the logs and
> storing them on another system?

I like to create a "chain" of checksums, where basically each day (or every hour) I generate a checksum of the current log and also a checksum of it plus the previous day's. So your checksum is something like that:

log-dayX.sum
dayX md5 = XXX
dayX sha1 = YYY
(dayX + dayX-1.md5) = XXX
(dayX + dayX-1.sha1) = YYY

It does not guarantee the integrity of the current log, but protects you against modification of old logs (since it will require a change to all the checksums after it).

> -How do you protect yourself from the fact that the
> central logging is compromised with a still growing
> logfile?
> Would you consider signing each log line? Signing
> within a text file is fairly easy, but what about
> content stored in a database?

If your log server is compromised and the logs can be deleted, the attacker can do the same with the hashes. The checksum of each line is going to be almost the size of the log line itself (md5 does not count anymore). So if you can protect the hashes, you can protect the logs (no need to hash all of them)... You can do some form of chaining of hashes, where each log line is hashed with the checksum of the previous one. However, if the monitored system is compromised, the attacker can just stop the log daemon or your log generation tool (or modify the logs on the fly).
**IMHO, you are worried about the log server, but this should be the hardest link to break. If you are using syslog to send the messages (which most people do) you have much more problems (no integrity, no privacy, etc).

> My customer is currently looking at Splunk. It seems
> a great way to go through the logfiles, but I'm not
> sure that we can fulfill his data integrity
> requirements with it. But then again it does not
> stand in the way of another solution doing it
> probably.
>
> Patrick

Hope it helps..

--
Daniel B. Cid
dcid ( at ) ossec.net

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
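The checksum chain Daniel describes (each period's digest plus a digest of that period's log combined with the previous record), and the per-line variant he mentions, as an added example. This is not code from the original thread or from OSSEC; the log content is constructed, SHA-256 stands in for the md5/sha1 pair in the reply, and the choice to chain the first period to an empty string is an assumption of this example. The verifier functions return the first period or line whose record no longer matches, which is what you would check on the external server that holds the records.

```python
"""Hash chain over per-period log files (added example, not the thread's own code)."""
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed sample logs, one entry per "day"; not real log data.
LOGS: Dict[str, bytes] = {
    "day1": b"Jan 1 sshd[100]: Accepted publickey for alice\n",
    "day2": b"Jan 2 sudo: alice : COMMAND=/bin/ls\n",
    "day3": b"Jan 3 sshd[101]: Failed password for root\n",
}

Record = Tuple[str, str, str]  # (day, digest(log), digest(log + previous chained digest))


def digest(data: bytes) -> str:
    """SHA-256 hex digest; the reply used md5 and sha1 side by side."""
    return hashlib.sha256(data).hexdigest()


def build_chain(logs: Dict[str, bytes]) -> List[Record]:
    """Produce one record per period in day order.

    own     = H(log_day)
    chained = H(log_day || chained_{day-1}), first day chains to "" (assumption).
    The chained digest is what makes editing an old day visible in every later record.
    """
    records: List[Record] = []
    prev = ""
    for day in sorted(logs):
        own = digest(logs[day])
        chained = digest(logs[day] + prev.encode())
        records.append((day, own, chained))
        prev = chained
    return records


def verify_chain(logs: Dict[str, bytes], records: List[Record]) -> Optional[str]:
    """Recompute the chain from the logs; return the first day whose stored
    record does not match, or None when everything verifies."""
    prev = ""
    for day, own, chained in records:
        data = logs.get(day, b"")
        if digest(data) != own or digest(data + prev.encode()) != chained:
            return day
        prev = chained  # trust the stored value only after it has been checked
    return None


def tamper(logs: Dict[str, bytes], records: List[Record],
           day: str, new_content: bytes) -> Tuple[Dict[str, bytes], List[Record]]:
    """Model an attacker who rewrites one period's log AND refreshes that
    period's own record, but cannot touch the later records."""
    new_logs = dict(logs)
    new_logs[day] = new_content
    new_records: List[Record] = []
    prev = ""
    for d, own, chained in records:
        if d == day:
            own = digest(new_content)
            chained = digest(new_content + prev.encode())
        new_records.append((d, own, chained))
        prev = chained
    return new_logs, new_records


def chain_lines(lines: List[bytes]) -> List[str]:
    """Per-line variant from the reply: each line is hashed together with the
    previous line's digest, so the last digest commits to the whole file."""
    out: List[str] = []
    prev = ""
    for line in lines:
        prev = digest(line + prev.encode())
        out.append(prev)
    return out


def verify_lines(lines: List[bytes], digests: List[str]) -> Optional[int]:
    """Return the index of the first line whose chained digest mismatches, or None."""
    prev = ""
    for i, (line, expected) in enumerate(zip(lines, digests)):
        prev = digest(line + prev.encode())
        if prev != expected:
            return i
    return None


if __name__ == "__main__":
    records = build_chain(LOGS)
    print("clean chain verifies:", verify_chain(LOGS, records) is None)
    logs2, recs2 = tamper(LOGS, records, "day1", b"Jan 1 (nothing happened)\n")
    print("old day edited, first bad record:", verify_chain(logs2, recs2))
    logs3, recs3 = tamper(LOGS, records, "day3", b"Jan 3 (nothing happened)\n")
    print("latest day edited, detected?:", verify_chain(logs3, recs3))
```

Running it shows the two properties Daniel points out: rewriting day1 and even fixing up day1's own record still breaks day2's chained digest, so every later record would have to be rewritten as well; rewriting the most recent period and refreshing its record is not detected, which is the "does not guarantee the integrity of the current log" caveat, and the reason the records need to live on the hardened log server rather than beside the logs.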
This archive was generated by hypermail 2.1.3 : Wed Aug 23 2006 - 12:38:17 PDT