[logs] Re: Log integrity handling on central logsystem

From: Marcus J. Ranum (mjr@private)
Date: Thu Aug 31 2006 - 19:23:28 PDT


>But, at the same time -- you are collecting evidence TODAY, that will be 
>used two years from today... and in that time the regulations will change.


Logs are, like any other evidence, going to have to be presented as part of
a complete case. I doubt very much that you'd get a conviction out of any
jury, with JUST a log-file as evidence -- there would have to be some kind of
corroborating evidence.

That's why, for at least the next decade, I don't think log-signing is going
to be that big a deal. If you care, buy a satellite clock for your log-server
and have the log-server's backups retained offsite by a service that can
give you a _copy_ of them on demand. It'd be really hard for someone to
explain to a jury how the logs were altered at both your facility and on
tapes locked in someone else's vault, in exactly the same way at the
same time.

Gerry Spence (a really really good lawyer) says that a court case is
simply a matter of telling a story. And the story that's the most
consistent and comprehensible will almost always win. You don't
need fancy technology, hashes, or certificate authorities to tell the
story of your logs. In fact, adding certificate authorities to your story
just opens the door to someone forklifting in 2,000 white papers
about how PKI sucks. But if you explain that your logs are taken
to a backup facility in Montana, and you also keep a local copy, and
that when you saw something suspicious in your logs you asked
for a _copy_ from the backup facility and it matched and, well,
no lawyer's going to stick their fingers into that particular band-saw.

The whole case will have to hang together, anyhow. You may
present logs as evidence that what you think happened happened.
But you'll need other evidence to place the criminal, to illuminate
their motives, and methods. The logs are a tiny (but important)
piece of the puzzle and they're probably pretty much as good as
they can/will/need to get, already.

mjr. 

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Thu Aug 31 2006 - 19:31:18 PDT