[logs] Re: Log integrity handling on central logsystem

From: Eric Fitzgerald (Eric.Fitzgerald@private)
Date: Fri Sep 01 2006 - 10:15:37 PDT


Mea culpa: the link to my blog is actually
http://blogs.msdn.com/ericfitz and the category on legal/regulatory
requirements can be directly reached via this link:
http://blogs.msdn.com/ericfitz/archive/category/14726.aspx

Currently I have an excerpted section (with link to full text) on
Canadian national law on rules for electronic evidence and an excerpted
section (with link to full text) from the US Department of Justice
Cybercrime manual, which discusses logs in detail, citing statutory &
case law.

-----Original Message-----
From: Eric Fitzgerald 
Sent: Thursday, August 31, 2006 6:15 PM
To: 'Anton Chuvakin'
Cc: loganalysis@private
Subject: RE: [logs] Re: Log integrity handling on central logsystem

Regulations are probably coming and we are partly to blame.

I've started collecting legal & regulatory requirements for computer
logs, on my blog: http://msdn.microsoft.com/ericfitz

If you stumble across links, send them and I'll post them.  Maybe Dr.
Bird will put up a repository on loganalysis.org. (Hi Tina!)

A large number of my customers assume that log signing is a legal
requirement.  However I'm unaware of such a requirement.  I fear that
the industry itself is doing customers a disservice by pushing log
signing solutions.  In fact there is a warning from the courts on this
in the DoJ Cybercrime manual, section V, subsection B-1
http://www.usdoj.gov/criminal/cybercrime/s&smanual2002.htm#_VB1_ :

     United States v. Glasser, 773 F.2d 1553, 1559 (11th Cir. 1985)
     ("The existence of an air-tight security system [to prevent
     tampering] is not, however, a prerequisite to the admissibility
     of computer printouts. If such a prerequisite did exist, it
     would become virtually impossible to admit computer-generated
     records; the party opposing admission would have to show only
     that a better security system was feasible."). 

Also consider what you're giving up with log signing:  You can't reduce
signed logs by filtering out stuff you know you don't want prior to
storage.  You have to store everything.  You also can't translate
numeric tokens (often used in both Solaris and Windows logs) into
human-readable strings.

Regarding translation: "DOMAIN\USER" is a lot more understandable than
"S-1-5-21-32413514364-16452321255-1623531341-1964"

Regarding filtering prior to storage: I'm also seeing guidance here that
filtering is unacceptable.  I don't understand this.  The policy that
tells the system what activities for which to generate logs is itself a
kind of filter (it's a pre-filter instead of a post-filter).  By this
line of reasoning, if you are not allowed to filter, then you must turn
everything on full throttle, and store it all.  This will be untenable
for most organizations.  There are many systems, Windows included, that
are capable of generating so much log information that the system will
spend more resources logging than performing its "real" job.

In an enterprise the size of Microsoft, even with a reasonable audit
policy we generate tens of terabytes of security log data per month
(yes, we collect most of it and analyze what we collect).  The storage
cost for this is not cheap.  Online storage is nearly cost prohibitive.
Offline storage would be much less but dealing with that quantity of
data requires very diligent processes and sophisticated tools.
Extracting data out of this is actually quite a technical feat as well.

With ACS, which will ship late this year as part of Operations Manager
2007, we filter prior to event generation (audit policy); we don't
filter prior to transmission but we order, encrypt and sign (so we can
detect gaps and tampering), and we filter after verifying event stream
integrity but prior to routing to analysis tools or database.  This
seemed like a good compromise, although we get a lot of customer
requests for filtering at the agent what is sent on the network.

Finally, log signing requires key management.  To prevent log tampering
on the box where the log was generated you probably need a perfect
forward secrecy kind of key rotation solution.  For scalability you
probably will use HMAC and hash chains rather than true public-key
signing operations for most event records, instead choosing to sign only
every nth record or every t hours or whatever.  Each block will have its
own key although depending on implementation there might be a way to
derive K(n+1) from K(n).  Local key storage pretty much would obviate
the usefulness of the feature as in the absence of a TPM, obtaining the
local key has exactly the same difficulty as tampering with a
well-designed audit trail.  This implies a pretty sophisticated,
distributed key management solution.

Overall I am very concerned about the trend towards log signing- I think
it's the wrong move for the reasons above.

However I'm not blind to the way that the wind is blowing.  Sigh.

Eric




-----Original Message-----
From: anton.chuvakin@private [mailto:anton.chuvakin@private] On
Behalf Of Anton Chuvakin
Sent: Thursday, August 31, 2006 2:10 PM
To: Eric Fitzgerald
Cc: loganalysis@private
Subject: Re: [logs] Re: Log integrity handling on central logsystem

> Regarding log signing: is anyone aware of an actual regulatory or
legal
> requirement for log signing?

Isnt't that a bit too specific for most current regulations? I
personally haven't seen any direct regulatory mandate for log
signing...

-- 
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
     http://www.chuvakin.org
 http://chuvakin.blogspot.com
http://www.securitywarrior.com
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Fri Sep 01 2006 - 11:15:21 PDT