Hey Marcus. I hear what you're saying but I have to wonder if log management solutions, whether commercial or homegrown, will eventually be held to standards higher than what they are today. I look at my days as an EDP auditor reviewing how financial applications like SAP processed transactions as part of their annual financial audit. Were the controls in place to ensure that transactional data could not be altered from point of entry to reporting? It seems a logical extension that if companies are required to have solutions for collecting and safeguarding (audit) log data, that system should have similar controls in place for ensuring data integrity from collection to restoration to reporting. In the end I think TaO has it right: collect everything you can and implement as many controls as possible that can help verify log data integrity, with an eye towards future legal requirements. Better to have the controls in place and not need them than... It will be interesting to see how this all evolves.

> -----Original Message-----
> From: loganalysis-bounces+chris.petersen=logrhythm.com@private
> [mailto:loganalysis-bounces+chris.petersen=logrhythm.com@private]
> On Behalf Of Marcus J. Ranum
> Sent: Thursday, August 31, 2006 8:23 PM
> To: Taneli Otala; Anton Chuvakin; loganalysis@private
> Cc: Eric Fitzgerald
> Subject: [logs] Re: Log integrity handling on central logsystem
>
> >But, at the same time -- you are collecting evidence TODAY, that will be
> >used two years from today... and in that time the regulations will change.
>
> Logs are, like any other evidence, going to have to be presented as part of
> a complete case. I doubt very much that you'd get a conviction out of any
> jury, with JUST a log-file as evidence -- there would have to be some kind of
> corroborating evidence.
>
> That's why, for at least the next decade, I don't think log-signing is going
> to be that big a deal. If you care, buy a satellite clock for your log-server
> and have the log-server's backups retained offsite by a service that can
> give you a _copy_ of them on demand. It'd be really hard for someone to
> explain to a jury how the logs were altered at both your facility and on
> tapes locked in someone else's vault, in exactly the same way at the
> same time.
>
> Gerry Spence (a really really good lawyer) says that a court case is
> simply a matter of telling a story. And the story that's the most
> consistent and comprehensible will almost always win. You don't
> need fancy technology, hashes, or certificate authorities to tell the
> story of your logs. In fact, adding certificate authorities to your story
> just opens the door to someone forklifting in 2,000 white papers
> about how PKI sucks. But if you explain that your logs are taken
> to a backup facility in Montana, and you also keep a local copy, and
> that when you saw something suspicious in your logs you asked
> for a _copy_ from the backup facility and it matched and, well,
> no lawyer's going to stick their fingers into that particular band-saw.
>
> The whole case will have to hang together, anyhow. You may
> present logs as evidence that what you think happened happened.
> But you'll need other evidence to place the criminal, to illuminate
> their motives, and methods. The logs are a tiny (but important)
> piece of the puzzle and they're probably pretty much as good as
> they can/will/need to get, already.
>
> mjr.
>
> _______________________________________________
> LogAnalysis mailing list
> LogAnalysis@private
> http://lists.shmoo.com/mailman/listinfo/loganalysis
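The thread contrasts two ways of vouching for log integrity: per-record hashing on the collector (the "log-signing" Marcus is sceptical of) and simply comparing the local copy against an independently retained offsite copy. The following example was written for this page to show both checks side by side; it is not code from the mailing list or from any product mentioned in it. The log lines, the SHA-256 hash-chain layout and the function names (`chain_records`, `verify_chain`, `first_divergence`, `tamper`) are constructed for the example. It also shows the edge case a chain alone misses: an edit to the most recent record can be made self-consistent by recomputing its hash, and only the second copy exposes it.

```python
import hashlib

# Constructed sample log lines for the example; not real records from any system.
SAMPLE_LOG = [
    "2006-08-31T20:23:01Z sshd[4121]: Accepted publickey for alice from 10.0.0.7",
    "2006-08-31T20:23:05Z sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/less /var/log/auth.log",
    "2006-08-31T20:24:10Z sshd[4130]: Failed password for invalid user admin from 10.0.0.9",
    "2006-08-31T20:25:42Z sshd[4130]: Disconnected from 10.0.0.9",
]

GENESIS = "0" * 64  # chain anchor used as the "previous hash" of the first record


def _record_hash(prev_hash, line):
    """Hash the line together with the previous record's hash (assumed scheme)."""
    return hashlib.sha256((prev_hash + "\n" + line).encode("utf-8")).hexdigest()


def chain_records(lines, prev=GENESIS):
    """Build hash-chained records: each record's hash covers its line and the prior hash.

    Editing, deleting or reordering any earlier line changes every hash after it,
    so a later record's stored 'prev' no longer matches and the chain breaks there.
    """
    records = []
    for seq, line in enumerate(lines):
        digest = _record_hash(prev, line)
        records.append({"seq": seq, "line": line, "prev": prev, "hash": digest})
        prev = digest
    return records


def verify_chain(records, genesis=GENESIS):
    """Return (ok, first_bad_seq); first_bad_seq is None when every link checks out."""
    prev = genesis
    for rec in records:
        if rec["prev"] != prev or rec["hash"] != _record_hash(prev, rec["line"]):
            return False, rec["seq"]
        prev = rec["hash"]
    return True, None


def first_divergence(local, offsite):
    """Compare two retained copies record by record.

    Returns the sequence number where they first differ (a differing line, a
    differing hash, or one copy being shorter), or None when they match exactly.
    """
    for a, b in zip(local, offsite):
        if a["line"] != b["line"] or a["hash"] != b["hash"]:
            return a["seq"]
    if len(local) != len(offsite):
        return min(len(local), len(offsite))
    return None


def tamper(records, seq, new_line):
    """Simulate an after-the-fact edit to one stored copy.

    The edited record's own hash is recomputed so it looks self-consistent; the
    records after it are left alone, which is what makes the chain break at seq+1.
    """
    edited = [dict(r) for r in records]
    edited[seq]["line"] = new_line
    edited[seq]["hash"] = _record_hash(edited[seq]["prev"], new_line)
    return edited


def demo():
    """Run the three scenarios and return their outcomes for inspection."""
    local = chain_records(SAMPLE_LOG)
    offsite = chain_records(SAMPLE_LOG)          # the copy held by the backup service
    mid_edit = tamper(local, 2, "2006-08-31T20:24:10Z sshd[4130]: (scrubbed)")
    tail_edit = tamper(local, 3, "2006-08-31T20:25:42Z sshd[4130]: (scrubbed)")
    return {
        "clean_chain": verify_chain(local),                     # (True, None)
        "mid_edit_chain": verify_chain(mid_edit),               # (False, 3): link 3 no longer points at record 2
        "tail_edit_chain": verify_chain(tail_edit),             # (True, None): chain alone cannot see it
        "tail_edit_vs_offsite": first_divergence(tail_edit, offsite),  # 3: the second copy can
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The middle-record edit is caught by the chain itself, because record 3 still carries the old hash of record 2. The tail edit passes `verify_chain` cleanly, which is the practical reason the thread's "ask the backup facility for a copy and it matched" check is worth more in front of a jury than the hash chain on its own: the chain localises tampering, but only an independently held copy proves the tail was not rewritten after the fact.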
This archive was generated by hypermail 2.1.3 : Fri Sep 01 2006 - 11:20:54 PDT