[syslog-ng] Encrypted messages

Gregor Binder gb@rootnexus.net
Tue, 9 Oct 2001 03:37:59 +0200


todd glassey on Mon, Oct 08, 2001 at 05:27:57PM -0700:

Hi,

> The real issue is in building a timestamping regimen and PKI based crypto
> service so that the log can be claimed to be "non-repudiated" and can later
> for forensic reasons be taken apart.

I think it is going to take a while until it gets there. Until then,
there are various options you have to make a system such as syslogd as
tamper-proof and secure as it can be. Consider creating logfiles with
append-only flags and the like, and besides limiting access to the syslog
server physically and over the network (using firewalling and client
certificates), encrypt and sign logs as they are being rotated. You can
also automate comparison of logs on client/server-side, etc.

> This is way more than just tunneling and BTW, if you need a reason why this
> would be a good feature set to add,  are you folks aware that under GLB and
> the privacy acts of a number of countries we all as systems admins can go to
> jail over what our logs contain.

For one of our customers, we were able to get an agreement with the
union in charge that we could keep plaintext logs for five days for
debugging reasons, and instead of just compressing the old logs, they are
also encrypted and signed with a key that needs a four-eyes passphrase
to unlock. This is somewhat odd, since I would think that logically the
process of recording the information in the first place matters, and
not the storage of this information.

Besides that, I think it is possible to build a somewhat reliable (in
all aspects of security) setup with UNIX/syslog-ng/stunnel, and signing
and integrity checking tools. If "UNIX" is not BSD or Linux, I'd have a
strong tendency to go compartmented, meaning B1, since there are some
features that didn't make it into commercial vanilla UNIX yet. Even
though a very stripped down Solaris properly hardened is good enough
for all but the most paranoid. Caps and MAC are definitely nice to
have though.

I know that what I'm describing is far away from a completely neutral
audit trail. But after all this is just about securing syslog, which
by itself cannot be called a reliable source of information, since the
actual source (the process logging at a certain facility/priority) can
always be faked very easily given you have local access. So the main
goal must be preventing local access to client and server, and
authenticating and securing the communication between them (which is
done beautifully by stunnel). I'll think about PKI when the networks
are able to cope with full C2 audit trails going through :)

Greetings,

-- 
 ____ ____ 
/  _/| -  >  Gregor Binder <gb@(rootnexus.net|sysfive.com)>
| / || _\ \
\__ Id: 0xE2F31C4B Fp: 8B8A 5CE3 B79B FBF1 5518 8871 0EFB AFA3 E2F3 1C4B
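The rotation-time sealing and the client/server comparison the post mentions, worked through as an added example that is not part of the original message and not syslog-ng or stunnel code. It uses HMAC-SHA256 in place of the PGP signature, a shared secret in place of the four-eyes key, and constructed archive names and log lines; it goes one step beyond the post by chaining each rotation's seal to the previous one, so that a deleted or reordered archive is noticed, and by checking the newest seal against a copy kept out-of-band, so that truncating the whole chain is noticed too:

```python
"""Seal rotated syslog archives and compare client/server copies.

Added example, not from the original post and not syslog-ng/stunnel code.
Assumptions (constructed for illustration): archives are given as
(name, bytes) pairs in rotation order; KEY is a shared secret standing in
for the PGP key behind the post's four-eyes passphrase; HMAC-SHA256 stands
in for the PGP signature. Each seal chains to the previous one, and the
newest seal is meant to be kept out-of-band (printed, or pushed to the
other side), so that truncation of the chain is noticed as well.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first rotation ever sealed


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def _mac(key, rec):
    # Only the sealed fields are authenticated; the MAC is stored alongside.
    body = json.dumps({k: rec[k] for k in ("name", "sha256", "prev")},
                      sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def seal_rotations(archives, key, prev=GENESIS):
    """Return a manifest: one sealed record per archive, in rotation order."""
    manifest = []
    for name, data in archives:
        rec = {"name": name, "sha256": _sha256(data), "prev": prev}
        rec["mac"] = _mac(key, rec)
        manifest.append(rec)
        prev = rec["mac"]
    return manifest


def verify_manifest(archives, manifest, key, expected_last=None):
    """Return a list of findings; an empty list means everything checks out."""
    findings = []
    by_name = dict(archives)
    prev = GENESIS
    for rec in manifest:
        if not hmac.compare_digest(rec["mac"], _mac(key, rec)):
            findings.append("%s: seal does not verify" % rec["name"])
        if rec["prev"] != prev:
            findings.append("%s: chain broken, an earlier archive was removed or reordered" % rec["name"])
        data = by_name.get(rec["name"])
        if data is None:
            findings.append("%s: archive missing" % rec["name"])
        elif _sha256(data) != rec["sha256"]:
            findings.append("%s: contents modified" % rec["name"])
        prev = rec["mac"]
    if expected_last is not None and prev != expected_last:
        findings.append("chain truncated: newest seal does not match the out-of-band copy")
    sealed = {r["name"] for r in manifest}
    for name in by_name:
        if name not in sealed:
            findings.append("%s: archive was never sealed" % name)
    return findings


def compare_manifests(client_manifest, server_manifest):
    """Client/server comparison: every rotation name should carry the same digest."""
    client = {r["name"]: r["sha256"] for r in client_manifest}
    server = {r["name"]: r["sha256"] for r in server_manifest}
    diffs = []
    for name in sorted(set(client) | set(server)):
        if name not in server:
            diffs.append("%s: only on client" % name)
        elif name not in client:
            diffs.append("%s: only on server" % name)
        elif client[name] != server[name]:
            diffs.append("%s: client and server copies differ" % name)
    return diffs


# Constructed sample input: two rotations (oldest first) with stand-in log lines.
KEY = b"constructed-shared-secret"
ARCHIVES = [
    ("messages.2", b"Oct  8 17:27:57 loghost sshd[4711]: Accepted publickey for gb\n"),
    ("messages.1", b"Oct  9 03:37:59 loghost sudo: gb : TTY=pts/0 ; COMMAND=/bin/sh\n"),
]

if __name__ == "__main__":
    manifest = seal_rotations(ARCHIVES, KEY)
    print("clean:", verify_manifest(ARCHIVES, manifest, KEY, manifest[-1]["mac"]))
    tampered = [(ARCHIVES[0][0], ARCHIVES[0][1].replace(b"gb", b"root")), ARCHIVES[1]]
    print("tampered:", verify_manifest(tampered, manifest, KEY))
    print("older archive deleted:", verify_manifest(ARCHIVES[1:], manifest[1:], KEY))
    print("client vs server:", compare_manifests(manifest, seal_rotations(tampered, KEY)))
```

Two points the code makes that a plain signature per file does not: deleting an old archive together with its manifest record still breaks the `prev` link of the record after it, and deleting the newest archive is only caught because the newest seal is compared against a copy the attacker cannot reach. A real deployment would replace the HMAC with a detached PGP signature made under the four-eyes key and keep the manifest on the server side as well, which is what makes the client/server comparison meaningful.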
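A concrete shape for the syslog-ng/stunnel transport with client certificates that the post relies on, as an added example that is not part of the original message and not taken from either project's documentation. It is written for stunnel 4's ini-style configuration (later than this post; stunnel 3 took the same options on the command line), and the hostname, ports and certificate paths are assumptions:

```ini
; --- client side, e.g. /etc/stunnel/syslog-client.conf (path assumed) ---
client = yes
; this host's own client certificate and key
cert = /etc/stunnel/client.pem
key = /etc/stunnel/client.key
; your own CA, not a public one: only certs you issued are trusted
CAfile = /etc/stunnel/ca.pem
; level 2: refuse the connection unless the peer cert chains to CAfile
verify = 2

[syslog]
; loopback only, so nothing but the local syslog-ng can enter the tunnel
accept = 127.0.0.1:5140
; loghost name assumed
connect = loghost.example.net:5140

; --- server side, e.g. /etc/stunnel/syslog-server.conf (path assumed) ---
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
CAfile = /etc/stunnel/ca.pem
; level 2 here means every client must present a cert signed by CAfile
verify = 2

[syslog]
; the TLS listener the clients connect to
accept = 5140
; the plaintext hop to syslog-ng stays on loopback
connect = 127.0.0.1:514
```

On the client, syslog-ng sends into the tunnel with `destination d_loghost { tcp("127.0.0.1" port(5140)); };`; on the server it receives with `source s_tunnel { tcp(ip("127.0.0.1") port(514)); };`. The loopback binding on both ends is what keeps the setup honest: a syslog-ng listener on `0.0.0.0:514` would accept messages from anyone on the network and skip the client-certificate check entirely. Note also that stunnel hands every connection to syslog-ng from 127.0.0.1, so the server cannot tell clients apart by source address; the certificate is the client's identity, which is why each client should get its own.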