I am thinking about writing some sort of daemon which signs syslog files with PGP. This should help detecting unauthorised changes in the syslog files.

What I have in mind works as follows: Whenever a new line is added to a syslog file, the existing syslog file is checked against the previously made signature. If the file passes this test, the new line(s) is/are added. Then a new signature is computed and stored. If the secret key ring is modified or deleted, or the syslog files have been changed by hand, the daemon can't verify the signature and will alarm the system administrator.

To decrease the CPU load the daemon could wait until it has received a bunch of syslog messages before actually writing them to the file.

To prohibit unauthorised access to the secret key, the key ring is protected by a pass-phrase which is only known by the system administrator and has to be entered on startup.

What do you think about this concept? If you think this will [not] work, please write me a short message.

Hannes R. Boehm

[mod: reformatted, deleted PGP signature. Sorry. -- REW]

--
Hannes R. Boehm
email   : hannes@boehm.org
www     : http://hannes.boehm.org
PGP-key : http://hannes.boehm.org/hannes-pgp.asc
Hannes R. Boehm wrote:

> I am thinking about writing some sort of daemon which signs syslog
> files with PGP.

[...]

> To decrease the CPU load the daemon could wait until it has received a
> bunch of syslog messages before actually writing them to the file.

... which might result in a serious delay (depending on how many syslog messages are being received).

> To prohibit unauthorised access to the secret key, the key ring is
> protected by a pass-phrase which is only known by the system
> administrator and has to be entered on startup.

... and then is stored in memory to be accessible by the daemon. If an attacker has root privs to modify the syslogs then he can also grab the secret key from the running daemon and calculate a new signature.

> What do you think about this concept ?
>
> If you think this will [not] work, please write me a short message.

I don't think that this will actually work well.

+ the daemon must have access to the secret key (thus someone else with root privs can grab the secret key, too)
+ performance is a problem (e.g. a syslog file with 20MB - now sign this one for each new message. If you sign it for a block of new messages then you have a delay which might be a problem, too --- e.g. if you're processing the logs automatically in real/near-real time)

IMHO it's easier to send the log message (as a copy) to a loghost that does nothing else and therefore can't be accessed from the network. This also has the advantage that you have the logs if someone modifies the logs on your main system (while using the PGP sign model you might only notice that someone has modified them --- but you don't know what was modified).

Bye,
Wolfgang Ley (DFN-CERT)

--
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Email: ley@cert.dfn.de   Phone: +49 40 5494-2262   Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via WWW from http://www.cert.dfn.de/~ley/
...have a nice day
Robert L. Millner
1997-May-26 09:51 UTC
Re: [linux-security] signing syslog files with PGP
"HRB" == Hannes R Boehm <hannes@boehm.org> writes:

HRB> Whenever a new line is added to a syslog file the existing syslog file
HRB> checked against the previously made signature. If the file passes this
HRB> test, the new line(s) is/are added. Then a new signature is computed,
HRB> and stored.

Since this is an automated procedure, the key must be stored somewhere where it can be read without a passphrase (the memory of a program or a file on disk).

Most of the scenarios where a user will be able to modify the syslog files that I can think of require root perms. If the attacker only wants to cover tracks and isn't interested in the logs looking sane, then there are attacks that scramble or nuke the file without being root and the PGP scheme is still useless. If the attacker has root, and wants the logs to look sane, he can edit and re-sign them manually.

HRB> To decrease the CPU load the daemon could wait until it has received a
HRB> bunch of syslog messages before actually writing them to the file.

A good idea to save processing time. The problem with it is that it allows an attacker to get in, break root and then -9 syslog before it flushes the cache. His trail is gone. It is better to get the data on disk as quickly as possible.

HRB> To prohibit unauthorised access to the secret key, the key ring is
HRB> protected by a pass-phrase which is only known by the system
HRB> administrator and has to be entered on startup.

In memory or on disk, either way, it's still vulnerable to someone with root perms. This also means that the system cannot reboot without someone at the console, which may be fine for your home system but is a bad idea on a LAN of 200 machines.

I basically like the idea of being able to sign the logs to ensure that no one tampers with them. I don't see the PGP scheme being it though. To protect the files from even root, there may be a way to use securelevel and `chattr -a`. I know securelevel protects `chattr -i`, perhaps it protects the -a flag as well.

Pax et Bonum,
Robert Millner

[mod: Last I looked the "securelevel" implementation wasn't complete. For example, you could edit the inode on disk although the chattr stuff was disabled..... -- REW]
* Hannes R. Boehm wrote:

> I am thinking about writing some sort of daemon which signs syslog
> files with PGP.
>
> This should help detecting unauthorised changes in the syslog files.

Try the idea of continuing hashes: http://www.iks-jena.de/mitarb/lutz/logfile/

--
| Lutz Donnerhacke +49/3641/380259 voice, -60 ISDN, -61 V.34 und Fax |
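The "continuing hashes" approach Lutz points to, worked through as an added example (my code, not from the thread or from the linked page): every line's digest covers the previous digest plus the line, so the final digest is a checkpoint that can be shipped off-host or signed, and a verifier holding that checkpoint detects edits or deletions anywhere in the chain without the logging host ever holding a secret key. SHA-256, the all-zero genesis value and the sample log lines are my assumptions.

```python
"""Continuing (chained) hashes over a log file.

Each line's digest is SHA-256(previous digest || line), so changing or
removing any earlier line changes every later digest. The last digest is a
checkpoint: ship it to a loghost or sign it, and a verifier who trusts the
checkpoint can audit the whole file.
"""
import hashlib

GENESIS = b"\x00" * 32  # starting value for an empty chain (assumption)


def link(prev: bytes, line: str) -> bytes:
    """Digest for the next link: SHA-256(prev_digest || line)."""
    h = hashlib.sha256()
    h.update(prev)
    h.update(line.encode("utf-8"))
    return h.digest()


def build_chain(lines):
    """Return ([(line, hex_digest), ...], final_checkpoint_hex)."""
    prev = GENESIS
    entries = []
    for line in lines:
        prev = link(prev, line)
        entries.append((line, prev.hex()))
    return entries, prev.hex()


def verify_chain(entries, checkpoint):
    """Recompute the chain over the stored entries.

    Returns -1 if every stored digest and the checkpoint agree; the index of
    the first entry whose stored digest is wrong; or len(entries) when the
    per-line digests are self-consistent but do not reach the checkpoint
    (digests were rewritten along with the lines, or lines were removed or
    appended).
    """
    prev = GENESIS
    for i, (line, digest_hex) in enumerate(entries):
        prev = link(prev, line)
        if prev.hex() != digest_hex:
            return i
    if prev.hex() != checkpoint:
        return len(entries)
    return -1


# Constructed sample log lines (not taken from any real system).
SAMPLE_LINES = [
    "May 26 09:51:01 host sshd[123]: Accepted password for alice from 10.0.0.5",
    "May 26 09:52:17 host su[130]: alice to root on /dev/pts/1",
    "May 26 09:53:40 host sshd[140]: Accepted password for bob from 10.0.0.6",
]


def demo():
    """Intact chain, in-place edit, and delete-and-recompute, in that order."""
    entries, checkpoint = build_chain(SAMPLE_LINES)
    ok = verify_chain(entries, checkpoint)  # -1: intact

    # 1. Edit a line in place, leaving stored digests alone: caught at that index.
    edited = list(entries)
    edited[1] = (edited[1][0].replace("alice", "carol"), edited[1][1])
    edit_idx = verify_chain(edited, checkpoint)  # 1

    # 2. Delete the su line and recompute every digest: the per-line check
    #    passes, but the off-host checkpoint no longer matches.
    pruned, _ = build_chain(SAMPLE_LINES[:1] + SAMPLE_LINES[2:])
    del_idx = verify_chain(pruned, checkpoint)  # 2 == len(pruned)
    return ok, edit_idx, del_idx


if __name__ == "__main__":
    print(demo())
```

The design point is that the stored per-line digests only localise a clumsy edit; the real protection comes from the checkpoint living somewhere the logging host cannot rewrite, which answers Wolfgang's and Robert's objection that any key kept on the host is available to whoever has root there.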
Pablo Saratxaga
1997-May-27 11:05 UTC
Re: [linux-security] Re: signing syslog files with PGP
Kaixo !

> Hannes R. Boehm wrote:
> >
> > I am thinking about writing some sort of daemon which signs syslog
> > files with PGP.

I find it totally impracticable. I have already worked on systems where logfiles are bigger than 20 MB in size, and in some moments of high load you can end with several dozens of lines logged per second. How do you plan to manage that?

There is too the problem of storing the passphrase, needed to encode...

And I wonder if that will give any security at all, as you can log through syslog quite easily, no need to modify the files themselves!

A much better idea imho will be to rewrite a new kind of syslog, that checks the UID/GID of the process sending the info to log, and allows writing to log files only if permissions match for that UID/GID. Eg have a file /var/log/news/news.log be -rw-rw---- news.news (sorry, I never remember the octal values) and that only processes of UID=news or GID=news can write to it through syslog. With the current syslog anybody can write to it as long as the process requests that syslog service, regardless of permission of the file and [UG]ID of the process.

What do you think of that? Would that idea be too difficult to implement? (more difficult than PGP signing? I doubt it)

--
A bientôt,
Pablo Saratxaga ~ ~ :wq ;-)
PGP Key available, key ID: 0x8F0E4975
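Pablo's UID/GID-checked syslog, sketched as an added example (my code, not anything from the thread): a receiver on a Unix-domain socket asks the kernel for the connecting process's credentials (SO_PEERCRED on Linux) and applies the target file's own write bits to decide whether that process may log there. The root bypass, the use of a stream socket instead of the datagram /dev/log, and the socket path are my assumptions.

```python
"""Log receiver that honours the target file's permissions for the sender.

may_log_to() is the policy; peer_credentials() and serve() show where the
sender's uid/gid come from on Linux.
"""
import os
import socket
import stat
import struct


def may_log_to(uid, gid, file_uid, file_gid, file_mode):
    """Apply the target file's write bits to the sender's uid/gid.

    Usual UNIX rule: owner bits if the uid matches, else group bits if the
    gid matches, else the 'other' bits. Root is allowed unconditionally
    (assumption; the proposal does not say). SO_PEERCRED reports only the
    primary gid, so supplementary groups are not considered.
    """
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(file_mode & stat.S_IWUSR)
    if gid == file_gid:
        return bool(file_mode & stat.S_IWGRP)
    return bool(file_mode & stat.S_IWOTH)


def peer_credentials(conn):
    """Return (pid, uid, gid) of the process at the other end of a Unix socket."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))
    return struct.unpack("3i", raw)


def serve(sock_path, log_path):
    """Accept connections and append what is sent only if the sender may write."""
    st = os.stat(log_path)  # re-stat if ownership of the log can change at runtime
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(5)
    while True:
        conn, _ = srv.accept()
        with conn:
            pid, uid, gid = peer_credentials(conn)
            data = conn.recv(65536)
            if may_log_to(uid, gid, st.st_uid, st.st_gid, st.st_mode):
                with open(log_path, "ab") as f:
                    f.write(data)
            else:
                # A real daemon would record the refusal in its own audit log.
                print(f"refused pid={pid} uid={uid} gid={gid} -> {log_path}")


if __name__ == "__main__":
    # Linux only; paths are placeholders:
    # serve("/tmp/example-log.sock", "/var/log/news/news.log")
    pass
```

With `/var/log/news/news.log` owned by `news.news` and mode `-rw-rw----` (0o660), a process running as the news user or in the news group is accepted and anyone else is refused, which is exactly the rule Pablo describes.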
Terrence Martin
1997-May-30 13:04 UTC
Re: [linux-security] Re: Re: signing syslog files with PGP
> Hannes R. Boehm wrote:
> >
> > I am thinking about writing some sort of daemon which signs syslog
> > files with PGP.

We were discussing this problem at a recent Linux Group meeting on Security and we seemed to come to the conclusion that actually hashing or signing the logs is unnecessary. What you can do is send your syslog not only to the local machine but to a remote, central, possibly dedicated log server. This redirection would be done by the syslog daemon itself and would allow you to compare one syslog to the other, perhaps making note of such things as whether or not the file sizes are the same, or maybe whether all of the lines match from one log to another. The log server itself could be made especially secure by not exporting any other facilities besides syslog. Granted this is not absolutely perfect, but it would reduce the risk and is possible to do without any changes to syslogd as far as I know.

If my memory serves me correctly, one of the group members mentioned that Bell Labs suggested this mechanism for protecting log files and it was critical in nabbing one particularly notorious hacker.

Regards
Terrence Martin

--
Terrence Martin | Web Page and Public key: http://missing.link.ca/~twm139
"Do not gobble proffered baits." Sun Tzu
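The comparison Terrence describes, local file against the loghost's copy, as an added example (my code, not from the thread): a line-level diff that reports which lines the loghost has but the local file lacks (deleted or altered locally) and which lines only the local file has (injected, or never forwarded). The sample lines are constructed.

```python
"""Compare the local syslog with the copy a remote loghost received."""
import difflib

# Constructed sample: the loghost's copy and a locally tampered copy in which
# the su line was removed and bob's login line was altered.
REMOTE_LOG = [
    "May 30 13:01:02 host sshd[201]: Accepted password for alice from 10.0.0.5",
    "May 30 13:02:11 host su[210]: alice to root on /dev/pts/2",
    "May 30 13:03:45 host sshd[222]: Accepted password for bob from 10.0.0.6",
    "May 30 13:04:00 host cron[230]: (root) CMD (run-parts /etc/cron.hourly)",
]
LOCAL_LOG = [
    "May 30 13:01:02 host sshd[201]: Accepted password for alice from 10.0.0.5",
    "May 30 13:03:45 host sshd[222]: Accepted password for bob from 10.0.0.9",
    "May 30 13:04:00 host cron[230]: (root) CMD (run-parts /etc/cron.hourly)",
]


def compare_logs(local_lines, remote_lines):
    """Return (missing_locally, extra_locally).

    missing_locally: lines present on the loghost but absent or changed in
    the local file. extra_locally: lines only the local file has. Both are
    in file order, so they can be reported directly to the administrator.
    """
    sm = difflib.SequenceMatcher(a=remote_lines, b=local_lines, autojunk=False)
    missing, extra = [], []
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag in ("delete", "replace"):
            missing.extend(remote_lines[i1:i2])
        if tag in ("insert", "replace"):
            extra.extend(local_lines[j1:j2])
    return missing, extra


def size_matches(local_lines, remote_lines):
    """The cheap first check Terrence mentions: are the copies the same size?"""
    return sum(len(l) + 1 for l in local_lines) == sum(len(l) + 1 for l in remote_lines)


if __name__ == "__main__":
    missing, extra = compare_logs(LOCAL_LOG, REMOTE_LOG)
    print("sizes equal:", size_matches(LOCAL_LOG, REMOTE_LOG))
    for line in missing:
        print("missing locally:", line)
    for line in extra:
        print("only in local copy:", line)
```

Because the loghost only accepts syslog, the comparison runs from the loghost's side (pulling the local file over a one-way channel), so an intruder on the logged machine cannot tamper with both copies; the size check is a quick tripwire, the line diff says what changed.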