linux security - May 1997 - signing syslog files with PGP

I am thinking about writing some sort of deamon which signs syslog
files with PGP.

This should help dedecting unauthorised changes in the syslog files.

What I have in mind works as follows:

Whenever a new line is added to a syslog file the existing syslog file
checked against the privious made signature. If the file passes this
test, the new line(s) is/are added. Then a new signature is computed,
and stored.

If the secret key ring is modified or deleted or the syslog files have
been changed by hand, the deamon can=B4t verify the signature and will
alarm the system administrator.

To decrease the cpu load the deamon could wait until it has received a
bunch of syslog messages before actually writing them to the file.

To prohibit unauthorised access to the secret key, the key ring is
protected by a pass-phrase which is only known by the system
administrator and has to be entered on startup.

> What do you think about this concept ?
If you think this will [not] work, please write me a short message.


Hannes R. Boehm

[mod: reformatted, deleted PGP signature. Sorry. -- REW]

--
!------------------------------------------------------------------!
  Hannes R. Boehm
        email   : hannes@boehm.org
        www     : http://hannes.boehm.org
        PGP-key : http://hannes.boehm.org/hannes-pgp.asc
!------------------------------------------------------------------!

-----BEGIN PGP SIGNED MESSAGE-----

Hannes R. Boehm wrote:
>
> I am thinking about writing some sort of deamon which signs syslog
> files with PGP.
[...]
> To decrease the cpu load the deamon could wait until it has received a
> bunch of syslog messages before actually writing them to the file.
... which might result into a serious delay (depending how many syslog
messages are being received).
> To prohibit unauthorised access to the secret key, the key ring is
> protected by a pass-phrase which is only known by the system
> administrator and has to be entered on startup.
... and then is stored in memory to be accessible by the daemon. If
an attacker has root-privs to modify the syslog''s then he can also
grab the secret key from the running daemon and calculate a new
signature.
> > What do you think about this concept ?
>
> If you think this will [not] work, please write me a short message.
I don''t think that this will actually work well.

+ the daemon must have access to the secret key
  (thus someone else with root-privs can grab thesecret key, too)
+ performance is a problem
  (e.g. the a syslog file with 20MB - now sign this one for each new
  message. If you sign it for a block of new messages then you have
  a delay which might be a problem, too --- e.g. if you''re processing
  the logs automatically in real/near-real time)

IMHO it''s easier to send the log message (as a copy) to a loghost that
does nothing else and therefor can''t be accessed from the network. This
also has the advantage that you have the logs if someone modifies the
logs on your main system (while using the PGP sign model you might only
notice that someone has modified them --- but you don''t know what was
modified).

Bye,
  Wolfgang Ley (DFN-CERT)
- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg,    Germany
Email: ley@cert.dfn.de   Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via
WWW from http://www.cert.dfn.de/~ley/               ...have a nice day

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBM4lwpAQmfXmOCknRAQES6wQAhv4M3x59BrGQTU9PhABbdaKWDt7MFD37
Mltyx7BRwDI8Mu+UZzezMFMTsOWJLJlWXgaT5XOq7GB5nGbxlsmGDCw9gAoAAnjD
SCf7sd01a1d2EyTsHLy9lOit9MoHu/txuhGK+EyhzuDK621limMHhupQd1sqlz8/
8XhSEl+ZHFQ=H7iL
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----

"HRB" == Hannes R Boehm <hannes@boehm.org> writes:

HRB> Whenever a new line is added to a syslog file the existing syslog file
HRB> checked against the privious made signature. If the file passes this
HRB> test, the new line(s) is/are added. Then a new signature is computed,
HRB> and stored.

Since this is an automated procedure, the key must be stored somewhere
where it can be read without a passphrase (the memory of a program or a
file on disk).  Most of the scenarios where a user will be able to
modify the syslog files that I can think of require root perms.  If the
attacker only wants to cover tracks and isn''t interested in the logs
looking sane, then there are attacks that scramble or nuke the file
without being root and the pgp scheme is still useless.  If the attacker
has root, and wants the logs to look sane, he can edit and re-sign them
manually.

HRB> To decrease the cpu load the deamon could wait until it has received a
HRB> bunch of syslog messages before actually writing them to the file.

A good idea to save processing time.  The problem with it is that it
allows an attacker to get in, break root and then -9 syslog before it
flushes the cache.  His trail is gone.  It is better to get the data on
disk as quickly as possible.

HRB> To prohibit unauthorised access to the secret key, the key ring is
HRB> protected by a pass-phrase which is only known by the system
HRB> administrator and has to be entered on startup.

In memory or on disk, either way, its still vulnerable to someone with
root perms.  This also means that the system cannot reboot without
someone at the console which may be fine for your home system but is a
bad idea on a LAN of 200 machines.

I basically like the idea of being able to sign the logs to ensure that
no one tampers with it.  I don''t see the PGP scheme being it though. 
To
protect the files from even root, there may be a way to use securelevel
and `chattr -a`.  I know securelevel protects `chattr -i`, perhaps it
protects the -a flag as well.

	Pax et Bonum,
	Robert Millner

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBM4m/iyBb0YO3vJbJAQHgQAQAoLl5DQ6FJ3Vn+/YxemwdASXFTvqxOmYs
6hVPycZ99zRreQzGgPaSF/Qqqj0NqMdxuKgtJ1sp9GGYXpVfAF0nyVxnpZo2Xjs/
pmEqxDXQD6aw9PAUqOorHcMWrhZ07B61Aryyp6bj+npF81wqFdxC3HnsNxsYUVrn
opxky7CQuD8=un/v
-----END PGP SIGNATURE-----

[mod: Last I looked the "securelevel" implementation wasn''t
complete.
For example, you could edit the inode on disk although the chattr
stuff was disabled..... -- REW]

* Hannes R. Boehm wrote:
> I am thinking about writing some sort of deamon which signs syslog
> files with PGP.
>
> This should help dedecting unauthorised changes in the syslog files.
Try the idea of continuing hashes:
http://www.iks-jena.de/mitarb/lutz/logfile/

--
|   Lutz Donnerhacke   +49/3641/380259 voice, -60 ISDN, -61 V.34 und Fax    |

Kaixo !

 > Hannes R. Boehm wrote:
 > >
 > > I am thinking about writing some sort of deamon which signs syslog
 > > files with PGP.

I find it totally unpracticable.
I have already worked on systems where logfiles are biger than 20 MB in size,
and in some moemets of high load you can end whith several dozens of lines
loged per second.

How do you plan to manage that ?

There is too the problem of storing the passphrase, needed to encode...

And I wonder if that will give any security at all, as you can log through
syslog quite easily, no need to modify the files themselves !

A much better idea imho will be to rewrite a new kind of syslog, that
checks the UID/GID of the process sending the info to log, and allow
writting to log files only if permissions match for that UID/GID.

Eg have a file /var/log/news/news.log be -rw-rw---- news.news
 (sorry, I never remember the octal values) and that only processes of
UID=news or GID=news can wrote to it through syslog.
Whith the current syslog anybody can wrote to it as long as the process
request for that syslog service, regarless of permission of the file
and [UG]ID of the process.

What do you think of that ? Would that idea will be too difficult to
implement ? (more difficult than PGP signing ? I doubt it)

--

A bienttt,
Pablo Saratxaga

~
~
:wq ;-)                               PGP Key available, key ID: 0x8F0E4975

> Hannes R. Boehm wrote:
 > >
 > > I am thinking about writing some sort of deamon which signs syslog
 > > files with PGP.

We were discussing this problem at a recent Linux Group meeting on
Security and we seemed to come to the conclusion that actually hashing or
signing the logs is uneccessary.

What you can do is send your syslog not only to the local machine but to a
remote, central, possibly dedicated log server.  This redirection would be
done my the syslog daemon itself and would allow you to compare one syslog
to the other. Perhaps making note of such things as whether or not the
file sizes are the same, or maybe whether all of the lines match from one
log to another.

The log server itself could be made especially secure but not exporting
any other facilities besides syslog.

Granted this is not absolutely perfect, but it would reduce the risk and
is possible to do without any changes to syslogd as far as I know.

If my memory serves me correctly, one of the group members mentioned that
Bell Labs suggested this mechanism for protecting log files and it was
critical in nabbing one particularly notorious hacker.

Regards
Terrence Martin

-----------------------------------------------------
| Terrence Martin  | Web Page and Public key        |
|                  | http://missing.link.ca/~twm139 |
-----------------------------------------------------
| "Do not gobble proffered baits." Sun Tzu          |
-----------------------------------------------------