[1554] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: signing syslog files with PGP

daemon@ATHENA.MIT.EDU (Wolfgang Ley)
Tue May 27 02:12:19 1997

From: Wolfgang Ley <ley@cert.dfn.de>
To: linux-security@redhat.com
Date: Mon, 26 May 1997 13:14:47 +0200 (MET DST)
Cc: hannes@boehm.org
In-Reply-To: <19970525191601.49246@boehm.org> from "Hannes R. Boehm" at May 25, 97 07:16:01 pm
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

-----BEGIN PGP SIGNED MESSAGE-----

Hannes R. Boehm wrote:
>
> I am thinking about writing some sort of deamon which signs syslog
> files with PGP.
[...]
> To decrease the cpu load the deamon could wait until it has received a
> bunch of syslog messages before actually writing them to the file.

... which might result into a serious delay (depending how many syslog
messages are being received).

> To prohibit unauthorised access to the secret key, the key ring is
> protected by a pass-phrase which is only known by the system
> administrator and has to be entered on startup.

... and then is stored in memory to be accessible by the daemon. If
an attacker has root-privs to modify the syslog's then he can also
grab the secret key from the running daemon and calculate a new
signature.

> > What do you think about this concept ?
>
> If you think this will [not] work, please write me a short message.

I don't think that this will actually work well.

+ the daemon must have access to the secret key
  (thus someone else with root-privs can grab thesecret key, too)
+ performance is a problem
  (e.g. the a syslog file with 20MB - now sign this one for each new
  message. If you sign it for a block of new messages then you have
  a delay which might be a problem, too --- e.g. if you're processing
  the logs automatically in real/near-real time)

IMHO it's easier to send the log message (as a copy) to a loghost that
does nothing else and therefor can't be accessed from the network. This
also has the advantage that you have the logs if someone modifies the
logs on your main system (while using the PGP sign model you might only
notice that someone has modified them --- but you don't know what was
modified).

Bye,
  Wolfgang Ley (DFN-CERT)
- --
Wolfgang Ley, DFN-CERT, Vogt-Koelln-Str. 30, 22527 Hamburg,    Germany
Email: ley@cert.dfn.de   Phone: +49 40 5494-2262 Fax: +49 40 5494-2241
PGP-Key available via finger ley@ftp.cert.dfn.de any key-server or via
WWW from http://www.cert.dfn.de/~ley/               ...have a nice day

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBM4lwpAQmfXmOCknRAQES6wQAhv4M3x59BrGQTU9PhABbdaKWDt7MFD37
Mltyx7BRwDI8Mu+UZzezMFMTsOWJLJlWXgaT5XOq7GB5nGbxlsmGDCw9gAoAAnjD
SCf7sd01a1d2EyTsHLy9lOit9MoHu/txuhGK+EyhzuDK621limMHhupQd1sqlz8/
8XhSEl+ZHFQ=
=H7iL
-----END PGP SIGNATURE-----


home help back first fref pref prev next nref lref last post