[1555] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: signing syslog files with PGP

daemon@ATHENA.MIT.EDU (Robert L. Millner)
Tue May 27 05:12:28 1997

Date: Mon, 26 May 1997 12:51:39 -0400 (EDT)
From: "Robert L. Millner" <rmillner@NRAO.EDU>
To: linux-security@redhat.com
Cc: hannes@boehm.org
In-Reply-To: Your message of Sun, May 25, 1997 19:16:01 +0200
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

-----BEGIN PGP SIGNED MESSAGE-----

"HRB" == Hannes R Boehm <hannes@boehm.org> writes:

HRB> Whenever a new line is added to a syslog file the existing syslog file
HRB> checked against the privious made signature. If the file passes this
HRB> test, the new line(s) is/are added. Then a new signature is computed,
HRB> and stored.

Since this is an automated procedure, the key must be stored somewhere
where it can be read without a passphrase (the memory of a program or a
file on disk).  Most of the scenarios where a user will be able to
modify the syslog files that I can think of require root perms.  If the
attacker only wants to cover tracks and isn't interested in the logs
looking sane, then there are attacks that scramble or nuke the file
without being root and the pgp scheme is still useless.  If the attacker
has root, and wants the logs to look sane, he can edit and re-sign them
manually.  

HRB> To decrease the cpu load the deamon could wait until it has received a
HRB> bunch of syslog messages before actually writing them to the file.

A good idea to save processing time.  The problem with it is that it
allows an attacker to get in, break root and then -9 syslog before it
flushes the cache.  His trail is gone.  It is better to get the data on
disk as quickly as possible.

HRB> To prohibit unauthorised access to the secret key, the key ring is
HRB> protected by a pass-phrase which is only known by the system
HRB> administrator and has to be entered on startup.

In memory or on disk, either way, its still vulnerable to someone with
root perms.  This also means that the system cannot reboot without
someone at the console which may be fine for your home system but is a
bad idea on a LAN of 200 machines.

I basically like the idea of being able to sign the logs to ensure that
no one tampers with it.  I don't see the PGP scheme being it though.  To
protect the files from even root, there may be a way to use securelevel
and `chattr -a`.  I know securelevel protects `chattr -i`, perhaps it
protects the -a flag as well. 

	Pax et Bonum,
	Robert Millner

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.4, an Emacs/PGP interface

iQCVAwUBM4m/iyBb0YO3vJbJAQHgQAQAoLl5DQ6FJ3Vn+/YxemwdASXFTvqxOmYs
6hVPycZ99zRreQzGgPaSF/Qqqj0NqMdxuKgtJ1sp9GGYXpVfAF0nyVxnpZo2Xjs/
pmEqxDXQD6aw9PAUqOorHcMWrhZ07B61Aryyp6bj+npF81wqFdxC3HnsNxsYUVrn
opxky7CQuD8=
=un/v
-----END PGP SIGNATURE-----

[mod: Last I looked the "securelevel" implementation wasn't complete. 
For example, you could edit the inode on disk although the chattr
stuff was disabled..... -- REW]


home help back first fref pref prev next nref lref last post