[1566] in linux-security and linux-alert archive
[linux-security] Re: Re: Re: signing syslog files with PGP
daemon@ATHENA.MIT.EDU (Terrence Martin)
Sat May 31 07:13:12 1997
Date: Fri, 30 May 1997 14:04:19 -0600 (CST)
From: Terrence Martin <twm139@missing.link.ca>
To: linux-security@redhat.com
In-Reply-To: <199705271805.UAA18347@linux.chanae.stben.be>
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com
> Hannes R. Boehm wrote:
> >
> > I am thinking about writing some sort of deamon which signs syslog
> > files with PGP.
We were discussing this problem at a recent Linux Group meeting on
Security and we seemed to come to the conclusion that actually hashing or
signing the logs is uneccessary.
What you can do is send your syslog not only to the local machine but to a
remote, central, possibly dedicated log server. This redirection would be
done my the syslog daemon itself and would allow you to compare one syslog
to the other. Perhaps making note of such things as whether or not the
file sizes are the same, or maybe whether all of the lines match from one
log to another.
The log server itself could be made especially secure but not exporting
any other facilities besides syslog.
Granted this is not absolutely perfect, but it would reduce the risk and
is possible to do without any changes to syslogd as far as I know.
If my memory serves me correctly, one of the group members mentioned that
Bell Labs suggested this mechanism for protecting log files and it was
critical in nabbing one particularly notorious hacker.
Regards
Terrence Martin
-----------------------------------------------------
| Terrence Martin | Web Page and Public key |
| | http://missing.link.ca/~twm139 |
-----------------------------------------------------
| "Do not gobble proffered baits." Sun Tzu |
-----------------------------------------------------