Mailinglist Archive: opensuse-factory (564 mails)

[Claudio Freire <klaussfreire@xxxxxxxxx>]

On Mon, Dec 26, 2011 at 5:22 PM, Greg Freemyer <greg.freemyer@xxxxxxxxx> wrote:
> On Mon, Dec 26, 2011 at 10:00 AM, Stefan Seyfried
> <stefan.seyfried@xxxxxxxxxxxxxx> wrote:
> > > > 2) Ability to write and read logs faster then before.
> > > Speed is not an issue.
> > > I've processed gigabytes of text logs quickly enough when doing forensics.
> >
> >
> > If you've really ever done real forensics, you'd probably value signed
> > tamper-proof log entries.
>
> I have done the work and definitely would love signed tamper-proof logs.
>
> I have reviewed FTP, Webserver, and SMTP logs for legal reasons.  It
> complicates life not knowing if those logs can be truly trusted as
> really having been originated by the daemon in question.
>
> Note that it is too late by the time the investigation starts.  The
> underlying logging needs to be tamper resistant from prior to the
> incident under investigation.

That will never happen.
In order to sign entries, the logging daemon needs to have the keys.

The task can be made very difficult, but the jist is, if the daemon
can have access to the signing keys, so does an attacker that
compromises the daemon.

So, it cannot be made provably secure for legal purposes. But it *can*
be made difficult for most attackers, a good yet not infalible
protection for practical purposes.
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-factory+owner@xxxxxxxxxxxx