Bugtraq mailing list archives
Re: Write-only devices (Was read only devices) [via LSMTP - see
From: pcl () foo oucs ox ac uk (Paul C Leyland)
Date: Mon, 24 Jun 1996 16:27:01 +0100
> > A write-only logger is incredibly useful when performing forensic work after something has gone badly wrong.
>
> I cannot see why being unreadable helps for forensic work. By making it unreadable, you can log "sensitive" material, and the intruder cannot see what is being recorded.

That is the point. The intruder can't see what is being logged. Intruders tend to make fewer relevant mistakes when they know what is being audited and what is not. For post-incident forensic work, the more mistakes the better! If all you want is deterrence then advertising what is logged, and how, works better, at least in our environment. An advantage of paper over magnetic records is that they are human readable. Rightly or wrongly, important people such as law enforcement, lawyers and juries tend to trust paper more than magnetic records.

> However, I would consider Write Once as being the important property.

Write-once is undeniably important, but it ought to be truly write-once. Hence my dig at CD-R. Printers must not be able to do reverse linefeeds (line starves?) for the same reason.

> > I do not know of any readily available write-only output device other than printers these days.
>
> My plan is to get a small Linux box, put a MUX card in it, and connect all the consoles to it. I suspect most sites would be able to set up a "sufficiently" secure system to allow it to be network connected, but you could opt not to network connect it. You could change an Exabyte to which the data is written when it's full, or if you want to collect evidence before that, login to the console, select the required info, and write it to a floppy.

OK, I'll accept a computer writing a dribble file as a write-once device as long as it is truly impossible for anyone not physically present at the machine to read that file. Even then, I'd feel happier if the logging machine did not have software to read the file without a reboot from removable media. I would not trust any networked machine as a high-security data logger. String together the logged machines with serial lines and ensure that the logger is truly write-only (i.e. snip its Tx lines and use hardware flow control) and you're probably OK.

> Where's the problem??

In a word: complexity. Cheap 9-pin printers are simple, reliable and understandable. Linux boxes are complicated and go wrong more often and in mysterious ways. On the other hand, their great advantages are higher storage density and more powerful log analysis tools.

Paul