Firewall Wizards mailing list archives
Re: WORM file system for logging
From: Paul McNabb <mcnabb () argus-systems com>
Date: Thu, 6 Aug 1998 12:20:13 -0500 (CDT)
Another alternative is to have the syslogd running on a trusted OS and have it configured so that the daemon can only receive but never transmit. You could even set it up so that the log files are accessible in only 2 ways: (1) from log traffic being passed to the daemon via the network and/or local processes, or (2) in a read/write mode from the console when the machine is in single user mode and networking is disabled.

You could relax the 2nd mechanism as much as you wanted, making the files readable or writable via certain daemons, hosts, or network interfaces.

paul
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Thu, 06 Aug 1998 10:19:20 -0400

>> Perhaps if you can tell us your requirements, we can
>> suggest something that'd match more closely.
>
> Well, the idea was simply to have a tamper proof syslog (apart from
> overrunning).

As far as I can tell, the easiest way to do that is to have a system that can read from the network and can't talk to it, then simply pull the syslog traffic off the wire and record it. You could build something like that fairly easily with a sniffer or an NFR that had the transmit lead on its network cable cut. That's a good way of securing it, but it does make it a pain to network manage. :) Hook a serial line up and strap it over to another system so you can tip/kermit in.

> Anything but the WORM file system that we came up with has time windows in
> which the data could be modified after it has been received.

Even the WORM does, really, if you're not willing to trust the platform it's running on.

[...]
[...]
---------------------------------------------------------
Paul McNabb                     Argus Systems Group, Inc.
Vice President and CTO          1809 Woodfield Drive
mcnabb () argus-systems com      Savoy, IL 61874 USA
TEL 217-355-6308                FAX 217-355-1433
"Securing the Future"
---------------------------------------------------------
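The two designs above (a syslogd that can receive but never transmit, and log files that are appended by the daemon and otherwise only touched from the console) can be sketched in code. The following is an added example, not code from either poster or from Argus or NFR: a minimal receive-only UDP syslog collector. It assumes RFC 3164-style datagrams on UDP/514, a POSIX host, and that the outbound-traffic block and any append-only file flag (chattr +a, schg) are applied by the OS or firewall outside this script; the function and file names are illustrative.

```python
"""Receive-only syslog collector (added example; not from the original thread).

Assumptions not stated in the thread: RFC 3164 "<PRI>TIMESTAMP HOST MSG"
datagrams on UDP/514, a POSIX host, and that the kernel-level "never
transmit" rule (firewall, or Marcus's cut transmit lead) and the
append-only flag on the log file are enforced outside this script.
"""
import os
import re
import socket
from datetime import datetime, timezone

# PRI = facility * 8 + severity, at most 191 (facility 23, severity 7)
_PRI_RE = re.compile(rb"^<(\d{1,3})>(.*)$", re.DOTALL)
# "Aug  6 12:20:13 hostname rest-of-message"
_HDR_RE = re.compile(
    rb"^([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.DOTALL
)

FACILITY = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
            "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
            "local0", "local1", "local2", "local3", "local4", "local5",
            "local6", "local7"]
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def parse_syslog(datagram: bytes) -> dict:
    """Decode one datagram into facility/severity/host/msg.

    Malformed input is kept verbatim (facility/severity None) rather than
    dropped: a collector that discards what it cannot parse loses evidence,
    and an attacker could exploit that to hide a line.
    """
    rec = {"facility": None, "severity": None, "host": None,
           "msg": None, "raw": datagram}
    m = _PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        rec["msg"] = datagram.decode("utf-8", "replace")
        return rec
    pri = int(m.group(1))
    rec["facility"] = FACILITY[pri // 8]
    rec["severity"] = SEVERITY[pri % 8]
    h = _HDR_RE.match(m.group(2))
    if h:
        rec["host"] = h.group(2).decode("ascii", "replace")
        rec["msg"] = h.group(3).decode("utf-8", "replace")
    else:
        rec["msg"] = m.group(2).decode("utf-8", "replace")
    return rec


def append_record(path: str, peer: str, rec: dict) -> str:
    """Append one line and return it.

    O_APPEND means every write lands at the current end of file, so the
    daemon itself can never overwrite or truncate earlier records; the
    receive time and sending peer are recorded by the collector, not
    trusted from the packet.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    line = "%s %s %s %s.%s %s\n" % (
        stamp, peer, rec["host"] or "-",
        rec["facility"] or "-", rec["severity"] or "-",
        (rec["msg"] or "").rstrip("\n").replace("\n", "\\n"))
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, 0o600)
    try:
        os.write(fd, line.encode("utf-8"))
    finally:
        os.close(fd)
    return line


def serve(log_path: str, bind: str = "0.0.0.0", port: int = 514) -> None:
    """Bind UDP/514 and loop on recvfrom(). The socket is only ever read;
    there is no sendto(), so nothing is acknowledged or answered. (The
    kernel may still emit ARP/ICMP; that is what the external firewall
    rule or cut transmit lead is for.)"""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    while True:
        data, (peer, _) = sock.recvfrom(65535)
        append_record(log_path, peer, parse_syslog(data))


if __name__ == "__main__":
    # Hypothetical path; needs root for port 514 and a writable log directory.
    serve("/var/log/collector/syslog.log")
```

Note what this does and does not buy you: the collector cannot rewrite history through its own socket, but, as Marcus points out, anyone who can get write access to the platform (root on the box, or the console in single user mode) can still edit the file. The script narrows the window; the trusted OS and the physical/firewall isolation are what close it.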
Current thread:
- RE: WORM file system for logging, (continued)
- RE: WORM file system for logging Marcus J. Ranum (Aug 05)
- Re: WORM file system for logging Andreas Siegert (Aug 06)
- Re: WORM file system for logging Marcus J. Ranum (Aug 06)
- Re: WORM file system for logging Adam Shostack (Aug 06)
- Re: WORM file system for logging Joseph S. D. Yao (Aug 06)
- Re: WORM file system for logging Bobo Rajec (Aug 07)
- Re: WORM file system for logging Doug Hughes (Aug 07)
- RE: WORM file system for logging Marcus J. Ranum (Aug 05)
- Re: WORM file system for logging Andreas Siegert (Aug 04)
- RE: WORM file system for logging Andrew J. Luca (Aug 07)
- Re: WORM file system for logging Andreas Siegert (Aug 07)