Firewall Wizards mailing list archives

RE: WORM file system for logging


From: "Andrew J. Luca" <andrewluca () mediaone net>
Date: Fri, 7 Aug 1998 07:04:29 -0400

Not to belabor this point, but we built a similar configuration using a
terminal server and an extra host.  Each of the secure hosts pushed syslog
traffic out of the /dev/term/b port in addition to logging some of it
locally.  The /dev/term/b port was connected to a terminal server which was
in turn connected (via a direct ethernet connection) to a dedicated loghost.
This host ran a process per secure host which would telnet to the terminal
server and collect all of this data.

We then had a process which would parse the data based upon pre-determined
rules.  The data was either discarded (in the case of stuff we knew we
didn't want), written to a rotating file, or written to a file which was
permanently archived.  This server also generated pages and e-mails for the
support groups.  Last I saw, this had scaled to about fifty hosts in a
single site with about four of these installations.

I am not sure that this was the cleanest way to do this, but you can't
telnet down the serial port, and an intruder couldn't just go to the log host
since there was no easy way to know where that host was.

Just my thoughts.
Drew
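The parse-and-route process Drew describes above (discard the noise, rotate the
routine stuff, archive the important stuff permanently, page on the bad stuff),
sketched out as an added example. This is not the original poster's code; the
rule set, the severity threshold for paging, the sample syslog lines and the
in-memory sinks standing in for the rotating and archive files are all
constructed for illustration. The line format it parses is plain RFC 3164
syslog, which is what would have come down the serial port.

```python
"""Rule-driven syslog triage: discard, rotate, archive, and page.

Added example, not the original poster's code. The rule set, the sample
syslog lines and the in-memory sinks are all constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

DISCARD, ROTATE, ARCHIVE = "discard", "rotate", "archive"
PAGE_AT = 2  # page on crit (2), alert (1), emerg (0); assumed threshold


@dataclass
class Event:
    facility: int
    severity: int
    host: str
    tag: str
    message: str
    raw: str


# RFC 3164 shape: <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[\d+\])?: ?(?P<msg>.*)$"
)


def parse(line: str) -> Optional[Event]:
    """Split a syslog line into fields; None if it does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # facility 0..23, severity 0..7
        return None
    return Event(pri >> 3, pri & 7, m.group("host"), m.group("tag"),
                 m.group("msg"), line)


# Rules are tried in order; the first match wins. Constructed examples.
Rule = Tuple[Callable[[Event], bool], str]
RULES: List[Rule] = [
    (lambda e: e.tag.lower() == "cron" and e.severity >= 6, DISCARD),
    (lambda e: e.tag.lower() in ("sshd", "login", "su"), ARCHIVE),
    (lambda e: e.severity <= PAGE_AT, ARCHIVE),
]
DEFAULT_ACTION = ROTATE


class Triage:
    def __init__(self, rules: List[Rule] = RULES, default: str = DEFAULT_ACTION):
        self.rules, self.default = rules, default
        self.discarded = 0
        self.sinks = {ROTATE: [], ARCHIVE: []}  # stand-ins for the two files
        self.pages: List[str] = []               # stand-in for pager/e-mail

    def decide(self, e: Event) -> str:
        for pred, action in self.rules:
            if pred(e):
                return action
        return self.default

    def handle(self, line: str) -> str:
        e = parse(line)
        if e is None:
            # Unparseable input is evidence too: keep it permanently.
            self.sinks[ARCHIVE].append(line)
            return ARCHIVE
        action = self.decide(e)
        if action == DISCARD:
            self.discarded += 1
        else:
            self.sinks[action].append(e.raw)
        if e.severity <= PAGE_AT:
            self.pages.append(f"{e.host} {e.tag}: {e.message}")
        return action


# Constructed sample traffic (not real log data).
SAMPLE = [
    "<78>Aug  7 07:00:01 gw1 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",
    "<38>Aug  7 07:01:12 gw1 sshd[2201]: Failed password for root from 10.0.0.7",
    "<34>Aug  7 07:02:00 gw1 su: authentication failure for user drew",
    "<2>Aug  7 07:03:30 gw1 kernel: Out of memory: killed process 4242",
    "<30>Aug  7 07:04:00 gw1 named[77]: zone example.com loaded serial 1998080701",
    "garbage line with no PRI field",
]


def run_sample() -> Tuple[List[str], Triage]:
    t = Triage()
    return [t.handle(line) for line in SAMPLE], t


if __name__ == "__main__":
    actions, t = run_sample()
    for line, action in zip(SAMPLE, actions):
        print(f"{action:8} {line}")
    print("pages:", t.pages)
```

Note that anything the parser cannot make sense of goes to the permanent
archive rather than being dropped: on a log host that exists to be
tamper-resistant, a malformed line is more likely to be interesting than
harmless, and the discard rule should only ever fire on traffic you have
positively identified as noise.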

-----Original Message-----
From:   owner-firewall-wizards () nfr net [mailto:owner-firewall-wizards () nfr net]
On Behalf Of Paul McNabb
Sent:   Thursday, August 06, 1998 1:20 PM
To:     firewall-wizards () nfr net; mjr () nfr net
Subject:        Re: WORM file system for logging

Another alternative is to have the syslogd running on a trusted
OS and have it configured so that the daemon can only receive
but never transmit.  You could even set it up so that the log
files are accessible in only 2 ways:

(1) from log traffic being passed to the daemon via the network
and/or local processes, or
(2) in a read/write mode from the console when the machine is in
single user mode and networking is disabled.

You could relax the 2nd mechanism as much as you wanted, making
the files readable or writable via certain daemons, hosts, or
network interfaces.

paul

 From: "Marcus J. Ranum" <mjr () nfr net>
 Date: Thu, 06 Aug 1998 10:19:20 -0400

 >> Perhaps if you can tell us your requirements, we can
 >> suggest something that'd match more closely.
 >
 >Well, the idea was simply to have a tamper proof syslog (apart from
 >overrunning).

 As far as I can tell, the easiest way to do that is to
 have a system that can read from the network and can't talk
 to it, then simply pull the syslog traffic off the wire
 and record it. You could build something like that fairly
 easily with a sniffer or an NFR that had the transmit lead
 on its network cable cut. That's a good way of securing it,
 but it does make it a pain to network manage. :) Hook a
 serial line up and strap it over to another system so you
 can tip/kermit in.

 >Anything but the WORM file system that we came up with has time windows in
 >which the data could be modified after it has been received.

 Even the WORM does, really, if you're not willing to trust
 the platform it's running on.

 [...]

[...]

---------------------------------------------------------
Paul McNabb                     Argus Systems Group, Inc.
Vice President and CTO          1809 Woodfield Drive
mcnabb () argus-systems com        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"
---------------------------------------------------------
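The recording side of what Marcus and Paul describe above (a box that can only
listen: a sniffer with the transmit lead cut, or a daemon that receives and
never sends), as an added example rather than code from anyone in the thread.
It decodes UDP/514 syslog out of raw Ethernet frames the way a passive sniffer
would have to, and records the source address with the message. The frames are
constructed inline with build_frame() so the block runs offline; feeding it from
a real capture (an AF_PACKET socket or a pcap reader) is assumed and not shown.
Checksum verification is deliberately omitted, since a passive recorder's job is
to keep what it saw, not to second-guess it.

```python
"""Passive syslog capture: decode UDP/514 out of raw Ethernet frames.

Added example, not code from the original thread. It decodes frames a
receive-only sniffer would see; the frames below are constructed with
build_frame() so the block runs offline. Feeding it from a real capture
(AF_PACKET socket or pcap) is assumed, not shown.
"""
import socket
import struct
from typing import List, Optional, Tuple

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
SYSLOG_PORT = 514


def extract_syslog(frame: bytes) -> Optional[Tuple[str, str]]:
    """Return (source IP, syslog text) for a UDP/514 datagram, else None.

    A passive recorder keeps what it sees; checksums are not verified and
    only unfragmented / first-fragment datagrams are decoded (later
    fragments carry no UDP header, so they are skipped, not misparsed).
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    version, ihl = ip[0] >> 4, (ip[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(ip) < ihl:
        return None
    total_len, flags_frag = struct.unpack("!H2xH", ip[2:8])
    if ip[9] != IPPROTO_UDP or (flags_frag & 0x1FFF) != 0:
        return None
    if total_len < ihl + 8 or total_len > len(ip):
        return None
    udp = ip[ihl:total_len]
    sport, dport, ulen, _cksum = struct.unpack("!HHHH", udp[:8])
    if dport != SYSLOG_PORT or ulen < 8 or ulen > len(udp):
        return None
    src_ip = socket.inet_ntoa(ip[12:16])
    return src_ip, udp[8:ulen].decode("utf-8", errors="replace")


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                payload: bytes, proto: int = IPPROTO_UDP) -> bytes:
    """Construct an Ethernet/IPv4/UDP frame for testing (checksums zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0,
                     64, proto, 0, socket.inet_aton(src_ip),
                     socket.inet_aton(dst_ip))
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp


def capture(frames: List[bytes]) -> List[str]:
    """Record every syslog datagram seen as 'source-ip message'."""
    records = []
    for frame in frames:
        hit = extract_syslog(frame)
        if hit is not None:
            records.append(f"{hit[0]} {hit[1]}")
    return records


# Constructed wire traffic: two syslog datagrams and one DNS query.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.9", 40001, 514,
                b"<34>Aug  7 07:02:00 gw1 su: authentication failure for user drew"),
    build_frame("10.0.0.6", "10.0.0.9", 40002, 514,
                b"<2>Aug  7 07:03:30 fw2 kernel: Out of memory: killed process 4242"),
    build_frame("10.0.0.5", "10.0.0.1", 40003, 53, b"\x12\x34\x01\x00" + b"\x00" * 8),
]

if __name__ == "__main__":
    for rec in capture(SAMPLE_FRAMES):
        print(rec)
```

The point Marcus makes about the transmit lead still applies to this code: the
decoder never needs to send anything, but that is only enforced by the wiring
(or by Paul's receive-only daemon configuration), not by the software, so the
hardening lives in the cable and the host, not in the parser.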


