Firewall Wizards mailing list archives
RE: WORM file system for logging
From: "Andrew J. Luca" <andrewluca () mediaone net>
Date: Fri, 7 Aug 1998 07:04:29 -0400
Not to belabor this point, but we built a similar configuration using a terminal server and an extra host. Each of the secure hosts pushed syslog traffic out of the /dev/term/b port in addition to logging some of it locally. The /dev/term/b port was connected to a terminal server which was in turn connected (via a direct ethernet connection) to a dedicated loghost. This host ran a process per secure host which would telnet to the terminal server and collect all of this data. We then had a process which would parse the data based upon pre-determined rules. The data was either discarded (in the case of stuff we knew we didn't want), written to a rotating file, or written to a file which was permanently archived. This server also generated pages and e-mails for the support groups.

Last I saw, this had scaled to about fifty hosts in a single site with about four of these installations. I am not sure that this was the cleanest way to do this, but you can't telnet down the serial port and an intruder couldn't just go to the log host since there was no easy way to know where that host was.

Just my thoughts.

Drew

-----Original Message-----
From: owner-firewall-wizards () nfr net [mailto:owner-firewall-wizards () nfr net] On Behalf Of Paul McNabb
Sent: Thursday, August 06, 1998 1:20 PM
To: firewall-wizards () nfr net; mjr () nfr net
Subject: Re: WORM file system for logging

Another alternative is to have the syslogd running on a trusted OS and have it configured so that the daemon can only receive but never transmit. You could even set it up so that the log files are accessible in only 2 ways: (1) from log traffic being passed to the daemon via the network and/or local processes, or (2) in a read/write mode from the console when the machine is in single user mode and networking is disabled. You could relax the 2nd mechanism as much as you wanted, making the files readable or writable via certain daemons, hosts, or network interfaces.

paul
From: "Marcus J. Ranum" <mjr () nfr net>
Date: Thu, 06 Aug 1998 10:19:20 -0400

>> Perhaps if you can tell us your requirements, we can
>> suggest something that'd match more closely.
>
> Well, the idea was simply to have a tamper proof syslog (apart from
> overrunning).

As far as I can tell, the easiest way to do that is to have a system that can read from the network and can't talk to it, then simply pull the syslog traffic off the wire and record it. You could build something like that fairly easily with a sniffer or an NFR that had the transmit lead on its network cable cut. That's a good way of securing it, but it does make it a pain to network manage. :) Hook a serial line up and strap it over to another system so you can tip/kermit in.

> Anything but the WORM file system that we came up with has time windows
> in which the data could be modified after it has been received.

Even the WORM does, really, if you're not willing to trust the platform it's running on.

[...]

[...]
---------------------------------------------------------
Paul McNabb                     Argus Systems Group, Inc.
Vice President and CTO          1809 Woodfield Drive
mcnabb () argus-systems com     Savoy, IL 61874 USA
TEL 217-355-6308                FAX 217-355-1433
"Securing the Future"
---------------------------------------------------------
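An added example, not code from this thread or from any of its posters: a small Python router modelling the "parse the data based upon pre-determined rules" step Andrew Luca describes, in which every line collected over the one-way feed is either discarded, written to a rotating file, or permanently archived, with an alert flag for the lines that would have generated a page. It parses BSD-style syslog lines (an optional `<PRI>` followed by timestamp, host, tag and message). The rule names, the `parse_line`/`route_line`/`route_lines` helpers, the dispositions and the sample log lines are all constructed for this example and do not come from the original messages.

```python
"""Rule-based router for syslog lines pulled off a receive-only feed.

Added example, not code from the mailing-list thread. Rules are evaluated in
order and the first match wins; anything unmatched goes to the rotating file.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple

DISCARD, ROTATE, ARCHIVE = "discard", "rotate", "archive"

# BSD syslog PRI = facility * 8 + severity; severity 0..7 named here.
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mon dd hh:mm:ss host tag[pid]: message   (PRI and pid are optional)
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


@dataclass
class Event:
    raw: str
    facility: Optional[int]   # None when the line carried no <PRI>
    severity: Optional[int]
    host: str
    tag: str
    msg: str


@dataclass
class Rule:
    name: str
    matches: Callable[[Event], bool]
    disposition: str
    alert: bool = False       # also page/e-mail the support group


def parse_line(line: str) -> Optional[Event]:
    """Parse one BSD-style syslog line; None if it does not fit the format."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    facility = severity = None
    if m.group("pri") is not None:
        pri = int(m.group("pri"))
        if pri > 191:                      # 24 facilities * 8 severities - 1
            return None
        facility, severity = divmod(pri, 8)
    return Event(line, facility, severity, m.group("host"),
                 m.group("tag").strip(), m.group("msg"))


def is_auth(e: Event) -> bool:
    return e.facility in (4, 10)           # auth / authpriv


# Constructed rule set: what to throw away, what to keep forever, what to page on.
RULES: List[Rule] = [
    Rule("noise-cron", lambda e: e.facility == 9 or e.tag.upper() == "CRON", DISCARD),
    Rule("high-severity", lambda e: e.severity is not None and e.severity <= 2,
         ARCHIVE, alert=True),
    Rule("auth-failure", lambda e: is_auth(e) and "failed" in e.msg.lower(),
         ARCHIVE, alert=True),
    Rule("auth-events", is_auth, ARCHIVE),
]
DEFAULT_RULE = Rule("default", lambda e: True, ROTATE)


def route_line(line: str) -> Tuple[str, bool, str]:
    """Return (disposition, alert, rule_name) for one collected line."""
    event = parse_line(line)
    if event is None:
        # Design choice for this example: a line the parser cannot read is
        # archived rather than dropped, so a parser bug or a deliberately
        # malformed message cannot make evidence disappear silently.
        return ARCHIVE, False, "unparsed"
    for rule in RULES:
        if rule.matches(event):
            return rule.disposition, rule.alert, rule.name
    return DEFAULT_RULE.disposition, DEFAULT_RULE.alert, DEFAULT_RULE.name


def route_lines(lines: Iterable[str]) -> Dict[str, list]:
    """Bucket lines by disposition and collect (rule, line) pairs to alert on."""
    out: Dict[str, list] = {DISCARD: [], ROTATE: [], ARCHIVE: [], "alerts": []}
    for line in lines:
        disposition, alert, rule = route_line(line)
        out[disposition].append(line)
        if alert:
            out["alerts"].append((rule, line))
    return out


# Constructed sample input, not real log data.
SAMPLE_LINES = [
    "<78>Aug  7 07:01:01 fw1 CRON[1234]: (root) CMD (run-parts /etc/cron.hourly)",   # cron.info
    "<38>Aug  7 07:02:15 fw1 sshd[2201]: Failed password for root from 10.0.0.5 port 4022 ssh2",  # auth.info
    "<38>Aug  7 07:02:40 fw1 sshd[2205]: Accepted publickey for ops from 10.0.0.7 port 4030 ssh2",
    "<2>Aug  7 07:03:00 fw1 kernel: Oops: unable to handle kernel paging request",   # kern.crit
    "<30>Aug  7 07:03:10 fw1 named[900]: zone example.test/IN: loaded serial 2",     # daemon.info
    "garbage line that is not syslog",
]

if __name__ == "__main__":
    result = route_lines(SAMPLE_LINES)
    for disp in (DISCARD, ROTATE, ARCHIVE):
        print(f"{disp}: {len(result[disp])} line(s)")
    for rule, line in result["alerts"]:
        print(f"ALERT [{rule}] {line}")
```

The router only decides where a line is stored and whether someone is paged; it never sends anything back toward the monitored hosts, which is what keeps the collector compatible with the receive-only designs discussed above. Putting the rules in one ordered list makes the "discard" decisions reviewable, since a rule that throws away too much is the easiest way to lose the record of an incident.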