Firewall Wizards mailing list archives

Re: "Dropsafe" logs


From: Joseph S D Yao <jsdy () cospo osis gov>
Date: Thu, 8 Apr 1999 16:15:08 -0400 (EDT)

We are seeking a means to implement real-time write-once "dropsafe" logs of our 
firewall bastion in case of a system failure or a hacker trying to cover their 
tracks.  Unfortunately, unless there's an alternative I'm not aware of, a CD-R 
requires a complete disk image in ISO 9660 format to be burned into the 
writeable disk all at once, which means we either have to wait until we have 
nearly 640 MB of logfiles to write or waste an awful lot of writeable disk 
space.  We have no operational experience with MO drives here, nor would we want 
to risk those models where write-once settings can be turned off in software. 
...
What are others doing to maintain real-time write-once copies of firewall logs?  
Is there write-once media to which data can be written in realtime (i.e. like a 
real filesystem)?

Several years ago, an organization that was very concerned with its
security and logs had us hook up a Kodak magneto-optical write-once disk
jukebox to an SGI system via SCSI bus for archiving of various logged
data.  ISTM that it was truly write-once, and also that the device
mounted just like a regular Unix file system, except that the software
in the device knew, when a file was deleted or renamed or otherwise
changed, to mark invalid the blocks that had been used and use the next
free set of blocks.

I'm afraid that I don't know who owns that part of Kodak now.

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO/OSIS Computer Support                                     EMT-A/B
-----------------------------------------------------------------------
      This message is not an official statement of COSPO policies.


