On Mon, 16 Aug 1999, Vin McLellan wrote:
> been urging my clients to consider crypto-enhanced audit logs: irreversible
> updating to log files with a one-way function, at a minimum.... Maybe with
> an option to write logs to a WORM drive? Maybe with a timestamp in the digest?
Definitely the way to go. Hardened hosts are good, but you still need
authentication and hashes work well for that.
>
> Anyone got any comments? Cautions or suggestions for
> implementation? Hashed digests or digital signatures?
Signatures require a secret on the same machine, which is normally a big
problem. I think you have to worry about how you refute false subsequent
logs with actual event-up-to-compromise logs.
>
> Isn't it about time for OS, NOS, and PKI vendors (all who sell or
> install access control systems?) to finally offer something in audit that
> can perhaps withstand Mr. Moore's threat scenario: "[If] someone gets root
> on your machine, they can do anything."
That's an OS problem, and is best addressed by compartmented systems. Not
that I think we'll see that, but I'm still holding out hope...
>
> "Irreversible" updates for audit logs may not withstand all attacks
> unless the records are stored offline -- and access controls without strong
> two-factor authentication is a joke -- but done right, I presume this sort
> of audit files could only be destroyed, not faked.
You could fake subsequent logs if the authentication is on-machine, and
the machine is given in a complete compromise.
>
> Traditionally, of course, records made in the normal course of
> business are admissible as forensic evidence in courts throughout the world.
> Testimony is usually required to show that these records meet this test. I
> fear, however, that even with strong user authentication, and relatively
> weak controls over many types of computerized records may allow them to be
> legitimately called into question if they are used as evidence in court, or
> as the justification for punitive action within the firm or organization.
That's why cryptographic signatures/hashes are an important adjunct to a
strong log host. The log host still has administrators.
[snip]
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
PSB#9280
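As an added illustration of the hash-chained log the thread discusses (this is not code from either poster), the block below chains each record to the previous digest with a timestamp, then shows the two cases raised above: an in-place edit breaks the chain, while an attacker with root who rebuilds the tail produces an internally consistent chain that only an off-host copy of the last digest (the WORM-drive idea) can expose. The SHA-256 choice, the genesis value and the sample records are assumptions for the example.

```python
import hashlib
from typing import List, Optional, Tuple

# Constructed starting value for an empty log (assumption for the example).
GENESIS = "0" * 64


def append_entry(log: List[dict], timestamp: str, message: str) -> dict:
    """Append one record whose digest covers the previous digest, the timestamp
    and the message, so altering or dropping a record changes every later digest."""
    prev = log[-1]["digest"] if log else GENESIS
    digest = hashlib.sha256(f"{prev}|{timestamp}|{message}".encode()).hexdigest()
    entry = {"ts": timestamp, "msg": message, "prev": prev, "digest": digest}
    log.append(entry)
    return entry


def verify_chain(log: List[dict], anchor: Optional[str] = None) -> Tuple[bool, int]:
    """Recompute the chain; return (ok, index of first bad record, or -1 if clean).
    'anchor' is the last digest copied off-host (WORM drive, remote log host).
    Without an anchor, a tail rewritten after compromise still verifies."""
    prev = GENESIS
    for i, e in enumerate(log):
        expected = hashlib.sha256(f"{prev}|{e['ts']}|{e['msg']}".encode()).hexdigest()
        if e["prev"] != prev or e["digest"] != expected:
            return False, i
        prev = e["digest"]
    if anchor is not None and prev != anchor:
        return False, len(log)  # chain is self-consistent but not the one we anchored
    return True, -1


def demo() -> dict:
    # Constructed sample records; timestamps and messages are made up.
    log: List[dict] = []
    append_entry(log, "1999-08-16T10:00:00Z", "sshd: accepted login for alice")
    append_entry(log, "1999-08-16T10:05:12Z", "sudo: alice ran less /etc/shadow")
    append_entry(log, "1999-08-16T10:07:40Z", "sshd: session closed for alice")
    anchor = log[-1]["digest"]  # the value to ship off the host

    # Case 1: a record is edited in place; the chain breaks at that index.
    edited = [dict(e) for e in log]
    edited[1]["msg"] = "sudo: alice ran less /var/log/messages"

    # Case 2: root rebuilds the tail from record 0 with the same chaining code.
    rebuilt = [log[0]]
    append_entry(rebuilt, "1999-08-16T10:05:12Z", "sudo: alice ran less /var/log/messages")
    append_entry(rebuilt, "1999-08-16T10:07:40Z", "sshd: session closed for alice")
    return {
        "clean": verify_chain(log, anchor),
        "edited": verify_chain(edited, anchor),
        "rebuilt_no_anchor": verify_chain(rebuilt),      # passes: nothing to compare to
        "rebuilt_with_anchor": verify_chain(rebuilt, anchor),
    }
```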