Hello there, sorry for the delay in getting in touch with the list.
As a lot of you said before, we too believe that it was time to start
thinking about the new syslog.

Ariel Futoransky and I started working in 1994 on a cryptographic
protocol we called PEO (from the Spanish phrase 'primer estado
oculto', meaning 'Hidden First State') that would allow an auditor to
check the authenticity of a supposedly append-only file on a server
even in the case of an intrusion. The original paper on PEO was,
unfortunately, published only in Spanish, in 1995. If you are interested
in reading it you can get the original paper from
http://www.core-sdi.com/soft/vcr-peo.doc.gz
Using this protocol, we implemented a first version of ssyslog (yes,
Secure Syslog) in early 1997, based on the then-current OpenBSD
and Linux syslog (we used both versions so we could port it to both
BSD and System V easily).
The PEO protocol underwent further modifications during late 1997 in
an attempt to formally (this means mathematically) prove the security
of the protocol based only on the properties of hash functions (and
MACs).
The resulting protocol, PEO-1, was very similar to the protocol
proposed by Bruce Schneier at '98 USENIX Security. The paper
describing PEO-1 can be found at http://www.core-sdi.com/soft/peo.ps
in PostScript form or at http://www.core-sdi.com/soft/vcr-peo.dvi
as a .dvi. This time in English! (we learned our lesson)

The version of ssyslog currently available for download at
http://www.core-sdi.com/english/slogging/ssyslog-dl.html
is, as somebody pointed out, a little bit old, and was intended as
a proof-of-concept version. This ssyslog implements both PEO-1
for authentication of the logs and a protocol for auditing purposes.
You are supposed to use it with either audlog (for Unix) or
WinAudlog (for NT), which are the auditor front-ends.

The auditor downloads and checks the integrity of the logfiles from
her own machine. This communication is both cryptographically
authenticated and encrypted for privacy.

We kept working on Secure Logging since then, with the following
ideas in mind:
     * Rewrite ssyslog from scratch (i.e. not based on any syslog
implementation) and make it fully portable.
     * Define a modular approach for the integrity/authentication
procedures in syslog (the daemon, that is) so we could easily add
new auth protocols as plug-ins (such as PEO, PEO-1, Schneier's,
VCR [similar to PEO but the logs are kept encrypted]).
     * Add log-rotation capabilities (similar to what you get when using
Theodore Ts'o's newsyslog from Project Athena).
     * Redesign the syslog UDP protocol so that it could be both
authenticated and encrypted AND keep backward compatibility (it could
be easy to upgrade your syslog daemon on most Unixes, but routers et
al. are a completely different story).
     * Separate the log-auditing capabilities into a different daemon, and
create an auditing protocol that could be used for auditing syslog logs
along with logs created by other programs and NT Event Logs, with
the possibility of using any of these log-integrity protocols when present,
and itself fully authenticated/encrypted.
     * Add certain capabilities to this auditing protocol so that the auditor
could remotely configure syslog.
     * Store logs in a way that could easily be used to cross-reference/
cross-check between different machines/architectures (this involves some
sort of unified timing for the logs).

The results of this ongoing work are not yet published nor downloadable,
but we do have some in-house, feature-incomplete versions of these.
This project is being referred to as ALAT, for Advanced Logging and Auditing
Techniques.
A statement of the purposes of ALAT can be found at
http://www.core-sdi.com/english/product.html

I look forward with great interest to the development of a syslog standard, and
both Gerardo Richarte, who is project-leading the development of
ALAT, and I are willing to contribute in any way possible to the project.

Cheers,

EK.

--
===================[ CORE Seguridad de la Informacion S.A. ]====
Emiliano Kargieman
[EMAIL PROTECTED]
Director de Investigacion
www.core-sdi.com
Corelabs
Pte. Juan D. Peron 315 Piso 4 UF 17
Buenos Aires, (1038). Argentina.                      Tel/Fax: +(54.11)43.31.54.02
=======================================================
"When I was younger, I could remember anything, whether it had happened or not;
  but my faculties are decaying now and soon I shall be so I cannot remember any
  but the things that never happened. It is sad to go to pieces like this but we all
  have to do it." -- Mark Twain

"The highest psychological acquisition of the porteño (Buenos Aires) world is the absolute
insubordination of the new generations" -- Florencio Escardó



--- For a personal reply use [EMAIL PROTECTED]
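The auditor-side check the message above describes (an append-only log whose entries written before an intrusion stay verifiable afterwards, argued from hash-function and MAC properties alone) is illustrated below by an added example that is not part of the original post and is not PEO's, PEO-1's or ssyslog's own construction. It is a generic forward-secure hash-chain-plus-MAC log of the Schneier-Kelsey kind the message compares PEO-1 to: each entry is MACed with a per-entry key K_i, the host then replaces K_i by H(K_i) and discards it, and the auditor, who holds K_0 off the box, replays the chain. The initial secret K0, the key-evolution function `evolve`, the sample syslog lines and the intruder scenario in `demo()` are all constructed for this illustration.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed initial secret shared between the logging host and the auditor
# (in practice random, and installed on the auditor's machine out of band).
K0 = hashlib.sha256(b"constructed-demo-initial-secret").digest()

# Constructed sample log lines.
SAMPLE_LINES = [
    b"Jan  1 00:00:01 host sshd[123]: Accepted publickey for alice from 10.0.0.5",
    b"Jan  1 00:00:07 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
    b"Jan  1 00:01:30 host sshd[130]: Failed password for root from 10.0.0.9",
    b"Jan  1 00:01:31 host sshd[130]: Accepted password for root from 10.0.0.9",
]


def evolve(key: bytes) -> bytes:
    """One-way key update K_{i+1} = H('evolve' || K_i) (assumed construction).
    Given K_{i+1} alone, K_i cannot be recovered; that is what protects
    entries written before a break-in."""
    return hashlib.sha256(b"evolve" + key).digest()


def entry_tag(key: bytes, index: int, chain: bytes) -> bytes:
    """MAC over the entry index and the hash-chain value, keyed with K_i."""
    return hmac.new(key, index.to_bytes(8, "big") + chain, hashlib.sha256).digest()


class ForwardSecureLog:
    """Logging-host side: holds only the *current* key; each append consumes it."""

    def __init__(self, k0: bytes) -> None:
        self.key = k0
        self.prev_chain = bytes(32)
        self.entries: List[Tuple[int, bytes, bytes, bytes]] = []

    def append(self, msg: bytes) -> None:
        i = len(self.entries)
        # chain_i = H(chain_{i-1} || msg_i) links entry i to every earlier entry.
        chain = hashlib.sha256(self.prev_chain + msg).digest()
        self.entries.append((i, msg, chain, entry_tag(self.key, i, chain)))
        self.prev_chain = chain
        self.key = evolve(self.key)  # K_i is discarded; the host now holds only K_{i+1}


def audit(k0: bytes, entries) -> Optional[int]:
    """Auditor side: replay the chain from K0 on the auditor's own machine.
    Returns the index of the first entry that fails verification, or None."""
    key, prev = k0, bytes(32)
    for expected_i, (i, msg, chain, tag) in enumerate(entries):
        want_chain = hashlib.sha256(prev + msg).digest()
        if i != expected_i or chain != want_chain:
            return expected_i
        if not hmac.compare_digest(tag, entry_tag(key, i, want_chain)):
            return expected_i
        prev, key = want_chain, evolve(key)
    return None


def demo() -> dict:
    """Constructed scenario: four clean entries, then an intruder who owns the host."""
    log = ForwardSecureLog(K0)
    for line in SAMPLE_LINES:
        log.append(line)
    results = {"clean": audit(K0, log.entries)}

    # The intruder steals the host's current state (K_4 and the file) but never had K_0..K_3.
    stolen_key = log.key
    forged = list(log.entries)
    # Try to rewrite entry 3 (the successful root login) and re-tag it with the stolen key.
    new_msg = b"Jan  1 00:01:31 host sshd[130]: Failed password for root from 10.0.0.9"
    new_chain = hashlib.sha256(forged[2][2] + new_msg).digest()
    forged[3] = (3, new_msg, new_chain, entry_tag(stolen_key, 3, new_chain))
    results["rewrite_before_breakin"] = audit(K0, forged)  # caught at index 3

    # Anything appended *after* the break-in is tagged with keys the intruder holds,
    # so it is indistinguishable from legitimate output: the chain pins the past, not the future.
    log.append(b"Jan  1 00:02:00 host intruder: constructed fake entry")
    results["append_after_breakin"] = audit(K0, log.entries)
    return results
```

Two caveats a practitioner should keep in mind with any scheme of this shape. First, what is protected is exactly the prefix written before the intruder obtained the current key; the intruder can still append plausible entries, and can silently drop the tail of the file, so the auditor must also learn how many entries to expect, which is the job of a separate authenticated channel such as the audlog front-end the message describes pulling logs from the auditor's own machine. Second, the scheme is only as good as the host's discipline in actually erasing K_i after use; a key that lingers in memory or swap gives the intruder the earlier state back.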
