Alex Brown wrote:

 > [...]
 > Does anyone have any similar experience with firm security related
 > requirements for event logging?

Let's see...

Orange Book requires that the TCB shut down if it can't log, so that jibes with
Chris L's statement about the .gov wanting confirmed delivery.  Not all subsystems
will have this requirement, however, and it will also be difficult to do over UDP,
so we want this to be optional in some way.  This probably means an option to
openlog(3) and logger(1) to specify that the logs must be verified, and an option
in syslog.conf to say that a particular log stream can only go over a verifiable
connection.

The courts are going to want chain-of-custody evidence, so that implies digital
signatures to prove where the data came from and that it has not been altered.
This is both in transmission and in the log store.  Again, this means options in
openlog(3), logger(1), and syslog.conf to control this stuff.

Since multiple systems are generating events at roughly the same time, we need a
timestamp to be able to show in what order events happened.

Since each process can generate more than one event, we need a process identifier
(PID, etc.) to show how messages group together.

Since some log information may be confidential we need encrypted transmission.
Again, we're going to need options in openlog(3), logger(1) and syslog.conf to
control this.  Security of the log store is an implementation issue that can be
handled by encryption or by other "system" security mechanisms.

Since we need log event correlation to support things like intrusion detection, we
need standardized tags to correlate on (the ULM/XML idea).

The following are implementation issues that don't affect the design of the wire
protocol or the syslog(3)/logger(1) interfaces...

Since special actions may be taken based on the log's facility and priority, we may
want some way of restricting what facilities/priorities a particular process can
access.

We probably don't want to lose log entries, so we may want some kind of signed
sequence-number scheme in the log store so we can tell what records have been
deleted if the logs are stored on rewritable media.


--
Chris Calabrese
Internet Infrastructure and Security
Merck-Medco Managed Care, L.L.C.
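The requirements listed in the message above (a per-record timestamp and PID, a signature proving origin and integrity, and a signed sequence number so that deleted records show up as gaps) can be demonstrated in a small log store. The following Go program is an added illustration, not code from the thread or from any syslog implementation. It assumes an ECDSA P-256 key standing in for whatever signature scheme the deployment chooses, and the record layout (host, facility, priority, free-text message) is a hypothetical one chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// LogRecord is one signed event. Seq gives deletion detection, Timestamp gives
// cross-host ordering, PID groups messages per process, Sig is the
// chain-of-custody evidence. (Hypothetical layout for this example.)
type LogRecord struct {
	Seq       uint64
	Timestamp string // RFC3339Nano, UTC
	Host      string
	PID       int
	Facility  string
	Priority  string
	Msg       string
	Sig       []byte // ECDSA P-256 signature over canonical()
}

// canonical returns the exact bytes that are signed and later verified.
// Every field is length-prefixed so no field boundary is ambiguous.
func (r *LogRecord) canonical() []byte {
	var b strings.Builder
	for _, f := range []string{
		strconv.FormatUint(r.Seq, 10), r.Timestamp, r.Host,
		strconv.Itoa(r.PID), r.Facility, r.Priority, r.Msg,
	} {
		fmt.Fprintf(&b, "%d:%s;", len(f), f)
	}
	return []byte(b.String())
}

// Signer is the originating host's signing context: its private key and the
// next sequence number to issue. Numbers start at 1 and never repeat.
type Signer struct {
	priv *ecdsa.PrivateKey
	host string
	next uint64
}

func NewSigner(host string) (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, host: host, next: 1}, nil
}

func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Emit builds the next record, stamps it with the current time and signs it.
func (s *Signer) Emit(pid int, facility, priority, msg string) (LogRecord, error) {
	r := LogRecord{
		Seq: s.next, Timestamp: time.Now().UTC().Format(time.RFC3339Nano),
		Host: s.host, PID: pid, Facility: facility, Priority: priority, Msg: msg,
	}
	h := sha256.Sum256(r.canonical())
	sig, err := ecdsa.SignASN1(rand.Reader, s.priv, h[:])
	if err != nil {
		return LogRecord{}, err
	}
	r.Sig = sig
	s.next++
	return r, nil
}

// AuditResult is what a verifier reports about a stored stream.
type AuditResult struct {
	Missing    []uint64 // sequence numbers absent from the store (deleted or dropped)
	Altered    []uint64 // records whose signature no longer verifies
	OutOfOrder []uint64 // records whose Seq moved backwards (replayed or reordered)
	Verified   int      // records that passed
}

// Audit checks a stored stream against the originator's public key. Records
// are expected in ascending Seq order, as they were written.
func Audit(pub *ecdsa.PublicKey, recs []LogRecord) AuditResult {
	var res AuditResult
	expect := uint64(1)
	for i := range recs {
		r := &recs[i]
		if r.Seq < expect {
			res.OutOfOrder = append(res.OutOfOrder, r.Seq)
		}
		for expect < r.Seq { // a gap means something in between was removed
			res.Missing = append(res.Missing, expect)
			expect++
		}
		if r.Seq >= expect {
			expect = r.Seq + 1
		}
		h := sha256.Sum256(r.canonical())
		if ecdsa.VerifyASN1(pub, h[:], r.Sig) {
			res.Verified++
		} else {
			res.Altered = append(res.Altered, r.Seq)
		}
	}
	return res
}

func main() {
	s, err := NewSigner("web01")
	if err != nil {
		panic(err)
	}
	var store []LogRecord
	for _, m := range []string{"session opened", "sudo: root", "file read", "session closed"} {
		r, _ := s.Emit(4242, "auth", "info", m) // constructed sample events
		store = append(store, r)
	}
	store[1].Msg = "sudo: nobody"                            // simulate an edited record
	store = []LogRecord{store[0], store[1], store[3]}        // simulate deletion of seq 3
	fmt.Printf("%+v\n", Audit(s.Public(), store))
}
```

Two caveats a reviewer of such a store would raise: a gap check cannot see records removed from the tail (the verifier only knows the last sequence number it was shown), so the originator needs to periodically emit a signed "current sequence is N" marker or the collector must acknowledge receipt as the message suggests for confirmed delivery; and the timestamp is only as trustworthy as the clock that produced it, so ordering across hosts still depends on time synchronisation.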