Wednesday, December 14, 2011

Feedback Request for digitally signed log store

I have just written about how I plan to implement digital signatures in LogStore, the secure store used by LogTools. The log store digital signature proposal details how and when signatures are written and provides reasoning why it will probably happen this way. There are two goals for the proposal: one is to document how things will work and the other, probably more important, one is to draw some feedback. It is easy to get security tools wrong, and even those with the highest experience in that area (which I do not have!) can fail. So it would be very beneficial to have some other folks read the proposal and comment on weaknesses they find - or simply things they would do differently or add to the overall idea. With that said, please read the (small) paper and provide feedback ;-).

Please keep in mind that this is not only related to syslog but can be used with any text-based log (including binary logs that are converted to text, e.g. by base64 encoding them). So it can affect you even if you are not interested in syslog itself. My (mostly uneducated) assumption is that this could be a toolset of great use for computer forensics.


John Moehrke said...

A critical thing to do before you get started is to understand what risk you would be trying to mitigate. What risk are you solving by digitally signing the log store.

It would seem to me that the original system creating each event is the one that will need to have signed their individual entry.

The other big problem with digital signatures is that it is very critical to have a trusted date/time stamp.

Rainer Gerhards said...

Thanks John,

I have begun to track the feedback on the original article. I think it makes sense to not rush this before the holiday season and then look into the specific cases in January. You are right, a risk profile should be specified.

Observer Journal said...

Digitally signing the logs provides some evidence of log integrity. Many logging and SIEM vendors already include this functionality as a requirement for compliance regulations. Some logging and SIEM vendors offer encryption as well as digital signing of logs because it contains sensitive information on the transactions of services.

D-Man said...

What's to stop someone simply stripping off the original digital signature, tampering with the data, then re-signing with another digital signature?

Rainer Gerhards said...

Yup, that's exactly a problem with that method ... and actually with most signing methods. That was one reason why I proposed to ship off the hashes regularly. In any case, that was the primary reason why I was hesitant to move this implementation more into the mainstream. However, I think I finally found a good solution, which moves into the rsyslog 7.4 stable branch. It's too much to write in a comment, I'll do a full blog posting soon and let you know.
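The strip-tamper-re-sign problem raised above, and the "ship off the hashes regularly" answer to it, as an added illustration that is not LogStore's or rsyslog's own code: each record's MAC covers the previous record's MAC, and every N-th chain value is copied to an off-host store. The HMAC key, the sample log lines and the dict used as the off-host store are all constructed for this example; a real deployment would use a signature and a store the log host cannot rewrite.

```python
import hashlib
import hmac

# Constructed sample data (not from the page): a few log lines and a demo key.
SAMPLE_LOG = [
    "Dec 14 10:00:01 host sshd[1]: Accepted publickey for alice",
    "Dec 14 10:00:05 host sudo: alice : COMMAND=/bin/ls",
    "Dec 14 10:00:09 host sshd[1]: session closed for user alice",
    "Dec 14 10:01:00 host sshd[2]: Failed password for root",
]
KEY = b"demo-key-not-secret"
GENESIS = b"\x00" * 32  # hypothetical starting value for the chain


def chain_log(lines, key, prev=GENESIS):
    """Return [(line, mac)] where each MAC covers the line AND the previous MAC."""
    records = []
    for line in lines:
        mac = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append((line, mac))
        prev = mac
    return records


def ship_anchors(records, every):
    """Model 'shipping hashes off regularly': keep every N-th chain value off-host."""
    return {i: mac for i, (_, mac) in enumerate(records) if (i + 1) % every == 0}


def verify(records, key, anchors):
    """Index of the first record that fails (chain or anchor check), or -1 if all pass."""
    prev = GENESIS
    for i, (line, mac) in enumerate(records):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return i  # record edited without re-signing: chain is broken here
        if i in anchors and not hmac.compare_digest(anchors[i], mac):
            return i  # chain re-signed after the fact: disagrees with the shipped copy
        prev = mac
    return -1


def edit_and_rechain(records, key, index, new_line):
    """Model the scenario from the comment: change one line and rebuild all later MACs."""
    lines = [line for line, _ in records]
    lines[index] = new_line
    return chain_log(lines, key)


if __name__ == "__main__":
    recs = chain_log(SAMPLE_LOG, KEY)
    anchors = ship_anchors(recs, every=2)
    rechained = edit_and_rechain(recs, KEY, 1, "Dec 14 10:00:05 host sudo: nothing to see")
    print("intact:", verify(recs, KEY, anchors))           # -1
    print("re-signed on host:", verify(rechained, KEY, anchors))  # 1
```

Without the anchors, `verify(rechained, KEY, {})` returns -1: the rebuilt chain is internally consistent, which is exactly why the hashes have to leave the host.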