Date: Fri, 9 Jul 1999 12:45:32 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: proff@suburbia.net
Cc: Warner Losh, alla@sovlink.ru, avalon@coombs.anu.edu.au, security@FreeBSD.ORG
Subject: Re: Syslog alternatives?
In-Reply-To: <19990709163459.22243.qmail@suburbia.net>
Sender: owner-freebsd-security@FreeBSD.ORG

On Sat, 10 Jul 1999 proff@suburbia.net wrote:

> > In message <3785AB58.2B3D8F05@sovlink.ru> Alla Bezroutchko writes:
> > : > Prove to me that your log files have any integrity, in such a way that
> > : > I cannot dispute it.
> > : >
> > : How integrity is achieved with syslog's alternatives?
> >
> > That's a good question....  In order to do that, you'd have to have
> > some kind of public-key private-key mechanism based on shared secrets
> > to be sure.  I'm not sure how you can really achieve a secure log file
> > integrity when things like VI exist...
> >
> > Warner
>
> Just because you can't think of an answer doesn't mean there isn't one :)

I still lean towards a combination of existing securelevel code, and a
protected process flag indicating that the process may not be interfered
with by unauthorized userland code (i.e., no debugging, signaling, etc).
Alternatively a kernel thread, but the lack of preemption is unappealing.

Also, a kernel-based "integrity stamper" that MAC's a log entry along with
some noise, and a date-time stamp, would at least prevent individual
records from being modified or reordered.  It doesn't prevent removal, but
as long as the kernel is ok, it's worth something.

  Robert N M Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Computing Laboratory at Cambridge University
Safeport Network Services
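
Added example, not part of the original message and not FreeBSD code: a user-space Python sketch of the "integrity stamper" idea in the message above, with HMAC-SHA256 standing in for the MAC. The key, record layout, function names and sample entries are assumptions made for illustration; reordering is caught only under the assumption that timestamps never decrease.

```python
import hashlib
import hmac
import os
import struct

# Assumption: in the design discussed above this key never leaves the kernel.
KEY = b"constructed-demo-key"

# Constructed sample entries: (timestamp, message).
SAMPLE = [
    (931538700.0, "login: user alice on ttyp0"),
    (931538705.0, "su: alice to root on ttyp0"),
    (931538710.0, "sshd: connection closed"),
]

def _body(when, noise, message):
    # Everything the MAC covers: timestamp, noise, then the log text.
    return struct.pack(">d", when) + noise + message.encode()

def stamp(key, message, when):
    """Return one stamped record: timestamp, 16 bytes of noise, text, MAC."""
    noise = os.urandom(16)
    tag = hmac.new(key, _body(when, noise, message), hashlib.sha256).digest()
    return {"time": when, "noise": noise, "msg": message, "mac": tag}

def check(key, records):
    """Return (index, problem) pairs for records that fail verification."""
    problems = []
    last = float("-inf")
    for i, r in enumerate(records):
        body = _body(r["time"], r["noise"], r["msg"])
        good = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(good, r["mac"]):
            problems.append((i, "modified"))
            continue
        # The timestamp is under the MAC, so a moved record still carries
        # its original time and shows up as a step backwards.
        if r["time"] < last:
            problems.append((i, "out of order"))
        last = r["time"]
    return problems

if __name__ == "__main__":
    log = [stamp(KEY, m, t) for t, m in SAMPLE]
    edited = [dict(r) for r in log]
    edited[1]["msg"] = "su: bob to root on ttyp0"
    print("intact :", check(KEY, log))
    print("edited :", check(KEY, edited))
    print("swapped:", check(KEY, [log[1], log[0], log[2]]))
    print("removed:", check(KEY, [log[0], log[2]]))  # not detected
```

Two records that carry the same timestamp can be swapped without this check noticing, and a dropped record leaves no trace.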