Acquisition occurs the moment a network sniffer, a system agent or a daemon acquires the event and makes it available to a subsequent transmission process directed to a machine that is usually different from the one that is the source of the event. Once the log has reached the destination machine (called the Log Machine) it may be temporarily stored in a pre-assigned slot or input to a database for later consultation. Once the policy-determined disk capacity has been reached, the data are stored in a predetermined location and the original logs are deleted to make room for new files from the source object. This method is known as log rotation.
Log file integrity can be violated in several ways. An attacker might take advantage of a non-encrypted transmission channel between the acquisition and destination points to intercept and modify the transiting log. He might also spoof the IP address sending the logs, making the log machine think it is receiving log entries and files that actually come from a different source.
3.2 An Example of a Log File Integrity Problem: Syslog
The basic configuration of Syslog makes this a real possibility. RFC 3164 states that Syslog transmissions are based on UDP, a connectionless protocol and thus one that is unreliable for network forensic purposes, unless separate LANs are used for the transmission and collection of log files. But even here there might be some cases that are difficult to interpret.
Despite its popularity and widespread use, the syslog protocol is intrinsically insecure. Indeed, the protocol specifications themselves cite gaps in the definition of the standard. Although some of these shortcomings are remedied in RFC 3195, this standard is far from being widely implemented and the majority of logging systems do not conform with its recommendations.
For this reason we should list the main drawbacks involved in using this protocol to collect and maintain a consistent series of data to be used following an incident or for routine log reviews.
For clarity we should break the problems down into three categories:
1. Transmission related problems.
2. Message integrity problems.
3. Message authenticity problems.
For each of these categories we will look at examples of possible attacks which highlight the dangers associated with using this logging protocol.
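As an added illustration that is not part of the original chapter, the following Python collector-side check parses RFC 3164 lines and flags entries whose self-reported HOSTNAME disagrees with the UDP source address the collector recorded; the sample datagrams and the host inventory are constructed for the example. An attacker who also forges the source IP, as described above, passes this check, which is exactly the authenticity gap the chapter is pointing at.

```python
import re
from typing import NamedTuple, Optional

# RFC 3164 layout: "<PRI>TIMESTAMP HOSTNAME MSG", with PRI = facility * 8 + severity.
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

class SyslogMsg(NamedTuple):
    facility: int
    severity: int
    timestamp: str
    hostname: str
    msg: str

def parse_rfc3164(line: str) -> Optional[SyslogMsg]:
    """Parse one RFC 3164 line; None if the layout or the PRI range is wrong."""
    m = _RFC3164.match(line)
    pri = int(m.group("pri")) if m else -1
    if not 0 <= pri <= 191:  # facility 0..23 and severity 0..7 give PRI <= 191
        return None
    return SyslogMsg(pri // 8, pri % 8, m.group("ts"), m.group("host"), m.group("msg"))

def flag_unexpected_sources(datagrams, inventory):
    """datagrams: (source_ip, raw_line) pairs as a UDP collector records them.
    inventory: hostname -> source IP the collector expects for that host.
    HOSTNAME is self-reported and UDP authenticates nothing, so the only cheap check
    is agreement with the recorded sender (a forged source IP still passes)."""
    findings = []
    for src, raw in datagrams:
        parsed = parse_rfc3164(raw)
        if parsed is None:
            findings.append((src, None, "unparseable RFC 3164 line"))
        elif parsed.hostname not in inventory:
            findings.append((src, parsed.hostname, "hostname not in inventory"))
        elif inventory[parsed.hostname] != src:
            findings.append((src, parsed.hostname,
                             f"expected source {inventory[parsed.hostname]}"))
    return findings

# Constructed sample datagrams (not captured traffic): a normal entry from web01, an
# entry claiming to be web01 from an unregistered address, an unknown host, and junk.
SAMPLE = [
    ("10.0.0.5", "<34>Oct 11 22:14:15 web01 su: 'su root' failed for alice"),
    ("10.0.0.99", "<34>Oct 11 22:14:16 web01 su: 'su root' succeeded for alice"),
    ("10.0.0.7", "<13>Oct 11 22:15:00 db02 cron[123]: job ran"),
    ("10.0.0.5", "garbage line"),
]
INVENTORY = {"web01": "10.0.0.5"}  # assumed collector inventory, not from the chapter
```

Running `flag_unexpected_sources(SAMPLE, INVENTORY)` returns three findings: the web01 entry from 10.0.0.99, the unknown host db02, and the unparseable line.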