3.3 More Integrity Problems: When the Logs Arrive on the Log Machine
Another integrity problem concerns the management of files once they have arrived on the log machine. If the log machine is compromised, there is a very high probability of an integrity violation. This usually happens to individual files, whose content is modified or even wiped. The integrity issue also concerns how the paternity of log files is handled: in many juridical contexts, you have to be certain as to which machine generated the log files and who performed the investigation.
There are several methods for addressing the problem. The first is specified in RFC 3195, which defines a possible method for reliable transmission of syslog messages, useful especially where there is a large number of relays (intermediate record retransmission points between the source and the log repository). The main problem in this case is that RFC 3195 has not been incorporated into enough systems to be considered an established protocol.
Hence, practically speaking, most system administrators and security analysts view SCP (Secure Copy) as a good workaround. Its most evident contraindication is that such a workaround is unsuitable for intrusion detection purposes, since there is no real-time assessment of whether an intrusion exists by reading the log files. The problem of securing the transmission between the acquisition and collection points also remains. In response to this problem, the practice of using cryptcat to establish a relatively robust tunnel between the various machines is gaining wider acceptance in UNIX-based architectures.
The procedure is as follows:
On the log-generating host:
1. you must edit /etc/syslog.conf as follows:
   *.* @localhost
2. then run the command:
   # nc -l -u -p 514 | cryptcat 10.2.1.1 9999
On the log-collecting host:
1. run syslog with the remote reception (-r) flag (for Linux)
2. run the command:
   # cryptcat -l -p 9999 | nc -u localhost 514
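As an added example (not from the book), the two nc halves of the procedure above rewritten in Python so that the framing is explicit: the cryptcat tunnel is a byte stream with no datagram boundaries, so each syslog message is newline-terminated before it enters cryptcat and re-split into one datagram per message on the collector. Assumed: the local syslogd sends and receives on UDP 127.0.0.1:514 (binding to it needs root), and the tunnel reader is a buffered stream such as sys.stdin.buffer.

```python
# Added example: stand-in for the nc halves of the cryptcat relay; cryptcat
# itself is still attached via stdin/stdout exactly as in the procedure.
import socket
import sys

SYSLOG_PORT = 514  # assumption: local syslogd uses UDP 514 on 127.0.0.1


def frame_for_tunnel(datagram: bytes) -> bytes:
    """Generating side: one UDP datagram becomes one newline-terminated record.
    The newline is what lets the collector split messages again; embedded
    newlines would corrupt that framing, so they are replaced with spaces."""
    return datagram.rstrip(b"\r\n").replace(b"\n", b" ") + b"\n"


def split_from_tunnel(buf: bytes):
    """Collecting side: split buffered tunnel bytes into complete records.
    Returns (messages, remainder); the remainder is a record whose newline
    has not arrived yet and must be kept for the next read."""
    *complete, rest = buf.split(b"\n")
    return [m for m in complete if m], rest


def relay_generating_side(tunnel_out, bind=("127.0.0.1", SYSLOG_PORT)):
    """Stand-in for `nc -l -u -p 514 | cryptcat ...`: read local syslog
    datagrams and write framed records to the tunnel's stdin."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(bind)
        while True:
            data, _ = sock.recvfrom(65535)
            tunnel_out.write(frame_for_tunnel(data))
            tunnel_out.flush()


def relay_collecting_side(tunnel_in, dest=("127.0.0.1", SYSLOG_PORT)):
    """Stand-in for `cryptcat -l -p 9999 | nc -u localhost 514`: re-split the
    stream and deliver one datagram per message to the local syslogd. That
    syslogd sees 127.0.0.1 as the peer, so the originating machine cannot be
    taken from the UDP source address; it must come from the message content."""
    buf = b""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        while chunk := tunnel_in.read1(65536):
            msgs, buf = split_from_tunnel(buf + chunk)
            for msg in msgs:
                sock.sendto(msg, dest)


if __name__ == "__main__":  # usage: relay.py gen | relay.py col
    if sys.argv[1:] == ["gen"]:
        relay_generating_side(sys.stdout.buffer)
    else:
        relay_collecting_side(sys.stdin.buffer)
```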