Title: Secure alternatives for system logging in Linux

KBTAG: kben10000027
URL: http://www.securityportal.com/lskb/10000000/kben10000027.html
Date created: 14/04/2000
Date modified: 07/10/2000
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Syslog replacements with security enhancements for Linux
Keywords: Logging, Network/Logging

Summary:

Logging is important for any operating system. Linux ships with syslogd/klogd by default, and these are quite acceptable for most people; however, they have numerous security concerns, especially when it comes to log validity.

More information:

Syslog does not sign logs, and it uses an unreliable mechanism for logging to remote hosts (UDP, which means messages can easily be lost). If you need "secure" logging you are advised to use something like secure-syslog, next generation syslog or Nsyslogd.

Downloads:

modular syslog

An interesting approach: you have input modules (such as Linux, BSD, UDP) and output modules (MySQL and PostgreSQL, a "classic" module, and one that does hash protection on the log files). This replaces secure-syslog with a more flexible design.

http://www.core-sdi.com/english/slogging/modular-dl.htm


secure-syslog

No longer supported, replaced by modular syslog.

The major problem with syslog, however, is that tampering with log files is trivial (setting the log files append-only with "chattr +a" helps, but if an attacker gains root they can unset the attribute). There is, however, a secure version of syslogd available at http://www.core-sdi.com/english/freesoft.htm (these guys generally make good tools and have a good reputation; in any case it is open source software, for those of you who are truly paranoid). It allows you to cryptographically sign logs to ensure they haven't been tampered with. Ultimately, however, an attacker can still delete the log files, so it is a good idea to send them to another host, especially in the case of a firewall, to prevent its hard drive from being filled up.
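To make concrete what "hash protection on the log files" (modular syslog) and "cryptographically sign logs" (secure-syslog) buy you, here is an added example of a hash-chained, forward-secure log. It is constructed for this article and is not the code of either Core SDI tool: each record carries an HMAC over the previous record's tag and the current message, and the MAC key is evolved (hashed forward) after every record, so a process that keeps only the current key cannot recompute tags for earlier records. The verifier, which is assumed to hold the initial key on a separate host, detects edits, deletions, reordering and (given an expected record count from the remote copy) truncation. The sentinel `"genesis"`, the key-evolution label and the sample messages are all assumptions of this example.

```python
"""Hash-chained, forward-secure log (constructed example, not the code of
secure-syslog or modular syslog).

record i  = (message_i, tag_i)
tag_i     = HMAC-SHA256(K_i, tag_{i-1} || "\n" || message_i)
K_{i+1}   = SHA256("evolve:" || K_i)     # K_i is discarded by the logger

An attacker who gains root later finds only K_n on the box, so the tags of
records 0..n-1 cannot be recomputed; the verifier keeps K_0 elsewhere.
"""
import hashlib
import hmac
from typing import List, Optional, Sequence, Tuple

GENESIS = "genesis"  # assumed sentinel used as the "previous tag" of record 0


def _tag(key: bytes, prev_tag: str, message: str) -> str:
    """HMAC over the previous tag and this message, hex-encoded."""
    return hmac.new(key, f"{prev_tag}\n{message}".encode(), hashlib.sha256).hexdigest()


def _next_key(key: bytes) -> bytes:
    """One-way key evolution: knowing K_{i+1} does not reveal K_i."""
    return hashlib.sha256(b"evolve:" + key).digest()


class ChainedLog:
    """The logging side: holds only the *current* key plus the last tag."""

    def __init__(self, initial_key: bytes) -> None:
        self._key = initial_key
        self._prev_tag = GENESIS
        self.records: List[Tuple[str, str]] = []

    def append(self, message: str) -> str:
        tag = _tag(self._key, self._prev_tag, message)
        self.records.append((message, tag))
        self._prev_tag = tag
        self._key = _next_key(self._key)  # old key is gone after this line
        return tag


def verify(records: Sequence[Tuple[str, str]], initial_key: bytes,
           expected_count: Optional[int] = None) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first
    record that fails. Truncation (fewer records than expected_count, which
    the verifier would learn from the remote copy) is reported as the index
    of the first missing record."""
    key = initial_key
    prev = GENESIS
    for index, (message, tag) in enumerate(records):
        if not hmac.compare_digest(tag, _tag(key, prev, message)):
            return index
        prev = tag
        key = _next_key(key)
    if expected_count is not None and len(records) < expected_count:
        return len(records)
    return None


if __name__ == "__main__":
    k0 = b"initial-key-held-by-verifier"  # constructed sample key
    log = ChainedLog(k0)
    for msg in ("sshd: accepted login for alice",
                "su: session opened for root",
                "kernel: firewall rule hit"):
        log.append(msg)
    print("intact:", verify(log.records, k0))
    edited = list(log.records)
    edited[1] = ("su: session opened for nobody", edited[1][1])
    print("edited record detected at index:", verify(edited, k0))
    print("truncation detected at index:",
          verify(log.records[:2], k0, expected_count=3))
```

Deleting the entire file still leaves nothing to verify, which is exactly the article's point about shipping copies to another host: the remote copy supplies both the records and the expected count.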

next generation syslog

Another alternative is "syslog-ng" (Next Generation Syslog), which seems much more customizable than either syslog or secure-syslog: it supports digital signatures to prevent log tampering, and it can filter based on the content of the message, not just the facility it comes from or its priority (something that is very useful for cutting down on volume). Syslog-ng is available at: http://www.balabit.hu/products/syslog-ng/.

Nsyslogd

Nsyslogd supports TCP and SSL for logging to remote systems. It runs on a variety of UNIX platforms and you can download it from: http://coombs.anu.edu.au/~avalon/nsyslog.html.
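The reliability difference the article draws between stock syslog's UDP forwarding and Nsyslogd's TCP transport comes down to framing and delivery: over a TCP stream each record is delimited (here by a newline) and the sender learns if the connection fails, whereas a dropped UDP datagram vanishes silently. The following added example, written for this article and not taken from Nsyslogd, builds BSD-style `<PRI>` syslog lines and ships them over a TCP connection to a collector that stands in for the remote log host. It assumes a listener on 127.0.0.1 with an ephemeral port, plain TCP rather than the SSL layer Nsyslogd adds, and constructed sample messages; the facility and severity numbers follow the syslog convention PRI = facility * 8 + severity.

```python
"""Ship syslog lines over TCP to a collector (constructed example, not
Nsyslogd's code). The collector is a local stand-in for the remote log
host; in practice the stream would also be wrapped in SSL/TLS."""
import socket
import socketserver
import threading
from typing import List

LOG_AUTH = 4        # syslog facility number for auth messages
LOG_KERN = 0        # syslog facility number for kernel messages
SEV_WARNING = 4     # syslog severity number
SEV_INFO = 6


def bsd_syslog_line(facility: int, severity: int, timestamp: str,
                    hostname: str, tag: str, message: str) -> str:
    """Classic BSD syslog record, newline-terminated for TCP framing."""
    pri = facility * 8 + severity
    return f"<{pri}>{timestamp} {hostname} {tag}: {message}\n"


class _Collector(socketserver.StreamRequestHandler):
    """One connection: read newline-framed records until the sender closes."""

    def handle(self) -> None:
        for raw in self.rfile:
            self.server.received.append(
                raw.decode("utf-8", "replace").rstrip("\n"))
        self.server.done.set()  # end of stream seen; nothing was lost silently


class _CollectorServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, address) -> None:
        super().__init__(address, _Collector)
        self.received: List[str] = []
        self.done = threading.Event()


def send_lines(host: str, port: int, lines: List[str]) -> int:
    """Send all records on one TCP connection; return bytes written.
    A connection failure raises instead of dropping records on the floor."""
    payload = "".join(lines).encode("utf-8")
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(payload)
    return len(payload)


def ship_and_collect(lines: List[str], timeout: float = 5.0) -> List[str]:
    """Start a local collector, ship the records, return what it received."""
    server = _CollectorServer(("127.0.0.1", 0))  # assumed local stand-in
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        send_lines("127.0.0.1", server.server_address[1], lines)
        if not server.done.wait(timeout):
            raise TimeoutError("collector never saw end of stream")
        return list(server.received)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    # Constructed sample records
    records = [
        bsd_syslog_line(LOG_AUTH, SEV_WARNING, "Apr 14 12:00:00", "fw1",
                        "sshd[2117]", "failed password for invalid user"),
        bsd_syslog_line(LOG_KERN, SEV_INFO, "Apr 14 12:00:01", "fw1",
                        "kernel", "packet dropped on eth0"),
    ]
    for line in ship_and_collect(records):
        print("collector got:", line)
```

Running this against a real remote host only changes the address passed to `send_lines`; what does not change is that a lost connection surfaces as an exception the sender can act on, which is the property UDP forwarding lacks.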