KBTAG: kben10000027
URL: http://www.securityportal.com/lskb/10000000/kben10000027.html
Date created: 14/04/2000
Date modified: 07/10/2000
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Syslog replacements with security enhancements for Linux
Keywords: Logging, Network/Logging
Logging matters on any operating system. Linux ships with syslogd and klogd by default, and these are acceptable for most people, but they have real security weaknesses, especially where the validity of the logs matters.
Syslog does not sign or otherwise protect its log records, and its remote logging uses plain UDP: messages can be silently lost, and nothing authenticates the sender, so a forged message can be injected into a remote log from any host that can reach port 514 of the log server. If you need "secure" logging you are advised to use one of the alternatives below: modular syslog (the successor to secure-syslog), syslog-ng (next generation syslog) or Nsyslogd.
modular syslog
An interesting approach: input modules (such as Linux, BSD and UDP sources) feed output modules (MySQL and PostgreSQL, a "classic" module that writes ordinary syslog files, and one that uses hashes to protect the log files against undetected modification). This replaces secure-syslog with a more flexible design.
http://www.core-sdi.com/english/slogging/modular-dl.htm
secure-syslog
No longer supported, replaced by modular syslog.
The major problem with syslog, however, is that tampering with log files is trivial. Making the log files append-only with chattr +a helps, but an attacker who gains root can clear the attribute again (removing it needs the CAP_LINUX_IMMUTABLE capability, which root has unless the capability was dropped system-wide before the break-in). secure-syslog, available at http://www.core-sdi.com/english/freesoft.htm (these people generally make good tools and have a good reputation, and in any case it is open source software for those of you who are truly paranoid), lets you cryptographically sign the logs so that tampering can be detected. Ultimately, however, an attacker with root can still delete the log files outright, so it is a good idea to send copies to another host; for a firewall this also keeps a flood of log messages from filling the local hard drive.
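The following is an added illustration of what "hash protection" (modular syslog) and signed logs (secure-syslog) buy you; it is example code written for this entry, not code from either project. Each record carries an HMAC over the previous record's tag and the message, and the key is replaced by a one-way hash of itself after every record, so an intruder who reads the logger's current key still cannot recompute tags for records written before the compromise. The sample log lines, the initial key and the record format are all assumptions.

```python
"""Hash-chained, forward-secure log records (example, not project code)."""
import hashlib
import hmac

GENESIS = b"\x00" * 32  # chain anchor used before the first record

# Constructed sample log lines (assumed format; not real traffic).
SAMPLE_LINES = [
    "Apr 14 10:00:01 fw sshd[1234]: Accepted password for alice from 192.0.2.10 port 51000 ssh2",
    "Apr 14 10:00:07 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.5:4444 192.0.2.1:23",
    "Apr 14 10:00:12 fw su: session opened for user root by alice(uid=1000)",
    "Apr 14 10:00:30 fw sshd[1300]: Failed password for root from 198.51.100.5 port 40000 ssh2",
]


def evolve(key: bytes) -> bytes:
    """Derive the next per-record key; the logger discards the old one."""
    return hashlib.sha256(key).digest()


def seal(lines, key: bytes):
    """Tag each line with HMAC(K_i, previous_tag || line), then evolve K_i.

    Returns (records, final_tag_hex). Each record is "<hex tag> <message>".
    """
    prev = GENESIS
    records = []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        records.append(f"{tag.hex()} {line}")
        prev = tag
        key = evolve(key)  # old key is forgotten on the logging host
    return records, prev.hex()


def verify(records, key0: bytes, expected_final=None):
    """Re-walk the chain from the initial key K_0 held by the auditor.

    Returns (True, None) if every tag checks out, else (False, index) where
    index is the first record whose tag fails. Editing or deleting record i
    breaks the tag at i (and every later one). Truncating the end of the
    file leaves the chain internally consistent, so that is only caught when
    the auditor also compares the last tag with one obtained out of band
    (expected_final), e.g. from the copy shipped to a remote log host.
    """
    prev, key = GENESIS, key0
    for i, rec in enumerate(records):
        hextag, _, msg = rec.partition(" ")
        expect = hmac.new(key, prev + msg.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expect.hex().encode(), hextag.encode()):
            return False, i
        prev, key = expect, evolve(key)
    if expected_final is not None and not hmac.compare_digest(
        prev.hex().encode(), expected_final.encode()
    ):
        return False, len(records)  # records missing from the end
    return True, None


if __name__ == "__main__":
    k0 = b"example-initial-key"  # assumed; generate randomly and keep off-host
    recs, final = seal(SAMPLE_LINES, k0)
    print("intact:", verify(recs, k0, final))
    edited = recs[:]
    edited[2] = edited[2].replace("root", "nobody")
    print("record 2 edited:", verify(edited, k0, final))
    print("record 2 deleted:", verify(recs[:2] + recs[3:], k0, final))
    print("last record dropped, no final tag:", verify(recs[:-1], k0))
    print("last record dropped, with final tag:", verify(recs[:-1], k0, final))
```

The last two calls are the point of shipping logs elsewhere: with only the local file, truncation from the end is invisible; with the final tag (or the whole stream) held on another host, it is not. Deleting the entire file is still possible, which no amount of hashing fixes.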
next generation syslog
Another alternative is syslog-ng (Next Generation Syslog), which is much more customizable than either syslog or secure-syslog. It supports digital signatures to prevent log tampering, and it can filter on the content of a message, not just on the facility it comes from or its priority (very useful for cutting down on volume). Syslog-ng is available at: http://www.balabit.hu/products/syslog-ng/.
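As an added example (written for this entry, not taken from the syslog-ng documentation), a minimal syslog-ng configuration that keeps a full local copy but ships only content-selected messages to a central log host over TCP rather than UDP. The host name loghost.example.org and the match patterns are assumptions; match() takes a regular expression.

```conf
# Local sources: the syslog socket and syslog-ng's own messages.
source s_local { unix-stream("/dev/log"); internal(); };

# Content-based selection, which plain syslog's facility/priority
# selectors cannot express. Patterns are assumed for the example.
filter f_ship { match("Failed password") or match("DENY"); };

# Everything stays on disk locally ...
destination d_local { file("/var/log/messages"); };
log { source(s_local); destination(d_local); };

# ... but only the selected lines go over a TCP connection to the log host,
# so they are not silently dropped the way UDP datagrams can be.
destination d_loghost { tcp("loghost.example.org" port(514)); };
log { source(s_local); filter(f_ship); destination(d_loghost); };
```

TCP fixes loss, not spoofing: anything that can connect to port 514 on the log host can still send it messages, so restrict that port to the expected senders with packet filtering, or use a transport with authentication such as the SSL support in Nsyslogd.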
Nsyslogd
Nsyslogd supports TCP, and SSL, for logging to remote systems, which addresses both the message loss and the lack of sender authentication of UDP syslog. It runs on a variety of UNIX platforms and you can download it from: http://coombs.anu.edu.au/~avalon/nsyslog.html.