Slashdot Mirror

← Back to Stories (view on slashdot.org)

DSS/HIPPA/SOX Unalterable Audit Logs?

Posted by kdawson on from the write-once-keep-forever dept.

analogrithems writes "Recently I was asked by one of the suits in my company to come up with a method to comply with the new PCI DSS policy that requires companies to have write once, read many logs. In short the requirement is for a secure method to make sure that once a log is written it can never be deleted or changed. So far I've only been able to find commercial and hardware-based solutions. I would prefer to use an open source solution. I know this policy is already part of HIPPA and soon to be part of SOX. It seems like there ought to be a way to do this with cryptography and checksums to ensure authenticity. Has anyone seen or developed such a solution? Or how have you made compliance?"

4 of 381 comments (clear)

  1. use a line printer by 1u3hr · · Score: 4, Insightful
    Connect a line printer to mirror the log file as it's created. Use continuous fanfold paper. Get staff to sign and date first and last page.

    Lawyers love paper. (A magistate once asked me if a printout I presented in a case was an "original email". I said it was as close as you could get.) In all likelihood, no one will ever refer to it, so don't worry about that it might take 10 minutes to find a page. Once a month, ship it to a secure storage. For real paranoia, have two printers making two simultaneous copies.

  2. Re:Syslog by Whiney+Mac+Fanboy · · Score: 4, Insightful

    Besides logging locally to disk, also add a line to /etc/syslog.conf to log to a remote machine.

    If syslog can write to a remote machine, then a compromised syslog can overwrite a file on a remote machine. I suspect thats not even remotely close to enough read-only.

    As others have suggested, print your logs on a line printer.

    --
    There are shills on slashdot. Apparently, I'm one of them.
  3. Syslog + chattr by ethzer0 · · Score: 5, Insightful

    I use syslog-ng to relay information from several different datacenters to a centralized and secure location hosting all of the syslog information. Each DC has its own syslog-ng system acting as the local relay, transporting syslog information from local clients using TCP over a VPN to the centralized host. The logs are written on the central syslog sever organized by on date and hostname, and each file that is created is then assigned an 'append-only' bit using chattr. It works really well.

  4. Re:Syslog by Anonymous Coward · · Score: 4, Insightful

    a compromised syslog can overwrite a file on a remote machine

    Not with a properly configured syslog. You're not supposed to just use a remote logfile, but a remote logging daemon (RFC 3164). That way you can add entries to a remote log, but not change or delete any (unless you make the logfile directly accessible over the network, which I wouldn't recommend).