Slashdot Mirror

← Back to Stories (view on slashdot.org)

Secure Syslog Replacement Proposed

Posted by Unknown on from the why-all-the-hate dept.

LinuxScribe writes with this bit from IT World: "In an effort to foil crackers' attempts to cover their tracks by altering text-based syslogs, and improve the syslog process as a whole, developers Lennart Poettering and Kay Sievers are proposing a new tool called The Journal. Using key/value pairs in a binary format, The Journal is already stirring up a lot of objections." Log entries are "cryptographically hashed along with the hash of the previous entry in the file" resulting in a verifiable chain of entries. This is being done as an extension to systemd (git branch). The design doesn't just make logging more secure, but introduces a number of overdue improvements to the logging process. It's even compatible with the standard syslog interface allowing it to either coexist with or replace the usual syslog daemon with minimal disruption.

28 of 248 comments (clear)

  1. I don't know... by ksd1337 · · Score: 4, Informative

    Text is damn convenient to use. How are you gonna grep a binary file?

    1. Re:I don't know... by Anonymous Coward · · Score: 5, Informative

      journalgrep -e "Nov 0[1234]-[0-9][0-9]-2011" | less

    2. Re:I don't know... by iluvcapra · · Score: 5, Insightful

      Witness the deeply-ingrained UNIX Philosophy thing where if you can't use grep(1), it naturally follows that the thing is impossible to search.

      You can't grep a Berkeley DB, yet for some reason you can find stuff in it, too.

      --
      Don't blame me, I voted for Baltar.
    3. Re:I don't know... by Anonymous Coward · · Score: 4, Funny
      You can't grep a Berkeley DB, yet for some reason you can find stuff in it, too.

      strings berkeley.db | grep "data"

      Enjoy,

    4. Re:I don't know... by quanticle · · Score: 5, Insightful

      The problem isn't searching in the ordinary case. The problem is searching in the failure case. I can grep a truncated, mangled text file. If I truncate and mangle your BerkeleyDB can you still search it?

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    5. Re:I don't know... by TheRaven64 · · Score: 5, Insightful

      Grep is just one example. Grep lets me search any text file. Tail -f lets me watch anything that's added to it. Wc -l lets me enumerate the entries in it. Awk lets me extract elements from it. There are lots of other standard UNIX utilities for manipulating text files. If you are replacing a text file with a binary file then you need to provide equivalent functionality to all of these. If this file is one that is important for system recovery, then you need to put all of these in the root partition, without significantly increasing its size. These are not insurmountable problems, but they are problems.

      --
      I am TheRaven on Soylent News
    6. Re:I don't know... by pclminion · · Score: 5, Interesting

      If you are replacing a text file with a binary file then you need to provide equivalent functionality to all of these.

      No, I just need to provide a bin2txt program. The UNIX philosophy, I think you missed it. It's based on simple, self-contained, modular components, not some "everything is just text!" fantasy.

    7. Re:I don't know... by hedwards · · Score: 5, Insightful

      I disagree, the fact that such a model still works so well decades later is definitely evidence that they were doing something right. When it comes down to it, if you make everything a file then you don't have to worry about envisioning niche uses as most of them can be accomplished by chaining together several commands. The ones that don't are still not impossible as you can just throw together a Perl script or similar to manage them.

    8. Re:I don't know... by maxwell+demon · · Score: 4, Insightful

      Also, binary data is open to endian issues and integer/pointer size issues.

      You seem to mix up binary data with ad-hoc binary files. Any reasonable binary format has a well-defined and well-specified encoding, which includes sizes and endianness of numeric data. Just fwriting from your program variables directly into the file is not defining a proper binary format. Also note that pointers have no place in binary files at all.

      --
      The Tao of math: The numbers you can count are not the real numbers.
  2. Pointless -- there is already a secure solution by whoever57 · · Score: 5, Informative

    Set your machine to also log over a secure channel to another machine. Perhaps one that only accepts the syslog entries and no other connections. Problem solved.

    --
    The real "Libtards" are the Libertarians!
    1. Re:Pointless -- there is already a secure solution by whoever57 · · Score: 5, Insightful

      How does that help a single stand-alone system that someone came in and rooted and then covered up their tracks?

      Does anyone really care about forensic analysis of single stand-alone systems? Do you think that the FBI will go after whoever broke into your home system? Just rebuild the OS and move on.


      This is a fix which breaks lots of other stuff. Today, I can open up my logfiles (even the compressed ones) with "vim -R ". The convenience of that will be lost and my analysis will be limited by the tools available to analyze the undocumented, binary logs. What about old log files after the binary format changes? There are so many issues with the proposal and precious few advantages.

      --
      The real "Libtards" are the Libertarians!
    2. Re:Pointless -- there is already a secure solution by TheRaven64 · · Score: 5, Insightful

      The way we used to solve that was to have the syslog output write to a dot-matrix (or other) line printer. Every line in the security logs is written to paper immediately. You can substitute anything that can record things written to RS-232 (cue the arduino fanboys) for the line printer.

      This doesn't seem to actually solve the problem - if the person can modify the file, they can modify the file. If the lines are hashed, they just get the plaintext ones, delete the last ones, modify them, and then replay the fake ones and generate a new sequence of hashes. This just means that you need more tools in your recovery filesystem for fault diagnosis.

      --
      I am TheRaven on Soylent News
    3. Re:Pointless -- there is already a secure solution by silas_moeckel · · Score: 4, Informative

      If you have rooted the system you can parse the file remove what ya want and resign/hash everything. If you want a standalone system to have secure logging you use something that's write once, Crypto signing adds nothing unless that signing is coming from a separate system and including an external variable like a use counter so you can detect the jump. This is a solution looking for a problem. When you have a syslog box accepting udp syslog as the only open port, you can find an exploit or flood out the port.

      You should be running something like splunk or octopussy to parse your syslog in real time generate alerts etc.

      --
      No sir I dont like it.
    4. Re:Pointless -- there is already a secure solution by rev0lt · · Score: 5, Informative

      That's why in BSD systems, you can mark a file as append-only, and with securelevel >=1 not even root can remove the flag

    5. Re:Pointless -- there is already a secure solution by alcourt · · Score: 5, Informative

      In a well designed network, a compromise of a target system does not give one increased ability to compromise the log system, because there is no trust relationship, and the central log host does not even have the same user accounts. No user who has an account on the production system is permitted to have an account on the log system.

      This topic is basic PCI stuff, and common also for SOX compliance. The problems are far from complex.

      The so called solution does not provide sufficient security based on description to eliminate the requirement for central log storage, especially since that is an explicit requirement of PCI. Some may have that as an explicit SOX control as well. The obvious problem with the tool is it is only tamper detection, not tamper protection. Any fool with root can erase the evidence that they were the one logged in. It may be a tad harder to hide the fact that the logs were modified, but even that could be bypassed with the above description by simple virtue of rotating the log post-compromise and "losing" the entries in question.

      --
      "I may disagree with what you say, but I will defend unto the death your right to say it." -- Voltaire
  3. Overcomplicated by pclminion · · Score: 5, Funny

    Back in the late 90's when I first started connecting my home Linux systems to the Internet 24/7, I logged everything imaginable. To prevent tampering/falsification of the logs, I simply printed the log on a continuous-sheet dot matrix printer. Good luck tampering with the printout in my office.

    After a while I got to be able to recognize certain types of activity, such as a web user browsing to /index.html, based on the sounds the printer made.

    1. Re:Overcomplicated by Anonymous Coward · · Score: 5, Funny

      Did you ever get that OCD treated, or are you still suffering?

    2. Re:Overcomplicated by dickens · · Score: 4, Funny

      Yeah done that.. paper jams were a bitch, though.

      I remember even going to the trouble of cutting one of the leads in the RS-232 cable to make the logging printer a true write-only device.

    3. Re:Overcomplicated by pclminion · · Score: 4, Funny

      Did you ever get that OCD treated, or are you still suffering?

      That's right, every night I'd get into some cozy pajamas, maybe make a fire, cuppa tea, and sit back in a recliner for a stint of light reading. I tell you, last night's series of 404s by the guy who kept mistyping the URL to my "About Me" page were especially riveting.

    4. Re:Overcomplicated by Thing+1 · · Score: 5, Funny

      Yeah, and after a while you're like, "blonde, brunette, redhead"...

      --
      I feel fantastic, and I'm still alive.
  4. How? by Bert64 · · Score: 5, Insightful

    Log entries are "cryptographically hashed along with the hash of the previous entry in the file" resulting in a verifiable chain of entries.

    So this means that in order for someone malicious to modify a log entry, all they really need to do is then re-hash all subsequent entries?

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  5. Serious issues with this by anarcat · · Score: 5, Insightful

    Now, without getting into how much i dislike Pulseaudio (maybe because i'm an old UNIX fart, thank you very much), I think there are really serious issues with "The Journal", which I can summarize as such:

    1. the problem it's trying to fix is already fixed
    2. the problem isn't fixed by the solution
    2. it makes everything more opaque
    3. it makes the problem worse

    The first issue is that it is trying to fix a problem that is already easily solved with existing tools: just send your darn logs to an external machine already. Syslog has supported networked logging forever.

    Second, if you log on a machine and that machine gets compromised, I don't see how having checksums and a chained log will keep anyone from just running trashing the whole 'journal'.

    rm -rf /var/log

    What am i missing here?

    Third, this implements yet another obscure and opaque system that keeps the users away from how their system works, making everything available only through a special tool (the journal), which depends on another special tool (systemd), both of which are already controversial. I like grepping my logs. I understand http://logcheck.org and similar tools are not working very well, but that's because there isn't a common format for logging, which makes parsing hard and application dependent. From what I understand, this is not something The Journal is trying to address either. To take an example from their document:

    MESSAGE=User harald logged in
    MESSAGE_ID=422bc3d271414bc8bc9570f222f24a9
    _EXE=/lib/systemd/systemd-logind
    [... 14 lines of more stuff snipped]

    (Nevermind for a second the fact that to carry the same amount of information, syslog only needs one line (not 14), which makes things actually readable by humans.)

    The actual important bit here is "User harald logged in". But the thing we want to know is: is that a good thing or a bad thing? If it was "User harald login failed", would it be flagged as such? It's not in the current objectives, it seems, to improve the system in that direction. I would rather see a common agreement on syntax and keywords to use, and respect for the syslog levels (e.g. EMERG, ALERT, ..., INFO, DEBUG), than reinventing the wheel like this.

    Fourth, what happens when our happy cracker destroys those tools? This is a big problem for what they are actually trying to solve, especially since they do not intend to make the format standard, according to the design document (published on you-know-who, unfortunately). So you could end up in a situation where you can't parse those logs because the machine that generated them is gone, and you would need to track down exactly which version of the software generated it. Good luck with that.

    I'll pass. Again.

    --
    Semantics is the gravity of abstraction
    1. Re:Serious issues with this by jbov · · Score: 4, Informative
      I can mostly agree with you. There is one thing you might be missing.

      Second, if you log on a machine and that machine gets compromised, I don't see how having checksums and a chained log will keep anyone from just running trashing the whole 'journal'.
      rm -rf /var/log
      What am i missing here?

      Fourth, what happens when our happy cracker destroys those tools?

      I think what you are missing is this replacement is intended to prevent "undetected" tampering with the logs. Currently, a cracker can delete the log entries that would identify his or her activities on the machine, thereby going unnoticed. Deleting the log files or destroying the tools, as you suggested, would certainly be a detectable sign that the machine was compromised.

  6. I do (was: I don't know...) by Zero__Kelvin · · Score: 4, Insightful

    "It's even compatible with the standard syslog interface allowing it to either coexist with or replace the usual syslog daemon with minimal disruption.

    Your answer is right in the summary. I can use standard syslog in conjunction with it, and then have a process running in the background that notifies me if the integrity of the text file is violated, thereby getting the best of both worlds.

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  7. Absurd by Anonymous Coward · · Score: 5, Insightful

    From the FAQ:

    we have no intention to standardize the format and we take the liberty to alter it as we see fit. We might document the on-disk format eventually, but at this point we don’t want any other software to read, write or manipulate our journal files directly.

    Not only does it generate logfiles that are not human-readable, they're also in a format that in two years not even their own tool will be able to read. If it is still around in two years, which I doubt.

  8. GNOME 3 crack by David+Gerard · · Score: 4, Insightful

    This is on the same crack as the rest of GNOME 3. They've invented the Windows event log, well done! Now I hand you a trashed system, but you can read the disk. You look into /var/log/syslog ... no, you don't. "We might document the on-disk format eventually, but at this point we don’t want any other software to read, write or manipulate our journal files directly. The access is granted by a shared library and a command line tool."

    Speaking as a sysadmin, I shudder at this incredibly stupid idea. Are they even thinking of how to get something actually readable in disaster?

    --
    http://rocknerd.co.uk
  9. Serioulsy? by cdukes · · Score: 5, Insightful

    Is this a joke? Or is it someone just trying to push their ideology of what they think should be done to the rest of the world to make their idea a standard?

    Doing something like this would be a sure way for Linux to shoot itself in the foot. For evidence, one only needs to look as far as Microsoft who insists on doing it their special way and expecting everyone else to do what they deem as "good". The concept of syslog messages are that they are meant to be 'open' so disparate systems can read the data. How to you propose to integrate with large syslog reporting/analysis tools like LogZilla (http://www.logzilla.pro)?

    The authors are correct that a format needs to be written so that parsing is easier. But how is their solution any "easier"? Instead, there is a much more effective solution available known as CEE (http://cee.mitre.org/) that proposes to include fields in the text.

    > Syslog data is not authenticated.
    If you need that, then use TLS/certificates. when logging to a centralized host.

    >Syslog is only one of many logging systems on a Linux machine.
    Surely you're aware of syslog-ng and rsyslog.

    Access control to the syslogs is non-existent.
    > To locally stored logs? Maybe (if you don't chown them to root?)
    > But, if you are using syslog-ng or rsyslog and sending to a centralized host., then what is "local" to the system becomes irrelevant.

    Disk usage limits are only applied at fixed intervals, leaving systems vulnerable to DDoS attacks.
    > Again, a moot point if admins are doing it correctly by centralizing with tools like syslog-ng, rsyslog and LogZilla.

    >"For example, the recent, much discussed kernel.org intrusion involved log file manipulation which was only detected by chance."
    Oh, you mean they weren't managing their syslog properly so they got screwed and blamed their lack of management on the protocol itself. Ok, yeah, that makes sense.

    They also noted in their paper that " In a later version we plan to extend the journal minimally to support live remote logging, in both PUSH and PULL modes always using a local journal as buffer for a store-and-forward logic"
    I can't understand how this would be an afterthought. They are clearly thinking "locally" rather than globally. Plus, if it is to eventually be able to send, what format will it use? Text? Ok, now they are back to their original complaint.

    All of this really just makes me cringe. If RH/Fedora do this, there is no way for people that manage large system infrastructures to include those systems in their management. I am responsible for managing over 8,000 Cisco devices on top of several hundred linux systems. Am I supposed to log on to each linux server to get log information?

  10. jobs. by mevets · · Score: 5, Funny

    Attitudes like yours cost the industry jobs. It is best for if we store data away into increasingly inappropriate places so that lusers have to pay us to get their own data.

    Hell, going back to standard data formats and reusable tools would be the death of a thousand increasingly bizarre specialty languages alone.

    As a penance, you should rewrite diff in python to work on sqlite databases. That should set the industry back another few years.