syslog protection (lPEO)
- To: tech@openbsd.org
- Subject: syslog protection (lPEO)
- From: Alejo Sanchez <alejos@speedy.com.ar>
- Date: Thu, 12 Jun 2003 17:02:09 -0300
- User-Agent: Mozilla/5.0 (X11; U; OpenBSD i386; en-US; rv:1.4b) Gecko/20030608
[this was dropped earlier because of having an attachment]
Hi,
Here's a patch to -current syslogd to have log protection. No doc yet,
but it's quite easy to use. Included is a tool peo.c
http://alejo.com.ar/syslog-lpeo.diff
If you want to learn the internals of PEO, go read the first part of:
http://ezine.daemonnews.org/200112/log_protection.html
and/or
http://www2.corest.com/files/files/11/PEO.pdf
l-PEO adds line checking; in this case, I implemented it as K'i = H(ki)
and saved it on the msg line
(this is not the original l-PEO, but it is as good AFAIK).
PEO: you can tell if a logset was modified
l-PEO: you can tell at what line a logset was modified
So you put a "(" before the pathname on your syslog.conf to protect with
PEO, or a "[" to protect with l-PEO.
Then create a dir /var/ssyslog only readable/writable by root (or whatever
syslogd runs as), and inside that create a file with the initial key.
That initial key you must store somewhere else, NOT ON THIS MACHINE,
unless you encrypt it or something. If an intruder gets that initial
state, he can change logs without you noticing. This initial key can be
any text up to 40 chars. Store it in a secure place.
The name of that file with the initial key should be the same as the
file being protected in syslog.conf but using "_" instead of "/", e.g.
/var/log/secure will have its initial key at
/var/ssyslog/_var_log_secure. The latter will be overwritten with a new
key (also called state) every time a log line gets into the former.
If you use l-PEO your log lines will have a trailing " MAC: " and a
number, e.g.
Jun 12 09:38:14 cabron alejo: stress test take even more! MAC:
c02c5828c7cebedbad945f4b21c634763ce04c9b
Run the syslog daemon as usual; the default method used is "sha1" but
you can use any the OpenSSL lib supports (e.g. rmd160/md5) with the new
flag [-H method] of syslogd.
Then you can check the integrity with the "peo" tool (go get the initial
key from wherever you had it, and place it on, say /tmp/initialpeo):
./peo -l -v -i /tmp/initialpeo -s /var/ssyslog/_var_log_secure </var/log/secure # for l-PEO
or
./peo -v -i /tmp/initialpeo -s /var/ssyslog/_var_log_secure </var/log/secure # for PEO
and it will give you this if ok:
file /var/ssyslog/_var_log_secure OK
or if corrupted:
file /var/ssyslog/_var_log_alejo2 corrupted at line 112
line: Jun 12 08:09:08 cabron sudo: alejo : TTY=ttyp7 ; PWD=/etc ;
USER=root ; COMMAND=/bin/ls -l MAC: c02c5828c7cebedbad945f4b21c634763ce04c9b
Params to this util are:
peo [-s file] [-i file] [-H method] [-l] [-v]
-s file final PEO state file
-i file initial PEO state file
-H method digest method (sha1/rmd160/md5/etc)
-l use l-PEO (instead of only PEO)
-v show message if file corrupted
The -H method MUST be the same as used with the syslog daemon. This util
reads lines from stdin until it gets EOF or corruption is detected. If
no -v is provided, it will not print the error messages. It exits with 0
on OK, and 1 on corruption.
If you have rotated protected logs, you should dump them in order,
uncompressed and concatenated. The prog was made to read from stdin to
make it easy for scripts.
So, things to change may be the "(" "[" and the " MAC: " thing.
The peo.c util can be compiled with
cc -O2 -o peo peo.c -lcrypto
(somebody plz hack it inside the Makefile in the proper way).
[bug on usage() already spotted while writing this :)].
Well, any ideas, docs or a manpage, Makefile fix, etc. will be appreciated.
PEO and l-PEO algorithms were developed by Ariel Futoransky & Emiliano
Kargieman for www.corest.com
enjoy
Alejo
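Added example, not code from the patch or from peo.c: a small Python model of the PEO state chain and the l-PEO per-line tag described in the mail, with a verifier that replays the chain the way the peo tool does and reports the first bad line. The state update k_{i+1} = H(k_i || m_i), taking K'i = H(ki) over the state after the line is absorbed, the " MAC: " trailer and the sample log lines are all assumptions or constructed here.

```python
import hashlib

SEP = " MAC: "  # trailer format, constructed to match the mail's example lines


def _h(method, *parts):
    """Hash the concatenation of parts with the given OpenSSL-style digest name."""
    d = hashlib.new(method)
    for p in parts:
        d.update(p)
    return d.digest()


def protect(msgs, initial_key, method="sha1", lpeo=True):
    """Simulate syslogd writing msgs: advance the state per line and, for l-PEO,
    append a commitment to the new state. Returns (lines written, final state)."""
    k = initial_key
    out = []
    for msg in msgs:
        k = _h(method, k, msg.encode())            # assumed update: k_{i+1} = H(k_i || m_i)
        # l-PEO tag: K' = H(k) is one-way, so the log reveals nothing about the state
        out.append(msg + SEP + _h(method, k).hex() if lpeo else msg)
    return out, k


def verify(lines, initial_key, final_state, method="sha1", lpeo=True):
    """Replay the chain from the initial key. Returns (ok, line): line is the
    1-based number of the first line whose l-PEO tag fails, or None when only
    the final state mismatches (PEO mode, or lines dropped/added at the tail)."""
    k = initial_key
    for n, line in enumerate(lines, 1):
        msg, tag = line, None
        if lpeo:
            msg, sep, tag = line.rpartition(SEP)
            if not sep:                            # tag missing: line was rewritten
                return False, n
        k = _h(method, k, msg.encode())
        if lpeo and tag != _h(method, k).hex():    # state diverged at or before this line
            return False, n
    return (k == final_state), None


if __name__ == "__main__":
    key = b"initial key kept OFF this machine"    # constructed
    log = ["Jun 12 09:38:14 cabron alejo: stress test",          # constructed sample lines
           "Jun 12 09:38:20 cabron sudo: alejo : COMMAND=/bin/ls -l",
           "Jun 12 09:38:25 cabron sshd: Accepted publickey for alejo"]
    written, final = protect(log, key)
    print(verify(written, key, final))             # (True, None)
    tampered = list(written)
    tampered[1] = tampered[1].replace("ls -l", "ls -la")
    print(verify(tampered, key, final))            # (False, 2)
    print(verify(written[:2], key, final))         # (False, None): tail truncated
```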