Forgot your password?
typodupeerror
Businesses IT

DSS/HIPPA/SOX Unalterable Audit Logs? 381

Posted by kdawson
from the write-once-keep-forever dept.
analogrithems writes "Recently I was asked by one of the suits in my company to come up with a method to comply with the new PCI DSS policy that requires companies to have write once, read many logs. In short the requirement is for a secure method to make sure that once a log is written it can never be deleted or changed. So far I've only been able to find commercial and hardware-based solutions. I would prefer to use an open source solution. I know this policy is already part of HIPPA and soon to be part of SOX. It seems like there ought to be a way to do this with cryptography and checksums to ensure authenticity. Has anyone seen or developed such a solution? Or how have you made compliance?"
This discussion has been archived. No new comments can be posted.

DSS/HIPPA/SOX Unalterable Audit Logs?

Comments Filter:
  • by Anonymous Coward on Wednesday August 01, 2007 @02:29AM (#20067393)
    Optical media are great for write once, read many.
    • by arivanov (12034) on Wednesday August 01, 2007 @04:37AM (#20068011) Homepage
      Not quite.

      They are not very good at tasks which involve writing a lot in small increments like a log. The sector size is quite big so if you guarantee that each log entry has finished physically on disc without caching till the sector is full the disc will be eaten in no time.

      You probably need a custom writer/reader (most normal ones cannot alter sector size) and custom formatted media along with something different from isofs. Not rocket science really, but definitely beyond the scope of DIY.
      • by jabuzz (182671) on Wednesday August 01, 2007 @05:38AM (#20068283) Homepage
        Or you could just use a DLT/lTO drive with WORM media. Works just fine for appending, no special software needed. Admitedly the drives are not cheap, but it is an easy solution. In fact the WORM media for DLT/LTO where developed specifically for this sort of application.
        • Re: (Score:3, Informative)

          by beckerist (985855)
          ^^not related to the parent, but not off-topic^^

          It's HIPAA [wikipedia.org], not HIPPA, though we in the medical biz do refer to it as the giant hippo on our back!

          Don't get me wrong, patient privacy is important, but these regulations are incredibly strict! If I receive an email containing just ONE identifiable record for a medical patient, I'm to report it and the sender is to be cited. This includes birthdays, phone numbers or billing IDs (which are completely internal to the facility!)

          Two citations and you're canned..
      • Re: (Score:3, Interesting)

        by Jah-Wren Ryel (80510)

        They are not very good at tasks which involve writing a lot in small increments like a log. The sector size is quite big so if you guarantee that each log entry has finished physically on disc without caching till the sector is full the disc will be eaten in no time.

        I seem to recall that DVD+R was designed to work around that problem. The thinking at the time was that people would used DVD+R media like they used VHS tapes, to record tv with the ability to pause and or stop/restart recording frequently. They wanted to avoid the inefficiency of CD-R and DVD-R which are very wasteful on start/stop record operations as you indicated.

        I really can't dig up the link, it was years ago that I read this and google ain't cooperating right now, but I recall that whereas a reco

        • Re: (Score:3, Informative)

          by CastrTroy (595695)
          I remember working with VHS tapes. We had to lay down a "control track" by recording a continuous stream over the entire disc before using it. Maybe it's just because my highschool had bad video editing hardware, but I remember that this control track was important if you wanted the editing machines to be able to properly align with single frames when editing, and for the time and frame number to be consistent.
    • by //rhi (15411) on Wednesday August 01, 2007 @04:51AM (#20068077)
      I always thought that WORM stood for "Write Once, Read Maybe"
      //rhi - Enjoy the American Dream - You have to be asleep to believe it.
    • by ajs (35943) <ajs@@@ajs...com> on Wednesday August 01, 2007 @06:40AM (#20068551) Homepage Journal
      Optical is the right choice here, but you need to understand the PCI requirements and their most common interpretation VERY clearly. What you will probably end up with is something like this:
      • Logs are written over the network (e.g. syslog)
      • Logging host, which is locked down, and has no access from the infrastructure that it's performing logging for other than the incoming log data itself.
      • Logging host writes the logs locally to files which are marked as append-only by the OS (Linux can do this)
      • The logs are then written periodically (e.g. once per hour) to optical media.
      • Add redundant logging hosts to taste (3 is a nice number for validation purposes).

      • by alcourt (198386) on Wednesday August 01, 2007 @09:24AM (#20069599)
        Append only files have not been required in my experience. What is required is that there be no ability to overwrite a previously written file by the team that is sending the log data. This can be done a number of ways, but the easiest method is to transmit the data in a way that the server chooses the filename, not the client. Add a date string into the filename and you can (with a few other details I've worked at but am here waving a wand at) avoid the problem.

        syslog works for most data, but not all. Linux is one of the only Unix based systems that puts sulog through syslog. The failed logins log is much more difficult, as is the wtmp data. wtmp data is especially annoying as it is one of the only ways to semi-reliably record both login and logout regardless of login type (including ssh), and can't really handle real time data streaming. The other annoying item is the command line history of all commands with EUID 0. I'm hoping to hear some news soon on a solution to that problem, but it is really difficult, especially since a lot of SAs become root via `sudo -s` or `su` (as opposed to `su -`, which would not modify their HISTFILE variable. Many root shells do not support direct sending of HISTFILE over the network.

        As to writing periodically to a optical media, I wouldn't worry quite so much about that. I would instead worry more about the encrypting all that security data while in network transit. (Sorry, can't recall if that is a firm requirement of PCIDSS 1.1 or not). Unfortunately, this makes use of syslog a less trivial solution. Authenticity is also an issue to be concerned with. How do you know that the event that got inserted into the log really came from that box, and not some random other server? Traditionally, syslog has not concerned itself with such issues, but a PCI system may care a great deal.

        Once the data is on the central logging host, it is already in a state that the author of the data (the SAs for the PCI impacted box) cannot modify it. That eliminates at least in the interpretation of PCI I've been working on, the need for writing to optical media. Immutable is not so much immutable by anyone, but immutable by the server in question.

        The point of the central copy of the logs is so that modification on either side can be readily detected and investigated. But if you cannot trust your central log host to have an accurate copy of the logs because you are receiving log data from anyone who chooses to pretend they are your PCI impacted server, then your central log host does not give you as much value as it may seem. The audit requirements aren't just for making lives miserable, they usually have a valid point behind them.

        When working with PCI, know which DSS you are on, 1.0 or 1.1. (I don't know the release schedule for the next PCIDSS.) The requirements do differ, as do even the interpretations. Reference https://www.pcisecuritystandards.org/ [pcisecuritystandards.org] for the information.
        • Re: (Score:3, Interesting)

          by ajs (35943)

          Append only files have not been required in my experience. What is required is that there be no ability to overwrite a previously written file by the team that is sending the log data.

          The one is a way to get the other... at least partially. Physical and electronic security and partitioning of roles gets you the rest of the way.

          This can be done a number of ways, but the easiest method is to transmit the data in a way that the server chooses the filename, not the client.

          I'm not sure how filenames enter into it, since you don't give the application people access to the log host anyway.

          syslog works for most data, but not all. Linux is one of the only Unix based systems that puts sulog through syslog. The failed logins log is much more difficult, as is the wtmp data.

          There is a "syslog Working Group" that's working on that and other problems. I don't know if syslogng supports any of their proposals yet, though.

          As to writing periodically to a optical media, I wouldn't worry quite so much about that.

          It's very important to be able to talk about your risk exposure profile. When you can say that the ex

          • Re: (Score:3, Interesting)

            by alcourt (198386)

            Append only files have not been required in my experience. What is required is that there be no ability to overwrite a previously written file by the team that is sending the log data.

            The one is a way to get the other... at least partially. Physical and electronic security and partitioning of roles gets you the rest of the way.

            Agreed. I just find that the lack of support for append only files makes it hard to use as a solution on most platforms.

            This can be done a number of ways, but the easiest method is to transmit the data in a way that the server chooses the filename, not the client.

            I'm not sure how filenames enter into it, since you don't give the application people access to the log host anyway.

            The solution I'm familiar with receives a datastream and writes to a file. If I allowed the sender to select a filename to write, they could hypothetically corrupt or worse, delete log data. It's a little easier to set up than most solutions to transmit the data securely.

            syslog works for most data, but not all. Linux is one of the only Unix based systems that puts sulog through syslog. The failed logins log is much more difficult, as is the wtmp data.

            There is a "syslog Working Group" that's working on that and other problems. I don't know if syslogng supports any of their proposals yet, though.

            I don't see how this can help. The issue isn't so much how to handle data that has gone into the syslog stream, b

          • Ok, I am not saying that one shouldn't encrypt. I think one generally should, but here are the requirements and relevant sections paraphrased:

            3.1: Store only what you must.
            3.2: Do not store sensitive authentication data (CVV, CVV2, magnetic stripe) subsequent to authorization.
            3.3: Mask the credit card number when it must be displayed whenever possible
            3.4: Render PAN (Credit Card account number) unreadible anywhere it is stored. If this is not possible, see appendix B for acceptable compensating contro
        • Re: (Score:3, Interesting)

          by einhverfr (238914)

          Append only files have not been required in my experience. What is required is that there be no ability to overwrite a previously written file by the team that is sending the log data. This can be done a number of ways, but the easiest method is to transmit the data in a way that the server chooses the filename, not the client. Add a date string into the filename and you can (with a few other details I've worked at but am here waving a wand at) avoid the problem.

          Sure, and append-only is not foolproof. It is just one step in the right direction. Defense in depth.

          syslog works for most data, but not all. Linux is one of the only Unix based systems that puts sulog through syslog. The failed logins log is much more difficult, as is the wtmp data. wtmp data is especially annoying as it is one of the only ways to semi-reliably record both login and logout regardless of login type (including ssh), and can't really handle real time data streaming. The other annoying item is the command line history of all commands with EUID 0. I'm hoping to hear some news soon on a solution to that problem, but it is really difficult, especially since a lot of SAs become root via `sudo -s` or `su` (as opposed to `su -`, which would not modify their HISTFILE variable. Many root shells do not support direct sending of HISTFILE over the network.

          Allowing multiple people to log in as root (through su or otherwise) violates the PCI-DSS requirements according to my reading. In my view the *only* acceptable option is to either limit root to one person (for small environments) or require that everyone use sudo exclusively for executing root commands.

          As to writing periodically to a optical media, I wouldn't worry quite so much about that. I would instead worry more about the encrypting all that security data while in network transit. (Sorry, can't recall if that is a firm requirement of PCIDSS 1.1 or not). Unfortunately, this makes use of syslog a less trivial solution. Authenticity is also an issue to be concerned with. How do you know that the event that got inserted into the log really came from that box, and not some random other server? Traditionally, syslog has not concerned itself with such issues, but a PCI system may care a great deal.

          PCI-DSS only requires that certain information (useful in creating credit card transactions) is encr

    • Re: (Score:3, Insightful)

      by itwerx (165526)
      Wish there was a way to mod an entire thread Offtopic.

      From TFA:
      "So far I've only been able to find commercial and hardware-based solutions. I would prefer to use an open source solution."
      FP:
      Write them to a DVD jukebox

      Hmm, yeah, I'm sure there's dozens of open source hardware designs for DVD jukeboxes - I'll have that Googled by the time my soldering iron heats up!
      Only on Slashdot can the First Post get modded to +5 for a
  • by Anonymous Coward
    What's to stop someone from reading in one of the WORM tapes, modifying the log file data and then writing it back to another blank WORM tape and claiming it's the unaltered tape?

    Do all logs have to be encrypted and signed with a seperate super sekret key/cert before being recorded?

    • Re: (Score:3, Insightful)

      by beyondkaoru (1008447)
      i don't know much about the laws/regulations in question here, but yes, there isn't anything stopping someone from making a new 'worm' storage device and claiming it to be new unless there's a third party who will remember identifying information on the data.

      if i really wanted to make sure my archives weren't tampered with, i'd bring my data (in whatever medium, the 'worm' thing wouldn't be necessary to ensure non-tampering, though it'd be good for storage purposes) to a trustworthy and hopefully vaguely co
      • by Barny (103770)
        Hrmm, tfa sounded more like he wanted something that was tamper proof, rather than tamper evident (although evident with knowledge of who changed it would at least give the company a scapegoat).

        Best bet imho is dump it all to a large DVD storage machine (pioneer used to make these, not sure if they still do) and replace the load of DVDs when it gets full, choose good quality DVDs, they degrade over time remember :)
        • Re: (Score:3, Insightful)

          by beyondkaoru (1008447)
          well, by being 'tamper evident' as you say, you are in fact tamper proof, so long as the data is well stored (and tape drives, cd or dvd jukeboxes, etc can do a good job of this). an iron-clad 'tamper-proof' box is not, in fact, tamper proof if one can simply substitute another iron-clad box in its place. this is the reason that only having a dvd jukebox wouldn't be secure (though again, i don't know what the regulation's requirements are). a nefarious company could simply juxtapose dvd's. remember that the
      • WORM devices are fine if you're talking about external compromise. Even paper documents are vulnerable to internal compromise. I've seen falsified paper documents. To guard against internal compromise, you usually look at remote data storage companies that you can only get a copy of the data if you need it back.
      • Re: (Score:3, Funny)

        by More_Cowbell (957742)

        /kill people who saw this form (difficult) or reverse a cryptographic hash (even more difficult).

        So you find it easier to kill people than to run computer programs... Remind me not to get on your shit list. :p

      • by rtb61 (674572)
        Actually any system you create, can be said to be tamper able by you, even when you go to the extent of providing a simultaneous non repeatable externally derived and verifiable analogue recording (based upon today's technology) combined with digital data to be stored.

        Other than that the only legal way is for you to outsource a certified solution provide by an independent company who is them legally liable for the failure of legally bound write once correctly read many times correctly storage medium.

        It

    • What's to stop someone from reading in one of the WORM tapes, modifying the log file data and then writing it back to another blank WORM tape and claiming it's the unaltered tape?

      The cryptographic checksums escrowed elsewhere, perhaps even printed in a newspaper classified for good measure.

  • use a line printer (Score:5, Insightful)

    by 1u3hr (530656) on Wednesday August 01, 2007 @02:31AM (#20067417)
    Connect a line printer to mirror the log file as it's created. Use continuous fanfold paper. Get staff to sign and date first and last page.

    Lawyers love paper. (A magistate once asked me if a printout I presented in a case was an "original email". I said it was as close as you could get.) In all likelihood, no one will ever refer to it, so don't worry about that it might take 10 minutes to find a page. Once a month, ship it to a secure storage. For real paranoia, have two printers making two simultaneous copies.

    • If you only had a single machine or maybe even a couple lightly used boxes a printer might work. But even that would be near impossible to go back and sort through and if you ever ran out of paper or ink you would be SOL. And trust me the last thing you want is to to be SOL when it comes to SOX. If you have the money don't half ass an audit solution.
    • Re: (Score:3, Interesting)

      Wouldn't work in Australia, compliance penalties apply if you can't dredge up the data within a specified period of time. YMMV but it'd be worth checking what the regs actually require. A good reference is this little PDF I found http://www.ironport.com/pdf/ironport_email_compli a nce_guide.pdf/ [ironport.com]

      Personally I'd think about a hardware solution, block replication off-site to a third party registry. When you're talking compliance (especially fiduciary compliance) it's usually easy to come up with the bucks, s

      • by 1u3hr (530656)
        Wouldn't work in Australia, compliance penalties apply if you can't dredge up the data within a specified period of time.

        Within a day at most, I'd think. Anyway, you'd have your "ordinary" file copies to make reference to immediately, you'd only have to dig up the papr record to verify it.

        How often would that actually occur? Only in case of company meltdown, a la Enron?

        • by Zadaz (950521)

          How often would that actually occur?


          Once would be enough.
          • by 1u3hr (530656)
            Once would be enough.

            So if it's only likely to be needed once, why is it a problem to take a few hours to rerieve it? We're talking about accouting records of years gone by, not Jack-Bauer-lives-at-stake urgency.

      • Re: (Score:3, Insightful)

        by pla (258480)
        Wouldn't work in Australia, compliance penalties apply if you can't dredge up the data within a specified period of time.

        The hardcopy just "proves" that no one has tampered with the normal (and searcheable) logs. You would never actually use the hardcopy, you would just have it in storage somewhere. You would still use the standard system (or application) logs for day-to-day auditing.

        And if/when you find yourself in court, answering the question "can you prove this as the real logged data?", you can
    • by KlaymenDK (713149)
      I was going to post exactly this, the use of continuous paper.

      But please, do make sure to select as small a typeface as technically possible.

      This not only "saves trees", but also costs associated with handling and storing the logs after the fact. Paper piles quickly get both large and heavy! If you can save 15% by running 7pt instead of 10pt, it pays off in terms of square footage in the archive.
    • by JohnFluxx (413620)
      Instead, save the files to disk but get the md5 sum of the file and print out the md5 sum. Then you can prove that the logs haven't been tampered with.

    • by Eivind (15695)
      Better yet. Don't print the logs. Print every (hour|day) a single line:

      At (time) the sha1sum of [file] was [sha1sum] signed: .....

      Then proceed to store [file] however you please, make sure to have good backups. There's a problem offcourse, there's nothing stopping you from replacing the paper in the future. Since you produced it once, you can certainly produce a valid-looking similar copy.

      This problem can be solved by having an external, trustworthy, keep or publish a fact. For example, if you published the
  • And you thought there was no use for a USB card punch.

    Hard to change punched cards. Just don't trip with your box of cards.

  • Tattoos (Score:2, Funny)

    by Anonymous Coward
    Start tattooing everyone in the office with data. Encode it in some nice optical way (a la barcodes) for easy reading later.

    Ontop of the obvious benefits, it provides a good deal of job security, if they get fired, they take away some important data, your employees will be thrilled with their newfound sense of security.
  • by jsimon12 (207119) <tzzhc4 AT yahoo DOT com> on Wednesday August 01, 2007 @02:34AM (#20067431) Homepage
    I preface this by saying I know I will get flamed for not recommending Open Source but SOX is a Federal mandate (Federal equals PMITA)

    EMC's Centera [emc.com] is my personal favorite, it isn't cheap but it does exactly what you need and is auditable and recognized by all the third party audit compmaies as well as the Federal government.

    I have worked in IT for 15 years and 5 of those have been for a LARGE financial institution. When it comes to audit and SOX go with something standard, tested and commercial, unless you want to spend the next 6 months explaining to your auditors how your homegrown solution works and then the next 6 months building something new that your auditors do understand (or worse, like losing your job).
  • How odd (Score:2, Insightful)

    by Anonymous Coward
    It looks like that commercial offering is a piece of hardware with a network API (web service) that you write to which doesn't provide any network APIs for deleting or modifying records. Presumably it has a read-only view of the data.

    Now, assuming that they use harddrives, we all know that someone could extract mount the file system and change records. They could hide their tracks by recalculating cryptographic hashes. So it's simply a lie to say that the only way to modify or indeed delete the data the dat
    • Re: (Score:3, Informative)

      by arivanov (12034)
      Now, assuming that they use harddrives, we all know that someone could extract mount the file system and change records.

      Not if they have done it properly. If it is designed as an audit solution it is likely to have a hardware crypto module, a device specific key and have all data written out to disks at least signed with it. More likely - encrypted with it. In either case even if the fs is standard you cannot do jack sh*** with it after taking the drives out.

      By the way - implementing the above using OSS

    • Re: (Score:3, Insightful)

      by Sobrique (543255)
      Sort of, but not quite. A Centerra is a Content Addressed Storage thingy. Which basically means it's file identifiers are md5 sums. It's a multi node thingummy too, which replicates stuff about. Is it impossible to tamper with? Well, no, nothing is. But it's pretty hard. Simply because it has implicit 'tamper detection'.

      The API is also geared up so you can choose what 'mode' you want it to operate in. In the most secure mode, the API and OS built in (it's Suse based) won't let you delete anything. Which,

      • Re:How odd (Score:4, Informative)

        by Sobrique (543255) on Wednesday August 01, 2007 @05:16AM (#20068175) Homepage
        I should add:

        Centerras don't count as the original post, of a 'cheap solution'. They're not all that expensive by 'enterprise standards' but that's ... well not quite the same as 'affordable for most people'.

        Also, our data centre is under fairly intensive scrutiny and control of physical access. My employer and customer are well aware that physical access means all bets are off, so in order to get physical access you need escorting, and authorization in advance, including documentation of what you're changing, why, and which grid squares in the datacentre you need access to.

        I and the rest of my team are admins on this Centerra don't get access to the datacentre. If we have a need to enter, then we can fill in the paperwork and do so, but ... well, we're based 100 miles away. Most 'hands on' is done by someone else.

        Now, combine that with the fact that each 'clip' (file) is stored 4 times, on 4 separate physical devices (2 of each, on 2 different sites) it would require ... well quite a few people to be complicit to even be able to destroy (or tamper with) data, physically. And a hell of a lot more to do so without leaving great big footprints all over the place screaming to the world what you've done.

        I think you'd need 2 people on each site (one to actually tamper, and one to 'not notice' as he was escorting), plus an admin person offsite to identify which drives need 'doing', on both sites, and to mess with the 'self healing' replication so that one site didn't just restore the other. (You'd have to be fairly quick on the drives too, as soon as one goes down, the healing starts to replicate to other 'spare' drives).

        And then you'd need some other people to mess with the entry logs to site, CCTV footage, change authorization....

        You'd have to be pretty damn serious to pull that off. I mean, it's not even a case of some pointy haired one seeing their career on the line, and demanding immediate sabotage.

  • If so, you could use a hardware solution, e.g. a WORM MOD disk rto store periodic crypto-hashes of your logs. Then any changed would be reasily obvious, even if it would not be obvious what was changed.
  • Nothing is an unalterable as a line printer which lacks reverse-vertical-paging capability. Just make sure it doesn't run out of ink or paper.
  • WORM Device (Score:3, Informative)

    by passthecrackpipe (598773) * <passthecrackpipe ... .com minus punct> on Wednesday August 01, 2007 @02:37AM (#20067459)
    What you need is a Write Once Read Many (WORM) device. Unless EMC started shipping Open Source hardware (hahaha) I don't think you will be able to find this as Open Source. There may be some software solution, but you would most likely need some certification for it anyway ("no, officer, it _really_ is unalterable, trust me....."). Granted, most "hardware" solutions implement WORM through software, but I know from experience that it is impossible to change the data on WORM.

    Technically, a CD-R with some checksumming would work to be compliant - these guys [am-utils.org] have some more info, but if you need it for formal compliance use, you are better off talking to your friendly neighbourhood storage vendor to save you lots of legal hassle should you ever need the WORM thing for evidence. It is the difference between a lengthy legal process where you have to explain exactly why your homebrew solution is legal and simply saying "talk to NetApp"
  • by edashofy (265252) on Wednesday August 01, 2007 @02:40AM (#20067473)
    Cryptography, digital signatures, and checksums can only take you so far. They can detect tampering pretty easily. However, crypto can't prevent someone from deleting a file, although by checksumming or signing a whole bunch of files you could at least detect deletion of one of them. Ultimately, if you really want permanence, you need to write it out (as an above poster suggested) to some sort of write-once media. CD-Rs or DVD-Rs would obviously fit the bill here, although one can indeed delete a CD-R by simply throwing it out, of course.

    Another cheap write-only medium is paper; I suppose you could purchase a laser printer (or even a line printer), and have it spit out the logs as they occur. If you kept the printer in a locked transparent box, nobody but people with the keys would have access to the output.

    You could burn the logs onto PROMs as well, that's pretty permanent :)

    Anything on magnetic or flash media can be erased or tampered with somehow, unless the drive controller hardware itself prohibited overwriting existing data. Even then you're relying on someone not being able to replace the drive controller or take the drive apart and diddle the platters/flash chips directly (although I suppose a decent amount of epoxy could thwart this). Any software-based solution can be tampered with in theory. One hacker favorite (which may be a legend or not) is that people used to get root on other people's boxes and then replace their copy of PGP with an instrumented copy. Thus, even the encryption software became compromised.

    For compliance, though, I'm not sure what kind of oversight you have to have. At the end of the day, somebody has to be trusted with these logs, and that person would almost assuredly have the power to destroy them, or at least portions of them.
    • by JohnFluxx (413620)
      Save data to a hard disk. Put in envelope. Have lawyer time and date envelope. Stick in bank vault with bank time and dating it and not allowing any future access to the device until needed.
  • Syslog + chattr (Score:5, Insightful)

    by ethzer0 (603146) on Wednesday August 01, 2007 @02:45AM (#20067491)
    I use syslog-ng to relay information from several different datacenters to a centralized and secure location hosting all of the syslog information. Each DC has its own syslog-ng system acting as the local relay, transporting syslog information from local clients using TCP over a VPN to the centralized host. The logs are written on the central syslog sever organized by on date and hostname, and each file that is created is then assigned an 'append-only' bit using chattr. It works really well.
  • The Linux way (Score:2, Insightful)

    tail -f thelog.txt >> /mnt/cdrom/thelog.txt
  • by stox (131684) on Wednesday August 01, 2007 @02:46AM (#20067501) Homepage
    FeeBSD supports append only files via the chflags command.
    • Re: (Score:3, Informative)

      by moosesocks (264553)
      Yes, but the tricky thing about this situation is that it's a "who will guard the guards" type of deal.

      If the root user can set that attribute, he can just as easily unset it, modify the data, and clean up after himself before re-setting it.

      Remotely spitting your logs out to a line printer managed by a trusted 3rd party would seem to be a reasonable solution.
  • One-way data cable (Score:5, Interesting)

    by rjh (40933) <rjh@sixdemonbag.org> on Wednesday August 01, 2007 @02:47AM (#20067509)
    At USENIX/EVT06 last year a team from the University of Iowa presented a cheap one-way data cable you could make with off-the-shelf parts from Radio Shack. Total cost is about $5 (for bulk, maybe $10 if you're buying single units) and it is provably, auditably, one-way. It was originally developed for electronic voting, to allow for counting computers to communicate with webservers that post election results. An attacker compromising the webserver cannot attack the counting computer, because there is literally no return path.

    It works with very high reliability up to about 9600 baud.

    You may be able to use this to your benefit. Have an isolated system air-gapped from the rest of the network which listens for log events on a one-way data cable. While you're no longer guaranteed to be safe (since if a logging PC is compromised, an attacker could send compromised data to the syslog PC and perhaps cause some sort of mayhem), but the lack of a return path makes interactive attacks infeasible.

    ObDisclosure: I am a graduate student at UI and know the guy who invented the data cable, although I am not associated with the gadget.
    • At USENIX/EVT06 last year a team from the University of Iowa presented a cheap one-way data cable you could make with off-the-shelf parts from Radio Shack. Total cost is about $5 (for bulk, maybe $10 if you're buying single units) and it is provably, auditably, one-way. It was originally developed for electronic voting, to allow for counting computers to communicate with webservers that post election results. An attacker compromising the webserver cannot attack the counting computer, because there is literally no return path.

      It works with very high reliability up to about 9600 baud.

      Ah, the old "RS232 cable with the RX conductor snipped" trick. So, how does this help if you've got 20 servers?

      • by rjh (40933)
        (a) snipping RX doesn't make the cable auditable or provable.
        (b) serial cards are cheap.
  • by jmv (93421) on Wednesday August 01, 2007 @02:55AM (#20067549) Homepage
    That's all you need [wikipedia.org]
  • by Ptur (866963) on Wednesday August 01, 2007 @03:15AM (#20067653)
    I would dump it in GIT or the likes.... any change of it will be recorded ;) Seriously, many version controlling systems already contain the data integrity and authenticity checks that you need
  • Are there no modifications possible of standard filesystem code, say ext2, to create an append-only filesystem ? You can pass O_CREAT but not O_TRUNC to a open(2) call, and you cannot do lseek(2) (or you can do lseek, but only to EOF, or you can do lseek, but only to read - as soon as you write, your pointer moves to EOF). It could also be a mount option next to read-only and read-write. Then, once a month, under four eyes only, you copy the lot to a tape/DVD/paper/your mom's forehead, remount in read/wr
  • by amorsen (7485)
    People have only mentioned hardware solutions so far (apart from a few useless ones like chattr). You can do this with SELinux, in a way so that it requires a reboot with console access to do anything about it. It may not be enough for you, but it's enough for some people.
  • by The Master Control P (655590) <`ejkeever' `at' `nerdshack.com'> on Wednesday August 01, 2007 @03:24AM (#20067691)
    Given sufficient resources, time, and dedication, ANY log can be altered.

    If the "unalterable" log is maintained in software, it's a comparatively simple matter of hoisting it up on a VM. Since we're presumably talking about white-collar crime, it's a fair bet they have or can get root access to the machine to install the VM and rootkit to hide it. At that point, the CEO can do anything and the system can't fight back. Capture passwords of people logging in, alter data, you name it.

    A hardware system would be more robust, but still vulnerable. I imagine the most likely attack vector would be Man in the Middle - Just take over the box that guards/drives the logger machine.
    • by smallpaul (65919)

      A hardware system would be more robust, but still vulnerable. I imagine the most likely attack vector would be Man in the Middle - Just take over the box that guards/drives the logger machine.

      Why is SSL not sufficient to overcome a man in the middle attack?

      • by pilot1 (610480)
        An SSL certificate has to be signed by a CA, Verisign for example. There's nothing stopping someone from telling the system creating the logs to accept certificates from another CA (yourself), and using this CA to sign the man in the middle's SSL certificate. SSL won't provide any protection when the attacker has access to the software involved.
    • Re: (Score:3, Insightful)

      by hazem (472289)
      Given sufficient resources, time, and dedication, ANY log can be altered.

      What really matters is if there is any case law that actually interprets the laws and provides standards for due diligence.

      The law might say "unalterable" or "lasting indefinitely" we all know there are practical physical limits - given enough time, anything is alterable and nothing lasts forever. We could come up with outrageous methods like using satellites with lasers to etch logs on the surface of the moon, but there's not much po
  • Guy Fawkes Protocol (Score:5, Interesting)

    by LilBlackKittie (179799) on Wednesday August 01, 2007 @03:24AM (#20067693) Homepage
    Some of the work I do may require something like this, so I'm considering implementing Guy Fawkes over syslog.

    http://www.cl.cam.ac.uk/~rja14/Papers/fawkes.pdf [cam.ac.uk]

    From the paper:

    6.2 Tamper-evident audit trails

    It is a well known problem that an intruder can often acquire root status by using well known operating system weaknesses, and then alter the audit and log information to remove the evidence of the intrusion. In order to prevent this, some Unix systems require that operations on log and audit data other than reads and appends be carried out from the system console. Others do not, and it could be of value to arrange alternative tamper-evidence mechanisms.

    A first idea might be to simply sign and timestamp the audit trail at regular intervals, but this is not sufficient as a root intruder will be able to obtain the private signing key and retrospectively forge audit records. In addition, the intervals would have to be small (of the order of a second, or even less) and the computation of RSA or DSA signatures at this frequency could impose a noticeable system overhead.

    In this application, the Guy Fawkes protocol appears well suited because of the low computational overhead (two hash function computations per signature) and the fact that all secrets are transient; this second's secret codeword is no use in forging a signature of a second ago.
  • Clicky (Score:3, Informative)

    by mritunjai (518932) on Wednesday August 01, 2007 @03:39AM (#20067767) Homepage
    WORM media with HIPPA compliance in mind...

    WORM on wiki [wikipedia.org]
  • From Experience (Score:5, Informative)

    by Evets (629327) * on Wednesday August 01, 2007 @03:50AM (#20067805) Homepage Journal
    I honestly don't know about DSS or SOX, but I have had plenty of fun with HIPAA.

    Unalterable logs as a matter of compliance does not mean "absolutely unalterable under any circumstances". There should be no way for an end user to modify audit trails. There should be no preconceived way for an administrator to alter audit trails - i.e. no utilities for doing so. That does not mean that an admin can't go directly into the DB and alter the data from behind the application layer.

    Under every circumstance when I have run into audit logs involving HIPAA compliance, they have been written by an application directly into a SQL database (oracle, ms sql, informix, and one time db2). It used to be that they were written in a fairly easy to decipher format within a single text column on a per record basis - which made for a fairly-difficult-to-alter audit trail because within that easy to decipher format were non-printable characters that you would at least have to know to look for them. With current implimentations, however, the records are stored in a separate table with a many-to-one relationship with the audit-required records, in varchar fields, as plain text - much easier to alter or get rid of single entries. There is still a level of obfuscation as far as table names and column names but thats really a side effect of other things that are going on.

    These systems have been reviewed by auditors and certified as compliant. In the older system, there was no application interface to delete audit records. In the newer system, there is an application interface to delete records in any given application table - and therefore there is one for the audit tables as well. Admin level access is required to delete or alter the records, though.

    Personally, I would expect more as far as HIPAA compliance goes - from both a customer standpoint and an auditor standpoint. My experience (and it is pretty extensive across several high profile enterprises) - is that the customer will demand a better system only when the auditors demand a better system. I haven't run into an auditor yet who has even given more than a casual glance at the 'back door' scenario. I suppose it's because there is no true way to keep things absolutely secure and application level audit log security is only one layer of the onion.

    Before you get too far into an overly complex and potentially expensive solution, talk with your auditors about the requirements for your specific scenarios. They've seen it before and can tell you exactly what they are looking for from an audit compliance standpoint. They are usually pretty easy to work with and open with their knowledge.
    • Re: (Score:3, Informative)

      Second the "ask the auditors what they are looking for"... not everyone gets audited the same.

      Financial company I know passed audit fine with syslog -> a secure system which the normal sysadmins didn't have access to. The people whose actions were being logged couldn't get to the logs (well, presumably someone could break the system, but it was well secured and had non-overlapping sysadmin staff).

      That was good enough. As long as it took two compromised people to hide any given event, that passed audit.
    • by RMH101 (636144)
      Agree 100% from an FDA perspective, too.
      Your bigger worry is going to be the paperwork and audit trail for document versioning control, change control and user accountability. Sure, you may have a system that documents who did what, but if you don't have the "who" and the "what" buttoned down, it's of questionable use.
      Talk to the auditors and find out what they actually *need*. If necessary, pull in a consultant who specialises in your area to help: costs of non-compliance can be *really really bad*.
    • Re: (Score:3, Informative)

      by sjames (1099)

      Unalterable logs as a matter of compliance does not mean "absolutely unalterable under any circumstances". There should be no way for an end user to modify audit trails. There should be no preconceived way for an administrator to alter audit trails - i.e. no utilities for doing so. That does not mean that an admin can't go directly into the DB and alter the data from behind the application layer.

      That's VERY important to keep in mind. A lot of the wailing, hype, and FUD around all of the various auditing

  • In short the requirement is for a secure method to make sure that once a log is written it can never be deleted or changed.

    Although it is possible to prevent logs from being modified (using write-once media) or undetectably tampered with (using crypto, possibly with a TPM module for the ultra-paranoid), any log can be 'deleted' by physically destroying the device/media on which it is stored.
  • Dont skimp... (Score:4, Insightful)

    by pjr.cc (760528) on Wednesday August 01, 2007 @03:53AM (#20067827)
    Seriously, when it comes to legal requirements, do not skimp!

    Go for something that is guarentee'd to fulfill your legal compliance requirements.

    Yeah, optical media is great for WORM, but you dont want something your going to have to manage day to day. The legal req's of sox and so forth are beyond that of traditional optical drives in terms of life span in any case. Do not go with optical for compliance unless its something specifically designed for compliance (Again, thats $$$).

    As someone suggested, centera is a good option - but all the storage vendors have good options (from emc, netapp, hds, sun, falconstor, mimosa the list is endless) and they'll all tell you how theirs is better than anyone else (and why). At the end of the day, you want a compliance solution with someone's stamp on it, and a throat you can cut when it goes wrong.

    If your absolutely determined to go the compliance route on OSS - go with ext3cow (www.ext3cow.com) IMHO, a fully versioning COW fs with a non-erasable past and the best OSS solution for the job - backup on to optical if you like, but dont make optical your only option. If it only had policy-based management (i.e. snapshot whenever user X or group y writes a file) rather then crontab'ing its snapshot agent it would almost be perfect for a start-point solution for compliance. It has a big benifit along with it though, you can show users how to get files "from yesterday".

    Keep in mind, WORM means policy-based write-once, not necessarily immutable storage! And almost every compliance worm product out there depends on that fact.

    • by pjr.cc (760528) on Wednesday August 01, 2007 @04:18AM (#20067925)
      ext3cow was written with compliance in mind (i.e. with an untouchable past), and so its AFAIK the ONLY solution that can fit in compliance (keeping in mind that this only covers part of compliance). svn, git, cvs - im sorry, but thats just a non-solution for compliance. It also gives you no-mess management with a very easy interface to make sure you are being compliant (this is important, and its something YOU dont have to be involved in, your lawyers can "look at the past" to make sure "discovery" is going to be consistent).

      The second thing is, compliance is (ridiculously) complex - the compliance vendors have spent many hours with lawyers getting it together, they know the requirements and they know they fullfill them - this is important. It also means their solutions come with an implicit warranty - "hey, your using netapp worm, we know it works" as apposed to "what software is that? how do you know it works?". At the end of the day a lawyer is going to either go "well i cant argue with the compliance solution" when your with a well-known or "your honor, the defendant is using ... which has never been proven or certified by anyone".

      Compliance is the only time i will say to someone - "get a throat to cut", get a solution you know works, written by people who know what they are doing and its all because compliance req's were written by lawyers for lawyers (i.e. scum) and so their scum is going to make you have to act like scum.
  • It's already been said in other posts but to summarise:

    It's not just Read Only (which can be achieved easily with syslog), it's the ability to return requested data quickly that the critical thing with SOX et al.

    If someone says they want to see information on item X, you HAVE to return this imformation in hours not days or weeks.

    This is where the commercial products have spent their time, developing fast search capabilities over the data they collect.

    Certification is also important. Ie product X has been sh
  • by Interfacer (560564) on Wednesday August 01, 2007 @04:13AM (#20067905)
    I work for a big pharma company as a sysadmin, and we have to abide by similar rules and laws. Our data recording and data logging has to be proven to be unalterable.

    Go with a commercial solution unless you want to battle with the QA and Validation departments for haf a year. And even if you would get the go-ahead (unlikely) you'd get in a hell of a lot of trouble during an audit because auditors a) don't know your solution and b) they will quickly see that it is not certified.

    There are specified requirements (don't know the names and numbers by heart) that your solution has to proven to fulfill, and certified by some external party.
    Just saying 'Yeah but I know it cannot be altered because it is syslog / ' will not cut it.

    And non-compliance can eend up costing your company millions if not hundreds of millions.
    Open source or home grown has it's place, but in a regulated environment you go with commercial for certain things because that is the only option where you get certification with your device / software.
    • by timmarhy (659436) on Wednesday August 01, 2007 @04:30AM (#20067973)
      "Our data recording and data logging has to be proven to be unalterable."

      no such thing exists. given enough time and a mediocure amount of money, i'm 100% certain i could alter anything your storing your information on and make it look real.

      the toughest system i've ever seen as far as audit trails goes is using cdr's in a machine that makes a hash of the data on the cdr AND reads the serial number on the cd and stores that on a geographically seperate cdr system. it's similar to those automated cd turnstyle things you can buy, only beefy with steel casing and alarms on it and what not.

  • A couple of the posts above has already bought up the use of paper printing logs for the purpose. That's really practically used by many companies.

    The solution, however, is hardly cheap. You need an expensive 4000-line per minutes line printer with stackers to re-fold and stack the fan-fold papers as they emerged from the printer. Also, you need monitoring tools to monitor the status of the printer and a room with security staff to prevent physical tampering.

    (Don't bother using a laser printer, the co
  • A secure 'logging computer' is sent lines of text like "20070801:140537,The pearl is in the river".

    md5 = 0 // md5 of previous line
    When such a line is received:
    1. augmentedline = line & md5
    2. crypotline = encrypt(augmentedline,privatekey)
    3. md5 = md5(cryptoline)
    4. output = line & md5
    5. write output
    Wend

    (6. profit)

    An attacker cannot append lines to the output (without detection) because they do not know the private key.

    They cann
  • by Bright Apollo (988736) on Wednesday August 01, 2007 @08:44AM (#20069175) Journal
    I work in a regulated industry, and this is an ongoing topic at pharmaceuticals.
    Basically, you weigh the cost of non-compliance versus compliance, figure out
    what that risk is worth to your business, then try to spend as little as possible
    to mitigate the risk until the cost is acceptable.

    There is no such thing as 100% compliance or security. Oracle makes a big deal out
    of their data vault tech, but there's someone out there who can circumvent it. You
    need to figure out your comfort level for the risk, and in big corps, this is a
    financial decision.

    Which leads me to this: there is no "roll your own" compliance software. You do not
    want to assume the responsibility of proving to auditors that your software is correct
    and fully-functional. That is a difficult process to behold, and it will make your
    dev team crazy with paperwork. This is why people buy commercial off-the-shelf (COTS)
    software and then configure it, as they can then point to the COTS vendor and say
    "He vouches for the software". Auditors already versed in the COTS solution will
    then look to see examples of your configuration to see if it's sufficient, then
    move on.

    Sure, it's a nice intellectual exercise and certainly worthy of development, by a
    dedicated team willing to tackle all of the issues around securing the data, providing
    secure authentication and controls, proving non-repudiation and temporal consistency,
    etc, all of which a one-man show cannot achieve, all of which a half-assed token effort
    cannot achieve.

    Really, it boils down to this: you wanna roll the dice on your company being under a
    consent decree from the DoJ because you were too cheap to buy a system? That cost can
    shutter your doors.

    -BA

  • It's HIPAA not HIPPA (Score:3, Informative)

    by opkool (231966) on Wednesday August 01, 2007 @11:26AM (#20071541) Homepage
    Hi,

    It's HIPAA not HIPPA.

    See Wikipedia, among others:

    http://en.wikipedia.org/wiki/Health_Insurance_Port ability_and_Accountability_Act [wikipedia.org].

    Peace
  • by Riskable (19437) <YouKnowWho@YouKnowWhat.com> on Wednesday August 01, 2007 @05:05PM (#20077567) Homepage Journal
    Let me first state that I'm a PCI Qualified Security Assessor. That means I am certified by PCI to perform audits and report back to banks whether or not a company is compliant or not. In other words, consider me authoritative on this matter.

    When dealing with any PCI requirement the most important thing to think about is the INTENT. Is the intent of the logging requirements in section 10 of the PCI DSS to prevent anyone, anywhere, from EVER being able to modify log files? No! The intent is to prevent a compromised system from altering its own log files--hiding the fact that it has been compromised. As long as your logging solution handles this situation effectively you really don't have anything to worry about.

    In my role as auditor I would never fail a syslog host just because it was writing to a standard ext3 volume. I *would* fault a company if their logging solution was poorly configured (insecure: say, running telnetd) or was write-accessible by the same admins that send all their log data to it (unless they were a small company--if you only have one or two admins there's only so much separation of privilege you can get away with). I'd also have problems with a syslog host that wasn't backing itself up on a regular basis (90 days online, 3 year archive).

    If I were you I'd be more concerned with your logging system meeting the other requirements of the PCI DSS. If it is inherently insecure or fails to implement proper access controls (say, shared root account) who cares how the logging solution is configured?

    Remember: Intent is everything. If in doubt, call your acquirer (i.e. your bank). They're the ones who ultimately have to decide whether or not your implementation is good enough anyway. The auditor just writes a report--the bank has to sign off on it.

"I got everybody to pay up front...then I blew up their planet." "Now why didn't I think of that?" -- Post Bros. Comics

Working...