making the logs tamper-evident through git-like hash chains
Posted Nov 19, 2011 5:28 UTC (Sat) by rgmoore
In reply to: making the logs tamper-evident through git-like hash chains
Parent article: The Journal - a proposed syslog replacement
there's also nothing preventing the attacker from rewriting the entire file to have consistent hashes, but with missing entries (git allows this as well, I believe it's the filter-branch option)
That's true. The biggest thing it does is to increase the sophistication an attacker requires to cover his tracks thoroughly. Instead of editing a log file with his favorite text editor, an attacker will need a track-erasing program that rewrites all the log files with suspicious entries removed and hashes recomputed. Of course, once a program like that gets out, all the script kiddies will be able to use it and we'll be hardly any better off than today, security-wise at least.
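Added example, not part of the article or of either comment above: a minimal hash-chained log in Python that demonstrates both points of the exchange. Editing one entry in place breaks the chain (tamper-evident), while a "track eraser" that drops the suspicious entries and recomputes every hash produces a chain that verifies cleanly. The one check that defeats the eraser is to compare the chain's head against a copy of the last hash stored somewhere the attacker cannot rewrite (a remote host, a signed or timestamped record); that anchor check is my addition to the idea, and all log lines and names here are constructed for illustration.

```python
import copy
import hashlib

# Constant first "previous hash"; a real implementation might use a per-file random seed.
GENESIS = "0" * 64


def entry_hash(prev_hash, payload):
    # Each entry commits to its predecessor's hash and its own payload, so changing
    # any earlier entry changes every hash after it (git-commit style chaining).
    return hashlib.sha256((prev_hash + "\n" + payload).encode()).hexdigest()


def append(chain, payload):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"msg": payload, "hash": entry_hash(prev, payload)})
    return chain


def verify(chain, anchor=None):
    """Return True if every entry's stored hash matches its predecessor and payload.

    If `anchor` (the head hash previously copied off-host) is given, the chain's
    current head must also equal it; this is what catches a full rewrite.
    """
    prev = GENESIS
    for e in chain:
        if e["hash"] != entry_hash(prev, e["msg"]):
            return False
        prev = e["hash"]
    return anchor is None or prev == anchor


def build_sample_log():
    # Constructed sample entries (hypothetical hosts and users), not real log data.
    chain = []
    for msg in [
        "sshd: Accepted publickey for alice from 10.0.0.5",
        "sudo: alice : COMMAND=/bin/id",
        "sshd: Accepted password for root from 203.0.113.7",
        "cron: job finished",
    ]:
        append(chain, msg)
    return chain


def naive_edit(chain):
    # The "favorite text editor" attack: overwrite one line without recomputing hashes.
    edited = copy.deepcopy(chain)
    edited[2]["msg"] = "sshd: Connection closed"
    return edited


def track_eraser(chain, pattern):
    # The "track-erasing program": rebuild the whole file without matching entries
    # and recompute every hash, the analogue of git filter-branch.
    rewritten = []
    for e in chain:
        if pattern not in e["msg"]:
            append(rewritten, e["msg"])
    return rewritten


if __name__ == "__main__":
    log = build_sample_log()
    anchor = log[-1]["hash"]  # stand-in for a head hash shipped off the box
    print("original verifies:", verify(log))
    print("in-place edit verifies:", verify(naive_edit(log)))
    erased = track_eraser(log, "203.0.113.7")
    print("erased chain verifies (no anchor):", verify(erased))
    print("erased chain verifies (with off-host anchor):", verify(erased, anchor))
```

Without the anchor the rewritten chain is indistinguishable from an honest one, which is exactly the limitation the two commenters describe; with it, the only way to hide the entry is to also compromise wherever the anchor is kept.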