
Forward secure sealing

Posted Aug 23, 2012 14:47 UTC (Thu) by dps (subscriber, #5725)
Parent article: Forward secure sealing

A *long* time ago some people implemented well protected centralised log servers and drop safe logging boxes. The latter were basic non-networked boxes recording logs sent via a serial line. Even the best remote attackers can't hack a non-networked box.

An open source drop safe logging box would be really nice. Erasing your tracks by flooding the box would be impossible in these days of multiple Tb discs. Seals are great but if somebody has adjusted your logs then a copy which has not been edited might be really useful.

Of course FSS might be handy to detect that the logs are unreliable and you should check the emergency ones.



Forward secure sealing

Posted Aug 23, 2012 19:49 UTC (Thu) by dlang (✭ supporter ✭, #313)

Doing this with a serial line doesn't work nowadays because the serial line isn't fast enough.

I've created such systems, both with serial lines and with static arp entries and modified 100Mb ethernet cables that only allow traffic to go one way through the wire.

I've also created similar systems that have the logs sent out over the wire to a static arp entry and then use a Gig-E network tap to pull traffic going in one direction and send it to a machine (the tap makes the connection one-directional).

This is pretty trivial to do with open source on commodity (or at least very readily available) hardware.

In practice, very few people want to go to this much effort, even in pretty high security situations.

It's also worth noting that if you start filtering logs, you need to hash/seal/sign each output stream separately, and such logs don't work well when you then start sending the logs to a remote system.
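An added example, not part of the comment above and not journald's FSS code: a simplified evolving-key HMAC chain showing why a stream filtered after sealing no longer verifies, while a stream sealed separately does. The seeds, log lines and function names are constructed for illustration.

```python
import hashlib
import hmac

def evolve(key: bytes) -> bytes:
    """One-way key step: the previous key cannot be derived from the new one."""
    return hashlib.sha256(b"evolve" + key).digest()

class Sealer:
    """Seals one output stream: each tag covers the entry and the previous tag."""
    def __init__(self, seed: bytes):
        self.key = seed
        self.prev = b"\x00" * 32

    def seal(self, entry: str) -> bytes:
        tag = hmac.new(self.key, self.prev + entry.encode(), hashlib.sha256).digest()
        self.prev = tag
        self.key = evolve(self.key)  # old key is discarded after every entry
        return tag

def seal_stream(seed: bytes, entries):
    s = Sealer(seed)
    return [(e, s.seal(e)) for e in entries]

def verify(seed: bytes, records) -> bool:
    """Replay the chain from the seed kept off the logging host."""
    s = Sealer(seed)
    return all(hmac.compare_digest(s.seal(e), t) for e, t in records)

# Constructed sample log lines.
LOG = [
    "sshd: accepted key for alice",
    "cron: job 17 started",
    "sshd: failed password for root",
    "kernel: eth0 link up",
]

def is_auth(entry: str) -> bool:
    return entry.startswith("sshd:")

def demo():
    seed_all, seed_auth = b"constructed-seed-all", b"constructed-seed-auth"
    sealed_all = seal_stream(seed_all, LOG)
    # Filter AFTER sealing: surviving tags still depend on the dropped entries.
    filtered_after = [(e, t) for e, t in sealed_all if is_auth(e)]
    # Filter BEFORE sealing: the filtered stream gets its own chain and seed.
    sealed_auth = seal_stream(seed_auth, [e for e in LOG if is_auth(e)])
    return (verify(seed_all, sealed_all),
            verify(seed_all, filtered_after),
            verify(seed_auth, sealed_auth))

if __name__ == "__main__":
    print(demo())
```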

Forward secure sealing

Posted Aug 24, 2012 0:52 UTC (Fri) by mezcalero (subscriber, #45103)

Serial lines are neither fast enough nor do they really scale that well to large numbers of hosts.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds