Wednesday, November 07, 2007

Protecting Logs from Admins: A Lost Battle?

One of the truly horrible, horrible, horrible :-) challenges of log management is obtaining trusted logs (see my log trust pyramid) of administrator activities (sometimes broadened to cover so-called "privileged users"). Many consider it to be the "lost battle" of logging. However, logging administrator access and actions is more important than ever today (and it is one of the few workable ways to deal with insider attacks).

So, let's have a little table where I try to summarize how to protect the C-I-A of various logs from administrators and privileged users (some approaches successful and some very hard to pull off). Note that in the case of databases and applications, we need to protect the log from the DBA and application admins, not from the admins of the underlying server platform.

UPDATE: table below might look weird; see the full table here.

| | "C" - prevent admins from reading logs | "I" - prevent admins from changing logs | "A" - prevent admins from disabling logging |
|---|---|---|---|
| Standard Unix | Forget it! Maybe stealth logging (sebek) | Remote logging via syslog to another server, append-only log files (via RBAC) | Forget it! But this is logged and thus can be detected (also: stealth logging) |
| Windows server | Forget it! Maybe stealth logging (sebek for Windows) | Pull the logs ASAP to a central server | Forget it! But this is logged and can be detected (also: stealth logging) |
| Databases | DBA activity log stored outside the database (append-only access) | DBA activity log stored outside the database (append-only access) | DBA activity log stored outside the database |
| Firewalls and network gear | Remote logging via syslog to another server - no local logging | Remote logging via syslog to another server | Forget it! But this is logged and can be detected |
| IDS/IPS boxes | Remote logging to another server - no local logging | Remote logging to another server, inaccessible to admin | Forget it! But this is logged and can be detected |
| Misc enterprise applications | App admin log outside the app (not readable to application user) | App admin log outside the app (only appendable by the application user) | Forget it! But this is logged and can be detected |

(just in case, full table is here)
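The "A" column above rests on one point: an admin can stop logging, but the stop itself lands in the central log (or shows up as a host going quiet). As an added example, not from the original post, here is a small Python detector that a central collector could run over what it receives: it flags explicit logging-shutdown messages and hosts that fall silent. The host names, log lines and shutdown patterns are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of lines a central syslog collector might receive
# from two hosts (web1 stops its syslogd; db1 keeps logging normally).
SAMPLE = """\
2007-11-07T10:00:00 web1 sshd[212]: Accepted publickey for root from 10.0.0.5
2007-11-07T10:00:05 web1 sudo: root : TTY=pts/0 ; COMMAND=/etc/init.d/syslog stop
2007-11-07T10:00:06 web1 syslogd: exiting on signal 15
2007-11-07T10:00:00 db1 cron[88]: (root) CMD (run-parts /etc/cron.hourly)
2007-11-07T10:20:00 db1 cron[91]: (root) CMD (run-parts /etc/cron.hourly)
2007-11-07T10:40:00 db1 cron[95]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
# Messages taken to mean "logging on this host was turned off" (assumed patterns;
# extend with whatever your syslogd/auditd actually emits on shutdown).
SHUTDOWN_RE = re.compile(r"syslogd: exiting|syslog stop|auditd.*terminat", re.I)

def parse(text):
    """Split collector lines into (timestamp, host, message) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def detect(text, now, max_silence=timedelta(minutes=30)):
    """Return (host, reason) alerts: explicit logging shutdowns, then silent hosts."""
    alerts = []
    last_seen = {}
    for ts, host, msg in parse(text):
        last_seen[host] = max(ts, last_seen.get(host, ts))
        if SHUTDOWN_RE.search(msg):
            alerts.append((host, "logging stopped: " + msg))
    # A host whose admin killed the logger simply goes quiet; catch that too.
    for host, ts in sorted(last_seen.items()):
        if now - ts > max_silence:
            alerts.append((host, "silent since " + ts.isoformat()))
    return alerts

def demo():
    """Evaluate the sample as if the collector's clock reads 11:00 that day."""
    return detect(SAMPLE, datetime(2007, 11, 7, 11, 0, 0))

if __name__ == "__main__":
    for host, reason in demo():
        print(host, reason)
```

The silence check only works if the collector is outside the admin's control, which is exactly the point of the remote-logging rows in the table.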

Comments?


8 comments:

Anonymous said...

I don't understand why in "standard Unix" you say you cannot prevent machine admin from reading logs. You can easily do remote-only log with a smarter logd as syslog-ng for example (although I don't know if you can install it on every Unix system and not only Linux/FreeBSD)

Rory McCune said...

What do you think about the option of logging outside of the sphere of control of the admin you want to monitor.

For example on databases implementing a device which sits in-line in front of the DB and logs queries executed.

Another option for append-only access would seem to be logging to write-once material. Obviously for OS level processes the admin can switch it off, but they shouldn't be able to tamper with the logs unless they can get physical access to the media. This approach is probably more useful in larger organisations where there's likely to be separation of duties between the sysadmin and the ops staff who manage physical media for the server...

Andy, ITGuy said...

DR A,

Your chart doesn't show up well on the site. Can you email me a copy of it?

Anonymous said...

Can't you scope admin access on Windows and *nix using tools like Tivoli's access management for operating systems or eTrust access control?

For databases, isn't this one of the reasons why database activity monitoring products are used?

For network gear, IPS, firewalls, isn't this what SIM solutions do?

Anton Chuvakin said...

Sorry - I will post the full table/fix it (later today)

I am traveling now.

Thx for the fun comments! I will respond to them as well, of course.

Anton Chuvakin said...

First, let me apologize for screwing the table; maybe my blog template needs a refresh...

So:

>I don't understand why in "standard
>Unix" you say you cannot prevent
>machine admin from reading logs.

I said that stealth logging is the only way I can think of. Just having the second 'logd' probably won't do it (unless you then use a rootkit or sebek to hide it). Think about it - if you are an admin, will you allow an unknown suspicious daemon running on your box?


>What do you think about the option
> of logging outside of the sphere
>of control of the admin you want
>to monitor

Exactly my suggestion for app and db logs - logs outside the app, to files not readable by the admin. Yes, an external device is usable too (like a traffic sniffer), but it will not see the encrypted stuff.

>can't you scope admin access on
>windows and *lix using tools like
>Tivoli's access management for
>operating systems or eTrust access
>control ?

Good idea, which falls under having a separate agent (Tivoli or other) to collect and extract the logs.

And, yes, for network gear the external logging to a log management, SIEM or just a syslog server will do fine (against unauthorized change only).

Anonymous said...

You could also use something like SELinux on Linux to prevent the root user from accessing or modifying log files, even if you're just saving to a local drive (not recommended).

Anton Chuvakin said...

>SELinux on Linux to prevent the root
> user from accessing or modifying
>log files,

Yes, RBAC is certainly an option, but I suspect it will be more pain than gain (maybe you'd do it only on some logs that log root actions AND are not needed for his system management work)...

Dr Anton Chuvakin