3

In a security-sensitive service with REST APIs, what is the best way to produce tamper-resistant audit logs?

Signing each log entry is a possibility, but that does not prevent a malicious operator from hiding some of the logs.

Gilles 'SO- stop being evil'
MarinaLilv
    "... a malicious operator" - if you cannot trust your operator you have lost anyway. – Steffen Ullrich Aug 29 '16 at 10:45
  • 1
    you can make the log files append-only for non-root – dandavis Aug 29 '16 at 20:45
  • Not prevention, but you can look into log collection and log centralization. There was another question that I had answered today which could be useful: https://security.stackexchange.com/questions/202709/prove-log-files-werent-tampered-with/203418#203418 – NASAhorse Feb 12 '19 at 10:54

6 Answers

2
  1. Use a central log server - it can be as simple as a cronjob to copy log files to one place, or using Syslog-NG to store logs in a database. (https://syslog-ng.org/)
  2. Or you can use an AIDE sort of tool to ensure the integrity of the logs. Rotate logs at a frequency based on size and criticality.

Also, an excellent answer is given here: Techniques for ensuring verifiability of event log files, and https://crypto.stackexchange.com/questions/8104/tamper-proofing-log-files

Krishna Pandey
1

Log to a dedicated machine which does nothing but this and has restricted access. A special-purpose machine requires a lot less administration than one that hosts a complex service, so few people would need to have access to the log server.

If you really need very high integrity assurance, log to a paper tape. That requires physical access to perform any tampering, and erasing paper logs tends to leave evidence (cut paper, ashes, …).

Gilles 'SO- stop being evil'
1

You might consider running your logging service inside a secure enclave like Intel SGX. Having a log signed by a hardware root-of-trust mitigates the risk of an attacker or insider tampering with the log.

crcat
0

My personal preference would go to Open TripWire; it's quite adept at monitoring the entire filesystem for local modifications.

Like you said, data destruction is always a risk, so maybe rsync the log folder to a remote host.

J.A.K.
0

Set the correct permissions. For example, only the users from a certain group are allowed to write logs, while reading is available to another group. Store the logs at multiple locations so you can compare them later on. If logs become large, archive and encrypt them with asymmetric encryption and sign them.

You could also use an online service to outsource all these operations.

Yorick de Wid
0

Include a hash of the previous log entry in each entry. Depending on security requirements, a hash of the log can be sent to the bitcoin network or a timekeeping service or similar, to create a "timestamp" that will make it impossible to modify the log without being detected.

When you rotate, you just hash the whole log file and include that hash at the start of the next log file. The time of log rotation is also a great time to do the actual timestamping, for example via the bitcoin network or a timekeeping service.

Yes, an adversary can delete or destroy the log, but that will leave telltale evidence of it being done.

sebastian nielsen
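The hash chain and rotation anchor described in the answer above, as an added example that is not the answer author's code. The entry layout (`record`/`prev`/`hash` fields), the `GENESIS` anchor and the helper names are my own assumptions; the example goes slightly beyond the answer by showing which tampering the chain alone detects (edits, reordering, interior deletion) and which only the externally timestamped head catches (truncating the tail).

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor for the very first log file (assumed convention)


def _digest(prev_hash, record):
    # Each entry commits to the previous hash and its own canonical JSON content.
    data = prev_hash + "\n" + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(data.encode()).hexdigest()


def new_log(anchor=GENESIS):
    # A log file is a list; element 0 carries the hash of the previous (rotated) file.
    return [{"anchor": anchor}]


def head(log):
    # The latest hash in the chain: this is the value to send to a timestamping service.
    return log[-1]["hash"] if "hash" in log[-1] else log[-1]["anchor"]


def append(log, record):
    prev = head(log)
    log.append({"record": record, "prev": prev, "hash": _digest(prev, record)})


def verify(log, expected_anchor):
    # Returns (ok, index of first bad entry). Any edit, reorder or deletion of an
    # interior entry breaks the chain because every hash depends on all before it.
    # Chopping entries off the tail does NOT break it; compare head() against the
    # externally timestamped value to catch that.
    if log[0].get("anchor") != expected_anchor:
        return False, 0
    prev = expected_anchor
    for i, e in enumerate(log[1:], start=1):
        if e["prev"] != prev or _digest(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    return True, None


def rotate(log):
    # Hash the whole finished file and open the next file with that hash as its anchor.
    file_hash = hashlib.sha256(json.dumps(log, sort_keys=True).encode()).hexdigest()
    return file_hash, new_log(file_hash)


if __name__ == "__main__":
    log = new_log()
    for rec in ({"user": "alice", "req": "GET /api/keys"},  # constructed sample entries
                {"user": "bob", "req": "DELETE /api/users/7"}):
        append(log, rec)
    print(verify(log, GENESIS), head(log))
```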