We have hundreds of workstations and tens of servers, Linux and Windows, sending logs to a syslog server or a Windows Event Collector server. At this point, log integrity and confidentiality are managed by access rules and by pushing to the log servers via HTTPS and TCP. Authentication of the assets sending logs is not performed, but an asset inventory is maintained with a strict policy of what we have inside the information system.

As we have a PKI, I would like to use it to secure logs to the next level. Ensuring security during transport is alright, but I don't feel comfortable with securing log storage before archiving since the log files are growing. That would mean:

1. Lock the log file before a new entry is added
2. Check integrity by comparing the crypto signature
3. Add the entry
4. Compute the new signature
5. Unlock the file

I can sign the log files when archived, but what about the current log files (the above pseudocode looks complex to implement unless some tool already covers it)?
I widen the question to: what are the best practices to secure log integrity and ensure their authenticity?

lalebarde
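The five steps in the question map onto a hash-chained, keyed log: each appended line carries an HMAC over the previous line's MAC, its sequence number and its message, so editing, reordering or inserting a line breaks the chain, and a separately recorded head MAC exposes truncation. The following is an added example (not code from the question or from any tool the thread mentions) that implements exactly that lock / verify / append / re-seal / unlock cycle with standard-library Python on a POSIX host. The key `DEMO_KEY` is a constructed placeholder; the assumption is that a production deployment would derive it from, or replace it with, a signing key issued by the PKI the asker already has.

```python
import fcntl          # POSIX advisory file locking (steps 1 and 5 of the question)
import hashlib
import hmac
import json
import os

# Constructed demo key. Assumption: in a real deployment this secret (or a
# PKI-issued signing key) is not readable by the accounts that write the log.
DEMO_KEY = b"constructed-demo-key-replace-in-production"
GENESIS = "0" * 64   # chain anchor used as the "previous MAC" of the first entry


def _entry_mac(key, prev_mac, seq, msg):
    """HMAC-SHA256 over (previous MAC, sequence number, message): links each line to its predecessor."""
    data = prev_mac.encode() + b"|" + str(seq).encode() + b"|" + msg.encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def _walk_chain(lines, key):
    """Verify lines in order. Returns (head_mac, None) on success or (None, (index, reason))."""
    prev = GENESIS
    for seq, line in enumerate(lines):
        try:
            rec = json.loads(line)
            expected = _entry_mac(key, prev, seq, rec["msg"])
        except (ValueError, KeyError, TypeError):
            return None, (seq, "malformed entry")
        if not hmac.compare_digest(expected, str(rec.get("mac", ""))):
            return None, (seq, "entry modified, reordered or inserted")
        prev = rec["mac"]
    return prev, None


def append_entry(path, message, key=DEMO_KEY):
    """Lock, verify the existing chain, append one linked entry, unlock. Returns the new head MAC."""
    with open(path, "a+", encoding="utf-8") as f:
        fcntl.flock(f, fcntl.LOCK_EX)                      # step 1: lock
        try:
            f.seek(0)
            lines = f.read().splitlines()
            head, error = _walk_chain(lines, key)          # step 2: check integrity
            if error is not None:
                raise ValueError(f"refusing to append: chain broken at line {error[0]} ({error[1]})")
            mac = _entry_mac(key, head, len(lines), message)   # step 4: seal the new entry
            f.seek(0, os.SEEK_END)
            f.write(json.dumps({"msg": message, "mac": mac}) + "\n")   # step 3: add the entry
            f.flush()
            os.fsync(f.fileno())
            return mac
        finally:
            fcntl.flock(f, fcntl.LOCK_UN)                  # step 5: unlock


def verify_log(path, key=DEMO_KEY, expected_head=None):
    """Return (ok, entries_checked, reason). expected_head is the last MAC recorded somewhere
    the log host cannot rewrite; without it, silent truncation cannot be detected."""
    with open(path, encoding="utf-8") as f:
        fcntl.flock(f, fcntl.LOCK_SH)
        try:
            lines = f.read().splitlines()
        finally:
            fcntl.flock(f, fcntl.LOCK_UN)
    head, error = _walk_chain(lines, key)
    if error is not None:
        return False, error[0], error[1]
    if expected_head is not None and not hmac.compare_digest(head, expected_head):
        return False, len(lines), "log truncated or replaced (head does not match recorded head)"
    return True, len(lines), "ok"


if __name__ == "__main__":
    import tempfile
    # Constructed sample entries written to a scratch file.
    log_path = os.path.join(tempfile.mkdtemp(), "app.log")
    for line in ("user alice logged in", "config changed by bob", "service restarted"):
        head = append_entry(log_path, line)
    print("verify:", verify_log(log_path, expected_head=head))
```

Two things the example makes visible that the step list alone does not: step 2 re-reads the whole file on every append, which is what the question describes but is O(n) per line, so in practice the head MAC is kept in memory while the file is open and the full walk is done at rotation. And a key that sits on the same host gives no protection against an attacker who already has that host's privileges; the value comes from recording each rotated file's head MAC (or a PKI signature over it) on the collector, which is where the asker's existing archive-time signing fits.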

1 Answer


At least for Linux Syslogs, using rsyslogd, it is possible to secure the log transfer with TLS.

https://www.rsyslog.com/doc/v8-stable/tutorials/tls_cert_summary.html

Also fluentd, filebeat, logstash and all other major log shippers support TLS-encrypted transfer.

I do assume that a similar method is available for Windows Event logs.

hargut
  • Thanks hargut, and for log files storage? – lalebarde Sep 19 '18 at 08:57
  • 1
    On Linux servers I'd tend to implement proper auditing with `auditd` and probably combine it with the `selinux` mandatory access control system. Also `aide` is always very welcome in those areas. But file integrity monitoring without proper permission enforcement and access auditing is not worth too much. – hargut Sep 19 '18 at 16:12
  • Could you be more precise about `aide`, please, and add a link, because it is too common a word to search for – lalebarde Sep 21 '18 at 15:17
  • `advanced intrusion detection environment` https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using-aide – hargut Sep 21 '18 at 16:30
  • It is also often recommended to store the aide.db used for comparison on a remote machine's read-only network file system. – hargut Sep 21 '18 at 16:55