- Re: Secure syslog
02-21-2013 01:28 AM
Hi,
How can I secure my syslog, apart from permissions?
I want to track if any sysadmin does not tamper with it.
Is there any software to track the same?
OS: HP-UX 11i v2.
02-21-2013 02:13 AM
Re: Secure syslog
If "sysadmin" means "someone with root privileges", then the sysadmin can stop or uninstall any tamper-detection software you can install, or edit its files to make it say "nope, nothing has been modified" even if it's not true.
I think the only real solution is to send the syslog messages directly to a line printer in a secure location, or to another system that is not accessible by that sysadmin, and have the logs archived there.
Such a log archive server should be configured to be as simple as possible (simpler = less things to go wrong), and accessible only to a small group of very trusted people. Even then, it might be wise to lock it down so that two people are needed to make any changes to it. For example, one person might be allowed to know only one half of the root password, and another person might be allowed to know the other half. Then the two people must be together to make changes to the archive system.
02-21-2013 12:04 PM
Re: Secure syslog
Another way to secure syslog messages is to employ a "syslog server" to which you forward syslog messages from all of your other servers. The "syslog server" should have very limited access. This way, even if messages are modified in syslog.log on an individual server, those messages will still be in the original format on the syslog server.
03-04-2013 09:09 PM
Re: Secure syslog
Hi,
Is there anything like parity bit which is to be set on syslog.log, which will ensure there is no tampering?
03-04-2013 09:29 PM
Re: Secure syslog
>Is there anything like parity bit which is to be set on syslog.log
You mean a digital signature? Not that I know of.
03-05-2013 12:14 AM
Solution
Parity bits can protect against data transmission errors, but not against intentional tampering, because it would be too easy to modify the parity bits along with the data.
This is the Distributed System Administration Utilities package (DSAU):
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=DSAUtilities
It contains (among other things) syslog-ng, a replacement syslog daemon, which can use SSL/TLS encryption to protect log messages while transmitting them to a secure location. In addition, it can use a special RELP protocol, which is designed to reveal any tampering of the log datastream.
But even the best encryption is useless if you store the logs on the system with a malicious root user.
Remember, root can debug every process: even if the encryption key is protected with a password, s/he can "debug" the process that is encrypting the logs to read the active encryption key directly from the memory of the running process, bypassing the password requirement. Then s/he can encrypt a set of fake logs with the real encryption key, and use that to overwrite the real logs.
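The point made in this thread, as an added example that is not part of the original posts: a checksum kept on the same host as the log can be recomputed by whoever edits the log, while a digest chain kept on the separate log server still exposes the edit. The function names and the sample log lines are constructed for illustration.

```python
import hashlib

GENESIS = b"\x00" * 32  # fixed starting value for the chain


def chain_digests(lines):
    """Running SHA-256 chain: digest[i] covers line i and every line before it."""
    prev, out = GENESIS, []
    for line in lines:
        prev = hashlib.sha256(prev + line.encode("utf-8")).digest()
        out.append(prev.hex())
    return out


def local_sidecar_ok(lines, sidecar_digest):
    """Check a digest stored next to the log on the same host (no secret)."""
    chain = chain_digests(lines)
    return (chain[-1] if chain else GENESIS.hex()) == sidecar_digest


def first_divergence(local_lines, collector_chain):
    """Index of the first local line that disagrees with what the log server
    recorded at receive time, or None if the local file still matches.
    Local lines beyond the end of collector_chain are not judged."""
    local_chain = chain_digests(local_lines)
    for i, expected in enumerate(collector_chain):
        if i >= len(local_chain) or local_chain[i] != expected:
            return i
    return None


# Constructed sample lines, as forwarded to the log server.
FORWARDED = [
    "Feb 21 01:10:02 hpux1 su: + tty1 oper-root",
    "Feb 21 01:10:40 hpux1 syslog: account tmpadm created",
    "Feb 21 01:12:15 hpux1 su: - tty1 oper-root",
]


def demo():
    collector_chain = chain_digests(FORWARDED)   # held only on the log server
    edited = [FORWARDED[0], FORWARDED[2]]        # local copy with one line removed
    sidecar = chain_digests(edited)[-1]          # on-host checksum, recomputed after the edit
    return local_sidecar_ok(edited, sidecar), first_divergence(edited, collector_chain)


if __name__ == "__main__":
    print(demo())
```
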