Secure logging with syslog-ng: Forward integrity and confidentiality of system logs (PowerPoint PPT presentation, Stephan Marwedel, FOSDEM 2020)


  1. Secure logging syslog-ng with Forward integrity and confidentiality of system logs. Stephan Marwedel, FOSDEM 2020 Security Devroom

  2. The security cycle

  3. Security monitoring objective: Make the attacker visible. Instrument the system. Perform continuous log analysis.

  4. Secure logging threat model
     • Successful compromise of log host
     • Full control over log device
     • Hide traces
     • Add log entries
     • Remove log entries
     • Edit log entries

  5. System log integrity principle (diagram: the system log host writes a system log file with Time and Data columns; a verifier will detect that the log file has been tampered with)

  6. Forward integrity principle (diagram: a system log file with Time and Data columns, split at the time of compromise into protected entries before it and lost entries after it)
     • Compromise at a given time means no integrity guarantee for entries logged from that time on
     • Log entries logged before the time of compromise are still integrity protected

  7. Forward integrity algorithm (diagram: integrity protected system log file with Time, Data and Integrity tag columns)
     • Share key and compute derived keys
     • Compute individual integrity tags per log entry
     • Compute aggregated integrity tag for the whole log file
     • Delete previous key and aggregated tag
     • At time of compromise the attacker has access to the current key but not to the previous keys
     • The integrity tag protects the whole log file

  8. syslog-ng overview (diagram: Network, OS and Application sources feed source drivers, filters and templates into destination drivers and destinations). https://github.com/balabit/syslog-ng

  9. Secure logging implementation (diagram: syslog-ng Secure Logging inserts the slog template between source drivers, filters and destination drivers for Network, OS and Application sources; the slogkey and slogverify utilities handle the Key and MAC files; destinations include Network, File, Database and Relay)

  10. Secure logging example
      Original input at source:
        Dies ist eine Log Nachricht
        Und dies auch
        Hier kommt mal eine laengere Nachricht
      Log messages at destination:
        OFMBAAAAAAA=:LouI2vSfIJAuq17CjQdBeqh1YdgvwqFY9RyxTcQk2u0yc+Tqfm14OmOdU+LpC+alJMnPn3aT/A==
        OVMBAAAAAAA=:UWEhUdN2d+iADsPtBFKVGBNB+nGRnm/D03m23/OMJ/jpdpXd6SQ5cb4=
        OlMBAAAAAAA=:4r5Hw8kyXytlkF5z/nIWwdm8J4XOylKxBY572tlqOINg0vjAVDbOoo1mjsh4LHswEqW/xCJSbiu96QFFXqFyqaxc
      Output of successful log verification:
        0000000000000000: Dies ist eine Log Nachricht
        0000000000000001: Und dies auch
        0000000000000002: Hier kommt mal eine laengere Nachricht
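A worked model of the forward-integrity scheme from slides 6 and 7 and of the write-then-verify round trip shown on slide 10, added here as an example; it is not syslog-ng's own slog code or on-disk format. The key evolution by hashing, the HMAC-SHA256 entry and aggregate tags, the HMAC-based keystream standing in for AES, and the "base64 counter:base64 body" line layout are all assumptions chosen so the script runs with the Python standard library only. The verifier holds only the initial key K_0 and recomputes everything; the log host keeps only the current key, so an attacker who compromises it after entry 2 cannot rewrite entry 1 or silently drop the tail of the file.

```python
"""Forward-integrity secure logging (illustrative model, not syslog-ng's slog format)."""
import base64
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 output length


def evolve(key: bytes) -> bytes:
    """Next epoch key. One-way, so K_i cannot be recovered from K_{i+1}."""
    return hashlib.sha256(b"evolve|" + key).digest()


def subkeys(key: bytes):
    """Split an epoch key into independent encryption and MAC keys."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def keystream_xor(enc_key: bytes, counter: int, data: bytes) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES); XOR encrypts and decrypts."""
    stream, block = bytearray(), 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, counter.to_bytes(8, "big") + block.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def entry_tag(mac_key: bytes, counter: int, ciphertext: bytes) -> bytes:
    """Individual integrity tag for one entry, bound to its counter."""
    return hmac.new(mac_key, counter.to_bytes(8, "big") + ciphertext, hashlib.sha256).digest()


class SecureLogWriter:
    """Log host side: holds only the current key K_i and the current aggregated tag."""

    def __init__(self, key0: bytes):
        self.key = key0                      # K_0 is shared with the verifier once
        self.counter = 0
        self.aggregate = b"\x00" * TAG_LEN   # aggregated tag over the whole file
        self.entries = []

    def append(self, message: bytes) -> str:
        enc_key, mac_key = subkeys(self.key)
        ct = keystream_xor(enc_key, self.counter, message)
        tag = entry_tag(mac_key, self.counter, ct)
        # The aggregated tag chains the previous aggregate with this entry's tag.
        self.aggregate = hmac.new(mac_key, self.aggregate + tag, hashlib.sha256).digest()
        line = (base64.b64encode(self.counter.to_bytes(8, "big")).decode() + ":"
                + base64.b64encode(ct + tag).decode())
        self.entries.append(line)
        self.key = evolve(self.key)          # delete previous key: only K_{i+1} survives
        self.counter += 1
        return line


def verify(key0: bytes, lines, stored_aggregate: bytes):
    """Verifier side: from K_0 recompute every key, tag and the aggregate.
    Returns (ok, decrypted lines, index of first bad entry or None)."""
    key, aggregate, recovered = key0, b"\x00" * TAG_LEN, []
    for i, line in enumerate(lines):
        ctr_b64, body_b64 = line.split(":", 1)
        counter = int.from_bytes(base64.b64decode(ctr_b64), "big")
        body = base64.b64decode(body_b64)
        ct, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        enc_key, mac_key = subkeys(key)
        if counter != i or not hmac.compare_digest(tag, entry_tag(mac_key, counter, ct)):
            return False, recovered, i       # edited, inserted or removed entry
        aggregate = hmac.new(mac_key, aggregate + tag, hashlib.sha256).digest()
        recovered.append(f"{counter:016x}: {keystream_xor(enc_key, counter, ct).decode()}")
        key = evolve(key)
    # Truncation keeps every tag valid, but the stored aggregate no longer matches.
    return hmac.compare_digest(aggregate, stored_aggregate), recovered, None


def demo():
    key0 = bytes(range(32))                  # constructed shared key; use a random one in practice
    writer = SecureLogWriter(key0)
    for msg in (b"Dies ist eine Log Nachricht", b"Und dies auch",
                b"Hier kommt mal eine laengere Nachricht"):
        writer.append(msg)
    ok, recovered, _ = verify(key0, writer.entries, writer.aggregate)

    # Compromise after entry 2: the attacker holds only K_3 (writer.key) plus the
    # current aggregate, and rewrites entry 1 with the key it has.
    enc_k, mac_k = subkeys(writer.key)
    ct = keystream_xor(enc_k, 1, b"nothing happened")
    forged = list(writer.entries)
    forged[1] = (base64.b64encode((1).to_bytes(8, "big")).decode() + ":"
                 + base64.b64encode(ct + entry_tag(mac_k, 1, ct)).decode())
    edit_ok, _, edit_bad = verify(key0, forged, writer.aggregate)

    # Dropping the last entry: all remaining tags check out, the aggregate does not.
    trunc_ok, _, _ = verify(key0, writer.entries[:2], writer.aggregate)
    return {"ok": ok, "recovered": recovered, "edit_ok": edit_ok,
            "edit_bad": edit_bad, "trunc_ok": trunc_ok}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run it and the successful verification prints the three counter-prefixed plaintext lines in the same shape as slide 10, the rewrite of entry 1 is reported at index 1, and the truncated file fails on the aggregate check alone.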

  11. Example syslog-ng.conf

      source s_network {
          network(transport("udp") port(514)
          # NOTE: Secure logging requires this flag to be set
          flags(store-raw-message));
      };

      # Secure logging template with key and MAC file locations
      template t_slog {
          template("$(slog -k /var/slog/host.key -m /var/slog/mac.dat $RAWMSG)\n");
      };

      # Destination that uses the secure logging template
      destination d_local {
          file("/var/log/messages.slog" template(t_slog));
      };

      log { source(s_network); destination(d_local); };

  12. Implementation and performance
      ● 6 new source files to syslog-ng
      ● No new dependencies were introduced
      ● All cryptographic operations rely on OpenSSL
      ● Excellent performance when using AES-NI
      ● Intel Core i7 6th Gen @ 2.2 GHz: 9000 log entries/s
      ● Typical log host with 2∙10^5 entries in 24 hours
      ● 7.3∙10^7 log entries during 1 year of operation
      ● Key derivation in < 1 s

  13. Challenges
      ● Log system behavior under load
      ● syslog-ng's internal API poorly documented
      ● No syslog-ng developers guide available
      ● Complex build system
      ● Packaging for target platform must be performed manually
      ● No log rotation

  14. Example scenario (diagram: Airborne segment and Ground segment, with Airport and SIEM; steps shown are Key derivation, Log record creation, Log record relay and Log record analysis)
