google/trillian-examples

Trillian and syslog centralized ?

lightoyou opened this issue · 2 comments

So, many companies centralize computer/server logs using syslog-ng.
I’m looking for a way to secure the integrity of the logs inside this centralized server. These logs have forensic value, so we have to trust them…

If for example an administrator tries to:
• Add log entries
• Remove log entries
• Edit log entries
after they are written to disk, we need to find something that can help us say « you can be sure these logs are the original ones; nobody touched them ».

So, with syslog-ng we are able to write our own Python destination.
We can imagine:
When logs are received by the centralized syslog-ng server, before they are written directly to disk,
we can write metadata into Trillian
like this:
{
"hash": "...", // hash_of_the_data
"timestamp": "08.27.17;+4fes", // syslog_timestamp
"source": "server.com", // syslog_sender_ip_or_host
"line_nb": "485" // current_position_in_files
}

And when the auditor/security team wants to verify the forensic log files, they just ask Trillian whether the forensic logs are coherent with its data.

Hope you understand what I mean?
Do you think it’s a good idea? Is it feasible?
Sorry about my poor English.
Thank you in advance for your answers.

Some related content here:
https://news.ycombinator.com/item?id=25995034
https://transparency.dev/application/reliably-log-all-actions-performed-on-your-servers/

Sorry for the slow reply! How did you get on with this integration? In principle integrating a logging solution into Trillian is a good idea.

The main thing to be aware of is that if Trillian is in the same security domain as the logs (i.e. one user might be root/admin in both systems) then it is still possible for the Trillian database to be modified and the tree recalculated. The way to ensure that this is detected is to copy log checkpoints (also known as signed tree heads) into a different security domain. If these are sent to the auditor / security team on a regular basis then this ensures the log cannot be manipulated. The witness code in trillian-examples performs exactly this function.
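An added example (not from this issue or from trillian-examples, and not using Trillian's API or its signed checkpoint format) that shows the mechanics both posts describe: syslog lines are hashed as RFC 6962 leaves into a Merkle tree, the (tree size, root hash) pair is the checkpoint that has to be kept outside the syslog server's security domain, and an auditor checks an on-disk line against that retained checkpoint with an inclusion proof obtained from the log. The syslog lines are constructed sample input; the tree construction is a stand-alone re-implementation.

```python
import hashlib

# Constructed sample input: three syslog lines as a centralised syslog-ng server might receive them.
SYSLOG_LINES = [
    b"<34>Aug 27 10:00:01 server.com sshd[1234]: Accepted publickey for alice",
    b"<34>Aug 27 10:00:05 server.com sudo: alice : COMMAND=/bin/ls",
    b"<34>Aug 27 10:00:09 server.com sshd[1234]: session closed for user alice",
]

def leaf_hash(data: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + data).digest()          # RFC 6962 leaf prefix 0x00
def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()  # interior-node prefix 0x01

def split(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)                  # largest power of two < n

def merkle_root(leaves: list) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = split(len(leaves))
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))

def inclusion_proof(leaves: list, index: int) -> list:
    # Sibling hashes from the leaf up to the root (RFC 6962 PATH); the log hands this out.
    if len(leaves) == 1:
        return []
    k = split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]

def checkpoint(lines: list) -> tuple:
    # (tree size, root hash): the part that must leave the syslog server's security domain.
    return len(lines), merkle_root([leaf_hash(line) for line in lines])

def verify_inclusion(line: bytes, index: int, size: int, proof: list, root: bytes) -> bool:
    # RFC 9162 inclusion verification: rebuild the root from the on-disk line + proof + kept checkpoint.
    if index >= size: return False
    fn, sn, r = index, size - 1, leaf_hash(line)
    for p in proof:
        if sn == 0:
            return False
        if (fn & 1) or fn == sn:
            r = node_hash(p, r)
            while (fn & 1) == 0 and fn != 0:
                fn, sn = fn >> 1, sn >> 1
        else:
            r = node_hash(r, p)
        fn, sn = fn >> 1, sn >> 1
    return sn == 0 and r == root
```

An edited, removed or appended line changes the recomputed root, so it fails against the checkpoint the auditor kept even if the log server's own tree was recalculated to match the tampered file.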

Closing this issue until we get more feedback from @lightoyou . Feel free to use our Slack channel if you want to discuss this in a more interactive channel: https://github.com/google/trillian#support