Wednesday, August 08, 2007

PCI Shortcomings

Oftentimes I run across security recommendations from security individuals who plainly have no operational experience. While in theory they sound good, they don't really work from an operational standpoint. Much to my dismay, it appears that the same sort of individuals played a large role in composing the PCI DSS 1.1 spec.

There are several items within the PCI DSS 1.1 spec that seem simple enough on the surface, but are extremely difficult once you dive into the implementation details. For example:

10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).

I am finding this item difficult to truly get my hands around. I am fine with using a tool like Tripwire to md5sum the log file post log rotation. However, I can't figure out how to handle the logs that are actively being appended to. The premise of file integrity tools is to notify of changes to that file, regardless of whether it's an addition or a subtraction. Continual appending to an active log file means that the file is constantly changing. If file integrity monitoring is configured not to alert on new data being added, how can it alert on data being subtracted?

For instance, how does this protect against a rogue administrator going in and removing certain log entries from the active log to cover his tracks?

Short of spending extremely large sums of money on extravagant appliance solutions such as LogLogic, how are others addressing this requirement?
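One way to get the behaviour 10.5.5 asks for without alerting on every append, given here as an added example that is not part of the original post and not any vendor's product: remember a checkpoint of the active log as (size, SHA-256 of the first `size` bytes), and on each run re-hash only that prefix. A legitimate append leaves the prefix intact and simply extends the checkpoint; a file that shrank, or whose prefix no longer hashes the same, has had existing entries removed or edited, which is exactly the rogue-administrator case above. A size-only check would miss an edit made while the log keeps growing, so the prefix hash is the part that matters. The log lines, file names, and the names `Checkpoint`, `check_log` and `simulate` are constructed for this example.

```python
"""Prefix-checkpoint integrity check for a log that is still being appended to.

Added example (not from the original post). A checkpoint is (size, sha256 of
the first `size` bytes). Re-hashing only that prefix on the next run lets new
data be appended silently while any removal or edit of existing data alerts.
"""
import hashlib
import json
import os
import tempfile
from dataclasses import asdict, dataclass

# Status values returned by check_log()
UNCHANGED, APPENDED, TRUNCATED, MODIFIED = "unchanged", "appended", "truncated", "modified"


@dataclass
class Checkpoint:
    size: int     # number of leading bytes covered by the digest
    sha256: str   # hex digest of those bytes


def hash_prefix(path: str, size: int, chunk: int = 65536) -> str:
    """SHA-256 of the first `size` bytes of `path`; raises if the file is shorter."""
    h = hashlib.sha256()
    remaining = size
    with open(path, "rb") as f:
        while remaining > 0:
            data = f.read(min(chunk, remaining))
            if not data:
                raise ValueError(f"{path}: shorter than checkpointed size {size}")
            h.update(data)
            remaining -= len(data)
    return h.hexdigest()


def take_checkpoint(path: str) -> Checkpoint:
    # Size is read first; hashing only `size` bytes makes a concurrent append harmless.
    size = os.path.getsize(path)
    return Checkpoint(size, hash_prefix(path, size))


def check_log(path: str, prev: Checkpoint) -> tuple[str, Checkpoint]:
    """Compare the file with `prev`; return (status, checkpoint to store for next run).

    After TRUNCATED or MODIFIED a fresh checkpoint is returned so the next run
    measures against the current contents (the alert for this run has fired)."""
    size = os.path.getsize(path)
    if size < prev.size:
        return TRUNCATED, take_checkpoint(path)
    if hash_prefix(path, prev.size) != prev.sha256:
        return MODIFIED, take_checkpoint(path)
    if size == prev.size:
        return UNCHANGED, prev
    # Prefix intact and the file grew: a legitimate append, extend the checkpoint.
    return APPENDED, take_checkpoint(path)


def save_checkpoint(cp: Checkpoint, store: str) -> None:
    # The store must not be writable by whoever can edit the log (separate host
    # or a path owned by the monitoring user), or an editor simply re-baselines.
    with open(store, "w") as f:
        json.dump(asdict(cp), f)


def load_checkpoint(store: str) -> Checkpoint:
    with open(store) as f:
        return Checkpoint(**json.load(f))


def simulate() -> list[str]:
    """Constructed scenario: normal appends, a line removed while the log keeps
    growing, then the file wiped. Returns the status observed after each step."""
    lines = [
        b"Aug  8 10:00:01 host sshd[1]: Accepted publickey for alice\n",
        b"Aug  8 10:00:02 host sshd[2]: Accepted password for root\n",
        b"Aug  8 10:00:03 host sudo: alice : COMMAND=/bin/ls\n",
    ]
    filler = b"Aug  8 10:00:04 host cron[3]: (root) CMD (run-parts /etc/cron.hourly)\n"
    results = []
    with tempfile.TemporaryDirectory() as d:
        path, store = os.path.join(d, "auth.log"), os.path.join(d, "auth.log.ckpt")
        with open(path, "wb") as f:
            f.write(lines[0])
        save_checkpoint(take_checkpoint(path), store)

        status, cp = check_log(path, load_checkpoint(store))   # nothing happened
        results.append(status)
        with open(path, "ab") as f:                             # ordinary logging
            f.write(lines[1] + lines[2])
        status, cp = check_log(path, cp)
        results.append(status)
        save_checkpoint(cp, store)

        # Rogue edit: the root login line disappears, yet the file ends up larger
        # than the checkpoint because logging continues, so size alone says nothing.
        with open(path, "wb") as f:
            f.write(lines[0] + lines[2])
        while os.path.getsize(path) <= cp.size:
            with open(path, "ab") as f:
                f.write(filler)
        status, cp = check_log(path, load_checkpoint(store))
        results.append(status)

        open(path, "wb").close()                                # log wiped entirely
        status, cp = check_log(path, cp)
        results.append(status)
    return results


if __name__ == "__main__":
    print(simulate())
```

Run the check from cron on the same schedule you would run Tripwire, persist the checkpoint where the log's writers cannot touch it, and treat TRUNCATED as expected only at the moment of rotation, when the last checkpoint taken before the rotation is the checksum of the archived file. What this cannot catch is an edit made and then "re-grown" between two runs if the attacker can also rewrite the checkpoint store, which is why shipping a copy of the log to a separate host remains the usual complement.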

5 comments:

Rob said...

Hey Mestizo,

My company makes a solution specifically for addressing this issue. It was developed with exactly this in mind. If you'd like to drop me a mail, I'd be happy to set something up.

Rob.

Rob said...

I won't try to sell you anything you don't need either by the way.

I'm a product manager, not a salesman.

Rob Newby.

Anonymous said...

I interpret this requirement not to apply to logfiles currently being generated but old logfiles that should not change for any reason.

If you configure logging to create a new logfile every X hours, generate the checksum, you should be in good shape.

Anonymous said...

howdy.

You only need to generate the checksum of the archived logs, nothing else. I know of at least one open source tool that does that (AFAIK):

http://ossec.net

http://www.ossec.net/wiki/index.php/Know_How:LogSign

-b

pci compliance said...

I've just come across your blog.
Helpful blog!
Cheers..:-)