[logs] Eventlog to syslog
David Corlette
DCorlette at novell.com
Sat Mar 1 20:52:10 PST 2008
You're absolutely correct, Tina, my very brief response glossed over several complexities. My overall point, though, is that "syslog" itself isn't really much of a standard; if you look at CEE or XDAS or even things at the level of BSM/LAF/etc, you will see a much more consistent effort to cover all the bases you describe below, as opposed to syslog's "hand us any string" approach.
Just to highlight two key requirements that we've been discussing at great length lately:
1) The events to be captured by the audit subsystem should be defined by the auditor, not the system administrator. The sysadmin should have no rights to change the configuration of the audit system, or at the very least without generating obvious audit messages that the auditor can capture.
2) In some high-security environments, no system action should be taken unless it can be audited. This implies that the application have a feedback mechanism so that it "knows" when there is a problem with the audit system and can halt, display warnings, or perform other operations as necessary. The operation of the application in this regard should again be defined by the auditor, not the system administrator.
It should be obvious that syslog does not do any of this; neither do LAF/BSM/etc but they come closer.
Finally, to your pet peeve about what events should be audited and what data should be included - see specifically PCI 10.2/10.3. Of course the XDAS standard speaks to this to some degree by virtue of defining an event structure that requires certain information to be included (specifically, information about the originator, initiator, and target of all events, as well as an event classification and outcome). As it happens, these are precisely the pieces of information required by standards like PCI.
In our current implementations we are diverging the concepts of "logging" vs. "auditing" based on these differing requirements. Syslog might work fine for the former, but not for the latter.
>>> On Fri, Feb 29, 2008 at 11:34 PM, in message
<20080229223400.7nb4ox0hcok8gcgk at www.precision-guesswork.com>,
<tbird at precision-guesswork.com> wrote:
> Quoting David Corlette <DCorlette at novell.com>:
>
>> Why not have them implement a modern, secure auditing standard? The
>> CEE and XDAS work is promising, and is getting analysts attention
>> (Burton, for one). They aren't complete yet, but if you look at
>> the requirements they embody you will see why insecure syslog
>> really isn't the way to go. In fact, *nix OSs are moving away
>> from syslog - witness LAF on Linux, BSM on Solaris, etc....
>> Anything that might have security-relevance needs to be treated a
>> little more carefully.
>>
>> And yeah, I know that there are all sorts of more secure extensions
>> to syslog, but they aren't "standards," at least not yet.
>
> Whoa, d00d, talk about comparing apples and oranges...you've got
> apples, tomatoes, sheep and, uh, oil filters in there ;-) There are at
> least 4 different areas to consider:
>
> - what events to record
> -- and what information is vital for each event
> - how to secure the log data locally
> - how to transport the log data to a central location securely and reliably
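The two requirements listed in the message above (the auditor, not the sysadmin, owns what gets captured, and an application that cannot audit does not act) sketched as a small fail-closed audit layer. This is an added example for illustration; it is not part of the original thread and not code from Novell, XDAS or CEE. The event fields follow the originator/initiator/target/classification/outcome structure the message attributes to XDAS; the in-memory sink, the `billing-service` component name, the role names and the hash chain are assumptions made for this illustration.

```python
import hashlib
import json
import time
from dataclasses import asdict, dataclass, field


class AuditUnavailable(Exception):
    """Raised when an audit record cannot be committed."""


@dataclass
class AuditEvent:
    # XDAS-style fields: who observed it, who caused it, what was acted on,
    # what kind of action it was, and how it ended.
    originator: str
    initiator: str
    target: str
    action: str
    outcome: str
    timestamp: float = field(default_factory=time.time)


class AuditSink:
    """Hash-chained in-memory sink standing in for a remote audit service
    (assumption for this example). `available` simulates the audit channel
    going down so the application's feedback path can be exercised."""

    def __init__(self):
        self.records = []          # list of (json_payload, chained_sha256)
        self.available = True
        self._last_hash = "0" * 64

    def commit(self, event: AuditEvent) -> str:
        if not self.available:
            raise AuditUnavailable("audit channel unavailable")
        payload = json.dumps(asdict(event), sort_keys=True)
        digest = hashlib.sha256((self._last_hash + payload).encode()).hexdigest()
        self._last_hash = digest
        self.records.append((payload, digest))
        return digest

    def chain_intact(self) -> bool:
        # Recompute the chain; any edited or removed record breaks it.
        prev = "0" * 64
        for payload, digest in self.records:
            if hashlib.sha256((prev + payload).encode()).hexdigest() != digest:
                return False
            prev = digest
        return True


class AuditedApp:
    """Application that refuses to act when it cannot produce an audit record."""

    COMPONENT = "billing-service"   # hypothetical originator name

    def __init__(self, sink: AuditSink, audited_actions: set):
        self.sink = sink
        self.audited_actions = set(audited_actions)   # owned by the auditor role
        self.halted = False

    def _record(self, initiator, target, action, outcome):
        try:
            self.sink.commit(AuditEvent(self.COMPONENT, initiator, target, action, outcome))
        except AuditUnavailable:
            self.halted = True   # feedback: the app now knows auditing is broken
            raise

    def set_audited_actions(self, initiator, role, actions):
        # Requirement 1: only the auditor may change what is captured, and the
        # attempt itself is always recorded, whichever way it goes.
        if role != "auditor":
            self._record(initiator, "audit-policy", "policy_change", "denied")
            raise PermissionError(f"{initiator} ({role}) may not change audit policy")
        self._record(initiator, "audit-policy", "policy_change", "success")
        self.audited_actions = set(actions)

    def perform(self, initiator, action, target, fn):
        # Requirement 2: commit the record before acting; if the audit path
        # fails, the action is not taken and the application halts.
        if self.halted:
            raise AuditUnavailable("application halted: audit subsystem failure")
        audited = action in self.audited_actions
        if audited:
            self._record(initiator, target, action, "attempt")
        try:
            result = fn()
        except Exception:
            if audited:
                self._record(initiator, target, action, "failure")
            raise
        if audited:
            self._record(initiator, target, action, "success")
        return result
```

The "attempt" record is committed before `fn()` runs, so an unavailable audit channel blocks the action rather than being discovered after the fact; the `halted` flag is the feedback mechanism the message describes, and the hash chain is one way to make later tampering with the local copy detectable.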