Secure Logging With Syslog-ng - FOSDEM

Transcription

Secure logging with syslog-ng
Forward integrity and confidentiality of system logs
Stephan Marwedel
FOSDEM 2020, Security Devroom

The security cycle [figure]

Security monitoring objective
- Make the attacker visible
- Instrument the system
- Perform continuous log analysis

Secure logging threat model
- Successful compromise of log host
- Full control over log device
- Hide traces:
  - Add log entries
  - Remove log entries
  - Edit log entries

System log integrity principle [figure: system log host; the system log file shown at two points in time, with columns Time and Data]
A verifier will detect that ... has been tampered with.

Forward integrity principle [figure: system log file with columns Time and Data; protected entries before the time of compromise, lost entries after it]
Compromise at the time of compromise means no integrity guarantee for the entries written from that time on.
Log entries written before the time of compromise are still integrity protected.

Forward integrity algorithm [figure: integrity protected system log file with columns Time, Data and Integrity tag]
- Share key ... and compute ...
- Compute individual integrity tags per log entry
- Compute aggregated integrity tag for the whole log file: ...
- Delete previous ... and ...
- At time of compromise the attacker has access to ... but not to ...
- The integrity tag protects the whole log file
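The forward integrity algorithm of this slide, written out as an added example that is not syslog-ng's own $(slog) implementation or on-disk format: a forward-secure key chain, a per-entry integrity tag, an aggregated tag over the whole file, and the offline verifier that replays the chain from the shared key. The choice of SHA-256 key evolution and HMAC-SHA256 tags, the key K0 and the sample run are assumptions made for the example.

```python
import hashlib
import hmac

def evolve(key: bytes) -> bytes:
    """Derive the next key from the current one; the old key is then deleted (assumed: SHA-256)."""
    return hashlib.sha256(b"slog-evolve" + key).digest()

def entry_tag(key: bytes, index: int, entry: bytes) -> bytes:
    """Per-entry integrity tag; the index binds the entry to its position (assumed: HMAC-SHA256)."""
    return hmac.new(key, index.to_bytes(8, "big") + entry, hashlib.sha256).digest()

class SecureLog:
    """Writer side on the log host: holds only the current key and the aggregate tag."""

    def __init__(self, k0: bytes):
        self.key = k0                    # k0 is shared with the verifier beforehand
        self.aggregate = b"\x00" * 32    # aggregated tag over the whole file so far
        self.entries = []                # (entry, tag) pairs as written to disk

    def append(self, entry: bytes) -> None:
        tag = entry_tag(self.key, len(self.entries), entry)
        self.entries.append((entry, tag))
        self.aggregate = hashlib.sha256(self.aggregate + tag).digest()
        self.key = evolve(self.key)      # previous key no longer exists on the host

def verify(k0: bytes, entries, aggregate: bytes):
    """Offline verifier: replays the key chain from k0. Returns (ok, index of first bad entry or len)."""
    key, agg = k0, b"\x00" * 32
    for i, (entry, tag) in enumerate(entries):
        if not hmac.compare_digest(tag, entry_tag(key, i, entry)):
            return False, i              # edited, removed or reordered entry detected here
        agg = hashlib.sha256(agg + tag).digest()
        key = evolve(key)
    return hmac.compare_digest(agg, aggregate), len(entries)

# Constructed sample run using the messages from the example slide (key is a constructed value).
K0 = b"constructed-shared-key-k0"
MESSAGES = [b"Dies ist eine Log Nachricht", b"Und dies auch",
            b"Hier kommt mal eine laengere Nachricht"]

def demo():
    log = SecureLog(K0)
    for m in MESSAGES:
        log.append(m)
    intact = verify(K0, log.entries, log.aggregate)
    edited = list(log.entries)
    edited[0] = (b"Dies ist KEINE Log Nachricht", edited[0][1])   # entry 0 edited after the fact
    truncated = log.entries[:-1]                                   # last entry removed
    return intact, verify(K0, edited, log.aggregate), verify(K0, truncated, log.aggregate)

if __name__ == "__main__":
    print(demo())
```

Because the host only ever holds the current key, an attacker who takes over the host after entry n can no longer produce tags for entries 0..n-1, which is exactly the "protected entries" region of the previous slide; entries written after the compromise are the "lost entries" this scheme does not cover.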

syslog-ng ...plate [figure: Source driver -> Filter -> Destination driver]

Secure logging implementation [figure: syslog-ng with secure logging between source driver and destination driver; Key]

Secure logging example
Original input at source:
Dies ist eine Log Nachricht
Und dies auch
Hier kommt mal eine laengere Nachricht
Log messages as stored on the log host (encrypted entries, as extracted):
OSOFMBAAAAAAA :LouI2vSfIJAuq17CjQdBeqh1YdgvwqFY9RyxTcQk2u0yc Tqfm14OmOdU LpC alJMnPn3aT/A
OVMBAAAAAAA :UWEhUdN2d iADsPtBFKVGBNB nGRnm/D03m23/OMJ/jpdpXd6SQ5cb4
OlMBAAAAAAA DbOoo1mjsh4LHswEqW/xCJSbiu96QFFXqFyqaxc
Output of successful log verification:
0000000000000000: Dies ist eine Log Nachricht
0000000000000001: Und dies auch
0000000000000002: Hier kommt mal eine laengere Nachricht

Example syslog-ng.conf

    source s_network {
        network(
            transport("udp")
            port(514)
            # NOTE: Secure logging requires this flag to be set
            flags(store-raw-message)
        );
    };

    # Secure logging template with key and MAC file locations
    template t_slog {
        template("$(slog -k /var/slog/host.key -m /var/slog/mac.dat $RAWMSG)\n");
    };

    # Destination that uses the secure logging template
    destination d_local {
        file("/var/log/messages.slog" template(t_slog));
    };

    log {
        source(s_network);
        destination(d_local);
    };

Implementation and performance
- 6 new source files to syslog-ng
- No new dependencies were introduced
- All cryptographic operations rely on OpenSSL
- Excellent performance when using AES-NI
  - Intel Core i7 6th Gen @ 2.2GHz: 9000 log entries/s
  - Typical log host with 2 * 10^5 entries in 24 hours: 7.3 * 10^7 log entries during 1 year of operation
  - Key derivation in 1s

Challenges
- Log system behavior under load
- syslog-ng internal API poorly documented
- No syslog-ng developers guide available
- Complex build system
- Packaging for target platform must be performed manually
- No log rotation

Example scenario [figure: Airborne segment (key derivation, log record creation), Ground segment / Airport (log record relay), log record analysis in a SIEM]

Summary
Achievements
- Tamper evident secure log system with easy integration into existing syslog-ng installations
- Performance on log host superior to systemd forward secure sealing
- Efficient offline log file verification
- Log verification can be integrated into existing SIEM solution
- Industrial readiness
Future work
- Crash recovery: Restore log entries that might have been lost during a system crash

Fragen? Questions? Perguntas? Frågor? שאלות
Stephan Marwedel
Product Security Engineer
Airbus Engineering – Aircraft Security
Airbus Operations GmbH
Kreetslag 10, 21129 Hamburg – Germany
E-Mail: .com
Phone: 4940-743-85635