[Owasp-appsensor-project] Additional Detection Points - Violation of Security Log Integrity

Colin Watson colin.watson at owasp.org
Thu Jun 10 03:59:18 EDT 2010


Giri

> Any real world examples for this case?

Some possibilities:

1.  special characters embedded in logged data cause the data to
overwrite a previous log entry
2.  direct access to a logging database (e.g. SQLi, direct connect to
management interface, compromised host, access by DBA) allows someone
to delete some previous records
3.  as above, but a record modified (e.g. a user ID changed)
4.  as above, but fake entries added
5.  a file log is deleted (e.g. using command injection or by direct
server access)

Remember "attackers" might be insiders too.

Giving each record a unique ID and a time-stamp, and building in
integrity checks of each record (e.g. a message digest) and of its
relationship with the previous record (another message digest?), allows
additions, deletions and alterations to be identified.

See also:

a) NIST SP 800-92 Guide to Security Log Management,
http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf

b) Tamper Detection in Audit Logs,
http://www.cs.toronto.edu/vldb04/protected/eProceedings/contents/pdf/RS13P1.PDF

c) Forensic Tamper Detection in SQL Server,
http://www.sqlsecurity.com/images/tamper/tamperdetection.htm

Colin

On 10 June 2010 03:51, John Melton <jtmelton at gmail.com> wrote:
> Giri,
> Take a peek at
> http://code.google.com/p/owasp-esapi-java/source/browse/trunk/src/main/java/org/owasp/esapi/reference/Log4JLogFactory.java
> which replaces CR and LF characters to prevent log forging, as a
> simple common example.
> John
>
> On Wed, Jun 9, 2010 at 10:42 PM, giri vara prasad nambari
> <girinambari at gmail.com> wrote:
>>
>> Hi John/Colin,
>>
>> Any real world examples for this case?
>>
>> Thank you,
>> Giri
>>
>> On Wed, Jun 9, 2010 at 9:52 PM, John Melton <jtmelton at gmail.com> wrote:
>>>
>>> +1 for me
>>>
>>> On Wed, Jun 9, 2010 at 10:39 AM, Colin Watson <colin.watson at owasp.org>
>>> wrote:
>>> > John
>>> >
>>> > On 9 June 2010 15:29, John Melton <jtmelton at gmail.com> wrote:
>>> >> is this presumably to catch log forging attempts?
>>> >
>>> > Yes preventing insertion of entries and corruption of the log, but
>>> > also prevention of record deletion and detection of changes to log
>>> > entries.  AppSensor will rely on the accuracy of "log" data to make
>>> > decisions when thresholds are reached, and therefore I thought
>>> > protecting this source data is important - a bit of self-protection.
>>> >
>>> > Colin
>>> >
>>> _______________________________________________
>>> Owasp-appsensor-project mailing list
>>> Owasp-appsensor-project at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-appsensor-project
>>
>>
>>
>> --
>> Giri
>> Sun Certified Java Programmer
>
>

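The record-level protections Colin lists above (unique ID, time-stamp, a digest of each record and a digest link to the previous record), together with the CR/LF neutralisation John points to in ESAPI, as an added Python example. This is not code from the AppSensor or ESAPI projects. It assumes a keyed digest (HMAC-SHA256 under a key held outside the log store) instead of a plain message digest, so that someone who can write to the log (cases 2 to 5 in Colin's list) cannot simply recompute the chain; the ChainedLog/verify names and the sample records are constructed for illustration. The tamper_scenarios function replays each of the attacks from the list against a copy of the log and reports what the verifier says.

```python
"""Hash-chained audit log with tamper detection and CR/LF neutralisation.
Added example (not AppSensor or ESAPI code); names and sample records are
constructed for illustration."""
import copy
import hashlib
import hmac
import json
import time
from typing import List, Optional

GENESIS = "0" * 64  # "previous digest" value used for the first record


def sanitize(value: str) -> str:
    """Escape CR, LF and other control characters so that a logged value
    cannot start a new line (log forging) or move the cursor back over a
    previous entry when the log is viewed in a terminal (case 1)."""
    out = []
    for ch in value:
        if ch == "\r":
            out.append("\\r")
        elif ch == "\n":
            out.append("\\n")
        elif ord(ch) < 0x20 or ch == "\x7f":
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def canonical(rec: dict) -> str:
    """Fixed serialisation of the fields covered by the MAC."""
    fields = ("id", "ts", "user", "event", "prev")
    return json.dumps({k: rec[k] for k in fields}, sort_keys=True)


def mac(key: bytes, rec: dict) -> str:
    # Assumption: HMAC with a key kept outside the log store, rather than a
    # plain digest, so a writer to the log cannot recompute the chain.
    return hmac.new(key, canonical(rec).encode(), hashlib.sha256).hexdigest()


class ChainedLog:
    def __init__(self, key: bytes):
        self.key = key
        self.records: List[dict] = []

    def append(self, user: str, event: str) -> dict:
        prev = self.records[-1]["mac"] if self.records else GENESIS
        rec = {"id": len(self.records) + 1, "ts": time.time(),
               "user": sanitize(user), "event": sanitize(event), "prev": prev}
        rec["mac"] = mac(self.key, rec)  # covers the link to the previous record
        self.records.append(rec)
        return rec

    def head(self) -> str:
        """Latest MAC; publish or escrow it so truncation is detectable."""
        return self.records[-1]["mac"] if self.records else GENESIS


def verify(key: bytes, records: List[dict],
           expected_head: Optional[str] = None) -> Optional[str]:
    """Return None if the chain is intact, else a description of the first fault."""
    prev = GENESIS
    for i, rec in enumerate(records, start=1):
        if rec["id"] != i:
            return f"record {i}: id mismatch (found {rec['id']}): deletion or insertion"
        if rec["prev"] != prev:
            return f"record {i}: chain link mismatch: deletion or insertion"
        if not hmac.compare_digest(rec["mac"], mac(key, rec)):
            return f"record {i}: MAC mismatch: record altered or forged"
        prev = rec["mac"]
    if expected_head is not None and prev != expected_head:
        return "head mismatch: trailing records truncated"
    return None


def tamper_scenarios(key: bytes) -> dict:
    """Build a three-record log and replay cases 2 to 5 against copies of it."""
    log = ChainedLog(key)
    for user, event in [("alice", "login ok"), ("bob", "login failed"),
                        ("mallory", "role change\n[fake] admin login ok")]:
        log.append(user, event)
    head = log.head()
    results = {"intact": verify(key, log.records, head)}

    deleted = copy.deepcopy(log.records)          # case 2: delete a record
    del deleted[1]
    results["deleted"] = verify(key, deleted, head)

    modified = copy.deepcopy(log.records)         # case 3: user ID changed
    modified[1]["user"] = "alice"
    results["modified"] = verify(key, modified, head)

    forged = copy.deepcopy(log.records)           # case 4: fake entry, no key
    fake = {"id": 4, "ts": time.time(), "user": "admin",
            "event": "nothing to see", "prev": forged[-1]["mac"]}
    fake["mac"] = hashlib.sha256(canonical(fake).encode()).hexdigest()
    forged.append(fake)
    results["forged"] = verify(key, forged, None)

    truncated = copy.deepcopy(log.records)[:-1]   # case 5: newest record removed
    results["truncated_no_anchor"] = verify(key, truncated, None)
    results["truncated_with_anchor"] = verify(key, truncated, head)
    return results
```

Two points worth noting when applying this to a logging database rather than a file: the prev and mac values become ordinary columns and the verifier runs periodically from a host whose key the DBA does not hold; and the chain only detects tampering, it does not prevent it, which is exactly what an AppSensor detection point needs. The truncated_no_anchor case shows the one gap in a bare chain: removing the newest record leaves a perfectly valid shorter chain, so the current head must be recorded somewhere the attacker cannot reach (another system, a signed time-stamp, a printout) for that deletion to be noticed.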
