[Owasp-appsensor-project] Additional Detection Points - Violation of Security Log Integrity
colin.watson at owasp.org
Thu Jun 10 03:59:18 EDT 2010
> Any real world examples for this case?
1. special characters embedded in logged data cause the data to
overwrite a previous log entry
2. direct access to a logging database (e.g. SQLi, direct connect to
management interface, compromised host, access by DBA) allows someone
to delete some previous records
3. as above, but a record modified (e.g. a user ID changed)
4. as above, but fake entries added
5. a file log is deleted (e.g. using command injection or by direct
Remember "attackers" might be insiders too.
Giving each record a unique ID, time-stamping it and building in integrity checks
(e.g. a message digest) of the record and of its relationship with the
previous record (another message digest?) allows additions, deletions
and alterations to be identified.
a) NIST SP 800-92 Guide to Security Log Management,
b) Tamper Detection in Audit Logs,
c) Forensic Tamper Detection in SQL Server,
On 10 June 2010 03:51, John Melton <jtmelton at gmail.com> wrote:
> Take a peek at
> which does replacing of CR and LF characters to prevent log forging as a
> simple common example.
> On Wed, Jun 9, 2010 at 10:42 PM, giri vara prasad nambari
> <girinambari at gmail.com> wrote:
>> Hi Jhon/Colin,
>> Any real world examples for this case?
>> Thank you,
>> On Wed, Jun 9, 2010 at 9:52 PM, John Melton <jtmelton at gmail.com> wrote:
>>> +1 for me
>>> On Wed, Jun 9, 2010 at 10:39 AM, Colin Watson <colin.watson at owasp.org>
>>> > John
>>> > On 9 June 2010 15:29, John Melton <jtmelton at gmail.com> wrote:
>>> >> is this presumably to catch log forging attempts?
>>> > Yes preventing insertion of entries and corruption of the log, but
>>> > also prevention of record deletion and detection of changes to log
>>> > entries. AppSensor will rely on the accuracy of "log" data to make
>>> > decisions when thresholds are reached, and therefore I thought
>>> > protecting this source data is important - a bit of self-protection.
>>> > Colin
>> Sun Certified Java Programmer
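The thread describes two defences: neutralising CR/LF so one logged field cannot be made to look like several entries (John's point), and chaining each record to its predecessor with a digest so that deleted, altered or fake records can be identified (Colin's point). The following is an added example written for this archive page; it is not code from the thread or from the AppSensor project. It assumes a keyed digest (HMAC-SHA256) rather than a bare message digest, a demo key that in practice would be held away from the application and database, and an "anchor" (the most recent digest copied somewhere the log writer cannot reach), both of which are assumptions beyond the thread. The log records are constructed sample data.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. Assumption: a real deployment keeps the key away from
# the host and database that hold the log, otherwise a compromised host can
# re-chain the log after tampering with it.
SECRET_KEY = b"demo-key-not-for-production"
GENESIS_DIGEST = "0" * 64  # "previous digest" of the very first record


def sanitize(text):
    """Neutralise CR/LF so one field cannot masquerade as extra log lines."""
    return text.replace("\r", "\\r").replace("\n", "\\n")


def record_digest(record, prev_digest, key=SECRET_KEY):
    """Keyed digest over the record's content plus the previous record's digest."""
    body = json.dumps(
        {k: record[k] for k in ("seq", "ts", "user", "msg")},
        sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_digest + "\n" + body).encode(), hashlib.sha256).hexdigest()


def append_record(log, ts, user, message, key=SECRET_KEY):
    """Append a record with a unique sequence number, timestamp and chained digest."""
    prev = log[-1]["digest"] if log else GENESIS_DIGEST
    rec = {"seq": len(log) + 1, "ts": ts, "user": sanitize(user),
           "msg": sanitize(message), "prev": prev}
    rec["digest"] = record_digest(rec, prev, key)
    log.append(rec)
    return rec


def verify_log(log, key=SECRET_KEY, anchor=None):
    """Return (ok, problems); problems is a list of (seq, reason).

    `anchor` is the last digest stored off-box; without it, deleting the
    newest records (truncating the tail) is not detectable by the chain alone.
    """
    problems = []
    prev, expected_seq = GENESIS_DIGEST, 1
    for rec in log:
        if rec["seq"] != expected_seq:  # gap or reorder: a record was removed or moved
            problems.append((rec["seq"], "sequence: expected %d, got %d" % (expected_seq, rec["seq"])))
        if rec["prev"] != prev:  # link to predecessor broken
            problems.append((rec["seq"], "chain break: prev digest does not match preceding record"))
        if not hmac.compare_digest(record_digest(rec, rec["prev"], key), rec["digest"]):
            problems.append((rec["seq"], "digest mismatch: record altered or not produced with the logging key"))
        prev, expected_seq = rec["digest"], rec["seq"] + 1
    if anchor is not None and prev != anchor:
        problems.append((len(log), "tail mismatch: trailing records missing or replaced"))
    return (not problems, problems)


def tamper_scenarios():
    """Build a small constructed log and run verification against each tampering class."""
    log = []
    append_record(log, "2010-06-10T07:59:18Z", "alice", "login ok")
    # Constructed forging attempt: the CR/LF would otherwise read as a second entry.
    append_record(log, "2010-06-10T08:00:02Z", "bob", "password change\r\n2010-06-10T08:00:03Z admin login ok")
    append_record(log, "2010-06-10T08:01:00Z", "carol", "logout")
    anchor = log[-1]["digest"]
    results = {"log": log, "intact": verify_log(log, anchor=anchor)}

    altered = copy.deepcopy(log)          # record modified (e.g. a user ID changed)
    altered[1]["user"] = "mallory"
    results["altered"] = verify_log(altered, anchor=anchor)

    deleted = copy.deepcopy(log)          # a previous record deleted
    del deleted[1]
    results["deleted"] = verify_log(deleted, anchor=anchor)

    forged = copy.deepcopy(log)           # fake entry added without the key
    forged.append({"seq": 4, "ts": "2010-06-10T08:02:00Z", "user": "admin", "msg": "nothing to see",
                   "prev": forged[-1]["digest"], "digest": hashlib.sha256(b"guess").hexdigest()})
    results["forged"] = verify_log(forged, anchor=anchor)

    truncated = copy.deepcopy(log)[:2]    # newest record removed: only the anchor catches this
    results["truncated"] = verify_log(truncated, anchor=anchor)
    results["truncated_no_anchor"] = verify_log(truncated)
    return results


if __name__ == "__main__":
    for name, outcome in tamper_scenarios().items():
        if name != "log":
            print(name, outcome)
```

The `truncated_no_anchor` case is the one to note: a chain of digests proves that the surviving records are in order and unmodified, but it cannot prove that the log once had more records at the end. Storing the latest digest (or a running count) somewhere the logging host cannot write, or forwarding records to a separate log collector, closes that gap.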