Stephan Marwedel, FOSDEM 2022, Security Devroom

Secure logging with syslog-ng
Forward integrity and confidentiality of system logs
Make the attacker visible.
Instrument the system.
Perform continuous log analysis.
Diagram: the system log file on the log host is a table of entries with columns Time and Data.
A verifier will detect that the log file has been tampered with.
Diagram: the system log file (Time, Data) is split at the time of compromise into protected entries and lost entries.
Compromise at a given time means no integrity guarantee for entries written after it; entries written before the compromise are still integrity protected.
Share key and compute:
  compute individual integrity tags per log entry
  compute aggregated integrity tag for the whole log file
Delete previous key and ...
Diagram: integrity protected system log file with columns Time, Data and Integrity tag.
At time of compromise the attacker has access to ... but not ...; the integrity tag protects the whole log file.
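The per-entry tags, aggregated tag and key deletion described above, as an added example that is not the slides' or syslog-ng's own code: a simplified forward-secure sealing scheme in Python (a SHA-256 key chain and HMAC tags are assumed; the sample lines are constructed). The verifier detects both a modified pre-compromise entry and a truncated file.

```python
import hashlib
import hmac
from typing import List, Tuple

# Simplified forward-secure sealing (added example; not syslog-ng's own slog code).
# Key chain: k_{i+1} = H(k_i), and k_i is erased once entry i is sealed.
# Per-entry tag t_i = HMAC(k_i, i || entry_i); aggregate A_i = HMAC(k_i, A_{i-1} || t_i).
ZERO = b"\x00" * 32

def evolve(key: bytes) -> bytes:
    """Derive the next key; the previous key cannot be recovered from the result."""
    return hashlib.sha256(b"slog-evolve" + key).digest()

def entry_tag(key: bytes, index: int, data: bytes) -> bytes:
    return hmac.new(key, index.to_bytes(8, "big") + data, hashlib.sha256).digest()

def seal(initial_key: bytes, lines: List[bytes]) -> Tuple[list, bytes]:
    """Log host side: tag each line, fold it into the aggregate, rotate the key."""
    key, aggregate, entries = initial_key, ZERO, []
    for i, data in enumerate(lines):
        tag = entry_tag(key, i, data)
        aggregate = hmac.new(key, aggregate + tag, hashlib.sha256).digest()
        entries.append((data, tag))
        key = evolve(key)  # k_i is discarded; only k_{i+1} remains on the host
    return entries, aggregate

def verify(initial_key: bytes, entries: list, aggregate: bytes) -> Tuple[bool, int]:
    """Verifier side, holding the shared initial key: (ok, first bad index or -1)."""
    key, agg = initial_key, ZERO
    for i, (data, tag) in enumerate(entries):
        expected = entry_tag(key, i, data)
        if not hmac.compare_digest(expected, tag):
            return False, i  # entry modified, replaced or re-ordered
        agg = hmac.new(key, agg + expected, hashlib.sha256).digest()
        key = evolve(key)
    return hmac.compare_digest(agg, aggregate), -1  # (False, -1): entries removed

# Constructed sample input; the lines follow the slide's German sample messages.
SAMPLE = [b"Dies ist eine Log Nachricht", b"Und dies auch",
          b"Hier kommt mal eine laengere Nachricht"]
K0 = hashlib.sha256(b"constructed initial key").digest()

def demo() -> tuple:
    entries, aggregate = seal(K0, SAMPLE)
    intact = verify(K0, entries, aggregate)
    # A compromise after entry 2 yields k_3 but not the erased k_1, so an edited entry 1 is caught.
    edited = entries[:1] + [(b"Und dies nicht", entries[1][1])] + entries[2:]
    modified = verify(K0, edited, aggregate)
    truncated = verify(K0, entries[:-1], aggregate)  # last entry dropped
    return intact, modified, truncated
```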
Diagram: syslog-ng architecture. Sources (Network, OS, Application) feed source drivers; messages pass through filters and templates to destination drivers and destinations.
https://github.com/balabit/syslog-ng
Diagram: syslog-ng with secure logging. Sources (File, Relay, Network, OS, Application) feed source drivers; after the filters, the slog template computes a MAC over each entry with a key before the destination drivers and destinations (Database, Relay, Network, OS). Companion tools: slogkey and slogverify.
Example (relay and log host). Original input at source:
  Dies ist eine Log Nachricht
  Und dies auch
  Hier kommt mal eine laengere Nachricht
Log messages as stored by the secure logging destination: encrypted, base64-encoded entries (the slide's example entries are omitted here).
Output of successful log verification:
  0: Dies ist eine Log Nachricht
  1: Und dies auch
  2: Hier kommt mal eine laengere Nachricht
syslog-ng configuration for secure logging:

    source s_network {
        network(transport("udp") port(514)
                # NOTE: Secure logging requires this flag to be set
                flags(store-raw-message));
    };

    # Secure logging template with key and MAC file locations
    template t_slog {
        template("$(slog -k /var/slog/host.key -m /var/slog/mac.dat $RAWMSG)\n");
    };

    # Destination that uses the secure logging template
    destination d_local {
        file("/var/log/messages.slog" template(t_slog));
    };

    log { source(s_network); destination(d_local); };
New source files to syslog-ng
No new dependencies were introduced
All cryptographic operations rely on OpenSSL
Excellent performance when using AES-NI:
  Intel Core i7 6th Gen @ 2.2 GHz: 9… log entries/s
  Typically: log host with 2·10^5 log entries in 24 hours, 7.3·10^7 log entries during 1 year of operation
  Key derivation in < 1 s
System behaviour under load
syslog-ng internal API poorly documented
No syslog-ng developers guide available
Complex build system
Packaging for target platform must be performed manually
Log rotation
Diagram (use case): airborne segment, airport and ground segment with SIEM; steps: key derivation, log record creation, log record relay, log record analysis.
Achievements:
Tamper evident secure log system with easy integration into existing syslog-ng installations
Performance of log host superior to systemd forward secure sealing
Efficient offline log file verification
Verification can be integrated into existing SIEMs
… industrial readiness

Future work:
Crash recovery: restore log entries that might have been lost during a system crash
Airbus Operations GmbH
Stephan Marwedel
Product Security Engineer
Airbus Engineering – Aircraft Security, Kreetslag 10, 21129 Hamburg – Germany
E-Mail: stephan.marwedel@airbus.com
Phone: +4940-743-85635