Tell me more ×
IT Security Stack Exchange is a question and answer site for IT security professionals. It's 100% free, no registration required.
up vote 10 down vote favorite
3

As part of my course project I'm trying to understand various security frameworks and best practices.

One of the very popular approach is to maintain Logs. My question is about the security of the log file itself. Since most of the logs provide a clear trace of how the application handles errors, how secure is a log file?

Can a hacker inject malicious code in a log file? What are the ways to secure a log file if it creates a vulnerability (May be encoding, but then how effective it can be)?

Lastly, is it worth spending huge amounts of time, energy and money on securing logs?

share|improve this question

2 Answers

up vote 16 down vote accepted

Yes, log file injection can be useful in the exploitation process. For example, here is an exploit that uses a PHP Local File Include vulnerability to execute PHP code within Apache's access_log file. This exploit pattern is common in the LAMP world.

Most systems lack protection against this attack pattern. Usually log files are protected by the operating systems file access controls. AppArmor and SELinux can prevent a process from accessing an arbitrary file or directory. PHP's open_base_dir can prevent PHP from including files outside of the application directory.

Remote Logging is a great solution to both Local File Include Attacks, as well as the threat posed by an attacker compromising the machine and manipulating the log file to hide her tracks.

share|improve this answer
Excellent answer - covered off the exploit bit, which I hadn't touched on. – Rory Alsop Aug 6 '12 at 19:27
up vote 15 down vote

This is a major problem when proving auditability, as IT folks tend to have access to servers and theoretically could alter logs.

A common solution is to write logs to somewhere inaccessible to IT/Sysadmins etc in addition to the core syslog servers, for example offsite or to a WORM drive (Write Once - Read Many)

This allows you to use your normal syslog servers for day to day troubleshooting, performance analysis etc., while retaining 'secure' logs for audit or investigation purposes.

Of course, a determined and skilled attacker could intercept traffic, but the aim is to make it difficult enough that some traces will be left.

As to how worthwhile it is to secure them - depends on the needs of the organisation. For banks and large corporations it can be essential/mandatory, whereas for a small 5 man organisation it may be far less of a priority.

share|improve this answer
+1 a piratical solution. – Rook Aug 6 '12 at 19:43

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.