Daily chained checksum of OSSEC alerts

Log integrity is critical for auditing and compliance reasons. You do not want your logs to be modified or tampered with.

And if they are, you want to be able to tell that it happened.

To solve this problem, OSSEC v1.2 will come with support for daily chained checksums enabled by default.

Basically, what it means is that at the end of each day, ossec will generate the md5/sha1 sum of the current day's logs plus the md5/sha1 sum of the checksum file from the previous day.

For example, on Apr 23, the following checksum will be created:

# pwd
# cat ossec-alerts-23.log.sum
Current checksum:
MD5 (/logs/alerts/2007/Apr/ossec-alerts-23.log) =
SHA1 (/logs/alerts/2007/Apr/ossec-alerts-23.log) =

Chained checksum:
MD5 (/logs/alerts/2007/Apr/ossec-alerts-22.log.sum) =
SHA1 (/logs/alerts/2007/Apr/ossec-alerts-22.log.sum) =

If you look at the checksum of Apr 22, it will have its own plus the one from Apr 21 (and so on, back to the first day the chain started).

What do we get from that? First, any modification of an old log would require changing all the subsequent checksums. Second, if you e-mail them to yourself every day (or post them somewhere publicly), you have a valid case to prove that they were not tampered with.
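To make the chain concrete, here is a small example (added here, not OSSEC's own code) that writes .sum files in the layout shown above, verifies a run of them, and then shows the two failure cases the text describes: editing an old log breaks that day's checksum, and regenerating that day's .sum to hide the edit breaks the next day's chained checksum instead. File names, the three-day chain and the alert lines are constructed for the demo; the .sum layout is assumed to match the listing above.

```python
import hashlib
import os
import tempfile


def digest_file(path, algo):
    """Hex digest of a file with the named hashlib algorithm (md5 or sha1 here)."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_sum(log_path, prev_sum_path):
    """Write <log_path>.sum: current checksum of the log plus, when a previous
    day's .sum exists, the chained checksum of that .sum file."""
    lines = ["Current checksum:",
             f"MD5 ({log_path}) = {digest_file(log_path, 'md5')}",
             f"SHA1 ({log_path}) = {digest_file(log_path, 'sha1')}",
             ""]
    if prev_sum_path is not None and os.path.exists(prev_sum_path):
        lines += ["Chained checksum:",
                  f"MD5 ({prev_sum_path}) = {digest_file(prev_sum_path, 'md5')}",
                  f"SHA1 ({prev_sum_path}) = {digest_file(prev_sum_path, 'sha1')}",
                  ""]
    sum_path = log_path + ".sum"
    with open(sum_path, "w") as f:
        f.write("\n".join(lines))
    return sum_path


def parse_sum(sum_path):
    """Return {(algo, path): hexdigest} for every 'ALGO (path) = hex' line."""
    entries = {}
    with open(sum_path) as f:
        for line in f:
            line = line.strip()
            if not line or line.endswith(":"):
                continue  # blank line or section header
            algo, rest = line.split(" ", 1)
            path, hexval = rest.rsplit(") = ", 1)
            entries[(algo.lower(), path.lstrip("("))] = hexval
    return entries


def verify_chain(sum_paths):
    """Recompute every digest recorded in each .sum file (the day's log and the
    previous day's .sum). Returns a list of (sum_file, algo, path) mismatches."""
    bad = []
    for sum_path in sum_paths:
        for (algo, path), expected in parse_sum(sum_path).items():
            if not os.path.exists(path) or digest_file(path, algo) != expected:
                bad.append((sum_path, algo, path))
    return bad


def failing_sums(sum_paths):
    """Base names of the .sum files that fail verification, sorted."""
    return sorted({os.path.basename(s) for s, _, _ in verify_chain(sum_paths)})


def demo():
    """Build a constructed three-day chain, then exercise both tampering cases."""
    base = tempfile.mkdtemp()
    logs, sums, prev = [], [], None
    for day in (21, 22, 23):
        log = os.path.join(base, f"ossec-alerts-{day}.log")
        with open(log, "w") as f:
            f.write(f"** Alert: constructed sample alert for Apr {day}\n")
        logs.append(log)
        prev = write_sum(log, prev)  # chain each day to the previous .sum
        sums.append(prev)
    clean = failing_sums(sums)  # untouched chain: nothing fails

    # Case 1: an old log (Apr 22) is edited after its .sum was produced.
    with open(logs[1], "a") as f:
        f.write("** Alert: line added after the fact\n")
    tampered_log = failing_sums(sums)  # day-22 current checksum fails

    # Case 2: the day-22 .sum is regenerated to match the edited log; the
    # day-23 chained checksum of that .sum file now fails instead.
    write_sum(logs[1], sums[0])
    resigned_sum = failing_sums(sums)
    return {"clean": clean, "tampered_log": tampered_log,
            "resigned_sum": resigned_sum}


if __name__ == "__main__":
    print(demo())
```

The second case is the point of chaining: hiding an edit requires regenerating every later .sum file as well, and any copy of those files you already mailed out or published will no longer match.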

If you want to try this feature, please check a pre-beta version of our snapshot.

Posted in ossec by Daniel Cid (dcid)
