Daily chained checksum of OSSEC alerts

Log integrity is critical for auditing and compliance reasons. You do not want your logs to be modified or tampered with.

And if they are, you want to be able to tell that it happened.

To solve this problem, OSSEC v1.2 will come with support for daily chained checksums enabled by default.

Basically, what it means is that at the end of each day, ossec will generate the md5/sha1 sums of that day's alert log plus the md5/sha1 sums of the previous day's checksum file.

For example, on Apr 23, the following checksum will be created:

# pwd
/var/ossec/logs/alerts/2007/Apr
# cat ossec-alerts-23.log.sum
Current checksum:
MD5 (/logs/alerts/2007/Apr/ossec-alerts-23.log) =
7a275b2d07a5aac500c78c7af51de457
SHA1 (/logs/alerts/2007/Apr/ossec-alerts-23.log) =
af560a60bfb9fde5944c4bfc36fedfb16a1956d5

Chained checksum:
MD5 (/logs/alerts/2007/Apr/ossec-alerts-22.log.sum) =
2ab5d8637e9f63493d2f3f3a9b06b17f
SHA1 (/logs/alerts/2007/Apr/ossec-alerts-22.log.sum) =
6b1f3c29abc9e37ddb6b1a53ac83b0fe20830140



If you look at the checksum file of Apr 22, it will have the sums of its own log plus the sums of the checksum file from Apr 21 (and the same goes back until the first day the chain started).

What do we get from that? First, any modification to an old log requires regenerating every checksum file that follows it in the chain. Second, if you e-mail the daily checksum file to yourself (or post it somewhere public), you have a copy that someone with write access to the box cannot rewrite, and a valid case to show that the logs were not tampered with. The chain alone only proves that the files on disk are consistent with each other; an attacker who can edit the logs can also recompute all the .sum files from the first day on, so the real protection comes from the copy kept out of their reach.
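As an added example (not code from this post or from OSSEC, whose implementation is in C), the following Python builds the same kind of chain over three constructed days of alerts, verifies it, and walks through what an attacker has to redo at each step. The directory layout, the `.sum` line format and the sample alert lines are assumptions modelled on the output above; OSSEC's exact on-disk format may differ.

```python
"""Build and verify daily chained checksum (.sum) files, OSSEC style (added example)."""
import hashlib
import re
import tempfile
from pathlib import Path

# One "MD5 (file) = hex" or "SHA1 (file) = hex" entry; whitespace after '=' is tolerated
# so the wrapped rendering in the post (digest on the next line) parses too.
SUM_LINE = re.compile(r"^(MD5|SHA1) \((.+?)\) =\s*([0-9a-f]+)$", re.MULTILINE)


def digests(path):
    data = Path(path).read_bytes()
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def write_sum(log, prev_sum):
    """Write <log>.sum: today's log digests, then the digests of yesterday's .sum file
    (omitted on the first day of the chain). Layout is assumed from the post."""
    md5, sha1 = digests(log)
    lines = ["Current checksum:", f"MD5 ({log}) = {md5}", f"SHA1 ({log}) = {sha1}", ""]
    if prev_sum is not None:
        pmd5, psha1 = digests(prev_sum)
        lines += ["Chained checksum:", f"MD5 ({prev_sum}) = {pmd5}",
                  f"SHA1 ({prev_sum}) = {psha1}", ""]
    sum_path = Path(f"{log}.sum")
    sum_path.write_text("\n".join(lines))
    return sum_path


def parse_sum_text(text):
    """Map each file named in .sum content to its recorded {"MD5": ..., "SHA1": ...}."""
    recorded = {}
    for algo, name, hexdigest in SUM_LINE.findall(text):
        recorded.setdefault(name, {})[algo] = hexdigest
    return recorded


def parse_sum(sum_path):
    return parse_sum_text(Path(sum_path).read_text())


def matches(recorded, path):
    """True if the file at `path` still has the digests recorded for it."""
    md5, sha1 = digests(path)
    return recorded.get(str(path)) == {"MD5": md5, "SHA1": sha1}


def verify_chain(logs):
    """Walk the chain oldest to newest; return {log name: verdict}."""
    verdicts, prev_sum = {}, None
    for log in logs:
        sum_path = Path(f"{log}.sum")
        recorded = parse_sum(sum_path)
        if not matches(recorded, log):
            verdicts[log.name] = "log does not match its .sum"
        elif prev_sum is not None and not matches(recorded, prev_sum):
            verdicts[log.name] = "chain broken: previous day's .sum was altered"
        else:
            verdicts[log.name] = "ok"
        prev_sum = sum_path
    return verdicts


def demo():
    """Three constructed days of alerts; returns the verdicts at each stage of an attack."""
    root = Path(tempfile.mkdtemp()) / "logs" / "alerts" / "2007" / "Apr"
    root.mkdir(parents=True)
    logs = []
    for day, alert in ((21, "sshd: authentication failure"),
                       (22, "syscheck: /etc/passwd modified"),
                       (23, "web: burst of 404s")):
        log = root / f"ossec-alerts-{day}.log"
        log.write_text(f"2007 Apr {day} 23:59:59 ossec: {alert}\n")  # constructed sample alert
        logs.append(log)
    prev = None
    for log in logs:
        prev = write_sum(log, prev)
    offhost_copy = Path(f"{logs[-1]}.sum").read_text()  # the .sum you e-mailed yourself
    clean = verify_chain(logs)

    # Attacker rewrites the oldest log: day 21 no longer matches its own .sum.
    logs[0].write_text("2007 Apr 21 23:59:59 ossec: nothing to see here\n")
    edited = verify_chain(logs)

    # Attacker also regenerates day 21's .sum: day 22's chained checksum now fails.
    write_sum(logs[0], None)
    resigned = verify_chain(logs)

    # Attacker regenerates the whole chain: on-disk it is consistent again, and only
    # the off-host copy of the latest .sum still disagrees.
    prev = None
    for log in logs:
        prev = write_sum(log, prev)
    rechained = verify_chain(logs)
    offhost_differs = offhost_copy != Path(f"{logs[-1]}.sum").read_text()
    return clean, edited, resigned, rechained, offhost_differs


if __name__ == "__main__":
    for stage, result in zip(("clean", "edited", "resigned", "rechained", "off-host differs"), demo()):
        print(f"{stage}: {result}")
```

The last stage is the one to keep in mind: once every `.sum` has been regenerated, `verify_chain` is satisfied, and the only evidence left is the copy of the newest `.sum` that was sent off the box before the edit.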

If you want to try this feature, please check a pre-beta version of our snapshot.



Posted in   ossec     by Daniel Cid (dcid)
