The rocket-fast system for log processing

How to sign log messages through signature provider Guardtime

With rsyslog v7.3.9 we introduced the possibility to sign log messages through Guardtime, a signature provider. This method was updated with the release of rsyslog v8.11.0. The process to enable it is relatively easy, and in the end your log files are signed with a keyless signature that relies on hash functions through Guardtime. The signature functionality is loaded automatically by omfile if so requested; it just requires that the signature provider itself is installed. For our RPMs and Ubuntu packages, it is available in the base package. During the signature process a second file with the ".ksisig" extension is created next to your log file. This pair of files is later needed to prove the integrity of your log file. In addition to rsyslog 8.11.0 or above you need "libksi". The library is available from Guardtime through GitHub. If you installed rsyslog from our packages, libksi is installed automatically.

When installing manually, you need to enable the signature function. The most basic configure command looks like this:

./configure --prefix=/usr --enable-gt-ksi

When rsyslog is installed, you can use the Guardtime signatures easily with a few additional configuration directives. For detailed information about the configuration directives, please review the manual. The correct action would look like this:

action(type="omfile" file="/var/log/logfile"
       sig.provider="ksi"
       sig.hashFunction="SHA2-256"
       sig.aggregator.uri="KSI Aggregator URL"
       sig.aggregator.user="KSI User"
       sig.aggregator.key="KSI Key"     # Please contact Guardtime for authentication details
       sig.keepTreeHashes="on"
       sig.keepRecordHashes="on")

The directive sig.provider determines the provider that will be used. Currently, only Guardtime (ksi) is available, but other providers might be added in the future. Next, the directive sig.hashFunction determines the hash algorithm that will be used; various hash functions are available, and the full list is on the manual page. Options 3-5 determine the log aggregator and the login data. This information will be provided by Guardtime. The last two options control the granularity of the stored signature hashes, at the cost of disk space. When you try to detect a security breach, however, they come in handy, because they let you pinpoint the location of the breach within the file. You will receive two files that share the same name but have a different extension:

/var/log/logfile
/var/log/logfile.ksisig
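The following added example (not code from rsyslog, libksi or Guardtime, and not the real KSI signature format) illustrates why keeping tree hashes and record hashes costs disk space but pays off during an investigation. It builds a simplified binary hash tree over SHA2-256 record hashes of a constructed log, keeps the per-record hashes as a stand-in for what the ".ksisig" file retains, and shows that with them a verifier can report which records were altered or removed, whereas with only the root it could just say "mismatch". Names such as sign_log and verify_log are this example's own.

```python
"""Simplified model of record hashes + tree hashes for localizing log tampering.
Added illustration only: the real KSI aggregation tree and .ksisig layout differ.
"""
import hashlib
from typing import Dict, List, Optional


def record_hash(line: bytes) -> bytes:
    """Leaf hash of one log record (domain-separated with a 0x00 prefix)."""
    return hashlib.sha256(b"\x00" + line).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """Interior node hash (domain-separated with a 0x01 prefix)."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_tree(leaves: List[bytes]) -> List[List[bytes]]:
    """Return all tree levels: level[0] = leaves, level[-1] = [root].
    An odd leftover node is carried up unchanged."""
    if not leaves:
        raise ValueError("cannot build a hash tree over an empty log")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2 == 1:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels


def sign_log(lines: List[bytes]) -> Dict[str, object]:
    """What the signature file keeps in this model: record hashes (the
    'keepRecordHashes' cost, one digest per line), the tree levels
    ('keepTreeHashes') and the root. In KSI the root is what is sent to
    the aggregator; here it is simply stored. Constructed stand-in."""
    leaves = [record_hash(line) for line in lines]
    levels = build_tree(leaves)
    return {"records": leaves, "tree": levels, "root": levels[-1][0]}


def verify_log(lines: List[bytes], sig: Dict[str, object]) -> Optional[List[int]]:
    """Return None when the log still matches the signed root.
    Otherwise return the 0-based indexes of records whose stored record
    hash no longer matches, including indexes of records that were removed
    from the end. Without stored record hashes only the root comparison
    would be possible and no location could be given."""
    records: List[bytes] = sig["records"]  # type: ignore[assignment]
    root_now = build_tree([record_hash(line) for line in lines])[-1][0]
    if root_now == sig["root"] and len(lines) == len(records):
        return None
    bad = [i for i, line in enumerate(lines)
           if i >= len(records) or record_hash(line) != records[i]]
    # records that existed when signed but are gone now (truncation)
    bad += list(range(len(lines), len(records)))
    return bad


# Constructed sample log, not real syslog output.
SAMPLE_LOG = [
    b"Jan 01 10:00:00 host sshd[100]: Accepted publickey for alice",
    b"Jan 01 10:00:05 host sudo: alice : COMMAND=/bin/ls",
    b"Jan 01 10:00:09 host sshd[101]: Failed password for root",
    b"Jan 01 10:00:12 host sshd[101]: Failed password for root",
    b"Jan 01 10:00:20 host sshd[100]: session closed for user alice",
]


if __name__ == "__main__":
    sig = sign_log(SAMPLE_LOG)
    print("untouched log:", verify_log(SAMPLE_LOG, sig))
    tampered = list(SAMPLE_LOG)
    tampered[2] = b"Jan 01 10:00:09 host sshd[101]: Accepted password for root"
    print("edited record:", verify_log(tampered, sig))
    print("truncated log:", verify_log(SAMPLE_LOG[:3], sig))
```

The verifier first recomputes the root and only falls back to the per-record comparison when the root differs, which mirrors the trade-off the options describe: the root alone is enough to detect that something changed, the record hashes are what turn that into a line number an analyst can act on.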

Once rsyslog is installed you also get a new tool called "rsgtutil". It helps you check the integrity of your log file in conjunction with the signature file. By issuing

tools/rsgtutil --verify --show-verified /var/log/logfile

you can easily check whether the log file matches the stored hashes. If the check succeeds you will see that directly. If not, you will be notified as well, and further investigation will be necessary. Please note: the Guardtime KSI service has been upgraded to mitigate DoS attacks by adding user authentication. Please contact Guardtime for more information.