wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

Feature request: RFC 3161 timestamping the logs #17290

Open zbalkan opened 1 year ago

zbalkan commented 1 year ago
| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.3.1 | Wazuh manager | Manager | N/A | N/A |

Summary

The current log rotation solution compresses the logs and then calculates checksums for the files. However, the log files can be tampered with, new checksums can be generated, and the mtime value can also be modified. From a forensic evidence perspective, these checksums are not reliable.

Proposal

Implement the RFC 3161 Time-Stamp Protocol (TSP) for Wazuh log archives to ensure integrity.

However, RFC 3161 is an old standard and has been updated. For a greenfield improvement like this, RFC 5816 should also be considered, to be able to use better algorithms than SHA-1.

Also, as for TSAs, it does not have to be a commercial service provider, as free TSAs exist.

Creating a timestamp

[Image: creating a trusted timestamp (source linked below)]

Checking the timestamp

[Image: checking a trusted timestamp (source linked below)]

Images: https://en.wikipedia.org/wiki/Trusted_timestamping
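The two flows in the images above (create a timestamp, check a timestamp), as an added runnable example that is not part of the issue or of Wazuh's code. It uses OpenSSL's `ts` subcommand (assumed OpenSSL 1.1.1 or later) and constructs everything it needs locally: a throw-away self-signed TSA certificate with the `timeStamping` extended key usage, a minimal `[tsa]` config with a placeholder policy OID, and a fake archive file whose name is made up. In a real deployment the `.tsq` request would be posted to an external TSA and the returned `.tsr` stored next to the rotated archive; the verify step would be the same. The request hashes with SHA-256, which RFC 5816 permits in place of SHA-1.

```shell
#!/bin/sh
# Added example, not Wazuh code: RFC 3161 round trip for a rotated log archive
# with "openssl ts" (assumes OpenSSL >= 1.1.1). Everything is constructed for
# the demo: a self-signed throw-away TSA, its config, a placeholder policy OID
# and a fake archive. In production the .tsq goes to an external TSA over HTTP;
# only issue_response() would change.
set -eu

WORK="${TSDEMO_DIR:-$(mktemp -d)}"

# 1. Throw-away TSA: key plus self-signed cert with a critical
#    extendedKeyUsage=timeStamping, which "openssl ts" requires of a signer.
setup_tsa() {
  mkdir -p "$WORK/tsa"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed demo TSA" \
    -addext "extendedKeyUsage=critical,timeStamping" \
    -keyout "$WORK/tsa/tsa.key" -out "$WORK/tsa/tsa.crt" 2>/dev/null
  # Minimal [tsa] config; 1.2.3.4.1 is a placeholder policy OID.
  cat > "$WORK/tsa/tsa.cnf" <<EOF
[ tsa ]
default_tsa = tsa_config1

[ tsa_config1 ]
dir = $WORK/tsa
serial = \$dir/serial
signer_cert = \$dir/tsa.crt
signer_key = \$dir/tsa.key
signer_digest = sha256
default_policy = 1.2.3.4.1
digests = sha256, sha384, sha512
accuracy = secs:1, millisecs:500, microsecs:100
ordering = yes
tsa_name = yes
ess_cert_id_chain = no
EOF
}

# 2. Requester (the log rotation job): hash the archive with SHA-256 and ask
#    the TSA to include its certificate in the token. Writes $1.tsq.
make_request() {  # $1 = archive path
  openssl ts -query -data "$1" -sha256 -cert -out "$1.tsq" >/dev/null 2>&1
}

# 3. TSA: sign digest + current time into a timestamp token. Writes $1.tsr.
issue_response() {  # $1 = archive path
  openssl ts -reply -config "$WORK/tsa/tsa.cnf" \
    -queryfile "$1.tsq" -out "$1.tsr" >/dev/null 2>&1
}

# 4. Verifier (auditor): re-hash the archive and check it against the token.
#    Exit status 0 only if the bytes still match what the TSA signed.
verify_archive() {  # $1 = archive path
  openssl ts -verify -data "$1" -in "$1.tsr" \
    -CAfile "$WORK/tsa/tsa.crt" >/dev/null 2>&1
}

# End-to-end: stamp a fake archive, verify, modify it, verify again (must fail).
demo() {
  setup_tsa
  archive="$WORK/ossec-archive-01.log"   # constructed name, not a Wazuh path
  printf '2024-01-01 00:00:00 constructed log line\n' > "$archive"
  make_request "$archive"
  issue_response "$archive"
  verify_archive "$archive" || { echo "genuine archive failed to verify"; return 1; }
  printf 'edited after rotation\n' >> "$archive"
  if verify_archive "$archive"; then echo "modification not detected"; return 1; fi
  echo "OK: $archive.tsr binds the original contents; later edits are detected"
}

demo
```

Unlike a checksum stored beside the file, the `.tsr` token carries the digest, the time and a signature from a key the log owner does not hold, so regenerating checksums or touching `mtime` after the fact does not help; the auditor only needs the archive, the token and the TSA's CA certificate.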

ClementCastel commented 6 months ago

+1

cloudgitaware commented 2 months ago

I would say this is not just a feature, but a requirement. If you cannot trust your logs, there is no need to gather them. PLEASE put this on the feature list asap. Btw: this does not need to be RFC 3161 timestamping, but any (external) signing of the logs will suffice.