$Id: README,v 1.3 1998/06/22 02:17:59 lucio Exp $
==============================================================================
                         Secure Syslog package
                             README file
                 (C)1998 Core-SDI. Buenos Aires, Argentina.
==============================================================================

This is a beta pre-release version of Secure Syslog v1.2.
We think a couple of questions will be raised, and we will try to answer
them here, in this README file.

PLEASE DO NOT READ THIS FILE UNTIL YOU HAVE SUCCESSFULLY COMPILED AND EXECUTED
SSYSLOG. :-)

1. What is Secure Syslog?

  Secure Syslog (ssyslog) is a daemon intended to replace the traditional
syslog daemon present on most UNIX-like operating systems. It takes advantage
of advanced cryptographic protocols to make system logs auditable in a
secure way.
  It also implements a network protocol that allows centralized
auditing of system logs.
  For the scheme behind ssyslog to be complete, a trusted remote
machine is needed; this machine will be called the auditing machine.


2. What is wrong with old syslog?

  Old syslog stores system logs in local files. If an intruder gains
root privileges on a given machine, she can modify or erase any of the
logs; if she is careful enough she can do this so that nobody will ever
notice the logs were modified. From the perspective of security this
is wrong: the auditing of system logs is not possible under these
circumstances.
  Most versions of syslog can be configured so that system logs are
transmitted to and logged on a loghost, but this generates a lot of
traffic on the network.
  Secure Syslog avoids these problems by implementing a protocol that
allows system logs to be authenticated later and permits the log
transfer to be done when requested by the auditor (on the loghost) and in
hours of low network traffic.


3. What makes the SECURE part of Secure syslog secure?

  The cryptographic protocol used for log authentication, called
PEO-1, is designed so that a trusted auditor can check whether any of the
logs were adulterated. Using this protocol the append-only property
of system logs is assured.
  The communications with the auditor are encrypted using Blowfish (a
symmetric block cipher), and the auditor is authenticated
using a challenge-response protocol.
  Ssyslog uses SHA-1 as the one-way hash function needed by PEO-1.


4. Where can I find more about PEO-1?

  In http://www.core-sdi.com/ssyslog are links to the original papers
describing PEO-1, and other related documents.


5. Do I really need that remote trusted machine?

  The PEO-1 protocol works with a secret initial state (K0) that
should be known only by the auditor. This is why we need the auditor
to be on a remote machine: the initial state (K0) can't be
stored on the same system we are trying to audit, for it would become
accessible to the attackers.
  The remote machine is not strictly needed: you can run this protocol
securely if you make a bootable disk for your platform with the
audlog command and the ssyslogd daemon. To check the authenticity
of the logs you will then boot from the diskette and run:

audlog -c localhost
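The following is an added example, not ssyslog's or PEO-1's own code, sketching
the kind of forward-secure, hash-chained log that sections 3 and 5 describe: the
auditor keeps K0, the audited host keeps only the current key, and SHA-1 is the
one-way function. The per-entry tag format and the final key comparison are
assumptions for illustration, not the PEO-1 message format.

```python
import hashlib
import hmac

# Added example (not ssyslog code). Simplified forward-secure log:
# K(i+1) = SHA-1(K(i)); the host erases K(i) after each step, so an
# intruder who later gains root cannot recompute keys for old entries.


def next_key(key: bytes) -> bytes:
    """One-way key evolution with SHA-1, as the README names for PEO-1."""
    return hashlib.sha1(key).digest()


def entry_tag(key: bytes, prev_tag: bytes, msg: bytes) -> bytes:
    """Tag binds the message to the current key and to the previous tag
    (assumed construction; PEO-1's real format is not given on this page)."""
    return hmac.new(key, prev_tag + msg, hashlib.sha1).digest()


class ForwardSecureLog:
    """The audited host: holds only the current key, never K0 after start."""

    def __init__(self, k0: bytes):
        self.key = k0
        self.entries = []                 # list of (message, tag)
        self.last_tag = b"\x00" * 20      # SHA-1 digest size

    def append(self, msg: bytes) -> None:
        tag = entry_tag(self.key, self.last_tag, msg)
        self.entries.append((msg, tag))
        self.last_tag = tag
        self.key = next_key(self.key)     # forward step: old key is gone


def audit(k0: bytes, entries, host_key: bytes):
    """Auditor side: replays the key chain from the secret K0.

    Returns None when every tag verifies and the host's current key equals
    SHA-1^n(K0) for the n entries handed over; the index of the first entry
    that fails (modified or preceded by a deleted entry); or "truncated"
    when all entries verify but the host has advanced past them, i.e. the
    tail of the log was removed (the intruder cannot roll the key back)."""
    key, prev = k0, b"\x00" * 20
    for i, (msg, tag) in enumerate(entries):
        if not hmac.compare_digest(entry_tag(key, prev, msg), tag):
            return i
        prev, key = tag, next_key(key)
    return None if hmac.compare_digest(key, host_key) else "truncated"
```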


6. Where do I get the latest version of ssyslog?

To find the latest version of ssyslog you have to point your web
browser to http://www.core-sdi.com/ssyslog.


7. On feedback issues

  If you find any bugs, have any comments or questions, feel free to
contact us at:
				ek@core-sdi.com,
				futo@core-sdi.com

If you are reporting bugs, please verify first that the version of
ssyslog you are running is the latest version. Please include as much
information as you can.


8. Installing, compiling...

  For information on installing and compiling ssyslog refer to the file
INSTALL that should be located in this same directory.

