8

I have a cool tool that displays my syslog and kernellog on my mac's desktop. This has me concerned about what is written in them - I'm staring to feel like they are creating a hole in my privacy. I have seen filenames from when I was looking around in finder; someone was generating thumbnails and logging the full filename; I have also seen names of servers I have connected to using smb.

So I have some questions:

  • Can I clean my logs or limit a program's use of them? How?
  • Are these logs used/read in computer forensics?
  • What can an attacker get out of them? i.e. passwords or exploited vectors
  • Are there any tools to extract the interesting data out of these files?
culix
  • 164
  • 1
  • 12
KilledKenny
  • 1,662
  • 4
  • 19
  • 28

1 Answers1

11

Seeing that you're using Mac, manipulating logs is as simple as elevating yourself to a root (admin) user, by using a command such as 'sudo -i' in your terminal, and then editing them as you like.

As far as I'm concerned, logs are a security professional's best friend. The more logs you have the more information you have to pull from (at the same time, there's more data to crawl through, which has more to do with your last question). Logs are one of many resources when dealing in forensics.

When it comes to attackers gaining access to logs, it's more of a concern about them modifying logs to cover their tracks. If an attacker has access to your log files, they already have your system, so there's not real reason to worry about them gaining direct information from logs. On the other hand, trending data can be used for other means. For instance, if an attacker can gain access to the logs on a workstation in a corporation, they may be able to deduce what the average working times of a user may be (which, again, seems to be a moot point for most cases seeing that they already have access to the box).

As for your last question, tools to correlate these logs are very helpful. The main tool you're looking for is a SIM/SEM. This is a tool which takes logs and, based on profiling and traditional attack trends, alerts the administrator/security professional running the tool of the potential issue. Some good example of a SIM/SEM or SIEM (which i guess is the more common term) are arcsight, loglogic, alienvult/ossim, and logrhythm.

I've never thought of logs as being anything but good. So please think twice before deleting logs or even removing any data from your logs. The more you mess with your logs the less valuable they become. I wasn't able to find a security incident/event manager designed for a Mac with my limited search, but it still can be done.

Reading back over my answer, my thoughts were fairly narrow minded, so I apologize if I missed some other log oriented tools that are possibilities. Let me know if you want clarification on anything I said, I'm still waking up :-).

Scott Pack
  • 15,217
  • 5
  • 62
  • 91
Ormis
  • 1,940
  • 13
  • 18
  • I believe you mean Mac, not MAC. – emtunc Jun 05 '11 at 10:51
  • In my mind a "mac" is a hardware address and an "ios" is an internetwork operating system. I've yet to decide if you were being sarcastic or if I should be impressed that you legitimately corrected my use of capitalization. – Ormis Jun 07 '11 at 17:55
  • you forgot Splunk! – Ori Jun 11 '11 at 18:42
  • I find it clearly worth getting the capitalization right - easier to read and evidence of clue. Thanks @emtunc! – nealmcb Jun 11 '11 at 23:19