Consider tamper resistant audit log #190
Comments
|
From manico.james@gmail.com on November 11, 2010 05:54:08 Labels: -Type-Defect Type-Enhancement |
|
From manico.james@gmail.com on May 28, 2012 20:24:45 Owner: chrisisbeef |
moya6
added a commit
to esapi-agh/esapi-java-legacy
that referenced
this issue
May 26, 2015
kwwall
referenced
this issue
in esapi-agh/esapi-java-legacy
Jun 1, 2015
|
Special note: By this, I am NOT referring to blockchain! There are other means such as described by Schneier and Kelsey (e.g., see https://www.schneier.com/academic/paperfiles/paper-auditlogs.pdf), which is what I had in mind and has much less overhead than blockchain. |
|
I am marking this as Milestone 3.0 because I don't think it is something that we want to tackle in ESAPI 2.x as we probably will want to wait until we have consolidated the logging where we are only using SLF4J. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
From manico.james@gmail.com on November 10, 2010 22:10:43
(From Kevin Wall)
Built utilities for tamper resistant audit logs.
Schneier and Kelsey have a good paper on how to do this using various crypto primitives. The advantage is that once an entry is made in a log file, it is possible to use cryptographic primitives to detect if these logs have been tampered with in any way. This can be something that is important with presenting audit logs as forensics evidence as you can have assurance that the logs were not tampered with.
Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=180
The text was updated successfully, but these errors were encountered: