Hello all, I know that in some countries there are legal requirements for how long logs are meant to be held for. Are there such laws like that in NZ, and can anyone point me to any references?

--
Cameron Kerr cameron.kerr(a)paradise.net.nz : http://nzgeeks.org/cameron/ Empowered by Perl!
On Tue, Mar 23, 2004 at 05:18:19PM +1200, Cameron Kerr wrote:

> Hello all, I know that in some countries there are legal requirements for how long logs are meant to be held for. Are there such laws like that in NZ, and can anyone point me to any references?

It will depend on what you're doing. I know one of my clients retains logs for everything from their web servers on back for 7 years to comply with various acts around banking.

--
Rodger Donaldson rodgerd(a)diaspora.gen.nz "We have cornered the market on senselessness and profited."
If such a law exists it's rather pointless unless for defending false claims. If you were to get hacked/unauthorised access and need to provide evidence surely the offender would have removed that from the logs, or the logs altogether. Therefore putting you in a position of breaking the law? Or have I missed the point on keeping logs entirely.

Cheers
Rob

On Tue, 2004-03-23 at 20:40, Rodger Donaldson wrote:

> On Tue, Mar 23, 2004 at 05:18:19PM +1200, Cameron Kerr wrote:
>
> > Hello all, I know that in some countries there are legal requirements for how long logs are meant to be held for. Are there such laws like that in NZ, and can anyone point me to any references?
>
> It will depend on what you're doing. I know one of my clients retains logs for everything from their web servers on back for 7 years to comply with various acts around banking.
>
> --
> Rodger Donaldson rodgerd(a)diaspora.gen.nz "We have cornered the market on senselessness and profited."
>
> _______________________________________________
> NZNOG mailing list
> NZNOG(a)list.waikato.ac.nz
> http://list.waikato.ac.nz/mailman/listinfo/nznog
Robert McDonald writes:

> If such a law exists it's rather pointless unless for defending false claims. If you were to get hacked/unauthorised access and need to provide evidence surely the offender would have removed that from the logs, or the logs altogether. Therefore putting you in a position of breaking the law?
>
> Or have I missed the point on keeping logs entirely.

Don't keep the logs on the same box(es) you're monitoring. Otherwise, as you say, you can't trust them in the event of a compromise. There's a good paper by Schneier about how to make tamper-proof logs so you can detect unauthorised modifications, but it's easier to remote syslog to another server, one which doesn't do anything else. The truly paranoid will use a listen-only ethernet cable.

cheers,
Jamie

--
James Riden / j.riden(a)massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
Tel: +64 6 3569099 ext. 7402
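A simplified form of the tamper-evident, forward-secure log scheme James refers to (in the spirit of the Schneier and Kelsey paper), added here as an illustration and not code from the thread or from that paper. It assumes the initial key K0 and the periodic checkpoint live on the separate log host, never on the monitored box, and the sample lines are constructed.

```python
import hashlib
import hmac

def evolve(key: bytes) -> bytes:
    # One-way key update K(i+1) = H(K(i)): a thief of the current key cannot
    # recover earlier keys, so earlier entries cannot be re-tagged.
    return hashlib.sha256(b"evolve|" + key).digest()

class ForwardSecureLog:
    """Append-only log: each entry is hash-chained to its predecessor and
    HMAC-tagged under a per-entry key that is discarded after use."""

    def __init__(self, initial_key: bytes):
        self.key = initial_key       # K0, shared only with the off-box verifier
        self.prev = b"\x00" * 32     # chain value before the first entry
        self.entries = []

    def append(self, message: str) -> None:
        chain = hashlib.sha256(self.prev + message.encode()).digest()
        tag = hmac.new(self.key, chain, hashlib.sha256).digest()
        self.entries.append({"msg": message, "chain": chain.hex(), "tag": tag.hex()})
        self.prev = chain
        self.key = evolve(self.key)  # key used for this entry no longer exists here

    def checkpoint(self) -> str:
        """Current chain head; ship it off-box so truncation can be detected."""
        return self.prev.hex()

def verify(entries, initial_key: bytes, checkpoint: str = None):
    """Rebuild chain and tags from K0. Returns (True, None) if intact, otherwise
    (False, i): i is the first altered/missing entry, or len(entries) when the
    log was cut short after the last checkpoint the verifier holds."""
    key, prev = initial_key, b"\x00" * 32
    for i, e in enumerate(entries):
        chain = hashlib.sha256(prev + e["msg"].encode()).digest()
        tag = hmac.new(key, chain, hashlib.sha256).digest()
        if chain.hex() != e["chain"] or not hmac.compare_digest(tag.hex(), e["tag"]):
            return False, i
        prev, key = chain, evolve(key)
    if checkpoint is not None and prev.hex() != checkpoint:
        return False, len(entries)
    return True, None

# Constructed sample syslog-style lines (not from any real host).
SAMPLE = ["sshd[812]: Accepted publickey for ops from 192.0.2.10",
          "sudo: ops : TTY=pts/0 ; COMMAND=/bin/sh",
          "sshd[812]: session closed for user ops"]
```

An intruder who gets root on the monitored box can still append under the current key or cut the file short, which is why the checkpoint (or the whole stream, as James suggests) has to leave the box before the compromise.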
On Wed, Mar 24, 2004, James Riden thus spake:

> else. The truly paranoid will use a listen-only ethernet cable.

Indeed. The Honeynet folks, besides having a hardened syslog server, also sniff syslog traffic off the wire as part of the Snort setup, so there's simply no point of entry to the syslog data from the compromised network. Other equally paranoid types have proposed various solutions of dumping to write-only media, such as CD-R or a plain ol' paper printer. Anyway, if you're sufficiently motivated there are plenty of failsafe methods to ensure the logs aren't compromised (though internal compromise is still theoretically possible).

Regards,
Ed Hintz ed(a)hintz.org
On Wed, 24 Mar 2004 08:59, James Riden wrote:

> Robert McDonald writes:
>
> > If such a law exists it's rather pointless unless for defending false claims. If you were to get hacked/unauthorised access and need to provide evidence surely the offender would have removed that from the logs, or the logs altogether. Therefore putting you in a position of breaking the law?
> >
> > Or have I missed the point on keeping logs entirely.
>
> Don't keep the logs on the same box(es) you're monitoring. Otherwise, as you say, you can't trust them in the event of a compromise.

A line printer kept in a locked room with lots and lots of fanfold paper. Seriously. Twink would be noticed even on casual inspection.
On 23 Mar 2004, at 15:59, James Riden wrote:

> There's a good paper by Schneier about how to make tamper-proof logs so you can detect unauthorised modifications, but it's easier to remote syslog to another server, one which doesn't do anything else. The truly paranoid will use a listen-only ethernet cable.

The truly paranoid also won't use syslog :-) Has anybody seen an implementation of RFC3195 in the wild, by the way?

Joe
Cameron Kerr writes:

> Hello all, I know that in some countries there are legal requirements for how long logs are meant to be held for. Are there such laws like that in NZ, and can anyone point me to any references?

In general, financial records need to be kept for 7 years, in accordance with tax and financial reporting legislation. It's something of a stretch to say web/email/traffic logs etc actually constitute financial records; typically it's only the actual financial documents (invoices etc) that need to be kept, not the raw data that these are based on. (Of course it may still be that one considers particularly sensitive log information to be worth keeping out of prudence, even if one isn't strictly required to.) That said, it's prudent to keep any logs that may be used to resolve a dispute for as long as it's likely that a dispute may arise. It may even be useful to place a limitation (e.g. three months) on disputing accounts in your terms & conditions, and base your log retention around that.

--
don
participants (8)

- Cameron Kerr
- Don Stokes
- Edmund A. Hintz
- James Riden
- Joe Abley
- Robert McDonald
- Rodger Donaldson
- Steve Wray