[logs] Unix privileged access logging

Tom Le dottom at gmail.com
Wed May 16 23:48:23 PDT 2007


Jim wrote:
> The native audit subsystem produces such a large volume of data,
> parsing said data is not practical.  Although sudo logs all
> administrative access, it seems many admins lack the discipline
> to use sudo on a routine basis other than to sudo su -.

You have to use the native OS audit capability; otherwise your auditing is
incomplete and easily circumvented.  Users can compile or upload any binary
to run any set of commands.

The key is to identify what specific activity you are interested in
auditing, then modify the audit parameters such that the native OS auditing
has minimal impact.

Also keep in mind that even native OS audit capability by itself can be
circumvented with modest effort.  Generally speaking, if the user does not
know auditing is occurring, the user is less likely to obfuscate activity.
The only way to properly audit activity in a Unix environment is to use a
combination of:

  - native OS auditing
  - ACLs/FACLs or sudo to limit the user's ability to circumvent auditing
  - tripwire-like capability for critical files (I prefer a home-grown Perl
based "tripwire light" application to track changes and diffs).

The last component is important because you may be auditing specific
commands, but how do you know what the result of those commands was?  It's
also essential if you need to identify trojan activity (this gets into
security event monitoring vs. auditing).  Identifying trojan
activity has different use cases than auditing normal user or administrator
activity.

Tom
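A minimal "tripwire light" in Python, added here as an illustration and not Tom's own Perl tool: it baselines the mode, owner and SHA-256 of critical files, keeps the lines of small text files so a later comparison can show a unified diff, and reports what changed. The demo() scenario, file names and contents are constructed for the example (a sudoers-style file made world-writable and given an extra entry), and only paths present in the baseline are compared.

```python
import difflib, hashlib, os, stat, tempfile, pathlib
MAX_DIFF_BYTES = 65536  # keep file content for diffing only for small text files

def snapshot(paths):
    """Mode/owner/hash per path (None if missing); small text files also keep their lines."""
    snap = {p: None for p in paths}
    for p in paths:
        if os.path.lexists(p):
            st = os.lstat(p)
            entry = {"mode": oct(stat.S_IMODE(st.st_mode)), "uid": st.st_uid, "gid": st.st_gid}
            if stat.S_ISREG(st.st_mode):
                with open(p, "rb") as fh:
                    data = fh.read()
                entry["sha256"] = hashlib.sha256(data).hexdigest()
                if len(data) <= MAX_DIFF_BYTES:
                    try:
                        entry["text"] = data.decode("utf-8").splitlines()
                    except UnicodeDecodeError:
                        pass  # binary file: hash only, no diff
            snap[p] = entry
    return snap

def compare(baseline, current):
    """Map each changed path to findings: metadata deltas, then a unified diff when possible."""
    report = {}
    for p, old in baseline.items():
        new = current.get(p)
        if old == new:
            continue
        if new is None or old is None:
            report[p] = ["missing" if new is None else "created"]
            continue
        findings = [f"{k}: {old.get(k)} -> {new.get(k)}" for k in ("mode", "uid", "gid", "sha256")
                    if old.get(k) != new.get(k)]
        if "text" in old and "text" in new and old["text"] != new["text"]:
            findings += difflib.unified_diff(old["text"], new["text"], "baseline", "current", lineterm="")
        report[p] = findings
    return report

def demo():
    """Constructed scenario: a sudoers-style file is made world-writable and gains an entry."""
    d = pathlib.Path(tempfile.mkdtemp())
    f, absent = d / "sudoers", d / "absent"
    f.write_text("root ALL=(ALL) ALL\n")
    f.chmod(0o440)
    base = snapshot([f, absent])
    f.chmod(0o666)  # weakened permissions...
    f.write_text(f.read_text() + "bob ALL=(ALL) ALL\n")  # ...and an added entry
    return compare(base, snapshot([f, absent]))
```

Persist the baseline somewhere the audited users cannot write (a read-only medium or a remote host), since a baseline stored beside the monitored files can be edited along with them.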