Re: secure UNIX log server

From: Richard L. Hamilton (rlhamil@smart.net)
Date: 05/29/02


    From: rlhamil@smart.net (Richard L. Hamilton)
    Date: Wed, 29 May 2002 01:55:59 -0000
    
    

    In article <a969f45a.0205280957.2455e3c9@posting.google.com>,
            fannysaunders@yahoo.com (fanny) writes:
    > I am defining policy and procedures for my company to collect, store
    > and review UNIX logs. We are storing them on a separate UNIX "log
    > server" and locally on servers. The log server is physically secured
    > and limited in who can log in, but I am still concerned that the logs
    > could be erased by someone who compromised the root account or by
    > UNIX administrators authorized to use the root account.
    >
    > The only answer I have come up with is to take root away from the UNIX
    > administrators on the log server and give it to the Security team.
    > Then UNIX admins have root on individual servers but not on the log.
    > Politically, taking root away from the UNIX admins, even on one
    > server, could be impossible. I could have all logs sent to a Windows
    > 2000 server instead. Do I have any other alternatives? Are there any
    > security engineers out there who have come up with a good solution to
    > this problem? Thanks in advance.

    I suppose you could toss Linux or one of the free BSDs (whichever was
    different from anything else, so as to reduce the desire to fool with
    it) on the least expensive commodity PC that is reasonably reliable,
    and put the logging (and no other services and nothing else that anyone
    but the security folks would need to get at) on there. Using a system
    that was too different and low-end to be of interest to anyone else would
    help with the political angle, and an open-source system might better
    lend itself towards e.g. choosing the most reliable syslogd variant
    (or modifying syslogd as needed), etc. Also, at least some of those
    open-source systems include packet-level filtering software, so that
    access to the log server could be carefully tailored to only be exactly
    what was needed.

    -- 
    mailto:rlhamil@mindwarp.smart.net  http://www.smart.net/~rlhamil
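An added example, not part of the original thread, of the packet-level tailoring the reply describes: a POSIX shell script that emits an iptables-restore ruleset for a dedicated Linux log host, accepting syslog only from listed client hosts and SSH only from the security team's subnet. The client addresses (192.0.2.10, 192.0.2.11) and the management subnet (198.51.100.0/28) are assumed placeholders.

```shell
#!/bin/sh
# Constructed ruleset for a single-purpose log host: default-deny inbound,
# syslog (514/udp) from known senders only, SSH from the security team only.
# Addresses below are placeholders; override via the environment.
LOG_CLIENTS="${LOG_CLIENTS:-192.0.2.10 192.0.2.11}"
SECURITY_NET="${SECURITY_NET:-198.51.100.0/28}"

# Print the ruleset in iptables-restore format; does not touch the live firewall.
log_host_ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # One rule per authorized syslog sender; nothing else may deliver logs.
    for host in $LOG_CLIENTS; do
        printf -- '-A INPUT -p udp -s %s --dport 514 -j ACCEPT\n' "$host"
    done
    # Interactive access is limited to the security team's subnet.
    printf -- '-A INPUT -p tcp -s %s --dport 22 -j ACCEPT\n' "$SECURITY_NET"
    # Record (rate-limited) and drop everything else.
    printf '%s\n' \
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "loghost-drop: "' \
        '-A INPUT -j DROP' \
        'COMMIT'
}

# Only load the rules when explicitly asked (requires root).
case "${1:-}" in
    apply) log_host_ruleset | iptables-restore ;;
    *) log_host_ruleset ;;
esac
```

Run without arguments to review the generated rules; `sh script.sh apply` loads them with iptables-restore.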
    


