Re: secure UNIX log server
From: fanny (fannysaunders@yahoo.com) Date: 05/29/02
- Previous message: Iwo Mergler: "Re: IP address <--> Global Positioning System (GPS)"
- In reply to: Martin Hepworth: "Re: secure UNIX log server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: fannysaunders@yahoo.com (fanny) Date: 29 May 2002 14:29:19 -0700
Thanks everyone, you have given me some good alternatives to consider.
I agree that logging is a horrible can of worms and there is very
little advice out there on what to monitor. Maybe because it depends
so much on your company, what industry you work in and how many
skilled admins you have. We have decided to log repeated failed login
attempts, sudo use, su use and successful logins.
A subset of these events will be reviewed daily, others will only be
looked at as needed. Even this small amount of monitoring means a
fairly large increase in administrative overhead. For this reason I am
trying to push responsibility for reviewing SU to application ids
(such as oracle) to the Database teams or whoever "owns" the account.
Only ROOT will be monitored by Security and UNIX admins.
We would very much like to monitor account management but have found
no satisfactory way to do it. We persuaded our auditors that logging
file access would degrade system performance and produce too much data
to be useful. I keep pushing for tripwire but not yet successfully.
I'm interested in hearing about other people's experiences defining
auditing policies. Regards.
fanny
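The policy described in the post (log repeated failed logins, sudo use, su use and successful logins; route review of su to application ids such as oracle to the owning team, and su to root to Security) can be turned into a small review-queue builder. The following is an added example, not code from the original post or from any of the posters; the syslog lines, host name, account names and the owner mapping are constructed for illustration, and the su and sudo message formats are assumed to match the regular expressions below (real systems vary, so adjust the patterns to your own auth log).

```python
import re
from collections import Counter, defaultdict

# Constructed sample auth log (syslog style). Not real data.
SAMPLE_LOG = """\
May 29 14:01:02 db1 sshd[1201]: Failed password for root from 10.0.0.5 port 4242 ssh2
May 29 14:01:05 db1 sshd[1202]: Failed password for root from 10.0.0.5 port 4243 ssh2
May 29 14:01:09 db1 sshd[1203]: Failed password for root from 10.0.0.5 port 4244 ssh2
May 29 14:02:10 db1 sshd[1210]: Accepted password for alice from 10.0.0.7 port 5000 ssh2
May 29 14:03:00 db1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
May 29 14:04:00 db1 su[1250]: (to oracle) alice on pts/0
May 29 14:05:00 db1 su[1251]: (to root) bob on pts/1
May 29 14:06:00 db1 sshd[1260]: Failed password for bob from 10.0.0.9 port 5100 ssh2
"""

# Assumed message formats for the four event classes the post says it logs.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
SU_RE = re.compile(r"su(?:\[\d+\])?: \(to (\S+)\) (\S+) on (\S+)")

# Who reviews su to which account (hypothetical mapping): root goes to
# Security, application ids go to the team that "owns" the account.
ACCOUNT_OWNERS = {"root": "security", "oracle": "dba-team"}


def parse_events(lines):
    """Turn raw auth log lines into typed events; unknown lines are ignored."""
    events = []
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        m = FAILED_RE.search(line)
        if m:
            events.append({"kind": "failed_login", "user": m.group(1), "src": m.group(2), "raw": line})
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append({"kind": "login", "user": m.group(1), "src": m.group(2), "raw": line})
            continue
        m = SUDO_RE.search(line)
        if m:
            events.append({"kind": "sudo", "actor": m.group(1), "target": m.group(2),
                           "command": m.group(3), "raw": line})
            continue
        m = SU_RE.search(line)
        if m:
            events.append({"kind": "su", "target": m.group(1), "actor": m.group(2),
                           "tty": m.group(3), "raw": line})
    return events


def build_review_queues(lines, owners=ACCOUNT_OWNERS, fail_threshold=3):
    """Sort events into per-reviewer queues.

    - repeated failed logins (same user from same source, >= threshold) -> security
    - sudo use -> security
    - su -> the owner of the target account (root -> security)
    - successful logins -> a daily login report
    """
    queues = defaultdict(list)
    failures = Counter()
    for ev in parse_events(lines):
        if ev["kind"] == "failed_login":
            key = (ev["user"], ev["src"])
            failures[key] += 1
            # Alert exactly once, when the threshold is first reached.
            if failures[key] == fail_threshold:
                queues["security"].append(
                    f"{fail_threshold} failed logins for {ev['user']} from {ev['src']}")
        elif ev["kind"] == "login":
            queues["logins"].append(f"login {ev['user']} from {ev['src']}")
        elif ev["kind"] == "sudo":
            queues["security"].append(
                f"sudo {ev['actor']} -> {ev['target']}: {ev['command']}")
        elif ev["kind"] == "su":
            owner = owners.get(ev["target"], "unowned")
            queues[owner].append(f"su {ev['actor']} -> {ev['target']} on {ev['tty']}")
    return dict(queues)


if __name__ == "__main__":
    for reviewer, items in build_review_queues(SAMPLE_LOG.splitlines()).items():
        print(f"== {reviewer} ==")
        for item in items:
            print("  " + item)
```

With the sample above, Security receives three items (the third failed root login from 10.0.0.5, alice's sudo, and bob's su to root), the dba-team receives alice's su to oracle, and the single successful login lands in the daily report; bob's lone failed login stays below the threshold and generates nothing. Any su to an account with no entry in the owner map is collected under "unowned", which is itself worth reviewing since it means an account nobody has claimed responsibility for.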
- Next message: Ryo Furue: "How to detect a trojan on a Unix server?"