Re: secure UNIX log server
From: Martin Hepworth (martinh@ATsolid-state-logicoOIspammerNO.com) Date: 05/29/02
- Next message: Eirik Seim: "Re: Bridging Firewalls"
- Previous message: Dave Pimlott: "Re: Bridging Firewalls"
- In reply to: fanny: "secure UNIX log server"
- Next in thread: fanny: "Re: secure UNIX log server"
- Reply: fanny: "Re: secure UNIX log server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Martin Hepworth <martinh@ATsolid-state-logicoOIspammerNO.com> Date: Wed, 29 May 2002 10:39:34 +0100
Hi
Could always write to CD-R rather than a file system. Of course you'd
have to put in controls/procedures for changing the CD-R etc, but I've
seen this used before.
You still have to worry about availability of the logs - when to rotate,
RAID-ed filesystem and (tape) backup etc whatever you do.
Also how long do you keep the logs - 1 year, 10 years?
Now the fun starts - how do you review events from one machine to the
next? What events will you be looking for and how will you trail the
logs for these events. Having the data is one thing, but what are you
going to use it for - forensics after the event, or more pro-active
reporting?
Also what exactly are you logging - a lot of applications may not even
log to a syslog compliant service (Oracle login etc)!
You also need to make sure that once a log level is set it's not
changed - tripwire or similar on the machines may be a way of doing this.
(sound of can of worms opening :-)
--
Martin Hepworth
Senior Systems Administrator
Solid State Logic Ltd
+44 (0)1865 842300

fanny wrote:
> I am defining policy and procedures for my company to collect, store
> and review UNIX logs. We are storing them on a separate UNIX "log
> server" and locally on servers. The log server is physically secured
> and limited in who can log in but I am still concerned that the logs
> could be erased by someone who compromised the root account or by a
> UNIX administrator authorized to use the root account.
>
> The only answer I have come up with is to take root away from the UNIX
> administrators on the log server and give it to the Security team.
> Then UNIX admins have root on individual servers but not on the log.
> Politically, taking root away from the UNIX admins, even on one
> server, could be impossible. I could have all logs sent to a Windows
> 2000 server instead. Do I have any other alternatives? Are there any
> security engineers out there who have come up with a good solution to
> this problem? thanks in advance,
>
> Fanny
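One way to make the thread's concern (logs erased or edited by whoever holds root on the log server) detectable, as an added example that is not part of either post: a hash chain over the forwarded log lines whose head is recorded out of band, e.g. on the CD-R Martin mentions or in the Security team's custody, so that a root user can rewrite the file but cannot make it agree with the anchor. The log lines, the `GENESIS` value and the anchor handling are constructed for this example.

```python
import hashlib

# Constructed sample of lines as a syslog relay might forward them.
SAMPLE_LOG = [
    "May 29 10:39:34 web1 sshd[4211]: Accepted publickey for alice from 10.0.0.5",
    "May 29 10:40:02 web1 sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls",
    "May 29 10:41:17 db1 oracle: login failed for user SCOTT",
]

# Starting head of the chain; a real deployment would carry over the
# previous volume's head here so chains stay linked across rotation.
GENESIS = "0" * 64


def chain_entries(lines, prev_head=GENESIS):
    """Return [(line, head), ...] where head = SHA-256(prev_head || "\n" || line).

    Each head commits to every line before it, so removing or editing a line
    changes every head that follows.
    """
    out = []
    head = prev_head
    for line in lines:
        head = hashlib.sha256((head + "\n" + line).encode()).hexdigest()
        out.append((line, head))
    return out


def verify_chain(entries, anchor, prev_head=GENESIS):
    """Check a stored chain against an anchor kept off the log server.

    Returns "ok" when the chain is internally consistent and ends at the
    anchor; otherwise a string naming the first problem found. The anchor is
    what defeats a root user who simply recomputes every head after editing:
    the rewritten chain is self-consistent but no longer ends at the anchor.
    """
    head = prev_head
    for i, (line, recorded) in enumerate(entries):
        head = hashlib.sha256((head + "\n" + line).encode()).hexdigest()
        if head != recorded:
            return f"entry {i} altered or an earlier entry removed"
    if head != anchor:
        return "chain head does not match anchor: chain rewritten or truncated"
    return "ok"
```

The anchor must be published on a schedule (each rotation, or each CD-R change) so that a gap between the last anchor and the current head is itself a finding during log review.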