Re: secure UNIX log server

From: Chopper (no.spam@for.me)
Date: 06/16/02


From: Chopper <no.spam@for.me>
Date: Sun, 16 Jun 2002 01:44:43 GMT

rlhamil@smart.net (Richard L. Hamilton) wrote in
news:uf8d9ff3pero40@corp.supernews.com:

> In article <a969f45a.0205280957.2455e3c9@posting.google.com>,
> fannysaunders@yahoo.com (fanny) writes:
>> I am defining policy and procedures for my company to collect, store
>> and review UNIX logs. We are storing them on a separate UNIX "log
>> server" and locally on servers. The log server is physically secured
>> and limited in who can log in but I am still concerned that the logs
>> could be erased by someone who compromised the root account or by a
>> UNIX administrator authorized to use the root account.
>>
>> The only answer I have come up with is to take root away from the UNIX
>> administrators on the log server and give it to the Security team.
>> Then UNIX admins have root on individual servers but not on the log.
>> Politically, taking root away from the UNIX admins, even on one
>> server, could be impossible. I could have all logs sent to a Windows
>> 2000 server instead. Do I have any other alternatives? Are there any
>> security engineers out there who have come up with a good solution to
>> this problem? thanks in advance,
>
>
> I suppose you could toss Linux or one of the free BSDs (whichever was
> different from anything else, so as to reduce the desire to fool with
> it) on the least expensive commodity PC that is reasonably reliable,
> and put the logging (and no other services and nothing else that anyone
> but the security folks would need to get at) on there. Using a system
> that was too different and low-end to be of interest to anyone else would
> help with the political angle, and an open-source system might better
> lend itself towards e.g. choosing the most reliable syslogd variant
> (or modifying syslogd as needed), etc. Also, at least some of those
> open-source systems include packet-level filtering software, so that
> access to the log server could be carefully tailored to only be exactly
> what was needed.
>

Hey yeah, that's what we've done. We've got this really low-end PC
running FreeBSD logging 3 AIX hosts and a router. Working very well. But
as everybody says the real trick is to get useful info from it. As a
newbie to FreeBSD I have been impressed with the extra tools available like
swatch and snort and nessus. It's really added an extra dimension to our
security - most impressed. Oops, I'm starting to rave. Sorry. :)

Chop
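A concrete version of the setup Richard describes and Chop reports using, added here as an illustration (it is not configuration from either poster or from the FreeBSD, AIX or swatch projects): a FreeBSD log host whose syslogd accepts messages only from the three AIX hosts and the router, with the packet filter limiting interactive access to the security team's workstation. All addresses (192.0.2.x), the log host address 192.0.2.10 and the interface name fxp0 are placeholders chosen for the example.

```conf
# --- /etc/rc.conf on the FreeBSD log host (placeholder addresses) ---
# Accept remote syslog, but only from the three AIX hosts and the router.
syslogd_enable="YES"
syslogd_flags="-a 192.0.2.11/32 -a 192.0.2.12/32 -a 192.0.2.13/32 -a 192.0.2.1/32"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"

# --- /etc/ipfw.rules on the log host: default deny, only what is needed ---
# fxp0 is the single network interface; 192.0.2.50 is the security team's workstation.
ipfw -q flush
ipfw add 100 allow ip from any to any via lo0
# syslog (UDP/514) is accepted only from the known senders.
ipfw add 200 allow udp from 192.0.2.11 to me 514 in via fxp0
ipfw add 201 allow udp from 192.0.2.12 to me 514 in via fxp0
ipfw add 202 allow udp from 192.0.2.13 to me 514 in via fxp0
ipfw add 203 allow udp from 192.0.2.1  to me 514 in via fxp0
# Interactive access (ssh) only from the security team's workstation.
ipfw add 300 allow tcp from 192.0.2.50 to me 22 in via fxp0 setup
ipfw add 301 allow tcp from any to any established
# Nothing else is needed on this box, so everything else is dropped and
# logged; probes against the log host then appear in its own logs.
ipfw add 65000 deny log ip from any to any

# --- /etc/syslog.conf on each AIX host: forward everything at info and above ---
*.info    @192.0.2.10
```

The syslogd -a list and the ipfw rules are deliberately redundant: the filter stops unwanted senders before syslogd sees them, and the -a list still applies if the filter is ever disabled.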
