Re: Exam revision - audit security problems

From: ToxicSeahorse (like@yea.right)
Date: 01/15/03


From: "ToxicSeahorse" <like@yea.right>
Date: Wed, 15 Jan 2003 00:49:34 +0000 (UTC)


"Nick Maclaren" <nmm1@cus.cam.ac.uk> wrote in message
news:b00gbi$hii$1@pegasus.csx.cam.ac.uk...
>
> In article <thvv-044E41.23423913012003@news.comcast.giganews.com>,
> Tom Van Vleck <thvv@multicians.org> writes:
> |> "ToxicSeahorse" wrote:
> |> > Audit as a logging mechanism can be used to monitor security issues. Can the
> |> > audit process itself pose any security-related problems on the system?
> |> >
> |> > Off the top of my head, I came up with spoofing the audit logs or directly
> |> > hacking them - although I think there is probably a much more logical
> |> > explanation. Do any of you UNIX gurus have any input?
> |>
> |> What happens when there are a lot of audit events?
> |> Eventually something fills up. What do you do then?
> |> - stop, so as not to lose anything
> |> - forget something, if so, what
> |>
> |> What happens if audit events come more rapidly than your
> |> log can write them out?
> |>
> |> Perennial problems.
>
> You can also ensure that hacking attempts are not logged by crashing
> the system that way! An old trick :-)
>
> There is also information leakage - by monitoring the audit data,
> even the file size, you can see when other subsystems are active.
>
> This is particularly serious when you have a decent security system
> (i.e. not 'root' and 'the rest'), because the auditor has read-only
> privileges beyond even the system administrator, and you have to be
> careful that he cannot make use of that to get administrator
> privileges.

Thanks very much for the replies,

Cheers,

Ted
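
Added example (not part of the original thread or written by any of its posters): a small Python model of the "something fills up" question raised above, comparing the stop and forget choices for a fixed-size audit buffer. The class name, policy names, AUDIT_LOST marker and sample events are all constructed for illustration.

```python
from collections import deque

class AuditQueueFull(Exception):
    """Raised under 'halt': the audited action must not proceed unlogged."""

class BoundedAuditQueue:
    POLICIES = ("halt", "drop_newest", "drop_oldest")  # illustrative names

    def __init__(self, capacity, policy):
        if policy not in self.POLICIES:
            raise ValueError(f"unknown policy: {policy}")
        self.capacity, self.policy = capacity, policy
        self.events = deque()
        self.lost = 0  # events discarded since the last flush

    def record(self, event):
        if len(self.events) < self.capacity:
            self.events.append(event)
            return True
        if self.policy == "halt":
            # Nothing is lost, but a flood of events now stops the system.
            raise AuditQueueFull(event)
        self.lost += 1
        if self.policy == "drop_oldest":
            self.events.popleft()      # forget the earliest evidence
            self.events.append(event)
            return True
        return False                   # drop_newest: forget what just happened

    def flush(self):
        """Drain the buffer; a loss marker makes any gap visible to the auditor."""
        out = [f"AUDIT_LOST count={self.lost}"] if self.lost else []
        out.extend(self.events)
        self.events.clear()
        self.lost = 0
        return out

def simulate(policy, burst, capacity=3):
    """Feed a burst faster than the log is written; return (log, halted_at)."""
    q = BoundedAuditQueue(capacity, policy)
    halted_at = None
    for i, event in enumerate(burst):
        try:
            q.record(event)
        except AuditQueueFull:
            halted_at = i
            break
    return q.flush(), halted_at

BURST = ["e0", "e1", "e2", "e3", "e4", "e5"]  # constructed sample events

if __name__ == "__main__":
    for policy in BoundedAuditQueue.POLICIES:
        print(policy, simulate(policy, BURST))
```

Whichever policy is chosen, the count of discarded events is itself an audit record worth alerting on, since a silent gap cannot be told apart from a quiet period.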


