Logging

Use it but don't lose it


OK, you've spent some time making syslog as paranoid as possible. Your log partition fills up regularly and nothing escapes your notice. Time to kick back, have a camel[1] and an espresso, right?

Wrong! A simple rule: if you think you are safe and secure, then you are not.

The first thing any intelligent[2] intruder will do is to modify the logging files to remove all trace of their actions.

There are two simple ways around this:

1.) Remote Logging Machine
It is easy to dedicate and secure a separate remote machine to store audit records. However, this may be out of the price range of some users.

2.) Line Printer
A cheap printer can be purchased and used to print out security-critical audit records. It is also possible to set up a floor printer (dorm folks) that everyone could send log print requests to. It is also useful to run a network time protocol so that the machines' audit records stay synchronized for later playback.
[1] - ACM and Argus Systems Group do not make any implied statement about caffeine and tobacco products
[2] - ACM and Argus Systems Group do not make any implied statement about the intelligence level of intruders or their desire for caffeine[1]
