
Re: Auditing File Changes



On Mon, 2006-07-10 at 15:42 -0400, Valdis Kletnieks vt edu wrote:
...
> 
> Probably depends on what actual problem he's trying to solve by recording
> all the changes.

Most likely the same one I have been working on all my career:

Security guy: Please deliver system with maximum security.
System guy (me): What do you need to know?
Security guy: Any and all changes to security-relevant files.
System guy: Which ones are those?
Security guy: All of 'em.

Basically my plan is this:
As Steve Grubb said, instrument the processes with trusted access.
Have file watches which note when certain "critical" files are opened
for write/append.
Have an audit analysis program which compares the trusted accesses to
the total accesses; the delta shows potentially interesting mods.

LCB.

-- 
LC Bruzenak
lenny bruzenak com
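
The delta analysis outlined in the message above, as an added example that is not part of the original post or of any audit tooling. The log lines are constructed and use a simplified auditd-style layout. The watch key `critical-write`, the use of `USER_CHAUTHTOK` as the trusted application's own record, and matching on pid plus exe are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample records (simplified auditd-style key=value lines, not real log data).
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1152560001.100:501): syscall=5 success=yes pid=2101 uid=0 exe="/usr/bin/passwd" key="critical-write"
type=PATH msg=audit(1152560001.100:501): name="/etc/shadow"
type=USER_CHAUTHTOK msg=audit(1152560001.300:502): pid=2101 uid=0 exe="/usr/bin/passwd" res=success
type=SYSCALL msg=audit(1152560050.200:510): syscall=5 success=yes pid=2177 uid=0 exe="/bin/vi" key="critical-write"
type=PATH msg=audit(1152560050.200:510): name="/etc/shadow"
type=SYSCALL msg=audit(1152560090.000:515): syscall=5 success=no pid=2190 uid=500 exe="/bin/cat" key="critical-write"
type=PATH msg=audit(1152560090.000:515): name="/etc/sudoers"
'''

HEADER = re.compile(r'type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(log):
    """Group records by audit event serial: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # ignore anything that is not an audit record
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        fields["time"] = float(ts)
        events[int(serial)][rtype] = fields
    return events

def untrusted_writes(log, watch_key="critical-write",
                     trusted_types=("USER_CHAUTHTOK",)):
    """Return watched opens that no trusted application record accounts for."""
    events = parse(log)
    # Trusted accesses: (pid, exe) pairs that emitted their own audit record.
    trusted = {(r["pid"], r["exe"]) for ev in events.values()
               for t, r in ev.items() if t in trusted_types}
    delta = []
    for serial in sorted(events):
        sc = events[serial].get("SYSCALL")
        if not sc or sc.get("key") != watch_key:
            continue  # not a hit on a watched file
        if (sc["pid"], sc["exe"]) in trusted:
            continue  # explained by an instrumented process
        path = events[serial].get("PATH", {}).get("name", "?")
        # Failed opens are kept too: a denied write attempt is still of interest.
        delta.append((serial, path, sc["exe"], sc["success"]))
    return delta
```

Pids are reused over time, so an analysis over a long log would also bound the match by timestamp or login session.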

