Thank you to
Sakellaris Alexander
Todd V. Minnella
Jerome M Berkman
MC.Vialatte_at_custsv.univ-bpclermont.fr
Degerness, Mandell ITSD:EX
Richard Bond
lrs22_at_att.net
A special thank you goes to Kurt Carlson for pointing me to some of his DU
(or is it now T64U ;-) ) software:
ftp://raven.alaska.edu/pub/sois/Overview.html Useful stuff!
The biggest and best "Thank you" goes to Toni Harbaugh-Blackford. Toni gave
a presentation on auditing at DECUS just last week and was kind enough to
enclose a pointer:
ftp://ftp.ncifcrf.gov/pub/decusri . This directory
contains a PowerPoint presentation Toni wrote entitled "Using Audit Data to
Detect Possible Intruders." It's really a great example of what you can do
with audit and accounting information. The techniques Toni presents are
also very useful in general.
In an email exchange, Toni also pointed out a pitfall which I wasn't aware
of. I had assumed that the audit_id field in the audit system could only be
set once (usually at login) and was inherited unchanged by all children of
the setting process. Toni wrote:
"Unfortunately, the audit id IS NOT IMMUTABLE... The documentation is wrong,
and has been for a number of years. A privileged user can change his/her
audit id using the setluid() call, but NOT without leaving a trail.
setluid() triggers a 'security' event, which has the NEW audit id as
an argument and the OLD audit id as a return value. I give an example of
this in my powerpoint presentation, but I don't know if I highlighted it
enough."
An important point well worth considering -- especially if you are using the
audit facility to detect intruders like Toni. Right now, I'm more
interested in building a trail of accountability as required by "The Powers
That Be," but I will definitely remember this when I need to secure a box
on the Internet.
Thanks for all the useful information and tips. Most of my problems seem to
be a simple lack of familiarity with the DEC audit set up. Double shame on
me, since I worked for DEC for five years doing Unix support, but that was
five years ago. I've lost a lot of brain cells and gained a lot of grey
hair since then, so I guess I can be forgiven! ;-)
Cheers!
Frank
Received on Fri Jun 25 1999 - 20:15:08 NZST
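The pitfall Toni describes (a privileged process changing its audit id via setluid(), leaving a 'security' event whose argument is the new id and whose return value is the old one) is the kind of thing an accountability trail has to survive. The following is an added example, not part of the original post and not a parser for the real Tru64/Digital UNIX audit log format: it assumes a constructed, simplified record layout (one dict per event, with field names chosen here) that carries only the facts the post states, and shows how a reviewer would both flag audit-id changes and keep charging later activity to the identity assigned at login.

```python
"""Spot audit-id changes and keep events attributable to the login identity.

Added example; the record layout below is constructed and simplified, not the
real audit_tool output. The one behaviour it relies on is the one the post
describes: a setluid() call is recorded as a 'security' event whose call
argument is the NEW audit id and whose return value is the OLD audit id.
"""
from dataclasses import dataclass

# Constructed sample stream (field names are assumptions of this example):
# a user logs in as audit id 1001, gains privilege, changes the audit id to 0
# with setluid(), forks a child, and the child runs a command under audit id 0.
# The last record is a setluid() that does not actually change the id.
SAMPLE_RECORDS = [
    {"seq": 1, "event": "login", "pid": 200, "audit_id": 1001, "uid": 1001},
    {"seq": 2, "event": "exec", "pid": 200, "audit_id": 1001, "uid": 1001,
     "arg": "/bin/ksh"},
    {"seq": 3, "event": "security", "pid": 200, "audit_id": 0, "uid": 0,
     "syscall": "setluid", "arg": 0, "result": 1001},
    {"seq": 4, "event": "fork", "pid": 200, "child_pid": 201, "audit_id": 0,
     "uid": 0},
    {"seq": 5, "event": "exec", "pid": 201, "audit_id": 0, "uid": 0,
     "arg": "/sbin/useradd"},
    {"seq": 6, "event": "security", "pid": 300, "audit_id": 500, "uid": 0,
     "syscall": "setluid", "arg": 500, "result": 500},
]


@dataclass
class AuditIdChange:
    """One setluid() event that actually changed the audit id."""
    seq: int
    pid: int
    old_audit_id: int
    new_audit_id: int
    uid: int


def is_setluid(rec):
    """True for the 'security' event the post says setluid() generates."""
    return rec.get("event") == "security" and rec.get("syscall") == "setluid"


def find_audit_id_changes(records):
    """Return every setluid() event whose new id (arg) differs from the old (result)."""
    changes = []
    for rec in records:
        if not is_setluid(rec):
            continue
        new_id, old_id = rec["arg"], rec["result"]
        if new_id != old_id:
            changes.append(AuditIdChange(rec["seq"], rec["pid"], old_id, new_id, rec["uid"]))
    return changes


def attribute_to_login(records):
    """Map each record to the audit id its process chain started with.

    Walks the stream in order. A pid's origin is the first audit id seen for it
    (for a setluid() record that is the OLD id carried in the return value),
    and a fork hands the parent's origin to the child. The result is a list of
    (seq, recorded audit id, originating audit id) tuples, so an event logged
    under the new id can still be charged to the login identity.
    """
    origin = {}          # pid -> audit id the session started with
    attributed = []
    for rec in records:
        pid = rec["pid"]
        if is_setluid(rec):
            origin.setdefault(pid, rec["result"])
        else:
            origin.setdefault(pid, rec["audit_id"])
        if rec["event"] == "fork":
            origin[rec["child_pid"]] = origin[pid]
        attributed.append((rec["seq"], rec["audit_id"], origin[pid]))
    return attributed


if __name__ == "__main__":
    for change in find_audit_id_changes(SAMPLE_RECORDS):
        print(f"seq {change.seq}: pid {change.pid} changed audit id "
              f"{change.old_audit_id} -> {change.new_audit_id} (uid {change.uid})")
    for seq, recorded, origin_id in attribute_to_login(SAMPLE_RECORDS):
        print(f"seq {seq}: recorded audit id {recorded}, attributed to {origin_id}")
```

The two functions are deliberately separate: the first is the alert (an audit-id change by a privileged process is something to look at on its own), while the second is the bookkeeping that keeps the accountability trail intact once such a change has happened. Both depend only on the old-id/new-id pairing the post describes, so adapting them to real audit_tool output means replacing the record layout, not the logic.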