Auditing File Changes

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Jul 10 20:38:02 UTC 2006


On Mon, 10 Jul 2006 14:56:47 CDT, LC Bruzenak said:

> Security guy: Please deliver system with maximum security.

At this point, we already know the request is a crock.  Even fascist
military-style security recognizes that there exist tradeoffs (which is
why "Secret" and "Top Secret" have different requirements to prevent
disclosure, and so on).

> System guy (me): What do you need to know?
> Security guy: Any and all changes to security-relevant files.

You missed the obvious questions here:

Do you need the exact change, or is the fact that an unauthorized change
happened sufficient (you can always just get the old version off backups
and diff them)?

Do you need to know about unexplained failed attempts as well?

> System guy: Which ones are those?
> Security guy: All of 'em.

*all* files are security relevant?  Yowza. :)

There's not much that the audit code can do to support an unrealistic
design.  There may not be much it can do to support a *realistic* one that
has certain requirements - but at least at that point we can point you
at other tools to address the issues...
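An added illustration of the distinction drawn above between "an unauthorized change happened" and "what exactly changed" (this is example code, not from this thread or from the audit subsystem): a stored hash baseline answers the first question on its own, and only for files that actually changed does the script pull the old copy from a backup tree and diff it. The watched-file list, the live/backup directory layout and the sample file contents are all constructed for this example.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

# Constructed list of "security-relevant" files, relative to the system root.
WATCHED = ["etc/passwd", "etc/sudoers"]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, watched) -> dict:
    """Record the current hash of every watched file (None if it is absent)."""
    baseline = {}
    for rel in watched:
        p = root / rel
        baseline[rel] = sha256_of(p) if p.is_file() else None
    return baseline


def check_baseline(root: Path, baseline: dict) -> dict:
    """Question 1: which watched files differ from the stored baseline?"""
    report = {}
    for rel, old in baseline.items():
        p = root / rel
        new = sha256_of(p) if p.is_file() else None
        if new == old:
            report[rel] = "unchanged"
        elif old is None:
            report[rel] = "created"
        elif new is None:
            report[rel] = "deleted"
        else:
            report[rel] = "modified"
    return report


def diff_against_backup(root: Path, backup_root: Path, rel: str) -> str:
    """Question 2, asked only for changed files: unified diff of backup copy vs. live copy."""
    old_lines = (backup_root / rel).read_text().splitlines(keepends=True)
    new_lines = (root / rel).read_text().splitlines(keepends=True)
    return "".join(difflib.unified_diff(
        old_lines, new_lines, fromfile=f"backup/{rel}", tofile=f"current/{rel}"))


def demo() -> dict:
    """Run the workflow end to end on constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "live"      # hypothetical live system root
        backup = Path(tmp) / "backup"  # hypothetical backup tree with identical layout
        for base in (root, backup):
            (base / "etc").mkdir(parents=True)
            (base / "etc/passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
            (base / "etc/sudoers").write_text("root ALL=(ALL) ALL\n")
        baseline = build_baseline(root, WATCHED)

        # Simulate an unrecorded edit to one watched file on the live system.
        (root / "etc/sudoers").write_text(
            "root ALL=(ALL) ALL\nbackupadmin ALL=(ALL) ALL\n")

        report = check_baseline(root, baseline)
        diffs = {rel: diff_against_backup(root, backup, rel)
                 for rel, status in report.items() if status == "modified"}
        return {"report": report, "diffs": diffs}


if __name__ == "__main__":
    result = demo()
    print(result["report"])
    for text in result["diffs"].values():
        print(text)
```

The baseline step is cheap enough to run on every watched file at whatever interval the requirement demands; the diff step, which needs the backup copy, is only paid for the handful of files the hash check flags.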
