On Tuesday 20 December 2005 13:17, Alvin Oga wrote:
logs should be time stamped and gpg signed to minimize tampering
worst still, what if they admins turn off all logging on the
machines so there is zero-ized log files ... silly admins forgot to
check that syslogd is running or other that /var/log exists
/var/log typically get moved to a remote loghost .. that may or
may not be writable by that host
Whether logs are legal evidence or have any meaning in a court of
justice or even in a less formal environment like an HR office that's
a very different kind of story. EU directives and Member States Laws
ask us to retain them for a certain period of time. Period. How to
use them for what purpose is somebody else's issue.
To us techies is very clear that logs are just.... logs. Text files
with lines of rubbish one after the other that maybe are genuine
maybe are not, and that can easily be tampered with a simple text
editor. Depending on who you are dealing with logs may be the the
source of truth, nothing at all, or anything in between....
--
Alessandro Bottonelli
CISSP, BS7799 LA
http://www.axis-net.it
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------
