
Pat,

Collaboration is extremely difficult to guard against and at some level
impossible so auditors often overlook conspiracy theories. With one
system administrator it seems pretty straightforward to determine who
deleted the receiver. However, on many systems, multiple system
administrators, lax security policies, honest mistakes, or lack of
expertise when setting up system security leave open the possibility
that a journal could be deleted or tampered with. In many cases, it
would be impossible to tie that event to a single individual or could go
undetected.

Because journals are one of the main ways of detecting unauthorized
activity it is very important that they are not the weak link. Getting
journals off of the system also reduces the chance that someone will
destroy your machine to cover their tracks.

David Morris

>>> botz@xxxxxxxxxx 01/14/05 4:52 PM >>>
> What the Audit team is looking for is to prevent the System admin, who has
> all the God rights on the system, from doing anything bad. If System
> security receivers are somehow replicated online to some other system
> like Unix then one can know what had happened

I agree that copying it to another system where the OS400 admin does not
have an ID with authority to delete it adds a layer of defense. But it
does not remove the issue -- it just makes it harder. What if the sys
admins on the two systems are the same, or friends, or co-conspirators?

The point I'd like to make is that at some point you have to rely on a
policy that says something like "if you ever delete the audit journal (or
copies of it) without authorization, we'll know and we'll fire you." Once
you have this policy in place and the admins know about it, then making a
copy gives you an extra layer of defense. Without a policy which addresses
the deletion of the audit journal or copies of it, you can't hold anyone
accountable. Making a copy does not prevent all copies from being deleted
nor does it provide accountability.

Now, if you have this policy in place, I might argue that the value of
making a copy of the audit journal to another system might not provide that
much more additional benefit. But that would be your call to make.

Patrick Botz
Senior Technical Staff Member
eServer Security Architect
(507) 253-0917, T/L 553-0917
email: botz@xxxxxxxxxx
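Replicating security receivers to a Unix host, as discussed above, only helps if the receiving side can tell that a copy has gone missing or been altered. The block below is an added example, not code from this thread or from any IBM i or midrange.com tool: it ingests receiver copies in arrival order, links each to its predecessor with a SHA-256 digest, and then checks sequence continuity, the digest chain, and (going a step beyond the thread, to cover Pat Botz's point that all copies can be deleted) whether the tail has been truncated against a separately recorded latest sequence number. Receiver names, contents and the `expected_latest_seq` value are constructed assumptions; real receivers are binary journal data.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ReceiverCopy:
    name: str         # receiver name as it was on the IBM i side (constructed sample)
    seq: int          # order in which it was attached to the audit journal
    data: bytes       # receiver contents as shipped to the off-system host
    prev_digest: str  # SHA-256 of the previous receiver, recorded when this one arrived


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def receive_all(raw):
    """Ingest (name, seq, data) tuples in arrival order, linking each copy to its predecessor."""
    copies, prev = [], ""
    for name, seq, data in raw:
        copies.append(ReceiverCopy(name, seq, data, prev))
        prev = digest(data)
    return copies


def verify_chain(copies, expected_latest_seq):
    """Return a list of findings; an empty list means the copy set is continuous and unaltered.
    expected_latest_seq must come from a record the administrators of both systems cannot change,
    otherwise deleting the newest copies stays undetected (assumption, see lead-in)."""
    findings, prev_seq, prev_dig = [], None, ""
    for c in sorted(copies, key=lambda x: x.seq):
        if prev_seq is not None and c.seq != prev_seq + 1:
            findings.append(f"gap before {c.name}: receivers {prev_seq + 1}..{c.seq - 1} missing")
        if c.prev_digest != prev_dig:
            findings.append(f"chain break at {c.name}: predecessor altered or replaced")
        prev_seq, prev_dig = c.seq, digest(c.data)
    if prev_seq != expected_latest_seq:
        findings.append(f"tail truncated: latest on hand is {prev_seq}, expected {expected_latest_seq}")
    return findings


# Constructed sample: four receiver copies received in order, chain intact.
SAMPLE = receive_all([
    ("AUDRCV0001", 1, b"CP entries ..."),
    ("AUDRCV0002", 2, b"PW entries ..."),
    ("AUDRCV0003", 3, b"DO entries ..."),
    ("AUDRCV0004", 4, b"SV entries ..."),
])

if __name__ == "__main__":
    print(verify_chain(SAMPLE, 4))                                   # intact: []
    print(verify_chain([c for c in SAMPLE if c.seq != 2], 4))       # deleted copy: gap + chain break
```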

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work.