× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. January 2005

RE: Security Audit Journal receiver

The original request was ...the auditors want me to get the security journal
receiver data over to another system so that the administrators can't do
something sneaky, how do I do that...  TRANSLATION: How do you get 
auditors to quit making stupid requests to make it sound like they know
"security" ;-)   Moving the receiver data will not prevent someone with the
right amount of authority from doing whatever they want on a system.

To get the data off the system efficiently you must have a program that is
receiving the journal entries and sending them to the remote system.  How
hard do you think that will be to defeat - just end the monitor and delete
some receivers when you are done.       

All you are going to do is spend time and money on something that, for the
stated purpose, is useless.  The only good reason I can think of to remote
the security journal data is to feed into a host based intrusion detection
system.

Kurt


-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx
[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Patrick Botz
Sent: Tuesday, January 18, 2005 12:58 PM
To: Midrange Systems Technical Discussion
Subject: Re: Security Audit Journal receiver

David,

You said...
>Because journals are one of the main ways of detecting unauthorized
>activity it is very important that they are not the weak link. Getting
>journals off of the system also reduces the chance that someone will
>destroy your machine to cover their tracks.

You're making an assumption that they are a weak link today. Ok. Let's go
with that. My point is that your proposed solution doesn't necessarily
solve the problem. Since, in the end you have to rely on some number of
people not to delete the journal, you need to make sure that if it is
deleted, you can know who deleted it. Copying the journal OFF of the OS400
system removes your ability to know WHO deleted it.

We can certainly disagree about this, but my take is that losing that
ability at least offsets any value you might have derived by copying it.

Patrick Botz
Senior Technical Staff Member
eServer Security Architect
(507) 253-0917, T/L 553-0917
email: botz@xxxxxxxxxx

-- 
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Replies:
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.