× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.


  1.  Home
  2. MIDRANGE-L
  3. January 2005

RE: Security Audit Journal receiver

> Copying the journal OFF of the OS400
>system removes your ability to know WHO deleted it.

Perhaps more intriguing -- A system that includes programs to retrieve or 
receive audit journal entries and then to transmit them across the network to 
some other system introduces many points where trouble can be increased.

Consider any other program connecting to the remote replication facility and 
entering bogus journal entries. Or a proxy that modifies entries as they go 
across. Or simply ending the source program before doing unauthorized actions 
and then deleting receivers.

Replication can make it easier to obscure what happened if someone wants to. 
Anyone who can break the OS/400 authority to mess up audit journals can 
certainly mess up replication to the point of hopelessly confusing the issue. 
If breaking authority is unnecessary because sufficient authority already 
exists, then the problem is already out of hand. And anyone likely to mess up 
audit journals is also likely to know more than enough about a replication 
process.

Tom Liotta

midrange-l-request@xxxxxxxxxxxx wrote:

>   9. Re: Security Audit Journal receiver (Patrick Botz)
>
>You said...
>>Because journals are one of the main ways of detecting unauthorized
>>activity it is very important that they are not the weak link. Getting
>>journals off of the system also reduces the chance that someone will
>>destroy your machine to cover their tracks.
>
>You're making an assumption that they are a weak link today. Ok. Let's go
>with that. My point is that your proposed solution doesn't necessarily
>solve the problem. Since, in the end you have to rely on some number of
>people not to delete the journal, you need to make sure that if it is
>deleted, you can know who deleted it. Copying the journal OFF of the OS400
>system removes your ability to know WHO deleted it.
>
>We can certainly disagree about this, but my take is that losing that
>ability at least offsets any value you might have derived by copying it.
>
>Patrick Botz
>Senior Technical Staff Member
>eServer Security Architect
>(507) 253-0917, T/L 553-0917
>email: botz@xxxxxxxxxx

-- 
Tom Liotta
The PowerTech Group, Inc.
19426 68th Avenue South
Kent, WA 98032
Phone  253-872-7788 x313
Fax    253-872-7904
http://www.powertech.com


__________________________________________________________________
Switch to Netscape Internet Service.
As low as $9.95 a month -- Sign up today at http://isp.netscape.com/register

Netscape. Just the Net You Need.

New! Netscape Toolbar for Internet Explorer
Search from anywhere on the Web and block those annoying pop-ups.
Download now at http://channels.netscape.com/ns/search/install.jsp

As an Amazon Associate we earn from qualifying purchases.

This thread ...
Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.