 
Security Basics mailing list archives
Re: Monitoring sys admins activities
From: Ali Demiröz <demirozali () gmail com>
Date: Wed, 15 Sep 2010 09:52:42 +0300
You can give NtSyslog (http://sourceforge.net/projects/ntsyslog/) a try. It is a bit outdated open source project which creates a service that parses your system logs and sends them over syslog to a server. But I have no idea how to prevent a sysadmin from closing such a service.

On Tue, Sep 14, 2010 at 10:47 PM, <krymson () gmail com> wrote:

You will want to turn on file access auditing on your file servers. You will then want a log manager to hold and parse logs. Any SIEM/SIM should be able to do this. Just expect false positives and make sure whoever sees the alerts knows that there are plenty of benign reasons those sensitive files are touched (for instance whatever backs those files up and the account it runs under). Too many of these, and you'll need another technical person to interpret the noise... which may defeat the purpose.

Also, for completeness, you will want to think hard about how powerful your admins are. They are basically the gods of your network, and rightly so!! They could create a new account or reset the password on an existing account and use it to access that data. Or usurp the backup software account. Or use something generic like Local System. Likewise, they control the network so may be able to capture such data in transit. They have physical access so may be able to clone the hard disk (or virtual server) or walk backup tapes home. They have full rights to desktops and may be able to just watch over the owner's shoulder. They are paid to manage the servers, so will have admin rights to turn off logging agents, scrub logs, and turn them back on.

You either need to log and lock down everything, or... tell the owner that he should also pursue very stringent hiring practices for such godlike persons, and make sure they have tight management such that they can spot and handle any trouble-signs of a bad admin.

IMO, it is often not worth the trouble to watch your admins closely, as much as it is useful to manage them properly and watch/warn/handle trouble signs before they become disgruntled employees or have some external pressure (money or otherwise [your information gods better be paid competitively, as an aside*]) to start taking advantage of their access on the job.

I know it seems I'm making this very black and white in my above statements. "Either be perfect or screw it and get back to management practices." But really it's about managing expectations such that you can choose just how far to take this, but then explain that there are still holes and opportunities for abuse. The creative art of managing risk.

Very importantly, I want to highlight that the response of those admins should be applauded and mentioned. Far too often even well-intentioned admins (myself included) will resist such scrutiny as needless and may in fact be deeply offended and resentful. Their response is refreshing and should be encouraged and rewarded, and may be an indication that they may very well be solid employees.

* It might be a tangential discussion to think about generously paying your admins... or generously paying your security persons who oversee the admins...

<- snip ->

Hi great list members!!

I was hired by an owner of a company; he gave me a task: he wants to monitor access to a few folders on a few file servers (Windows) where he has some confidential information. The thing gets a bit complicated because he wants to also monitor, and be alerted, if the sysadmins access the folders. So I'm looking for a solution (product/software?) that will read the logs of a server and export them, say, to a remote server where the admins don't have access, and also will send a mail to the owner of the company if someone accesses a specific folder on that server. The process should work so that the sysadmins can't modify those logs. I know it's problematic but I must find a solution, and also I can come with a solution that costs 1 million dollars because the owner won't implement a thing.

Also any insights about that kind of a project are most welcome (gaps, how long it takes to implement, etc). Also I talked to the sysadmins on the site; they are not against this kind of project, they want to be monitored so if a problem happens they can say that the logs will tell that they weren't the guys that caused the problem.

Thanks for your help!!
Juan

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
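The thread asks for three things: alert when a watched folder is accessed, keep the backup account from drowning the owner in false positives (krymson's warning), and make forwarded logs something the admins cannot quietly edit after the fact. The following is an added example, not code from this thread, from NtSyslog or from any SIEM product, showing the collector-side half of that: it classifies forwarded Windows file-access audit events (event ID 4663) against a watched-folder policy and checks a hash chain over the forwarded records so a record altered or deleted after it reached the collector is detected. The folder paths, account names, the readable access-right names and the JSON-like event shape are all constructed assumptions; a real forwarder would emit the raw 4663 fields and a numeric access mask.

```python
"""Collector-side checks for forwarded Windows 4663 file-access audit events.

Added example (assumptions, not from the thread): paths, accounts and the
event dictionary shape are constructed sample data.
"""
import hashlib
import json

# Constructed policy: folders the owner cares about, the backup service
# account whose reads are expected, and the accounts that are sysadmins.
WATCHED_FOLDERS = (r"D:\Shares\Finance\Board", r"D:\Shares\HR\Payroll")
BENIGN_ACCOUNTS = frozenset({r"CORP\svc-backup"})
ADMIN_ACCOUNTS = frozenset({r"CORP\jdoe", r"CORP\msmith"})
# Rights that a backup agent has no business using on these folders.
WRITE_RIGHTS = frozenset({"WriteData", "AppendData", "DELETE", "WriteDAC", "WriteOwner"})

# Constructed sample events, in the shape an assumed forwarder would emit.
SAMPLE_EVENTS = [
    {"ts": "2010-09-14T22:10:03Z", "event_id": 4663, "account": r"CORP\svc-backup",
     "object": r"D:\Shares\Finance\Board\Q3-forecast.xlsx", "access": ["ReadData"]},
    {"ts": "2010-09-14T22:41:17Z", "event_id": 4663, "account": r"CORP\jdoe",
     "object": r"D:\Shares\Finance\Board\Q3-forecast.xlsx", "access": ["ReadData"]},
    {"ts": "2010-09-14T23:02:55Z", "event_id": 4663, "account": r"CORP\alice",
     "object": r"D:\Shares\HR\Payroll\2010-09.csv", "access": ["ReadData", "WriteData"]},
    {"ts": "2010-09-14T23:05:10Z", "event_id": 4663, "account": r"CORP\jdoe",
     "object": r"D:\Public\readme.txt", "access": ["ReadData"]},
]

GENESIS = "0" * 64  # chain head before the first record


def _in_watched_folder(path):
    lowered = path.lower()
    return any(lowered.startswith(folder.lower() + "\\") for folder in WATCHED_FOLDERS)


def classify(event):
    """Return None when no alert is due, else an alert dict for one 4663 event."""
    if not _in_watched_folder(event["object"]):
        return None
    account = event["account"]
    rights = set(event["access"])
    # Backup agent reading the share is expected; suppress it unless it writes.
    if account in BENIGN_ACCOUNTS and not rights & WRITE_RIGHTS:
        return None
    severity = "high" if account in ADMIN_ACCOUNTS else "medium"
    return {"severity": severity, "ts": event["ts"], "account": account,
            "object": event["object"], "access": sorted(rights)}


def _digest(event, prev_hash):
    """Hash of one event bound to the hash of the record before it."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + body).encode()).hexdigest()


def chain(events):
    """Forwarder side: wrap each event with a sequence number and chained hash."""
    records, prev = [], GENESIS
    for seq, event in enumerate(events):
        digest = _digest(event, prev)
        records.append({"seq": seq, "event": event, "prev": prev, "hash": digest})
        prev = digest
    return records


def verify(records):
    """Collector side: index of the first broken link, or None if intact.

    A record rewritten in place changes its own hash; a record removed or
    reordered breaks the 'prev' link of the record that follows it.
    """
    prev = GENESIS
    for index, record in enumerate(records):
        if record["prev"] != prev or record["hash"] != _digest(record["event"], prev):
            return index
        prev = record["hash"]
    return None


def alerts_for(records):
    """Verify the chain, then classify every event. Returns (break_index, alerts)."""
    broken = verify(records)
    alerts = [alert for record in records if (alert := classify(record["event"]))]
    return broken, alerts


if __name__ == "__main__":
    forwarded = chain(SAMPLE_EVENTS)
    broken, alerts = alerts_for(forwarded)
    print("chain intact" if broken is None else f"chain broken at record {broken}")
    for alert in alerts:
        print(f"[{alert['severity']}] {alert['ts']} {alert['account']} -> {alert['object']} {alert['access']}")
```

The chain only gives tamper evidence for records that have already reached the collector, which must retain the last hash it accepted and compare against it on the next delivery; that is the property Juan asked for (admins cannot edit what has been shipped), not a fix for Ali's open question of an admin simply stopping the forwarding service. A gap in sequence numbers or a stalled chain head is therefore itself an alert condition worth raising to the owner.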
Current thread:
- Monitoring sys admins activities Juan B (Sep 14)
- Re: Monitoring sys admins activities Rolf Huisman (Sep 15)
 - <Possible follow-ups>
- Re: Monitoring sys admins activities krymson (Sep 14)
- Re: Monitoring sys admins activities Fred Concklin (Sep 15)
- Re: Monitoring sys admins activities Ali Demiröz (Sep 15)
- Re: Monitoring sys admins activities Champ Clark III [Softwink] (Sep 16)