Re: lastlog stuff

Jas (matt@uts.edu.au)
Sun, 28 Aug 1994 16:16:02 +1000 (EST)

*Hobbit* wrote this...
> 
> Lastlog, process accounting, utmp/wtmp/utmpx/wtmpx, and maybe even syslog
> are useless if an intruder has taken steps to "vanish" properly.  Kernel
> accounting, if transferred soon enough to some secured receiver site, may
> still be intact.  Comments on other non-destroyable user-authentication
> records, anyone?
> 
> _H*
> 
Real-time tracking of utmp/wtmp/utmpx/wtmpx to another secure machine can
normally be trusted, especially if it is logged to a WORM drive. That way
the hacker can mod the file entry, but they can't destroy anything on the
WORM drive. IMHO WORM drives are perfect devices for keeping log files:
they are big (anyone ever seen a small log file?), and they are write once,
which means your log files are physically protected.


					Matt


--

	Matthew Keenan
	Systems Programmer		Information Technology Division
	University of Technology Sydney

	www:	http://milliways.itd.uts.edu.au/~matt/
	email:	matt@uts.edu.au
	phone:	+61 2 330 1390		"Don't murder a man who is about
	fax:	+61 2 330 1999		to commit suicide."
	home:	+61 2 416 5722		-- Machiavelli

GCV 2.1 GAT/M/CS d--(-+) H-- s++:-- g+ p? !au a-(?) w+++ v+ C+++$ UVS++++$
	P+>+++ L- 3+++ E-(++) N++ K W--- M+ V-- -po+(+) Y+ t+ !5>++ jx R+
	G? !tv b+++ D++ B e+ u--(**) h- f+(*) r n- !y
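
An added example, not part of the original message: one way to use the off-host copy described above is to audit the local wtmp against it and report records the local file no longer holds intact. It assumes the Linux glibc 384-byte record layout (other Unix systems differ); the helper names and all sample records are constructed for illustration.

```python
import struct

# Assumption: Linux glibc utmp/wtmp record layout (384 bytes per record).
REC = struct.Struct("<h2xi32s4s32s256s2h3i4i20s")

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Pack one constructed record (sample data for this demo only)."""
    return REC.pack(ut_type, pid, line.encode(), b"", user.encode(),
                    host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")

def parse(blob):
    """Return [(type, pid, line, user, host, tv_sec)], ignoring a partial tail."""
    records = []
    for off in range(0, len(blob) - len(blob) % REC.size, REC.size):
        f = REC.unpack_from(blob, off)
        line, user, host = (f[i].split(b"\0", 1)[0].decode("ascii", "replace")
                            for i in (2, 4, 5))
        records.append((f[0], f[1], line, user, host, f[9]))
    return records

def audit(local_blob, reference_blob):
    """List reference records that the local file no longer holds intact.

    The reference is the copy shipped off-host as it was written, so it is
    treated as ground truth. Returns [(index, status, user, host, tv_sec)].
    """
    local, reference = parse(local_blob), parse(reference_blob)
    local_set, ref_set = set(local), set(reference)
    findings = []
    for i, ref in enumerate(reference):
        if ref in local_set:
            continue
        # A local slot holding data the reference never saw was rewritten in
        # place; otherwise the record was cut out or the file was truncated.
        rewritten = i < len(local) and local[i] not in ref_set
        findings.append((i, "altered" if rewritten else "missing",
                         ref[3], ref[4], ref[5]))
    return findings

# Constructed sample: three logins as received by the log host.
USER_PROCESS = 7
SAMPLE = [make_record(USER_PROCESS, 100 + n, "ttyp%d" % n, u, h, 778000000 + n)
          for n, (u, h) in enumerate([("alice", "lab1"), ("guest", "remote.example"),
                                      ("bob", "lab2")])]
REFERENCE = b"".join(SAMPLE)
TAMPERED = SAMPLE[0] + bytes(REC.size) + SAMPLE[2]

if __name__ == "__main__":
    for finding in audit(TAMPERED, REFERENCE):
        print(finding)
```

The comparison is by record content, so two byte-identical reference records count as one; a per-record sequence number added by the receiver would remove that ambiguity.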