Re: Signs of an Intruder

Glenn C. Everhart 603 881 1497 (everhart@star.zko.dec.com)
Tue, 26 Nov 1996 08:57:36 -0500

Logging to write once media is a wonderful thing...if you can get it to
work. However, a file structure on WORM tends to need the ability to 
cache on normal disk at first in order to make a file structure. (Some
work like tapes, and can be handled though.) In general sending the
log down a one-way data-only pipe to, say, a PC that has no control
connections on the machine logged is security-wise the same thing. Even
a quite old PC can be used...8088 machines, or 8086 or maybe 80286
are perfectly adequate in such an app, and dirt cheap (I see them at
the dump!).

On the other hand, a software WORM can be concocted also, as I pointed
out in VMS Magic at DECUS maybe 4 years ago now. Just disable the delete
function, and encrypt the underlying file so that one must go through
the virtual disk abstraction to get at data. Someone can corrupt it
(if priv'd) easily enough, but making any changes that don't
leave traces can be much harder. The driver must of course check for 
overwrite and disallow it. I built one some years ago too; was somewhat
useful as a place to put logs that could not be tracelessly tampered
with. I presume such a thing could be done on other OSs, but also the
less base OS security you have, the harder it is to get this sort of
thing right and the easier it becomes to attack. My driver could check
who was accessing it...but the infrastructure for finding this out
may be lacking in more primitive OSs.

Glenn Everhart
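The software WORM the post describes, as an added example that is not Everhart's VMS driver: a Python append-only log store that refuses overwrite and delete, and (going one step beyond the post) chains each record to its predecessor with SHA-256 so that an in-place edit of the backing file leaves a detectable trace. The on-disk line format and the GENESIS anchor are assumptions of this example.

```python
import hashlib
import os

GENESIS = "0" * 64  # constructed anchor hash for the first record


class WriteOnceLog:
    """Software WORM: records can be appended, never rewritten or removed."""

    def __init__(self, path):
        self.path = path
        self.records = []  # (data: bytes, chain_hash: str), in write order
        if os.path.exists(path):
            with open(path, "rb") as f:  # reload an existing backing file
                for line in f:
                    hexdata, h = line.split()
                    self.records.append((bytes.fromhex(hexdata.decode()), h.decode()))

    @staticmethod
    def _chain(prev_hash, data):
        # Each record's hash covers the previous hash, so editing record n
        # invalidates every hash from n onward.
        return hashlib.sha256(prev_hash.encode() + data).hexdigest()

    def append(self, data):
        prev = self.records[-1][1] if self.records else GENESIS
        h = self._chain(prev, data)
        with open(self.path, "ab") as f:  # append mode only: no seeking back
            f.write(data.hex().encode() + b" " + h.encode() + b"\n")
        self.records.append((data, h))
        return len(self.records) - 1

    def write(self, index, data):
        """The driver's overwrite check: an existing record index is refused."""
        if index < len(self.records):
            raise PermissionError(f"record {index} already written; overwrite refused")
        if index != len(self.records):
            raise IndexError("records must be written sequentially")
        return self.append(data)

    def delete(self, index):
        raise PermissionError("delete is disabled on write-once media")

    def read(self, index):
        return self.records[index][0]

    def verify(self):
        """Recompute the chain; False means the backing file was altered."""
        prev = GENESIS
        for data, h in self.records:
            if self._chain(prev, data) != h:
                return False
            prev = h
        return True
```

A privileged user can still corrupt the file directly, as the post notes, but verify() then fails, which is the "leaves traces" property the post is after.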