Exactly how would an intruder remove themselves from a log written to a write only media. Or for that matter a laser printer??

----------
From: Diane Davidowicz[SMTP:diane_d@sun1.wwb.noaa.gov]
Sent: Monday, November 25, 1996 5:27 PM
To: ids@uow.edu.au
Subject: RE: Signs of an Intruder

> Why not just log everything to write once media such as a Worm drive...

This is on the right track and so is logging off to other systems as so many of us know.

>
> I also believe there is some help in using "security through obscurity",
> whereby you place wrapper logs etc. in a logfile where a whole lot of
> irrelevant logging goes too (for example, the ftp xferlog, or somesuch).
>

Wrong. The intruders with a clue know what to look for and remove themselves promptly. Nothing is sacred on a system once it has intruders. Keep checksums to detect what has changed and protect your logs by sending them off to a secured environment.

Diane