Chapter 21. Auditing, Logging, and Forensics
After you have established the protection mechanisms on your system, you will need to monitor them. You should be sure that your protection mechanisms actually work. You should also observe any indications of misbehavior or other problems. This process of monitoring the behavior of the system is known as monitoring or auditing. It is part of a defense-in-depth strategy: doveryay, no proveryay ("trust, but verify"), a Russian proverb that was often recited by former U.S. president Ronald Reagan.

There are many kinds of audits. Two of the most common on Unix systems are spot inspections of file permissions and the systematic review of the Unix log files. A log file is a file that records one or more log events, that is, a specific action, activity, or condition that the author of a program thought might be worth recording.

Log files are important building blocks of a secure system: they form a recorded history, or audit trail, of your computer's past, making it easier for you to track down intermittent problems or attacks. Using log files, you may be able to piece together enough information to discover the cause of a bug, the source of a break-in, and the scope of the damage involved. In cases where you can't stop damage from occurring, at least you will have some record of it. Those logs may be exactly what you need to rebuild your system, conduct an investigation, give testimony, recover insurance money, or get accurate field service performed.

The information in log files is, for the most part, intentionally put there as a result of a programmer's decision. But a running Unix system records other information as well, similar to the way that sand records footprints of animals that walk across a beach. In recent years, there has been significant interest in computer forensics, which is essentially the art of reading the tracks that are left in a computer system.