Chapter 21. Auditing, Logging, and Forensics

After you have established the protection mechanisms on your system, you will need to monitor them. You should be sure that your protection mechanisms actually work. You should also observe any indications of misbehavior or other problems. This process of monitoring the behavior of the system is known as monitoring or auditing. It is part of a defense-in-depth strategy: doveryay, no proveryay ("trust, but verify"), a Russian proverb that was often recited by former U.S. president Ronald Reagan.

There are many kinds of audits. Two of the most common on Unix systems are spot inspections of file permissions and the systematic review of the Unix log files. A log file is a file that records one or more log events—that is, a specific action, activity, or condition that the author of a program thought might be worth recording.

Log files are important building blocks of a secure system: they form a recorded history, or audit trail , of your computer's past, making it easier for you to track down intermittent problems or attacks. Using log files, you may be able to piece together enough information to discover the cause of a bug, the source of a break-in, and the scope of the damage involved. In cases where you can't stop damage from occurring, at least you will have some record of it. Those logs may be exactly what you need to rebuild your system, conduct an investigation, give testimony, recover insurance money, or get accurate field service performed.

The information in log files is, for the most part, intentionally put there as a result of a programmer's decision. But a running Unix system records other information as well—similar to the way that sand records footprints of animals that walk across a beach. In recent years, there has been significant interest in computer forensics, which is essentially the art of reading the tracks that are left in a computer system.