RFC 1244                 Site Security Handbook                July 1991


      vigil can you expect to detect security violations in time to
      react to them.

   3.6.2  Tools for Monitoring the System

      This section describes tools and methods for monitoring a system
      against unauthorized access and use.

      3.6.2.1  Logging

         Most operating systems store numerous bits of information in
         log files.  Examination of these log files on a regular basis
         is often the first line of defense in detecting unauthorized
         use of the system.

            - Compare lists of currently logged in users and past
              login histories.  Most users typically log in and out
              at roughly the same time each day.  An account logged
              in outside the "normal" time for the account may be in
              use by an intruder.

            - Many systems maintain accounting records for billing
              purposes.  These records can also be used to determine
              usage patterns for the system; unusual accounting records
              may indicate unauthorized use of the system.

            - System logging facilities, such as the UNIX "syslog"
              utility, should be checked for unusual error messages
              from system software.  For example, a large number of
              failed login attempts in a short period of time may
              indicate someone trying to guess passwords.

            - Operating system commands which list currently executing
              processes can be used to detect users running programs
              they are not authorized to use, as well as to detect
              unauthorized programs which have been started by an
              intruder.

      3.6.2.2  Monitoring Software

         Other monitoring tools can easily be constructed using standard
         operating system software, by using several, often unrelated,
         programs together.  For example, checklists of file ownerships
         and permission settings can be constructed (for example, with
         "ls" and "find" on UNIX) and stored off-line.  These lists can
         then be reconstructed periodically and compared against the
         master checklist (on UNIX, by using the "diff" utility).
         Differences may indicate that unauthorized modifications have
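The ownership-and-permission checklist described above, as an added example that is not part of the RFC: a master list is built with find, stored off-line, rebuilt later and compared with diff. It assumes GNU find (for -printf); the sample tree in demo() is constructed here for illustration.

```shell
#!/bin/sh
# Checklist of file ownership and permission settings built from
# standard UNIX tools (find, sort, diff), following section 3.6.2.2.
# Assumes GNU find for -printf. The tree in demo() is constructed.

# build_checklist DIR
# One line per object: octal mode, owner, group, path. Sorted with a
# fixed locale so two runs over an unchanged tree compare byte-equal.
build_checklist() {
    find "$1" -printf '%m %u %g %p\n' | LC_ALL=C sort
}

# compare_checklist MASTER DIR
# Rebuild the list for DIR and diff it against the stored master list.
# Exit status 0: identical. 1: something changed, and the diff output
# on stdout shows exactly which entries differ.
compare_checklist() {
    build_checklist "$2" | diff "$1" -
}

# demo
# Construct a tiny tree, record the master list, confirm a clean run
# compares equal, then simulate an unauthorized modification (a setuid
# bit appearing on a binary) and confirm the comparison flags it.
demo() {
    tree=$(mktemp -d) && master=$(mktemp) || return 2
    mkdir -p "$tree/bin" "$tree/etc"
    printf 'binary\n' > "$tree/bin/tool" && chmod 755 "$tree/bin/tool"
    printf 'config\n' > "$tree/etc/conf" && chmod 644 "$tree/etc/conf"
    build_checklist "$tree" > "$master"      # the off-line master copy
    if compare_checklist "$master" "$tree" >/dev/null; then
        clean=ok
    else
        clean=FAILED
    fi
    chmod 4755 "$tree/bin/tool"               # the unauthorized change
    if compare_checklist "$master" "$tree" >/dev/null; then
        detected=MISSED
    else
        detected=ok
    fi
    rm -rf "$tree" "$master"
    echo "clean_run=$clean change_detected=$detected"
}

demo
```

In practice the master list must be kept where an intruder cannot rewrite it, otherwise the comparison proves nothing.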



Site Security Policy Handbook Working Group                    [Page 28]
