RFC 1244 Site Security Handbook July 1991
been made to the system.
Still other tools are available from third-party vendors and
public software distribution sites. Section 3.9.9 lists
several sources from which you can learn what tools are
available and how to get them.
3.6.2.3 Other Tools
Other tools can also be used to monitor systems for security
violations, although this is not their primary purpose. For
example, network monitors can be used to detect and log
connections from unknown sites.
3.6.3 Vary the Monitoring Schedule
The task of system monitoring is not as daunting as it may seem.
System administrators can execute many of the commands used for
monitoring periodically throughout the day during idle moments
(e.g., while talking on the telephone), rather than spending fixed
periods of each day monitoring the system. By executing the
commands frequently, you will rapidly become used to seeing
"normal" output, and will easily spot things which are out of the
ordinary. In addition, by running various monitoring commands at
different times throughout the day, you make it hard for an
intruder to predict your actions. For example, if an intruder
knows that each day at 5:00 p.m. the system is checked to see that
everyone has logged off, he will simply wait until after the check
has completed before logging in. But the intruder cannot guess
when a system administrator might type a command to display all
logged-in users, and thus he runs a much greater risk of
detection.
Despite the advantages that regular system monitoring provides,
some intruders will be aware of the standard logging mechanisms in
use on systems they are attacking. They will actively pursue and
attempt to disable monitoring mechanisms. Regular monitoring
therefore is useful in detecting intruders, but does not provide
any guarantee that your system is secure, nor should monitoring be
considered an infallible method of detecting unauthorized use.
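The unpredictable spot check described above, as an added example that is not part of RFC 1244: a shell script that waits a random interval and then compares the current who(1) sessions with baseline files of known users and known remote hosts, reporting anything out of the ordinary. The baseline file layout, the --check option and the user and host names in the offline demonstration are constructed for this example.

```shell
#!/usr/bin/env sh
# Added example (not from RFC 1244): an unscheduled spot check in the spirit of
# section 3.6.3. A random delay makes the check time unpredictable even when the
# script is started from a fixed cron entry; the current login sessions and their
# originating hosts are then compared with a baseline of "normal" entries.

# Print a random delay between 0 and $1 seconds, drawn from /dev/urandom.
random_delay() {
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( r % ($1 + 1) ))
}

# Read who(1)-style lines (user tty date time (host)) on stdin and print those
# whose user is not listed in file $1 or whose remote host is not listed in file $2.
unexpected_sessions() {
    users=$1; hosts=$2
    while read -r user tty rest; do
        host=$(printf '%s\n' "$rest" | sed -n 's/.*(\([^)]*\)).*/\1/p')
        if ! grep -qxF -- "$user" "$users"; then
            printf 'UNKNOWN USER: %s %s %s\n' "$user" "$tty" "$rest"
        elif [ -n "$host" ] && ! grep -qxF -- "$host" "$hosts"; then
            printf 'UNKNOWN HOST: %s %s %s\n' "$user" "$tty" "$rest"
        fi
    done
}

# Live check: wait up to $3 seconds (default one hour), then inspect real who(1) output.
spot_check() {
    sleep "$(random_delay "${3:-3600}")"
    who | unexpected_sessions "$1" "$2"
}

# Offline demonstration on constructed data; the users and hosts are hypothetical.
demo() {
    dir=$(mktemp -d)
    printf 'alice\nbob\n' > "$dir/users"
    printf 'ws1.example.org\nws2.example.org\n' > "$dir/hosts"
    printf '%s\n' \
        'alice pts/0 2024-01-01 09:12 (ws1.example.org)' \
        'bob pts/1 2024-01-01 09:30 (ws2.example.org)' \
        'bob pts/2 2024-01-01 02:05 (203.0.113.7)' \
        'mallory pts/3 2024-01-01 02:06 (ws1.example.org)' |
        unexpected_sessions "$dir/users" "$dir/hosts"
    rm -r "$dir"
}
# Usage: spotcheck.sh --check known_users known_hosts [max_delay_seconds]
if [ "${1:-}" = "--check" ]; then
    spot_check "$2" "$3" "$4"
fi
```

Started from a cron entry at a fixed time, the random delay spreads the actual check across the following window, so its timing cannot be read off the crontab.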
3.7 Define Actions to Take When Unauthorized Activity is Suspected
Sections 2.4 and 2.5 discussed the course of action a site should
take when it suspects its systems are being abused. The computer
security policy should state the general approach towards dealing
with these problems.
Site Security Policy Handbook Working Group [Page 29]