Chapter 21. Auditing, Logging, and Forensics
After you have established the protection mechanisms on your system, you will need to monitor them. You should be sure that your protection mechanisms actually work. You should also observe any indications of misbehavior or other problems. This process of monitoring the behavior of the system is known as monitoring or auditing . It is part of a defense-in-depth strategy: doveryay, no proveryay (“trust, but verify”), a Russian proverb that was often recited by former U.S. president Ronald Reagan.
There are many kinds of audits. Two of the most common on Unix systems are spot inspections of file permissions and the systematic review of the Unix log files. A log file is a file that records one or more log events—that is, a specific action, activity, or condition that the author of a program thought might be worth recording.
Log files are important building blocks of a secure system: they form a recorded history, or audit trail , of your computer’s past, making it easier for you to track down intermittent problems or attacks. Using log files, you may be able to piece together enough information to discover the cause of a bug, the source of a break-in, and the scope of the damage involved. In cases where you can’t stop damage from occurring, at least you will have some record of it. Those logs may be exactly what you need to rebuild your system, conduct an investigation, give testimony, recover insurance money, or get accurate field ...
Get Practical UNIX and Internet Security, 3rd Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.