On Monday, July 21, 2003, at 01:09 PM, Mark A. Hershberger wrote:
> "Alex McKenzie" <alex@boxchain.com> writes:
>
>> I was under the impression that this was for an automated backup
>> situation, which is what (I believe) passphraseless keypairs are meant
>> for. I was also assuming a limited backup account, but it can work
>> both ways.
>
> Glad to see we agree!

I'm fascinated that the semi-to-fully professional opinions on this
list a) agree fairly well on what's secure and what isn't but b) have
very different emphases on what's important in security.

>
>> Auditing logs is one of the most useful, and easiest, security tasks
>> you can do.
>
> Of course, but I think we were talking past each other.
>
> I have accounts on a number of machines. It would be tedious for me
> to audit each account simply because I chose to use a passwordless
> keypair.

One technique I've adopted for log audits is called "artificial
ignorance." It essentially amounts to building filters for your logs
and reporting (via email, say) any log events that aren't filtered.
Since expected events tend to recur, and problem events tend to be
anomalous, this solution tends to be very straightforward and
effective. Of course, random checks of the logs, and occasional review
of the filters, are still important, but it definitely adds a certain
level of peace of mind. I imagine it would work especially well with a
syslog server. Finally, there's the added benefit that, if an abnormal
event does occur, the notification can leave the network entirely,
putting it outside the reach (hopefully) of an intruder; and most
intruders (even insiders) won't have enough of a grasp of the entire
system to shut it down completely before it can get out a complaint.
Received on 07/22/03
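
A minimal sketch of the "artificial ignorance" filter described in the message above, added here as an example and not code from the post or the list. The patterns, host names, addresses and the `rotate-logs` path are constructed assumptions; the expected backup login is pinned to one source address so that use of the passphraseless key from anywhere else is reported.

```python
import re
from collections import Counter

# Constructed allowlist: full-message patterns for events we expect to recur.
# The backup key is only expected from one source address (assumed 192.0.2.10).
EXPECTED = [re.compile(p) for p in (
    r"CRON\[\d+\]: \(root\) CMD \(/usr/local/bin/rotate-logs\)",
    r"sshd\[\d+\]: Accepted publickey for backup from 192\.0\.2\.10 port \d+ ssh2",
    r"sshd\[\d+\]: session (opened|closed) for user backup",
)]
# Classic syslog prefix: "Jul 21 03:00:01 host "
PREFIX = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ ")

def unexpected(lines):
    """Count every event that no EXPECTED pattern matches in full."""
    leftover = Counter()
    for line in lines:
        msg = PREFIX.sub("", line.strip())
        if not msg:
            continue
        # fullmatch, not search: a log field an outsider controls (a user
        # name, say) must not be able to smuggle in an "expected" substring.
        if any(p.fullmatch(msg) for p in EXPECTED):
            continue
        # Collapse PIDs and ports so repeats of one anomaly group together.
        msg = re.sub(r"\[\d+\]", "[N]", msg)
        msg = re.sub(r"\bport \d+", "port N", msg)
        leftover[msg] += 1
    return leftover

def report(leftover):
    """Body of the notification mail, most frequent event first."""
    return "\n".join(f"{n:4d}  {msg}" for msg, n in leftover.most_common())

# Constructed sample log, not taken from any real system.
SAMPLE = """\
Jul 21 03:00:01 fs1 CRON[4121]: (root) CMD (/usr/local/bin/rotate-logs)
Jul 21 03:15:02 fs1 sshd[4188]: Accepted publickey for backup from 192.0.2.10 port 50122 ssh2
Jul 21 03:15:40 fs1 sshd[4188]: session closed for user backup
Jul 21 04:02:17 fs1 sshd[4302]: Accepted publickey for backup from 203.0.113.77 port 41810 ssh2
Jul 21 04:02:19 fs1 sshd[4310]: Failed password for root from 203.0.113.77 port 41822 ssh2
Jul 21 04:02:23 fs1 sshd[4311]: Failed password for root from 203.0.113.77 port 41830 ssh2
""".splitlines()

if __name__ == "__main__":
    print(report(unexpected(SAMPLE)))
```

Anything the allowlist does not match in full ends up in the report, so a new kind of event is surfaced by default until someone reviews it and decides to add a pattern.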