Pat,

Collaboration is extremely difficult to guard against and at some level impossible, so auditors often overlook conspiracy theories. With one system administrator it seems pretty straightforward to determine who deleted the receiver. However, on many systems, multiple system administrators, lax security policies, honest mistakes, or lack of expertise when setting up system security leave open the possibility that a journal could be deleted or tampered with. In many cases, it would be impossible to tie that event to a single individual or could go undetected. Because journals are one of the main ways of detecting unauthorized activity, it is very important that they are not the weak link. Getting journals off of the system also reduces the chance that someone will destroy your machine to cover their tracks.

David Morris

>>> botz@xxxxxxxxxx 01/14/05 4:52 PM >>>
> What Audit team are looking is to prevent the System admin which have
> all the God rights on system from doing anything bad. If System
> security receivers are somehow replicated online to some other system
> like Unix then one can know as what had happened

I agree that copying it to another system where the OS400 admin does not have an ID with authority to delete it adds a layer of defense. But it does not remove the issue -- it just makes it harder. What if the sys admins on the two systems are the same, or friends, or co-conspirators?

The point I'd like to make is that at some point you have to rely on a policy that says something like "if you ever delete the audit journal (or copies of it) without authorization, we'll know and we'll fire you." Once you have this policy in place and the admins know about it, then making a copy gives you an extra layer of defense.

Without a policy which addresses the deletion of the audit journal or copies of it, you can't hold anyone accountable. Making a copy does not prevent all copies from being deleted nor does it provide accountability.

Now, if you have this policy in place, I might argue that the value of making a copy of the audit journal to another system might not provide that much more additional benefit. But that would be your call to make.

Patrick Botz
Senior Technical Staff Member
eServer Security Architect
(507) 253-0917, T/L 553-0917
email: botz@xxxxxxxxxx
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].