Rion,

Samba reportedly has some per-file-operation logging capabilities[1] which I am planning on investigating for a client very soon. If that applies, and you get to it before I do, it'd be great to hear what you find out.

On the DB side: what DB is it, and how detailed are its transaction logs? Do all users access this DB with the same DB username? Do accesses come from fixed (or otherwise easily-traceable) IP addresses? Are the client DB connections to the server encrypted? (If so, packet analyzers will only help establish the existence of a connection to the server, and probably its time and duration, but not the content of its "conversation".)

HIDS like Tripwire are great for knowing if a file changed, but I don't know whether they are generally "triggerable" by file access alone. Most seem geared towards squawking if a file changes. Can anyone else shed some light on this aspect?

The big problem: this whole affair is complicated by the fact that, in most cases, the very act of viewing data from a server via a given machine requires that the data be copied from the server to the local box (even if the user doesn't explicitly drag-and-drop the file from the server to their local disk)*. From the perspective of using your captured/logged info as evidence: is it easy to discriminate between joedokes' legitimate access and illegitimate access, if he has been granted use of these data for the purposes of doing his job?

* Lessig: "Enter the Internet. Every act is a copy, which means all of these unregulated uses disappear."[2]

This would seem similar to the problems encountered by people building DRM (digital rights management) systems for audio/video media files or e-books. The best these folks can seem to come up with is to lock the users into the controlled environment of a known, standardized player/viewer app, and hope that the user's kung fu isn't good enough to make an end-run around the protections in place.

As far as I can tell, unless you can guarantee the environment in which the user interacts with the data to prevent them from taking the data with them (i.e. control the box), there are not a ton of options. If you CAN control the workstation and the viewing software they use to access the data (and, more importantly, THEY can't), you can probably leverage SOME logging to your advantage. Even then, I imagine you'd need VERY verbose filesystem logging on the workstation end to get what you seem to be looking for.

Schneier and/or Bauer might say that this is one of those places where (current) technology leaves off, and policy (read: NDA and insurance (as in, "loss/liability coverage")) must pick up the slack. If you're like me, though, that's scant comfort when sensitive data go walking out the door. ;-)

[1] http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/VFS.html#id2620862
[2] http://www.oreillynet.com/pub/a/policy/2002/08/15/lessig.html?page=2

Cheers,

-sth

sam hooker|[EMAIL PROTECTED]|http://www.noiseplant.com

        tail -f /var/llog/llama


On Wed, 12 Jul 2006, Chris Adams wrote:

Proof is actually somewhat difficult to prove in court but outside of the
legal aspects, using something like a network traffic analyzer and a
host-based IDS such as Tripwire would provide sufficient logs of suspicious
activity. You can also use MAC time information of the file (more difficult
if there are many users). Using several tools would be the best way, just
ensure the data from the tool is stored securely and that time is
synchronized on all systems to make comparisons easier. Network analysis
would require monitoring ALL traffic which can be very difficult to do but
some companies do it.

Chris
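As an added example (written for this thread; it is not code from any of the posters and not Samba's own): a small Python script that parses syslog lines in the shape Samba's full_audit VFS module emits with a "%u|%I" prefix ("user|ip|operation|result|arguments") and applies two defender-side checks that bear on Sam's per-file-operation logging point and Chris's advice to correlate securely stored, time-synchronized logs: it flags a user who opens many distinct files for reading within a short window, and it lists opens the server refused. The log lines are constructed, the layout of the open arguments (an "r"/"w" flag followed by the path) is an assumption, and the year is assumed because syslog timestamps carry none.

```python
"""Parse full_audit-style smbd_audit syslog lines and flag bulk read activity.

Assumptions (not from the thread): each line looks like
  "<syslog ts> <host> smbd_audit: <user>|<ip>|<op>|<result>|<args...>"
with "open" arguments being "<r|w>|<path>". SAMPLE_LOG below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: joedokes sweeps a share in a few seconds, then is denied
# a file outside his role; janedoe touches one document normally.
SAMPLE_LOG = """\
Jul 12 14:03:22 fileserver smbd_audit: joedokes|192.0.2.10|connect|ok|jewels
Jul 12 14:03:25 fileserver smbd_audit: joedokes|192.0.2.10|open|ok|r|finance/q2-forecast.xls
Jul 12 14:03:26 fileserver smbd_audit: joedokes|192.0.2.10|open|ok|r|finance/customer-list.csv
Jul 12 14:03:26 fileserver smbd_audit: joedokes|192.0.2.10|open|ok|r|finance/pricing.doc
Jul 12 14:03:27 fileserver smbd_audit: joedokes|192.0.2.10|open|ok|r|finance/contracts/acme.pdf
Jul 12 14:03:28 fileserver smbd_audit: joedokes|192.0.2.10|open|ok|r|finance/contracts/zenith.pdf
Jul 12 14:03:28 fileserver smbd_audit: joedokes|192.0.2.10|open|fail|r|hr/salaries.xls
Jul 12 14:05:01 fileserver smbd_audit: janedoe|192.0.2.11|open|ok|r|finance/pricing.doc
Jul 12 14:09:40 fileserver smbd_audit: janedoe|192.0.2.11|open|ok|w|finance/pricing.doc
Jul 12 14:10:02 fileserver smbd_audit: joedokes|192.0.2.10|disconnect|ok|jewels
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"smbd_audit: (?P<rest>.+)$"
)


def parse_audit_line(line, year=2006):
    """Return a dict for one smbd_audit line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.group("rest").split("|")
    if len(fields) < 4:
        return None
    # syslog omits the year; the caller supplies it (assumed 2006 here).
    ts_text = " ".join(m.group("ts").split())
    ts = datetime.strptime(f"{year} {ts_text}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "user": fields[0], "ip": fields[1],
            "op": fields[2], "result": fields[3], "args": fields[4:]}


def parse_log(text, year=2006):
    """Parse every recognisable line of a log blob, skipping the rest."""
    return [e for e in (parse_audit_line(l, year) for l in text.splitlines()) if e]


def detect_bulk_reads(events, window_seconds=60, threshold=5):
    """Flag users who open >= threshold distinct files for reading inside one window.

    A sweep of many distinct files in seconds looks different from the
    one-document-at-a-time pattern of someone doing their job.
    """
    reads = defaultdict(list)
    for e in events:
        if (e["op"] == "open" and e["result"] == "ok"
                and len(e["args"]) >= 2 and e["args"][0] == "r"):
            reads[e["user"]].append((e["ts"], e["ip"], e["args"][1]))
    window = timedelta(seconds=window_seconds)
    alerts = []
    for user, items in reads.items():
        items.sort()
        for i, (start, ip, _) in enumerate(items):
            files = {path for ts, _, path in items[i:] if ts - start <= window}
            if len(files) >= threshold:
                alerts.append({"user": user, "ip": ip, "window_start": start,
                               "distinct_files": len(files), "files": sorted(files)})
                break  # one alert per user is enough for a first pass
    return alerts


def failed_opens(events):
    """Map user -> paths the server refused; probing outside one's role stands out."""
    denied = defaultdict(list)
    for e in events:
        if e["op"] == "open" and e["result"] == "fail" and len(e["args"]) >= 2:
            denied[e["user"]].append(e["args"][1])
    return dict(denied)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_bulk_reads(evs):
        print(f"bulk read: {a['user']} from {a['ip']} at {a['window_start']}: "
              f"{a['distinct_files']} files")
    for user, paths in failed_opens(evs).items():
        print(f"denied: {user} -> {', '.join(paths)}")
```

The thresholds are starting points to tune against a baseline of normal activity for each share; the useful property for evidence is that the alert points back at specific timestamped lines, which is only trustworthy if the server's clock is synchronized and the log is shipped somewhere the monitored user cannot alter it.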

On 7/12/06, Rion D'Luz <[EMAIL PROTECTED]> wrote:

Hello all:

        Any opinion on the best way to monitor the file transfers and|or
general activities of a user w/out going to the extreme of keylogging
etc.?
What is|are the most effective and|or least intrusive options?
For instance:
        joedokes works for acme.widget and has auth access to sensitive
information, both in file and db format; each accessed remotely from
servers as such. What can be done to ensure that if joe decides to x-fer the
company jewels to his local machine that it is audited and can be used
as proof?
TIA
Rion
--
Beware when truth is called treason