Security Basics mailing list archives

RE: Auditing / Logging


From: "eeefm" <eeefm () singnet com sg>
Date: Tue, 13 Jan 2004 22:29:19 +0800

It really depends on what kind of things you want to log. If the
environment already has IDSes installed (network and/or host), they
can be good tools for auditing/forensics, and these usually come with
the product. You can log/capture pentest activity on the network and
on the host with a network IDS and a host IDS respectively.


Cheers

-----Original Message-----
From: Don Parker [mailto:dparker () rigelksecurity com] 
Sent: Tuesday, 13 January, 2004 7:18 AM
To: R. DuFresne; Don Parker
Cc: n30; security-basics () securityfocus com; pen-test () securityfocus com
Subject: Re: Auditing / Logging



Well, you raise a valid point as to the commands not being logged.
Again I would prefer simplicity, so just install a keylogger. There is
no need to overcomplicate things. Though a keylogger will not work
on most *nix systems to my knowledge. Though all of this should be
negotiated with the client prior to the pen test being done, i.e. what
kinds of logs will be retained and such. This is one thing which
should be spelt out clearly prior to any pen test actually taking place.

Cheers

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc www.rigelksecurity.com
ph: 613.249.8340 fax: 613.249.8319
--------------------------------------------

On Jan 12, "R. DuFresne" <dufresne () sysinfo com> wrote:

On Mon, 12 Jan 2004, Don Parker wrote:

The simplest solution would be to simply log all activity using
tcpdump in binary format. This decreases the file size, is faster, and
allows you to manipulate it after. You can also input this binary log
into any protocol analyzer afterwards as well, i.e. ethereal, etherpeek
nx and such.

Doing the above also gives you and your client a copy of exactly what
it is you have done during your pen test should there be any
questions/complaints.


Which is great on the data being obtained, yet fails to retain the
nature of the exact command that retrieved the data, so make sure one
either tees all commands to a file (date stamps can help here) or one
runs script or something. This helps if one has data results that are
similar and they need to know which command applies to which data, as
well as making it possible to duplicate scenarios.

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!


---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any 
course! All of our class sizes are guaranteed to be 10 students or less. 
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention, 
and many other technical hands on courses. 
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off 
any course!  
----------------------------------------------------------------------------
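The two logging approaches argued over in the thread (a tcpdump binary capture of the whole engagement, and a date-stamped record of every command with its output tee'd to a file so each result can be traced back to the exact command that produced it) fit into one small wrapper. This is an added example, not code from the thread or from any of its authors; PT_LOGDIR, pt_capture_start, pt_capture_stop, pt_run and pt_seal are names assumed here for illustration, and the two capture functions need root and a real interface name.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal engagement-logging wrapper.
# PT_LOGDIR, pt_capture_start, pt_capture_stop, pt_run and pt_seal are
# names assumed here for illustration.
PT_LOGDIR="${PT_LOGDIR:-./pentest-logs}"

stamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# pt_capture_start IFACE: full-packet binary capture (tcpdump -w) of
# everything the test box sends and receives. Needs root. The .pcap can be
# reopened later with `tcpdump -n -r FILE` or in Ethereal/Wireshark.
pt_capture_start() {
    mkdir -p "$PT_LOGDIR"
    pcap="$PT_LOGDIR/capture-$(date -u +%Y%m%dT%H%M%SZ).pcap"
    tcpdump -i "$1" -s 0 -n -w "$pcap" &      # -s 0: keep whole packets
    echo $! > "$PT_LOGDIR/.tcpdump.pid"
    echo "$pcap"
}

pt_capture_stop() {
    if [ -f "$PT_LOGDIR/.tcpdump.pid" ]; then
        kill "$(cat "$PT_LOGDIR/.tcpdump.pid")"
    fi
}

# pt_run CMD [ARGS...]: run one step, append a timestamped record of the
# exact command line and its numbered output file to commands.log, and tee
# the step's stdout+stderr both to the terminal and to that file. Every
# result file is therefore paired with the command that produced it, and
# the exit status is recorded when the step finishes.
pt_run() {
    mkdir -p "$PT_LOGDIR"
    n=$(( $(cat "$PT_LOGDIR/.seq" 2>/dev/null || echo 0) + 1 ))
    echo "$n" > "$PT_LOGDIR/.seq"
    id=$(printf '%04d' "$n")
    out="$PT_LOGDIR/$id.out"
    printf '%s | %s | start | %s | %s\n' "$(stamp)" "$id" "$*" "$out" \
        >> "$PT_LOGDIR/commands.log"
    rm -f "$PT_LOGDIR/.rc"
    # A pipeline reports tee's status, so the command's own status is saved
    # explicitly; the "|| ..." also keeps a failing step from aborting the
    # wrapper when the caller runs under set -e.
    { "$@" 2>&1 || echo $? > "$PT_LOGDIR/.rc"; } | tee "$out"
    rc=$(cat "$PT_LOGDIR/.rc" 2>/dev/null || echo 0)
    printf '%s | %s | exit=%s\n' "$(stamp)" "$id" "$rc" \
        >> "$PT_LOGDIR/commands.log"
    return "$rc"
}

# pt_seal: write a hash manifest of the logs, captures and outputs, so the
# copy handed to the client and the tester's own copy can be compared
# later if a result is ever questioned.
pt_seal() {
    if command -v sha256sum >/dev/null 2>&1; then
        hasher=sha256sum
    else
        hasher="shasum -a 256"
    fi
    ( cd "$PT_LOGDIR" && for f in commands.log *.out *.pcap; do
          if [ -f "$f" ]; then $hasher "$f"; fi
      done ) > "$PT_LOGDIR/MANIFEST.sha256"
}

# Typical use (interface and target are placeholders):
#   pt_capture_start eth0
#   pt_run nmap -sS -p- 10.0.0.5
#   pt_capture_stop
#   pt_seal
```

The log line stores `$*`, which drops the original shell quoting, so for steps with complex arguments keep them in a small script and log the script name, or run the whole session under script(1) as suggested above; the pcap and the hash manifest are what get handed to the client at the agreed retention point.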







