Security Basics mailing list archives

Re: Monitoring sys admins activities


From: Fred Concklin <fredconcklin () gmail com>
Date: Tue, 14 Sep 2010 20:26:13 -0400

Hey Josiah, 

saw this on the securityfocus mailing list and thought it might be of some interest to you moving forward with pitus or 
other student run machines. 

Basically, assume a zero trust relationship with machine sysadmins. Modification of certain files/directories by 
sysadmins needs to be monitored and logged in a manner where the sysadmin under watch can't spoof/modify changes to 
or contents of a directory. 

My thoughts were an sshfs mount of a directory and doing diffs/logging on a remote machine sysadmins don't have access 
to. 

-- Fred

Posts from mailing list below:

On Tue, 14 Sep 2010, krymson () gmail com wrote:

You will want to turn on file access auditing on your file servers. You will then want a log manager to hold and 
parse logs. Any SIEM/SIM should be able to do this. Just expect false positives and make sure whoever sees the alerts 
knows that there are plenty of benign reasons those sensitive files are touched (for instance whatever backs those 
files up and the account it runs under). Too many of these, and you'll need another technical person to interpret the 
noise...which may defeat the purpose.

Also, for completeness, you will want to think hard about how powerful your admins are. They are basically the gods 
of your network, and rightly so!! They could create a new account or reset the password on an existing account and 
use it to access that data. Or usurp the backup software account. Or use something generic like Local System. 
Likewise, they control the network so may be able to capture such data in transit. They have physical access so may 
be able to clone the hard disk (or virtual server) or walk backup tapes home. They have full rights to desktops and 
may be able to just watch over the owner's shoulder. They are paid to manage the servers, so will have admin rights 
to turn off logging agents, scrub logs, and turn them back on. You either need to log and lock down everything, or...

...tell the owner that he should also pursue very stringent hiring practices for such godlike persons, and make sure 
they have tight management such that they can spot and handle any trouble-signs of a bad admin. IMO, it is often not 
worth the trouble to watch your admins closely, as much as it is useful to manage them properly and watch/warn/handle 
trouble signs before they become disgruntled employees or have some external pressure (money or otherwise [your 
information gods better be paid competitively, as an aside*]) to start taking advantage of their access on the job.

I know it seems I'm making this very black and white in my above statements. "Either be perfect or screw it and get 
back to management practices." But really it's about managing expectations such that you can choose just how far to 
take this, but then explain that there are still holes and opportunities for abuse. The creative art of managing risk.


Very importantly, I want to highlight that the response of those admins should be applauded and mentioned. Far too 
often even well-intentioned admins (myself included) will resist such scrutiny as needless and may in fact be deeply 
offended and resentful. Their response is refreshing and should be encouraged and rewarded, and maybe be an 
indication that they may very well be solid employees.


* It might be a tangential discussion to think about generously paying your admins... or generously paying your 
security persons who oversee the admins...


<- snip ->
Hi great list members!! 

I was hired by the owner of a company, and he gave me a task: he wants to monitor access to a few folders on a few 
file servers (Windows) where he has some confidential information. Things get a bit complicated because he also 
wants to monitor and be alerted if the sysadmins access the folders, so I'm looking for a solution 
(product/software??) that will read the logs of a server and export them, say, to a remote server the admins don't 
have access to, and will also send a mail to the owner of the company if someone accesses a specific folder on that 
server. The process should work so that the sysadmins can't modify those logs. I know it's problematic, but I must 
find a solution, and also I can't come with a solution that costs 1 million dollars because the owner won't implement 
it. Also, any insights about that kind of project are most welcome (gaps, how long it takes to implement, etc.). 

Also, I talked to the sysadmins on site; they are not against this kind of project. They want to be monitored so 
that if a problem happens, they say, the logs will show that they weren't the guys who caused the problem. 

thanks for your help!!

Juan
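Fred's sshfs-plus-diff idea and Juan's requirement that the watched admins cannot rewrite the record, as an added example that is not code from the thread. It assumes the monitored directory is read from a mount on the remote host (the admins have no account there), snapshots are diffed on that host, and each change record commits to the hash of the previous one so a later edit to the log is detectable; file names and contents in `demo()` are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

GENESIS = "0" * 64  # constructed start value of the hash chain

def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff(old, new):
    """List (change, path) pairs between two snapshots, in path order."""
    kind = lambda p: "added" if p not in old else "removed" if p not in new else "modified"
    return [(kind(p), p) for p in sorted(set(old) | set(new)) if old.get(p) != new.get(p)]

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_record(log, change, path):
    """Append a record that commits to the hash of the previous record."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"prev": prev, "change": change, "path": path}
    log.append(dict(body, hash=_digest(body)))

def verify_log(log):
    """Recompute the chain from GENESIS; False if a record was altered or spliced out."""
    prev = GENESIS
    for rec in log:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

def demo():
    """Constructed run: snapshot a temp dir, change it, log the diff, then tamper."""
    d = Path(tempfile.mkdtemp())
    (d / "payroll.xls").write_bytes(b"v1"); (d / "old.doc").write_bytes(b"x")
    before = snapshot(d)
    (d / "payroll.xls").write_bytes(b"v2"); (d / "old.doc").unlink()
    (d / "new.doc").write_bytes(b"y")
    log, changes = [], diff(before, snapshot(d))
    for change, path in changes:
        append_record(log, change, path)
    intact = verify_log(log)
    log[0]["path"] = "nothing.txt"  # an admin "correcting" the record afterwards
    return changes, intact, verify_log(log)
```

Truncating the tail of the chain is not caught by `verify_log` alone; the remote host should also keep the latest hash somewhere the admins cannot reach, or mail it to the owner with each alert, as Juan's owner asked for.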
