RE: Auditing / Logging

["Rob Shein" <shoten () starpower net>]

If you want the function of a keylogger without having to worry about
software/OS compatibility, simply use a Key Katcher (www.keykatcher.com)
between your keyboard and computer.  Just be sure to sed out any
password/login combinations to your own stuff that you use.  Oh, one thing;
I don't think it'll work on Sun hardware.

> -----Original Message-----
> From: Don Parker [mailto:dparker () rigelksecurity com] 
> Sent: Monday, January 12, 2004 6:18 PM
> To: R. DuFresne; Don Parker
> Cc: n30; security-basics () securityfocus com; pen-test () securityfocus com
> Subject: Re: Auditing / Logging
>
>
>
> Well, you raise a valid point as to the commands not being logged. 
> Again I would prefer simplicity, so just install a keylogger. 
> There is no need to overcomplicate things. Though a keylogger 
> will not work 
> on most *nix systems to my knowledge. Though all of this should be 
> negotiated with the client prior to the pen test being done ie: what 
> kinds of logs will be retained and the such. This is one thing which 
> should be spelt out clearly prior to any pen test actually 
> taking place.
>
> Cheers
>
> -------------------------------------------
> Don Parker, GCIA
> Intrusion Detection Specialist
> Rigel Kent Security & Advisory Services Inc 
> www.rigelksecurity.com ph :613.249.8340 fax:613.249.8319
> --------------------------------------------
>
> On Jan 12, "R. DuFresne" <dufresne () sysinfo com> wrote:
>
> On Mon, 12 Jan 2004, Don Parker wrote:
>
> > The simplest solution would be to simply log all activity using 
> > tcpdump in binary
> > format. This decreases the file size, is faster, and allows 
> you to manipulate it after. 
> > You can also input this binary log into any protocol 
> analyzer afterwards as well ie: 
> > ethereal, etherpeek nx and the such. 
> >
> > Doing the above also gives you and your client a copy of 
> exactly what 
> > it is you have
> > done during your pen test should there be any questions/complaints.
>
>
> Which s great on the data being obtained, yyet fails to 
> retain the nature of the exact command that retrieved the 
> data, so make sure one either tee's allcommands to a file 
> <date stamps can help here> or one runs script or something.  
> This helps if one has data results that are similiar and they 
> need to know which command applies to which data, as well as 
> make it possible to dupe scenarios.
>
> Thanks,
>
> Ron DuFresne
> -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>         admin & senior security consultant:  sysinfo.com
>                         <a 
> href='http://sysinfo.com&apos;>http://sysinfo.com</a>
>
> "Cutting the space budget really restores my faith in 
> humanity.  It eliminates dreams, goals, and ideals and lets 
> us get straight to the business of hate, debauchery, and 
> self-annihilation."
>                 -- Johnny Hart
>
> testing, only testing, and damn good at it too!
>
>
> --------------------------------------------------------------
> -------------
> Ethical Hacking at InfoSec Institute. Mention this ad and get 
> $720 off any 
> course! All of our class sizes are guaranteed to be 10 
> students or less. 
> We provide Ethical Hacking, Advanced Ethical Hacking, 
> Intrusion Prevention, 
> and many other technical hands on courses. 
> Visit us at <a 
> href='http://www.infosecinstitute.com/securityfocus&apos;>http://ww
> w.infosecinstitute.com/secur
> ityfocus</a> to get $720 off 
> any course!  
> --------------------------------------------------------------
> --------------
>
>
>
>
> --------------------------------------------------------------
> -------------
> --------------------------------------------------------------
> --------------


---------------------------------------------------------------------------
----------------------------------------------------------------------------