Auditing Processes and Files

Most systems generate security logs and audit files of activity on the system. These files do absolutely no good if they are not periodically reviewed for unusual events. Many web servers provide message auditing, as do logon, system, and application services.

The volume of information these files contain can be overwhelming, so you should establish a procedure to review them on a regular basis. These files may also be the target of access or modification attacks, because they often contain critical system information such as resource sharing and security status. An attacker may be able to use this information to gather more detailed data about your network.

In an access attack, these files can also be deleted, modified, or scrambled to prevent systems administrators from knowing what happened on the system. A logic bomb could, for example, delete these files when it completes. Administrators may know that something has happened, but they will get no clues or assistance from the log and audit files.
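As an added illustration of the two points above (reviewing logs for unusual events, and noticing when a log has been deleted or altered), here is a small Python routine that is not from the study guide. It counts failed logons per source in a constructed syslog-style sample and compares a log against a saved line-count and hash baseline; the log format, threshold and function names are assumptions.

```python
import hashlib
import re
from collections import Counter

# Constructed sample auth-log lines (not real data); RFC 5737 test addresses.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[412]: Accepted password for alice from 10.0.0.5 port 5022 ssh2
Mar  3 10:02:30 host sshd[418]: Failed password for root from 203.0.113.9 port 41022 ssh2
Mar  3 10:02:31 host sshd[418]: Failed password for root from 203.0.113.9 port 41022 ssh2
Mar  3 10:02:33 host sshd[419]: Failed password for admin from 203.0.113.9 port 41030 ssh2
Mar  3 10:02:35 host sshd[420]: Failed password for invalid user test from 203.0.113.9 port 41031 ssh2
Mar  3 10:05:00 host sshd[430]: Failed password for bob from 10.0.0.7 port 5100 ssh2
Mar  3 10:05:40 host sshd[431]: Accepted password for bob from 10.0.0.7 port 5100 ssh2
"""

# Matches OpenSSH-style failed-logon lines; group 1 = user, group 2 = source.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def failed_logons_by_source(log_text, threshold=3):
    """Return {source: count} for sources with at least `threshold` failed logons.

    This is the 'review for unusual events' step: a burst of failures from one
    source is worth a closer look, while a single typo by a real user is not.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def baseline(log_text):
    """Record the line count and SHA-256 of an append-only log at review time."""
    lines = log_text.splitlines()
    digest = hashlib.sha256("\n".join(lines).encode()).hexdigest()
    return {"lines": len(lines), "sha256": digest}


def check_integrity(saved, current_text):
    """Compare the current log to the saved baseline.

    An append-only log may only grow; if it shrank it was truncated or deleted,
    and if the previously seen prefix no longer hashes the same it was modified.
    """
    lines = current_text.splitlines()
    if len(lines) < saved["lines"]:
        return "truncated"
    prefix = "\n".join(lines[: saved["lines"]])
    if hashlib.sha256(prefix.encode()).hexdigest() != saved["sha256"]:
        return "modified"
    return "ok"
```

Keep the baseline somewhere the logged host cannot write to (for example, a separate log collector), otherwise an attacker who can edit the log can edit the baseline too.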

You might want to consider periodically inspecting systems to see what software is installed and whether passwords are posted on sticky notes on the monitor or keyboard. A good way to do this without attracting suspicion is to clean all of the monitor faces. While you are cleaning the monitors, you can also verify that physical security is being upheld. If you notice a password on a sticky note, you can accidentally forget to put it back. You would also want to notify that user that this is an unsafe practice and should not be continued.



CompTIA Security+ Study Guide. Exam SY0-101
Security+ Study Guide
ISBN: 078214098X
Year: 2006
Pages: 167
