Monitoring Information


Once a hacker has gained access to your system, he will want to know if you are aware of his presence. He will focus his interest on any information that indicates that the system is suspected of being compromised. He will be as interested in the activities of the system administrators as they will be in him.

Administrator's Mailbox

A hacker with the appropriate permissions will read root's e-mail. This allows him to keep current with what the system administrator knows. Most of the time, the system administrator does not discover a hacker's presence by himself; usually a regular user notices slower response time, a loss of available disk space, or someone else using his login. Communications from users, possibly through e-mail, may be the first indication to the system administrator that there is a problem. The appropriate procedures for reporting suspected security incidents should be defined in the security policy and should be well understood by all computer users.

System Console

The system console is where it all happens. Most of the systems log errors to the system console, so this is where you see problems and alerts. Anyone who logs on to the system console is probably a system administrator since he or she has physical access to the system. A skilled hacker will always keep an eye on the system console in order to see log messages and what the system administrators are doing.

There are a number of ways to monitor the system console. One is to use a program that attaches itself to the data stream going to and from the console device. An example of such a program is xconsole, an X Window System program that opens a window on an X display containing all the input and output that passes to and from the system console. Many system administrators use it so they can monitor the system console without having to be in the computer room.

All the convenient programs you have to monitor the system can also be used by hackers to monitor the system as well. You must keep this in mind when you install system management tools. They may have more value to a hacker than they do to you.

Another method of monitoring the system console is to utilize the features of the console terminal itself. If the console is a smart terminal, then it is likely that the information stored in the terminal's memory can be read. A number of programs specific to a wide range of smart terminals have been written and are available on numerous hacker bulletin boards and electronic periodicals.

You may be able to reduce the risk of a smart terminal attack by configuring your terminal to emulate an older, dumber terminal. Another approach is to remove the read and write permissions to the terminal when no one is logged on. The use of the console terminal should be limited to only those activities which require system console access.

System Logs

System logs are a system manager's best friend. If activated and properly configured, they can record most things of interest that happen on the system. There are logs for accounting, auditing, network traffic, logins and logouts, and dozens more. Most systems come out of the box without the logging turned on, so as the system administrator you have to start logging. The hacker will attempt to find these logs so he can avoid the actions that will cause log entries, disable the logs, or falsify the log entries.

Hackers commonly try to locate log files in two ways: by using the find command to locate files whose names contain the characters "log", or by running some commands that would be logged on a quiet system and then looking for files that have changed.

Since these are the common procedures hackers use to locate logs, it is a good idea to create log files that do not contain the word "log" in their names and to put them in a protected and possibly hidden directory, to make locating them as difficult as possible. It would be best if the system were to log to another, very secure system, or to a non-erasable medium such as a printer or a WORM device.

It is also advisable to have a process that logs a heartbeat, that is, an entry in the log at regular intervals, so that the health of the logging process can be monitored: if the heartbeat entries stop, the logging process has been disabled or the log has been tampered with.
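The heartbeat check described above, written out as an added example (not code from the book): a monitor that reads a log in a constructed one-line-per-entry format, finds stretches where consecutive heartbeat entries are further apart than expected, and also flags a heartbeat that has gone silent up to the present. The log format, the HEARTBEAT marker, and the sample entries are all assumptions made for the example.

```python
"""Heartbeat monitor for a system log (added example, not from the book).
Flags gaps where the logging process stopped writing, which is what you
would see if a hacker disabled the logger or truncated the log."""
from datetime import datetime, timedelta

HEARTBEAT_TAG = "HEARTBEAT"  # assumed marker written by the heartbeat process
STAMP_FORMAT = "%Y-%m-%dT%H:%M:%S"  # assumed timestamp layout of each entry

# Constructed sample log: heartbeats every 60 s, with a ten-minute hole
# between 10:02 and 10:12 where nothing at all was recorded.
SAMPLE_LOG = """\
2002-05-01T10:00:00 HEARTBEAT
2002-05-01T10:01:00 HEARTBEAT
2002-05-01T10:01:30 login: root on console
2002-05-01T10:02:00 HEARTBEAT
2002-05-01T10:12:00 HEARTBEAT
2002-05-01T10:13:00 HEARTBEAT
"""

def parse_line(line):
    """Split '<timestamp> <message>' into (datetime, message)."""
    stamp, _, message = line.strip().partition(" ")
    return datetime.strptime(stamp, STAMP_FORMAT), message

def find_heartbeat_gaps(lines, interval_seconds, now=None, tolerance=1.5):
    """Return (last_seen, next_seen_or_None, gap_seconds) for every stretch
    where heartbeats are more than tolerance * interval apart. If `now` is
    given, a heartbeat that is older than that limit is reported with
    next_seen=None, meaning the logger is currently silent."""
    limit = timedelta(seconds=interval_seconds * tolerance)
    gaps, previous = [], None
    for line in lines:
        if not line.strip():
            continue
        stamp, message = parse_line(line)
        if message != HEARTBEAT_TAG:
            continue  # ordinary entries do not count as liveness evidence
        if previous is not None and stamp - previous > limit:
            gaps.append((previous, stamp, (stamp - previous).total_seconds()))
        previous = stamp
    if now is not None and previous is not None and now - previous > limit:
        gaps.append((previous, None, (now - previous).total_seconds()))
    return gaps

def check_sample_log(now="2002-05-01T10:20:00"):
    """Run the monitor over SAMPLE_LOG as of the constructed time `now`."""
    return find_heartbeat_gaps(SAMPLE_LOG.splitlines(), 60,
                               now=datetime.strptime(now, STAMP_FORMAT))

if __name__ == "__main__":
    for last, nxt, seconds in check_sample_log():
        print(f"heartbeat gap of {seconds:.0f}s after {last}"
              + (f" (resumed {nxt})" if nxt else " (still silent)"))
```

In practice the monitor would run on the secure remote log host the text recommends, so that the same intruder who silences the logger cannot also silence the check.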



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
