Security Basics mailing list archives

Re: Monitoring sys admins activities


From: krymson () gmail com
Date: Tue, 14 Sep 2010 13:47:47 -0600

You will want to turn on file access auditing on your file servers. You will then want a log manager to hold and parse 
logs. Any SIEM/SIM should be able to do this. Just expect false positives and make sure whoever sees the alerts knows 
that there are plenty of benign reasons those sensitive files are touched (for instance whatever backs those files up 
and the account it runs under). Too many of these, and you'll need another technical person to interpret the 
noise...which may defeat the purpose.

Also, for completeness, you will want to think hard about how powerful your admins are. They are basically the gods of 
your network, and rightly so!! They could create a new account or reset the password on an existing account and use it 
to access that data. Or usurp the backup software account. Or use something generic like Local System. Likewise, they 
control the network so may be able to capture such data in transit. They have physical access so may be able to clone 
the hard disk (or virtual server) or walk backup tapes home. They have full rights to desktops and may be able to just 
watch over the owner's shoulder. They are paid to manage the servers, so will have admin rights to turn off logging 
agents, scrub logs, and turn them back on. You either need to log and lock down everything, or...

...tell the owner that he should also pursue very stringent hiring practices for such godlike persons, and make sure 
they have tight management such that they can spot and handle any trouble-signs of a bad admin. IMO, it is often not 
worth the trouble to watch your admins closely, as much as it is useful to manage them properly and watch/warn/handle 
trouble signs before they become disgruntled employees or have some external pressure (money or otherwise [your 
information gods better be paid competitively, as an aside*]) to start taking advantage of their access on the job.

I know it seems I'm making this very black and white in my above statements. "Either be perfect or screw it and get 
back to management practices." But really it's about managing expectations such that you can choose just how far to 
take this, but then explain that there are still holes and opportunities for abuse. The creative art of managing risk.


Very importantly, I want to highlight that the response of those admins should be applauded and mentioned. Far too 
often even well-intentioned admins (myself included) will resist such scrutiny as needless and may in fact be deeply 
offended and resentful. Their response is refreshing and should be encouraged and rewarded, and maybe be an indication 
that they may very well be solid employees.


* It might be a tangential discussion to think about generously paying your admins...or generously paying your 
security persons who oversee the admins...


<- snip ->
Hi Great list members !! 

I was hired by the owner of a company. He gave me a task: he wants to monitor access to a few folders on a few file 
servers (Windows) where he has some confidential information. Things get a bit complicated because he also wants to 
monitor and be alerted if the sys admins access the folders, so I'm looking for a solution (product/software??) that 
will read the logs of a server and export them, say, to a remote server where the admins don't have access, and will also 
send a mail to the owner of the company if someone accesses a specific folder on that server. The process should work so 
that the sys admins can't modify those logs. I know it's problematic but I must find a solution, and I also can't come with 
a solution that costs 1 million dollars because the owner won't implement a thing. Also, any insights about that kind of 
project are most welcome (gaps, how long it takes to implement, etc).

Also, I talked to the sys admins on the site; they are not against this kind of project. They want to be monitored so 
that if a problem happens they can say that the logs will tell that they weren't the guys that caused the problem.

thanks for your help!!

Juan
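The alerting step Juan asks about, with the backup-account noise and the log-scrubbing admin that krymson warns of, as an added example that is not code from either poster. The folder path, the account names (svc_backup, jdoe, admin1) and the sample records are constructed; the Event IDs and AccessMask bits are the standard Windows Security log ones.

```python
# Added example, not from the thread: triage of Windows Security log records for
# access to the owner's confidential folders, dropping the expected backup-job reads
# and flagging the log-tampering events an admin could produce. Folder path, account
# names and the sample records below are constructed for illustration.
SENSITIVE_PREFIXES = ("D:\\Confidential\\",)   # assumed location of the monitored folders
BENIGN_ACCOUNTS = {"svc_backup"}                # assumed backup service account
# Event IDs: 4663 = object access attempt; 1102 = Security log cleared; 4719 = audit policy changed.
TAMPER_EVENTS = {1102: "Security log cleared", 4719: "audit policy changed"}
# AccessMask bits of a 4663 record for file objects.
ACCESS_BITS = {0x1: "read", 0x2: "write", 0x4: "append", 0x10000: "delete"}


def describe_access(mask: int) -> str:
    names = [name for bit, name in ACCESS_BITS.items() if mask & bit]
    return ",".join(names) or hex(mask)


def triage(events):
    """Return (severity, account, detail) tuples that should be mailed to the owner.

    Plain reads by the backup account are the benign noise the reply mentions and are
    dropped; writes or deletes by that same account are kept, since a usurped backup
    account is one of the abuse paths it lists."""
    alerts = []
    for ev in events:
        eid, user = ev["EventID"], ev.get("SubjectUserName", "?")
        if eid in TAMPER_EVENTS:                       # admin turning logging off / scrubbing
            alerts.append(("high", user, TAMPER_EVENTS[eid]))
            continue
        if eid != 4663 or not ev["ObjectName"].startswith(SENSITIVE_PREFIXES):
            continue
        access = describe_access(int(ev["AccessMask"], 16))
        if user in BENIGN_ACCOUNTS and access == "read":
            continue                                   # expected: the backup job reading the files
        severity = "high" if ("write" in access or "delete" in access) else "medium"
        alerts.append((severity, user, f"{access} {ev['ObjectName']}"))
    return alerts


# Constructed sample records in the shape of the relevant 4663/1102 fields.
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectUserName": "svc_backup", "ObjectName": "D:\\Confidential\\payroll.xlsx", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "ObjectName": "D:\\Confidential\\contracts.docx", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "jdoe", "ObjectName": "D:\\Public\\readme.txt", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "admin1", "ObjectName": "D:\\Confidential\\payroll.xlsx", "AccessMask": "0x10000"},
    {"EventID": 1102, "SubjectUserName": "admin1"},
    {"EventID": 4663, "SubjectUserName": "svc_backup", "ObjectName": "D:\\Confidential\\payroll.xlsx", "AccessMask": "0x2"},
]

if __name__ == "__main__":
    for severity, account, detail in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {account}: {detail}")
```

Forwarding these records off the file server to a collector the admins cannot write to is what makes the 1102/4719 alerts meaningful; on the server itself an admin can clear them along with everything else.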
