Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!mailrus!csd4.csd.uwm.edu!uakari.primate.wisc.edu!ames!think!barmar
From: barmar@think.COM (Barry Margolin)
Newsgroups: comp.unix.questions
Subject: Re: A way to monitor your files
Keywords: UNIX
Message-ID: <29114@news.Think.COM>
Date: 9 Sep 89 19:16:32 GMT
References: <547@chem.ucsd.EDU> <1140@virtech.UUCP>
Sender: news@Think.COM
Distribution: usa
Organization: Thinking Machines Corporation, Cambridge MA, USA
Lines: 27

In article <1140@virtech.UUCP> cpcahil@virtech.UUCP (Conor P. Cahill) writes:
>This kind of access auditing is not available under vanilla UNIX. As time
>goes on you will see the additions of different security features which will
>provide the kind of information you want (although the only person that should
>be allowed to review a security audit log is the system administrator or some
>"trusted" program).

This may not be much help in the kind of situation that prompted this
response. The superuser would have control over the auditing facility,
and they are the ones that are the culprits.

A superuser who wants to cover his tracks can do a reasonably complete
job of it. If the system is C2 secure or better he wouldn't be able to
hide completely, but you'd have a hard time pinning the particular
infraction on him; for instance, he could turn access auditing off and
on around his access to the file, but the operation of disabling
auditing would have to be audited (and a C2 system is not permitted to
allow even the superuser to disable this audit), so all you would know
is that he did something he wanted to hide during this time.

In general, it's very hard to protect oneself against omnipotent
beings.

Barry Margolin
Thinking Machines Corp.

barmar@think.com
{uunet,harvard}!think!barmar
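
Added example, not part of the original post: a reviewer's check for the situation described above, where the audit trail still records each disabling and re-enabling of auditing, so the blind windows and who opened them can be listed even though their contents cannot. The record layout, the event names audit_off and audit_on, and the sample trail are constructed assumptions, not the format of any real audit facility.

```python
from datetime import datetime

# Constructed sample trail (not from the post): "ISO-time user event detail".
# audit_off / audit_on are assumed event names for toggling the audit facility.
SAMPLE_LOG = """\
1989-09-09T10:00:00 alice open /home/alice/notes
1989-09-09T10:05:00 root audit_off -
1989-09-09T10:09:30 root audit_on -
1989-09-09T10:20:00 bob open /home/bob/mail
1989-09-09T11:00:00 root audit_off -
"""

def audit_gaps(log_text, off="audit_off", on="audit_on"):
    """Return blind windows as (start, end, disabled_by, enabled_by) tuples.

    end/enabled_by are None if auditing was never switched back on;
    start/disabled_by are None if an audit_on has no matching audit_off,
    which suggests the earlier part of the trail is missing.
    """
    gaps, pending = [], None  # pending = (time, user) of an unmatched audit_off
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 3:
            continue  # blank or truncated record
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp
        user, event = parts[1], parts[2]
        if event == off and pending is None:
            pending = (when, user)
        elif event == on:
            start, by = pending if pending else (None, None)
            gaps.append((start, when, by, user))
            pending = None
    if pending:
        gaps.append((pending[0], None, pending[1], None))
    return gaps

def report(gaps):
    """Format each window as one line for a reviewer."""
    return [f"{s or 'unknown'} -> {e or 'still off'}: off by {a or 'unknown'}, on by {b or 'n/a'}"
            for s, e, a, b in gaps]

if __name__ == "__main__":
    print("\n".join(report(audit_gaps(SAMPLE_LOG))))
```

The output names the interval and the account that toggled auditing, which is all the trail can establish; what happened inside the window is not recoverable from it.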