>>>>> On 30 Oct 2002 11:18:04 -0500, Paul Timmins <paulat_private> said:

PT> Another option I've employed at one point is to direct security logs to
PT> /dev/lp0 and throw a dot matrix printer with a continuous feed of paper
PT> on the parallel port (I did this on Linux, I'm sure it works on other
PT> OSs).

PT> Once they get into the machine, there's no way they can delete the logs.
PT> I mean, they can move the paper back a line or two with the Epson
PT> control sequences and try to print over it, but combined with a remote
PT> logging server, you have evidence that is likely a lot easier to prove
PT> wasn't tampered with (IANAL).

PT> My $0.02.
PT> -Paul

We used to do that. Way back when, e.g. 1994, we hooked up a DecWriter III (LA-120) to log all system logs that hit our loghost, to paper. As the volume picked up, we started only logging the authentication stuff.

By 1996 or so, the volume was going through a box of fanfold or worse every shift.

I've often wanted to build a box that did the functional equivalent with a CD-burner, e.g. burn log records to CD (or DVD?) in real time.

--
Tom E. Perrine <tepat_private> | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/