Log signing "is too specific" -- I'm not aware of any regulation/court that requires that today.

But, at the same time -- you are collecting evidence TODAY, that will be used two years from today... and in that time the regulations will change. So, err on the side of caution, excessive log storage/retention, and comprehensive measures.

Same goes for collecting more (everything) than you think is necessary... when reconstructing events, it's useful to have not-obviously-consequential logs, as they may prove 1) other things happening simultaneously, 2) general state of health of network at the time of an event, 3) the full (reconstructed) path of an intrusion.

If you weren't worried about the usability/admissibility [in the future] of the logs in the first place, then why collect them to begin with?

TaO

Anton Chuvakin wrote:
>> Regarding log signing: is anyone aware of an actual regulatory or legal
>> requirement for log signing?
>>
>
> Isn't that a bit too specific for most current regulations? I
> personally haven't seen any direct regulatory mandate for log
> signing...
>
> _______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Thu Aug 31 2006 - 18:27:15 PDT