LogAnalysis
Re: [logs] SIM solution - Objectives ? Jun 01 2007 07:08PM
Ron Gula (rgula tenablesecurity com)
I agree it would be nice to get more granular alerts as to what
specifically changed, but from an audit point of view, it does serve as
a useful marker. I really believe that detecting change is much more
unique and useful than detecting activity.

I think it is useful to boil up all types of changes that occur on
systems, on the network, to user access, etc. to a high level. If things
break, you can go back and likely use these change events to find a root
cause. Also, if you have these "change" events in your system you may be
able to correlate them with successful attacks, compromise events.

I've blogged in the past about how we do this sort of thing with our
product line, but the concepts can be applied to many different systems:

http://blog.tenablesecurity.com/2007/03/detecting_chang.html
http://blog.tenablesecurity.com/2006/07/detecting_netwo.html

Ron Gula, CTO
Tenable Network Security

Justin Mitchell wrote:
> From the CLI on Checkpoint, check out the fwaudit.log (fw log fwaudit.log),
> for GUI see SmartView Tracker -> Audit. Data is also retrievable via OPSEC
> (Audit Session).
>
> On Friday 01 June 2007 08:55, Dave Ellingsberg wrote:
>> - Changes to rulebase - However this seems impossible. People like
>> Checkpoint only say a new policy has been installed - They do not make
>> a log entry what change was made in the rulebase before this install.
>>
>> I am yet to see any rulebase change logs in firewalls like Netscreen
>> and Cisco PIX which even capture that a rulebase has been installed or
>> what has been changed in the rulebase.
>>

_______________________________________________
LogAnalysis mailing list
LogAnalysis (at) loganalysis (dot) org [email concealed]
http://www.loganalysis.org/mailman/listinfo/loganalysis
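As an added illustration of the approach Ron describes (this is example code, not from the thread or from any product): device-specific log lines are boiled up to a few high-level change categories, ordinary activity is discarded, and the changes that preceded each compromise event within a time window are listed as root-cause candidates. The sample lines, message formats and patterns are constructed for this example and do not reproduce real Check Point, Netscreen or PIX output.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
# Constructed sample lines (illustrative formats, not real Check Point/Netscreen/PIX output).
SAMPLE_LOGS = [
    "2007-06-01T08:55:00 fw1 fwaudit: Policy Installed by admin on Standard",
    "2007-06-01T09:10:12 host7 useradd: new user: name=svc_backup, UID=1042",
    "2007-06-01T09:12:40 sw3 ifmgr: port Gi0/7 administratively up",
    "2007-06-01T09:30:05 host7 hids: successful compromise detected (rootkit)",
    "2007-06-01T09:31:00 fw1 kernel: accept tcp 10.0.0.5:33000 -> 10.0.0.7:22",
    "2007-06-02T14:00:00 host7 useradd: new user: name=dev2, UID=1043",
]
# Device-specific messages boiled up to a few high-level change categories.
CHANGE_PATTERNS = [
    (re.compile(r"Policy Installed"), "rulebase"),
    (re.compile(r"useradd: new user"), "user_access"),
    (re.compile(r"administratively (up|down)"), "network"),
]
COMPROMISE_RE = re.compile(r"successful compromise", re.I)
LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")  # timestamp host message

def parse(line):
    ts, host, msg = LINE_RE.match(line).groups()
    return datetime.fromisoformat(ts), host, msg

def normalize(lines):
    """Keep change and compromise events; ordinary activity (the accept line) is dropped."""
    changes, incidents = [], []
    for line in lines:
        ts, host, msg = parse(line)
        category = next((c for pat, c in CHANGE_PATTERNS if pat.search(msg)), None)
        if category:
            changes.append((ts, host, category, msg))
        elif COMPROMISE_RE.search(msg):
            incidents.append((ts, host))
    return changes, incidents

def summarize(changes):
    """Count change events per category: the high-level audit-marker view."""
    return Counter(category for _, _, category, _ in changes)

def correlate(changes, incidents, window=timedelta(hours=1)):
    """Per compromise, list the changes in the preceding window, oldest first."""
    return [(ts, host, sorted(c for c in changes if ts - window <= c[0] <= ts))
            for ts, host in incidents]

if __name__ == "__main__":
    chg, inc = normalize(SAMPLE_LOGS)
    print(summarize(chg), *correlate(chg, inc), sep="\n")
```

With the constructed input, the compromise on host7 at 09:30:05 is preceded within the hour by one rulebase install, one user addition and one port change, while the next day's user addition falls outside the window.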

Copyright 2010, SecurityFocus