SOX issue ... logging heightened access account activity 2

[bl1wilson]

Greetings,

I am consulting with a client and their external account firm has challenged them to log and monitor heightened access accounts (administrator and a select number of critical generic accounts) (for this discussion just UNIX)high risk activity.

First we must identify "high risk" functions. Then we must identify a managable method of tracking thes activities for the identified heightened access accounts.

Any background experiences, thoughts, feedback, comments (keep'm clean .

Thank you in advance.

Britt

 

[eyec]

you may want to check out either the Gartner Group, Guardium, or other company intimate with SOX compliance.

this is not an easy task due to the complexity of your request.

good luck

 

[reactornet]

It depends on your flavour of Unix... there's a lot of built in tools for Solaris for example (eg BART). Also shells themselves can often be configured to log actions and some do it by default.. for example bash's history files... The problem is that someone with sufficiently high privileges can always modify these logs of course, so its better if you have some way of ensuring that doesnt happen, or something that will tell you if it has happened.

If your flavour is Linux, look into something like auditd or process accounting.



Isaac Orr

http://www.reactornetworks.com/