The Hack FAQ

6.0 Logging Basics

This section contains information regarding logging basics.

6.1 Why do I care about auditing, accounting, and logging?

Auditing, accounting, logging -- call it what you will, these are things used to create permanent or semi-permanent records of events on a system. Unfortunately, these can record your intrusion activities, sometimes in explicit and evidence-worthy detail. Therefore, potential intruders should not only be aware of what record keeping is available (either as a regular feature of the system or as add-ons) and have possible methods for defeating such recordings.

Some types of logging include simple text files with entries showing logins and logouts, maybe failed logins. Others show what programs were accessed, which programs were attempted to be run and the request failed, or keep track of an individual's disk usage. All can reveal info that can allow an administrator to reconstruct an attack.

6.2 What are some different logging techniques used by Admins?

Admins generally prefer to use simple logging techniques so as not to pile onto their current workload. Logs take up space. Large log files are sometimes very difficult to sift through as sys admins are looking for problems. These logs are usually stored in directories generally protected from casual viewing, or at least editing.

6.3 Why should I not just delete the log files?

Typically log files do not disappear. This might lead a curious sys admin to poke around looking for problems, and the paranoid sys admin to look for intruders. The logs should be edited if possible, or the entries made into them made to look as normal as possible.

Top | Next: Miscellaneous Basics | Previous: Denial of Service Basics | Table of Contents