I've seen too many incidents of someone having a password they shouldn't have. Thus I want to log the station from where the command came as well as who was logged in at the time. What is the best way to log the machine identity? I was thinking the MAC address except there can be multiple such addresses on a machine. IP won't work because of DHCP.

What should I be recording to ensure the machine can be identified in the future?

A: 

Your problem is that MAC addresses can be spoofed.

If you use 802.1X authentication, this is no longer a problem. Provided that either you are using dot-1X or you don't care about MAC spoofing, then you need to record four things:

  • The IP address of the access
  • The time of the access
  • Your DHCP logs listing which IP address was assigned to which MAC address when
  • Who was logged in to which computer when

With these four pieces of information, and a list mapping MACs to computers, you can figure out which user was logged in to the perpetrating machine.

Note: to avoid IP spoofing, you must also use DHCP snooping and IP Source Guard to prevent users from giving themselves static IP addresses.

Second NB: this is operating under the assumption that all equipment connected to the network is company equipment. If this is not true, I suggest reading and logging the IP-to-port mappings from your switches, and recording them. That way you can tell where a computer was physically located.

Borealid
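The four-way correlation the answer describes (access IP and time, DHCP lease log, login records, MAC-to-machine inventory), as an added worked example that is not code from the answerer or the original thread. Everything in it is constructed: the DHCP lines mimic ISC dhcpd syslog output with timestamps prepended, the lease length is an assumed default-lease-time, and the inventory and logon records are made up. It also handles the two edge cases that bite in practice: an IP that was released and re-issued to another MAC, and an IP with no lease at all (a self-assigned static address, which is what the DHCP snooping / IP Source Guard note is about).

```python
"""Correlate an access event (IP + time) back to a user via DHCP leases,
a MAC-to-host inventory and interactive logon records.

Added example, not from the original post. All data below is constructed.
"""
import re
from datetime import datetime, timedelta

LEASE_SECONDS = 3600  # assumed default-lease-time of the DHCP server

# Constructed ISC-dhcpd-style log lines (timestamp prepended for simplicity).
DHCP_LOG = """\
2024-03-04 08:55:10 DHCPACK on 10.0.5.23 to 00:11:22:33:44:55 via eth0
2024-03-04 09:30:00 DHCPRELEASE of 10.0.5.23 from 00:11:22:33:44:55 via eth0 (found)
2024-03-04 09:40:02 DHCPACK on 10.0.5.23 to aa:bb:cc:dd:ee:ff via eth0
2024-03-04 09:41:00 DHCPACK on 10.0.5.77 to de:ad:be:ef:00:01 via eth0
"""

# Constructed inventory: which MAC belongs to which company machine.
INVENTORY = {
    "00:11:22:33:44:55": "WS-ACCT-01",
    "aa:bb:cc:dd:ee:ff": "WS-ACCT-02",
}

# Constructed interactive-logon records: (host, user, logon, logoff or None).
LOGINS = [
    ("WS-ACCT-01", "alice", "2024-03-04 08:50:00", "2024-03-04 09:29:00"),
    ("WS-ACCT-02", "bob",   "2024-03-04 09:35:00", None),
]

_ACK = re.compile(r"^(\S+ \S+) DHCPACK on (\S+) to ([0-9a-f:]{17})", re.I)
_REL = re.compile(r"^(\S+ \S+) DHCPRELEASE of (\S+) from ([0-9a-f:]{17})", re.I)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_leases(log):
    """Turn DHCPACK/DHCPRELEASE lines into {ip, mac, start, end} intervals."""
    leases = []
    for line in log.splitlines():
        m = _ACK.match(line)
        if m:
            t, ip, mac = _ts(m.group(1)), m.group(2), m.group(3).lower()
            # A new ACK of the same IP to a different MAC ends the old lease.
            for lease in leases:
                if lease["ip"] == ip and lease["mac"] != mac and lease["end"] > t:
                    lease["end"] = t
            leases.append({"ip": ip, "mac": mac, "start": t,
                           "end": t + timedelta(seconds=LEASE_SECONDS)})
            continue
        m = _REL.match(line)
        if m:
            t, ip, mac = _ts(m.group(1)), m.group(2), m.group(3).lower()
            for lease in leases:
                if (lease["ip"] == ip and lease["mac"] == mac
                        and lease["start"] <= t < lease["end"]):
                    lease["end"] = t  # released early: lease ends now
    return leases


def mac_for(ip, when, leases):
    """MAC holding `ip` at `when`, or None when no lease covers that moment
    (a self-assigned static IP, which IP Source Guard would have blocked)."""
    hits = [l for l in leases if l["ip"] == ip and l["start"] <= when < l["end"]]
    if not hits:
        return None
    return max(hits, key=lambda l: l["start"])["mac"]


def user_on(host, when, logins=LOGINS):
    """User with an interactive session on `host` at `when`, or None."""
    for h, user, on, off in logins:
        if h == host and _ts(on) <= when and (off is None or when < _ts(off)):
            return user
    return None


def attribute(ip, when_str, log=DHCP_LOG, inventory=INVENTORY, logins=LOGINS):
    """Full chain: IP + time -> MAC -> machine -> logged-in user.
    Any link that cannot be resolved is reported as None rather than guessed."""
    when = _ts(when_str)
    mac = mac_for(ip, when, parse_leases(log))
    host = inventory.get(mac) if mac else None
    user = user_on(host, when, logins) if host else None
    return {"ip": ip, "time": when_str, "mac": mac, "host": host, "user": user}


if __name__ == "__main__":
    for ts in ("2024-03-04 09:00:00", "2024-03-04 09:35:00", "2024-03-04 09:45:00"):
        print(attribute("10.0.5.23", ts))
```

The same IP resolves to alice at 09:00 and to bob at 09:45, while at 09:35 (after the release and before the re-issue) it resolves to nothing, which is exactly the case where you must not trust the IP alone. Clock skew between the DHCP server, the application server and the logon source will shift these boundaries, so keep all three on NTP and log in UTC.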
Note that a MAC address only helps if the user's machine is on the same network segment as the server.
Jeff
@Jeff: False. MAC addresses are global identifiers and are (initially) assigned by the factory manufacturing a NIC. The user *will* expose (some) MAC address to the DHCP server, which is where it is logged. As I said, without dot-1X, MAC address spoofing is an issue, but with it the MAC address **will** identify a machine or user (depending on which credentials were used) uniquely for a given time range.
Borealid
The problem is that this requires reading info from the DHCP system, something I do not want to do, nor is it even available--it's possible to be running on a partial dataset on an unconnected system which will then later sync back changes. I'm not particularly worried about hackers, the main concern is employees trying to game the system.
Loren Pechtel
@Loren Pechtel: If you do not have the DHCP logs, the most you can know about someone is which switch port they were on, because IP address tells you nothing reliable. Use SNMP to read the switch forwarding table.
Borealid
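The last comment's suggestion, reading the switch forwarding table over SNMP to get from a MAC to a physical port, as an added example that is not code from anyone in the thread. The walk output below is constructed to look like numeric `snmpwalk -On` output from one switch for three standard tables: BRIDGE-MIB dot1dTpFdbPort (MAC, encoded as six decimal octets in the OID, to bridge port), dot1dBasePortIfIndex (bridge port to ifIndex) and IF-MIB ifName (ifIndex to interface name). The OIDs are the standard ones; the port numbers, ifIndexes and MACs are made up.

```python
"""Resolve a MAC address to a switch interface name from SNMP walk output.

Added example, not from the original thread. SNMP_WALK is constructed.
"""
import re

# Constructed `snmpwalk -On` output (dot1dTpFdbPort, dot1dBasePortIfIndex, ifName).
SNMP_WALK = """\
.1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 12
.1.3.6.1.2.1.17.4.3.1.2.170.187.204.221.238.255 = INTEGER: 12
.1.3.6.1.2.1.17.4.3.1.2.222.173.190.239.0.1 = INTEGER: 24
.1.3.6.1.2.1.17.1.4.1.2.12 = INTEGER: 10112
.1.3.6.1.2.1.17.1.4.1.2.24 = INTEGER: 10124
.1.3.6.1.2.1.31.1.1.1.1.10112 = STRING: Gi1/0/12
.1.3.6.1.2.1.31.1.1.1.1.10124 = STRING: Gi1/0/24
"""

FDB_PORT = ".1.3.6.1.2.1.17.4.3.1.2."          # dot1dTpFdbPort.<mac octets>
BASE_PORT_IFINDEX = ".1.3.6.1.2.1.17.1.4.1.2."  # dot1dBasePortIfIndex.<bridge port>
IF_NAME = ".1.3.6.1.2.1.31.1.1.1.1."            # ifName.<ifIndex>

_LINE = re.compile(r"^(\S+) = (?:INTEGER|STRING): (.+)$")


def parse_walk(text):
    """Return {oid: value} for lines of numeric snmpwalk output."""
    out = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def forwarding_table(walk):
    """Return {mac: interface name} by chaining the three tables.
    Falls back to 'bridge-port-N' when the ifIndex/ifName lookup fails."""
    table = {}
    for oid, val in walk.items():
        if not oid.startswith(FDB_PORT):
            continue
        octets = oid[len(FDB_PORT):].split(".")
        if len(octets) != 6:
            continue
        mac = ":".join(f"{int(o):02x}" for o in octets)
        bridge_port = val
        ifindex = walk.get(BASE_PORT_IFINDEX + bridge_port)
        name = walk.get(IF_NAME + ifindex) if ifindex else None
        table[mac] = name or f"bridge-port-{bridge_port}"
    return table


def port_for(mac, walk_text=SNMP_WALK):
    """Interface name currently learning `mac`, or None if not in the table."""
    return forwarding_table(parse_walk(walk_text)).get(mac.lower())


def shared_ports(walk):
    """Ports with more than one learned MAC: a hub, an unmanaged switch or a
    VM host sits behind them, so the port alone does not identify one machine."""
    by_port = {}
    for mac, port in forwarding_table(walk).items():
        by_port.setdefault(port, []).append(mac)
    return {p: sorted(macs) for p, macs in by_port.items() if len(macs) > 1}


if __name__ == "__main__":
    print(port_for("00:11:22:33:44:55"))
    print(shared_ports(parse_walk(SNMP_WALK)))
```

Two things to keep in mind when doing this for real: forwarding-table entries age out (commonly after a few minutes of silence), so the walk has to be taken periodically and stored with a timestamp rather than fetched after the fact; and many switches expose the table per VLAN (community@vlan indexing on Cisco IOS, for example), so one walk may not show every MAC. A port that learns several MACs, as Gi1/0/12 does above, tells you where the cable goes but not which of the devices behind it was used.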