10/13 Meeting: Linux System Audits

Date: October 13th, 2011
Time: 7pm
Place: EE1 Building (Electrical Engineering)
Room 403
University of Washington Campus
Directions: http://www.ee.washington.edu/about/contact.html
Subject: Linux System Audits
Presenter: Gary Smith

One of a Linux system manager’s worst nightmares is when the auditors come in and start asking questions. One of the questions they’re bound to ask in these compliance-ridden days is “Do you track root-level activity?” How do you track root’s activity? Sudo and process accounting aren’t enough for the purposes of compliance, change management, auditing, and incident response. As Larry Wall, the inventor of Perl, said, “There’s more than one way to do it.” We’ll explore several open source ways to track root’s activity and get the auditors off our backs (at least in this instance).

Gary Smith is a Cyber Security Analyst with the Pacific Northwest National Laboratory. Gary started out his professional career as a chemist/materials engineer. His start down the path to the Dark Side of Computing began when he wrote a program to design an optimal extruder screw rather than face thousands of calculations with a slide rule (yes, a slide rule). Since then, he’s done a lot of different things in computing: microprocessor cross assemblers and simulators, disk device drivers, communication device drivers, TCP/IP hacking and multi-threaded printer spoolers. Always a glutton for punishment, he wrote his own sendmail.cf from scratch. Around 1993, Gary started doing computer security when the semiconductor company he was working for was forced to get on the Internet to send/receive Integrated Circuit designs faster and a firewall/Internet gateway was needed. Since then, Gary’s been involved in firewalls, intrusion detection and analysis, vulnerability assessments, system and application hardening, and anti-spam filters. Gary really does computer security to support his bicycling habit. He has more bikes than most other people have computers. And they’re a lot more expensive. Gary says, “Bikes are like computers: both can crash, sometimes with disastrous results to the user.”

His presentation is Got Root Presentation

----------

As always, there will be dinner sponsored by Silicon Mechanics. Check them out at http://www.siliconmechanics.com/

There will also be several CACert assurers present.

The meeting will be at the Electrical Engineering building on the
University of Washington Campus, aka EE1. Directions are linked to the
EE Department’s web site above. Parking is $5 after 5pm.