On Mon, 2 Feb 2004, Greg Freemyer wrote:
> "Rob created a flat file export of the Customer Database on Dec 15, 03.
> He accessed this flat file at 2pm, Feb 2, 04. This is 2 hours after he
> was notified that he was being fired, so it is possible that he was
> making an improper copy to use outside the company."
I do know of one such use of atime by a friend of mine while tracking an
errant user. The problem (as I see it) is that a knowledgeable user who
owns the file or has root access (all too common on many boxes) will use
/bin/touch to hide their tracks so I've long believed the usefulness of
atime in this way was limited. Maybe I'm over-estimating errant users ;)
> I guess what I'm saying is, if you are maintaining valuable info on a
> computer and the possibility of having to litigate about its use exists,
> then having access times available to a computer forensic examiner is a
> good idea.
Fair point.
This reminds me of discussions relating to system optimization (e.g., use of
hdparm). If I really care about a system being rock solid and am not so
worried about performance, I'm going to be much more conservative with
hdparm optimizations. I suppose this could be said to be similar - being
more conservative with a performance optimization (noatime) because I'd
like the extra auditability.
Cheers,
Rob
--
Robert Brockway B.Sc. email: robert@xxxxxxxxxxxxxxxxx, zzbrock@xxxxxxxxxxxxx
Linux counter project ID #16440 (http://counter.li.org)
"The earth is but one country and mankind its citizens" -Baha'u'llah
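The atime trade-off discussed above (noatime for performance versus atime for auditability, and the worry that a user with write access can rewrite a file's visible timestamps) can be checked from a defender's side. The following is an added example and is not code from the original thread or from either poster. It assumes a Linux-style /proc/mounts format and POSIX stat timestamps; the mount table inside it is constructed sample data, and the timestamp heuristic relies on one kernel guarantee: a caller of utimes() (which is what /bin/touch uses) can choose atime and mtime, but ctime is always stamped with the current clock.

```python
"""
Added example (not from the original mailing-list thread).
Shows (1) which atime policy a mount is using, so an examiner knows
whether access times on it mean anything, and (2) a heuristic that
flags a file whose atime/mtime were set explicitly via utimes()
rather than produced by ordinary reads and writes.
"""
import os
import tempfile
import time

# Constructed sample in /proc/mounts format; not taken from any real host.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /data ext4 rw,noatime 0 0
/dev/sdc1 /audit ext4 rw,strictatime 0 0
"""


def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # Field layout: device mountpoint fstype options dump pass
        table[fields[1]] = set(fields[3].split(","))
    return table


def read_proc_mounts(path="/proc/mounts"):
    """Live mount table on a Linux host; falls back to the sample elsewhere."""
    if os.path.exists(path):
        with open(path) as fh:
            return parse_mounts(fh.read())
    return parse_mounts(SAMPLE_MOUNTS)


def atime_policy(mountpoint, mounts):
    """Name the effective atime policy for a mountpoint."""
    opts = mounts.get(mountpoint, set())
    for name in ("noatime", "strictatime", "relatime"):
        if name in opts:
            return name
    return "unknown"


def mountpoint_for(path, mounts):
    """Longest mountpoint that is a prefix of path (None if no match)."""
    path = os.path.abspath(path)
    best = None
    for mp in mounts:
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def timestamps_set_explicitly(path, slack_seconds=2.0):
    """
    Heuristic for a utimes()/touch-style timestamp change.
    utimes() sets atime and mtime to caller-chosen values (identical when
    touch is run without -a/-m), but the kernel stamps ctime with the
    current clock.  atime == mtime exactly while ctime is noticeably later
    is therefore a strong sign the visible times were chosen, not earned.
    """
    st = os.stat(path)
    same_visible = st.st_atime_ns == st.st_mtime_ns
    ctime_later = (st.st_ctime - st.st_atime) > slack_seconds
    return same_visible and ctime_later


def read_advances_atime(path):
    """Does a plain read move atime on this file's mount? (policy-dependent)"""
    before = os.stat(path).st_atime_ns
    with open(path, "rb") as fh:
        fh.read()
    return os.stat(path).st_atime_ns > before


def demo():
    """Create a fresh file, then backdate it the way touch would, and compare."""
    mounts = parse_mounts(SAMPLE_MOUNTS)
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "export.csv")
        with open(path, "w") as fh:
            fh.write("customer,balance\n")   # constructed content
        fresh = timestamps_set_explicitly(path)
        past_ns = int((time.time() - 86400) * 1e9)
        os.utime(path, ns=(past_ns, past_ns))  # equivalent of touch -d yesterday
        touched = timestamps_set_explicitly(path)
    return {"data_policy": atime_policy("/data", mounts),
            "fresh": fresh, "touched": touched}


if __name__ == "__main__":
    print(demo())
```

On a live host, `atime_policy(mountpoint_for(p, read_proc_mounts()), read_proc_mounts())` tells you up front whether an atime on that file is evidence of anything; `timestamps_set_explicitly` is only a heuristic (a `cp -p` or an archive restore also trips it), so treat a hit as a reason to look at ctime and other sources, not as proof on its own.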