Say I have a server set up for processing sensitive data. The few authorised users of the system are instructed not to copy any of the sensitive data out of the platform, but could in principle do so using `scp` etc. This is similar to my car being able to drive about 200km/h although I am not allowed to do so anywhere around where I live.

Now can I somehow detect and log (preferably via `auditd`, but could be other tools) if a user somehow copies data out of the system?

I suppose I could explicitly monitor the use of commands such as `scp`, `rsync`, `ftp`, `sftp` etc., but then again there may be other tools I am not monitoring, users' own programs, malicious users' renamed copies of common copying tools etc.

I imagine some things might be more reliably detected at the network level, but still: would a sufficiently determined malicious user not be able to for example sneak data out through an encrypted network connection where I cannot monitor what is being transferred?
Asked by Thomas Arildsen
- This may be a better question for [security](https://security.stackexchange.com/), although as it stands the question is a bit broad and can only receive broad answers anyway. – anx Oct 07 '20 at 15:05
- Your answer is **not *all* attempts**. A sufficiently skilled & determined user can & will find ways to have his actions not logged, not recognized in logs or removed from logs. Your protection will at best be *good enough for your threat model*. – anx Oct 07 '20 at 15:10
- Can you recommend any examples of measures for particular threat models? My primary concern here is detection of unintentional violation of policy by legitimate users or intentional violation by possibly malicious, legitimate users. Securing the system against intruders is assumed taken care of by other means. – Thomas Arildsen Oct 07 '20 at 15:12
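As an added illustration of the `auditd` approach the question asks about (this is example code written for this page, not something posted by the asker or the commenters), the script below has two parts. `audit_rules` emits a small rule set: watches that log execution of the common transfer tools, a syscall rule that logs every outbound `connect()` made from a real login session regardless of which binary makes it (so a renamed or home-grown copy tool still leaves a record, which the path-based watches alone would miss), and a read watch on the sensitive data tree. `flag_users` then scans raw `audit.log` records and reports users who either ran a transfer tool or read the sensitive directory and then made an outbound connection. The tool paths, the `/srv/sensitive` location, the `auid >= 1000` threshold and the sample log records are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the question or its comments). Two pieces:
#  1. audit_rules: auditd rules that log execution of the usual copy tools,
#     every outbound connect() made by a logged-in user (so a renamed or
#     home-grown copy tool is still recorded), and reads of the sensitive
#     data directory. Paths and the uid threshold below are assumptions.
#  2. flag_users: a scan over raw audit.log records that reports users who
#     ran a transfer tool, or who read the sensitive directory and also
#     made an outbound connection. Only the last piece of evidence is kept
#     per user; a real review would pull the full records with ausearch -k.

audit_rules() {
  cat <<'EOF'
## Execution of well-known transfer tools (assumed paths; catches the easy case)
-w /usr/bin/scp -p x -k exfil_tool
-w /usr/bin/rsync -p x -k exfil_tool
-w /usr/bin/sftp -p x -k exfil_tool
## Every outbound connect() from a real login session (auid set, uid >= 1000),
## whatever binary makes it. Noisy on a busy host, hence the auid filter.
-a always,exit -F arch=b64 -S connect -F auid>=1000 -F auid!=4294967295 -k exfil_net
## Reads of the sensitive data tree (assumed location), to correlate with connects
-w /srv/sensitive -p r -k exfil_read
EOF
}

# Constructed sample records in audit.log format (not real log data):
# uid 1001 runs scp, uid 1002 reads the sensitive tree with a home-grown
# tool and then connects out, uid 1003 only opens an ssh connection.
sample_log() {
  cat <<'EOF'
type=SYSCALL msg=audit(1602083100.101:501): arch=c000003e syscall=42 success=yes exit=0 ppid=2001 pid=2002 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="curl" exe="/usr/bin/curl" key="exfil_net"
type=SYSCALL msg=audit(1602083105.202:502): arch=c000003e syscall=59 success=yes exit=0 ppid=2001 pid=2003 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts0 ses=7 comm="scp" exe="/usr/bin/scp" key="exfil_tool"
type=SYSCALL msg=audit(1602083110.303:503): arch=c000003e syscall=0 success=yes exit=4096 ppid=3001 pid=3002 auid=1002 uid=1002 gid=1002 euid=1002 tty=pts1 ses=8 comm="mycopy" exe="/home/bob/mycopy" key="exfil_read"
type=SYSCALL msg=audit(1602083111.404:504): arch=c000003e syscall=42 success=yes exit=0 ppid=3001 pid=3002 auid=1002 uid=1002 gid=1002 euid=1002 tty=pts1 ses=8 comm="mycopy" exe="/home/bob/mycopy" key="exfil_net"
type=SYSCALL msg=audit(1602083120.505:505): arch=c000003e syscall=42 success=yes exit=0 ppid=4001 pid=4002 auid=1003 uid=1003 gid=1003 euid=1003 tty=pts2 ses=9 comm="ssh" exe="/usr/bin/ssh" key="exfil_net"
EOF
}

# flag_users FILE: print "auid reason exe" for each user worth a closer look.
# auid (the login uid) is used rather than uid so that su/sudo does not hide
# who the session really belongs to.
flag_users() {
  awk '
    { auid = ""; key = ""; exe = "" }
    match($0, /auid=[0-9]+/) { auid = substr($0, RSTART + 5, RLENGTH - 5) }
    match($0, /key="[^"]+"/) { key  = substr($0, RSTART + 5, RLENGTH - 6) }
    match($0, /exe="[^"]+"/) { exe  = substr($0, RSTART + 5, RLENGTH - 6) }
    auid == "" { next }
    key == "exfil_tool" { tool[auid] = exe }
    key == "exfil_net"  { net[auid]  = exe }
    key == "exfil_read" { readsens[auid] = 1 }
    END {
      # A transfer tool was executed: report it outright.
      for (u in tool) print u " tool " tool[u]
      # No known tool, but sensitive data was read and a connection went out.
      for (u in net) if (!(u in tool) && (u in readsens)) print u " read+connect " net[u]
    }
  ' "$1"
}
```

To use it on a real host, write `audit_rules` into a file under `/etc/audit/rules.d/` and reload with `augenrules --load` (or feed it to `auditctl -R`), then run `flag_users /var/log/audit/audit.log` periodically. The `connect()` rule is what addresses the "renamed copy of scp" worry in the question: it keys on the syscall, not the binary's name. It does not address the last paragraph's worry about encrypted channels, since auditd sees that a connection was made and which files were read, not what went over the wire; that correlation is the signal to follow up on, not proof of exfiltration.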