Slide 16 of 21
Notes:
Some of the system logs on the hacked systems appeared to have been erased or otherwise interfered with after the hacker got in. This could be embarrassing. We are seriously considering having a very secure machine whose only job is to act as a night safe to which any of our systems could make syslog requests to create entries that a hacker could not subsequently interfere with.
Such a host would run a syslog daemon but would otherwise offer almost no network services. Even terminal logons can be limited to the machine's own console and to a small subset of administrators.
Such a host would not need to be a powerful machine (even if the hacker managed to identify it and deluge it with network traffic, it would presumably have already logged enough information to be useful).
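As an added example (not from the slides), a minimal Python model of the night-safe loghost: syslog datagrams arrive over loopback UDP, are parsed, and are appended to a journal. It goes one step beyond the notes by hash-chaining the entries so that a later edit or deletion of any entry is detectable; hostnames, addresses and messages are constructed.

```python
import hashlib
import re
import socket
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_syslog(datagram: bytes) -> dict:
    """Split a BSD syslog datagram "<PRI>Mmm dd hh:mm:ss host msg" into its parts."""
    m = PRI_RE.match(datagram.decode("ascii", errors="replace"))
    if not m or int(m.group(1)) > 191:
        raise ValueError("not a syslog datagram")
    pri = int(m.group(1))
    return {"facility": pri >> 3, "severity": pri & 7, "text": m.group(2)}

class NightSafe:
    """Append-only journal: each entry stores SHA-256(previous hash + text)."""
    def __init__(self):
        self.entries, self.head = [], "0" * 64   # (text, chain_hash) pairs; genesis hash

    def append(self, text: str) -> None:
        self.head = hashlib.sha256((self.head + text).encode()).hexdigest()
        self.entries.append((text, self.head))

def verify_chain(entries) -> bool:
    """Recompute the chain from genesis; an edited, removed or reordered entry breaks it."""
    head = "0" * 64
    for text, stored in entries:
        head = hashlib.sha256((head + text).encode()).hexdigest()
        if head != stored:
            return False
    return True

def run_loghost(datagrams) -> NightSafe:
    """Send datagrams over loopback UDP, as a forwarding syslogd would, and journal them."""
    safe = NightSafe()
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))      # port 0 = any free port; a real loghost listens on 514
    srv.settimeout(2)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for d in datagrams:
        cli.sendto(d, srv.getsockname())
        rec = parse_syslog(srv.recv(2048))
        safe.append("%d.%d %s" % (rec["facility"], rec["severity"], rec["text"]))
    cli.close(); srv.close()
    return safe

SAMPLE = [  # constructed sample traffic; hostnames and addresses are made up
    b"<38>Mar  3 02:14:07 hostA login: FAILED LOGIN 3 FROM 10.0.0.9 FOR root",
    b"<38>Mar  3 02:14:09 hostA login: ROOT LOGIN ON tty1",
    b"<46>Mar  3 02:15:00 hostB syslogd: restart",
]
```

On a real night safe the journal would be written to disk with the chain head kept off-host, so an intruder who reaches the loghost still cannot rewrite history unnoticed.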
This host could perhaps also be a secure home for the Tripwire databases; it could make them available via read-only mountable filesystems or via a carefully configured TFTP service(?)