System Administration Guide
Chapter 5, Maintaining system security

Detecting system tampering

No system can be considered completely secure. System penetration can be invited by something as simple as someone using an obvious password or leaving their terminal logged in overnight. The system is designed to identify and authenticate users properly. In addition, access to security-related data on the system is based on subsystem authorizations. If users have the proper authorization, then they can use system programs to modify the security databases (for example, the audit administrator can change the audit configuration, and the accounts administrator can change passwords).

The system prevents unauthorized users from making such changes, but identification and authentication together form a critical step in this protection. These mechanisms are circumvented when users gain access to accounts having greater authorization than their own. After setting up your system to minimize the possibility of tampering, the remaining task is to discover whether any tampering has taken place. Tampering can result from: