Detecting system tampering
No system can be considered completely secure.
System penetration can be invited by something as
simple as someone using an obvious password or leaving their
terminal logged in overnight.
The system is designed to identify and authenticate
users properly. In addition, access to security-related data on the system
is based on subsystem authorizations. If users
have the proper authorization, then they can use
system programs to modify the security databases (for example,
the audit administrator can change the audit configuration, and
the accounts administrator can change passwords).
The system prevents unauthorized users from making such changes, but identification and authentication is a critical step in this protection. These mechanisms are circumvented when users gain access to accounts having greater authorization than their own.
After setting up your system to minimize the possibility of tampering, the remaining task is to discover whether any tampering has taken place. Tampering can result from: