Host data

• Host-based audit trails
  • application and system logs, file attributes, syscall/process monitoring, kernel audit facilities

• Example systems
  • tripwire/synctree, swatch/logsurfer/Axent ITA, Solaris BSM post-processing IDSs

• Problems
  • can't trust audit trail from a compromised host - but cryptography can help [SK98]
  • performance impact of active monitoring on target systems
  • practical enterprise deployment?