Nowadays, all major audit tools use a proxy to audit system administrators' actions.
The sysadmin logs on to a target server via a proxy server, which acts as a security bastion: it manages access, manages privileges, and logs all of the sysadmin's actions.
This principle seems to work great, but think about these points:
- There is probably a sysadmin managing the bastion. This guy can erase the logs and all footprints.
- What about insider threats? A sysadmin could modify the bastion to log in to a sensitive server, hack the server, then restore the configuration and erase his traces.
- What happens when he goes around the bastion? He can hack into the server, then restore the configuration and erase his tracks. He becomes completely invisible!
Blockaudit adds a new step in security to your system.
Blockaudit does not replace proxies and bastions, but hardens these machines and all sensitive servers.
Now, with the Blockaudit solution:
The Blockaudit agent is deployed on every sensitive server.
The blockchain is deployed on every sysadmin laptop/desktop plus some dedicated servers.
The agent reacts to events that have been configured in advance, such as access to a specific file or the execution of specific commands. When a sysadmin or a hacker touches this file or runs this command, the Linux kernel sends an event to the agent, which stores it in the blockchain.
Once in the blockchain, no one can hide or remove his footprints.
The blockchain is distributed among several sysadmins, making the footprints impossible for a single sysadmin to erase or modify!
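
The property claimed above can be seen in a simplified hash-chained log replicated on several machines. This is an added illustration, not Blockaudit's code; the event fields, replica names and the majority-head comparison are assumptions made for the example. It shows that an in-place edit breaks the chain locally, while a fully recomputed chain is still exposed by disagreeing with the other copies.

```python
import hashlib, json
from collections import Counter

GENESIS = "0" * 64  # constructed start value for an empty chain

def block_hash(prev, event):
    data = json.dumps({"prev": prev, "event": event}, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()

def append(chain, event):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "event": dict(event), "hash": block_hash(prev, event)})

def verify(chain):
    """Index of the first block whose link or hash is inconsistent, else None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["event"]):
            return i
        prev = block["hash"]
    return None

def rewrite_without(chain, index):
    """Model one admin dropping an event and recomputing every later hash."""
    forged = []
    for block in chain[:index] + chain[index + 1:]:
        append(forged, block["event"])
    return forged

def divergent(replicas):
    """Replicas that fail verification or whose head differs from the majority."""
    heads = {n: (c[-1]["hash"] if c else GENESIS) for n, c in replicas.items()}
    majority = Counter(heads.values()).most_common(1)[0][0]
    return sorted(n for n, c in replicas.items()
                  if verify(c) is not None or heads[n] != majority)

# Constructed sample events with hypothetical field names.
EVENTS = [
    {"host": "db01", "user": "alice", "action": "exec", "target": "/usr/bin/sudo"},
    {"host": "db01", "user": "bob", "action": "read", "target": "/etc/shadow"},
    {"host": "db01", "user": "alice", "action": "exec", "target": "/usr/bin/passwd"},
]

def build_replicas():
    replicas = {"laptop-alice": [], "laptop-bob": [], "audit-srv": []}
    for event in EVENTS:
        for chain in replicas.values():
            append(chain, event)
    return replicas
```

A replica rebuilt with `rewrite_without` passes `verify` on its own, which is why the comparison across copies in `divergent` is the check that matters.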