<div dir="ltr"><div>Hi Andrew</div><div><br></div><div>(Obligatory disclaimer: I am neither a lawyer, nor a security professional. The following stems from my experience in general and cannot constitute advice.)<br></div><div><br></div><div><br></div><div>On the face of it, yes, if it is an independent professional auditor, they will need full access to the system, or for him to provide proof that everything he is doing meets their requirements. Generally, only full access can provide such proof.<br></div><div><br></div><div>Log files only provide minimal insight into what a system has done in the past ; it does not show how the system is configured, and what practices are in place, and whilst your friend's contact may in good faith believe he has a secure system and only his own processes are running on his computers, it is the auditor's responsibility to investigate it for themselves, first hand, and to possibly ferret out anything that was missed by the friend.</div><div><br></div><div>That is what an audit precisely is.<br></div><div><br></div><div>Conversely:<br></div><div><br></div><div>If he himself is concerned about their activities, he can seek out a lawyer to provide him with a proper Non Disclosure Agreement contract to have the auditor sign - I wouldn't know it is standard practice, but I think he would be within his rights to require this in turn.</div><div><br></div><div>If the computers in question are not being used directly to service the organisation or hold the organisation's data who is requiring the audit, there is a question mark over to what extent they can require the audit to be carried out. That's an entirely different question.<br></div><div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div><br></div><div><br></div><div><br></div><div>Tai<br></div><div><br>===<br>Tai Kedzierski<br></div><div>Linux Operations and Deployments Engineer<br></div><div><br></div><div><a href="https://www.redhat.com/rhtapps/services/verify?certId=170-060-834" target="_blank">RHCSA # 170-060-834</a><br></div><br><div><br></div><br><div dir="ltr"><span></span><font size="1"><br>I use <a href="https://www.libreoffice.org/" target="_blank">LibreOffice</a> , a free, Freedom-respecting replacement for MS Office<br><br><i>Open Source Free Software is a matter of liberty, not price.</i><br>
<a href="https://www.fsf.org/about/what-is-free-software" target="_blank">https://www.fsf.org/about/what-is-free-software</a><br></font><font size="2"><br></font></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 19 Feb 2019 at 19:12, Edinburgh Linux Users Group <<a href="mailto:edlug@lists.edlug.org.uk">edlug@lists.edlug.org.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>I just received this email. Can anyone advise the OP on this
question ?</p>
<p>Andrew Ramage</p>
<div class="gmail-m_-129670435280581486moz-forward-container"><br>
<br>
-------- Forwarded Message --------
<table class="gmail-m_-129670435280581486moz-email-headers-table" cellspacing="0" cellpadding="0" border="0">
<tbody>
<tr>
<th valign="BASELINE" nowrap align="RIGHT">Subject:
</th>
<td>[Baen Baen's Bar] Cybersecurity</td>
</tr>
<tr>
<th valign="BASELINE" nowrap align="RIGHT">Date: </th>
<td>Tue, 19 Feb 2019 11:32:46 -0600vise</td>
</tr>
<tr>
<th valign="BASELINE" nowrap align="RIGHT">From: </th>
<td>piobair <a class="gmail-m_-129670435280581486moz-txt-link-rfc2396E" href="mailto:piobair@mindspring.com" target="_blank"><piobair@mindspring.com></a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap align="RIGHT">Reply-To:
</th>
<td><a class="gmail-m_-129670435280581486moz-txt-link-abbreviated" href="mailto:baens_bar@bar.baen.com" target="_blank">baens_bar@bar.baen.com</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap align="RIGHT">Organization:
</th>
<td>Baen's Bar</td>
</tr>
<tr>
<th valign="BASELINE" nowrap align="RIGHT">To: </th>
<td><a class="gmail-m_-129670435280581486moz-txt-link-abbreviated" href="mailto:baens_bar@bar.baen.com" target="_blank">baens_bar@bar.baen.com</a></td>
</tr>
<tr>
<th valign="BASELINE" nowrap align="RIGHT">Newsgroups:
</th>
<td>Baen_Baens_Bar</td>
</tr>
</tbody>
</table>
<br>
<br>
<pre style="white-space:pre-wrap;font-family:Verdana,Geneva,Lucida,"Lucida Grande",Arial,Helvetica,sans-serif">The Board of Directors overseeing a friend of mine has decided that they need a security audit by an independent auditor. My friend's entire system is running on Linux with Linux servers and (mostly) thin clients.
He put out an RFP and, in his words, they want the keys to the front door in order to see if the china cabinet is locked.
Can an adequate audit be made from the /var/log files?</pre>
</div>
</div>
-- <br>
EdLUG mailing list<br>
<a href="mailto:EdLUG@lists.edlug.org.uk" target="_blank">EdLUG@lists.edlug.org.uk</a><br>
<a href="https://lists.edlug.org.uk/mailman/listinfo/edlug" rel="noreferrer" target="_blank">https://lists.edlug.org.uk/mailman/listinfo/edlug</a></blockquote></div>