This section is from the book "Computer Security Threat Monitoring And Surveillance", by James P. Anderson.
The penetration issue is one which can be played measure-countermeasure through what appears to be endless variations. What is really at the heart of the difficulty of "defense" is the fact that the penetrator has a myriad of places to effect operating system changes that permit penetration. At a high level of sophistication, the penetrator could temporarily alter the operating system to suppress audit recording of what he's doing. Depending on a number of factors, this is virtually impossible to detect purely by analysis of the internal audit records. It involves looking for what isn't present. However, if the operating system changes for the penetration are only temporary, the changes could be detected if the operating system code is continuously compared in some fashion with a reference version.
The security audit data is dependent to a large extent on the integrity of the origins of the audit trail records. The audit trails are a centralized recording of information originally designed to support billing and other accounting functions. To support security surveillance, the ideal situation would be to provide independent audit trails for each major component of the machine, preferably by a micro or other computer element associated with the device or devices supporting the use of the system.
The idea of independent audit trails for each major component or function of a machine is derived from the experience of auditing in networks. It is clear that the suppression of audit records in a network where a number of points must be traversed in order to effect the desired penetration is virtually impossible unless one subverted every component of the network from the point of entry to the target and possibly back again. In sophisticated networks involving a transport layer, one or more systems as access systems, and then server hosts, total control of all use recording of all such affected elements would not be possible. Under any circumstance, the distribution of recording among a number of points in a system greatly compounds the difficulty for the penetrator. In fairness, it must be pointed out that it also compounds the work for the compilers and users of audit trail data.
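The cross-checking that independent audit trails make possible can be sketched in a few lines. This is an added example, not part of Anderson's report: the three component names follow the passage above, while the record fields (`session`, `forwarded`) and the sample records are constructed assumptions.

```python
# Reconcile independent audit trails along a network path and report
# records that should exist but do not ("looking for what isn't present").

# Assumed traversal order, taken from the components named in the passage.
PATH = ["transport", "access_system", "server_host"]

# Constructed sample trails. "forwarded" means the component passed the
# session on to the next hop (hypothetical field, assumed for this sketch).
TRAILS = {
    "transport": [
        {"session": "s1", "forwarded": True},
        {"session": "s2", "forwarded": True},
        {"session": "s3", "forwarded": True},
        {"session": "s4", "forwarded": True},
    ],
    "access_system": [
        {"session": "s1", "forwarded": True},
        {"session": "s2", "forwarded": False},  # rejected at login: no host record expected
        {"session": "s3", "forwarded": True},
        # s4 absent: record suppressed at the access system
    ],
    "server_host": [
        {"session": "s1", "forwarded": False},
        {"session": "s4", "forwarded": False},
        # s3 absent: record suppressed at the host
    ],
}

def reconcile(trails, path):
    """Return sorted (session, component, reason) tuples for missing records."""
    index = {c: {r["session"]: r for r in trails.get(c, [])} for c in path}
    findings = []
    for up, down in zip(path, path[1:]):
        # A session forwarded by the upstream hop must appear downstream.
        for sid, rec in index[up].items():
            if rec["forwarded"] and sid not in index[down]:
                findings.append((sid, down, "missing downstream record"))
        # A session seen downstream must have passed the upstream hop.
        for sid in index[down]:
            if sid not in index[up]:
                findings.append((sid, up, "missing upstream record"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in reconcile(TRAILS, PATH):
        print(finding)
```

Session s2 produces no finding because the access system recorded that it did not forward it. A penetrator would have to suppress the s3 and s4 records at every hop to avoid being flagged.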
 