Government Audit Requirements and Backups
Novell Cool Solutions: Trench
By David Dean, Lindsey Johnstone
Posted: 7 Feb 2002
We asked Advisory Board members Lindsey Johnstone and David Dean to respond to a new issue that some of our readers are dealing with. These particular readers have been asked to comply with a new regulation that deals with backups and the "last accessed by" file attribute.
Here's what they're asking:
We have this growing problem as our department begins adapting the state-mandated IS audit requirements.
The issue is around the "last accessed by" file attribute. It works great until we back up the data and then the "last accessed by" attribute becomes the backup software ID. We have a requirement to hold on to the last real user. Can anyone give us some advice about how to comply with this regulation?
Here are some ideas straight from the Board:
Lindsey: It really depends on the backup software you're using. Some programs specifically leave this field alone (good) and others insist on changing it (bad, very bad). Look in the configuration settings of the backup software you're using. The major vendors like Tivoli Storage Manager and Veritas Backup Exec all have this as a setting.
David: Lindsey is correct. But there's something else to consider. Some programs are misbehaved and arbitrarily change attribute data.
For example, reading a directory's contents with MS Explorer touches and opens EVERY file in the directory. This skews all of the information about last access. So, even if the backup software is leaving the attribute alone, it is likely that the REAL information about those properties is NOT accurate either.
Lindsey: You are absolutely correct. That's why I use tools such as Treesize Pro to view file dates without disturbing the last access date. There are other tools, such as Calypso, that allow viewing without changing that field.
David: Yes, there are ways to leave the file attributes alone. Most of the ManageWise and ZENworks functions behave well. NDIR leaves file attributes alone too.
The problem is that unless you force the use of those methods on the user base, the information is probably tainted. The real question is how useful the information is. I have been in directories and run nlist and found all files accessed 5 min before I looked, ALL of them accessed at the same time. That kind of information is less than useless to managing drive systems.
For those that are faint of heart at command line power and speed and/or with DOS, on the Cool Solutions site there is a Windows NDIR type tool. It could be tested to see if it leaves this alone or not.
NDIR for Windows:
If you have ideas to add, please, throw them on over.
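The check David suggests above, testing whether a tool "leaves this alone or not," can be scripted. This is an added example, not part of the original article or any Novell tool. It assumes a file system that exposes a last-access timestamp through Python's `os.stat` (not NetWare's "last accessed by" user field), and the two reader functions and the sample files are hypothetical stand-ins for the tool under test.

```python
import os
import tempfile
import time

def snapshot(paths):
    """Record each file's last-access time in nanoseconds."""
    return {p: os.stat(p).st_atime_ns for p in paths}

def files_disturbed_by(tool, paths):
    """Run tool(paths) and return the files whose last-access time changed."""
    before = snapshot(paths)
    tool(paths)
    after = snapshot(paths)
    return sorted(p for p in paths if after[p] != before[p])

def preserving_reader(paths):
    """Hypothetical well-behaved backup pass: read, then put atime back."""
    for p in paths:
        st = os.stat(p)
        with open(p, "rb") as fh:
            fh.read()
        os.utime(p, ns=(st.st_atime_ns, st.st_mtime_ns))

def stamping_reader(paths):
    """Hypothetical misbehaving tool: every file gets a fresh access stamp."""
    for p in paths:
        st = os.stat(p)
        with open(p, "rb") as fh:
            fh.read()
        os.utime(p, ns=(time.time_ns(), st.st_mtime_ns))

def make_sample_tree(root, count=3):
    """Constructed sample files, backdated so any change is visible."""
    old = 1009843200 * 10**9  # 2002-01-01 00:00:00 UTC
    paths = []
    for i in range(count):
        p = os.path.join(root, f"report{i}.txt")
        with open(p, "w") as fh:
            fh.write("constructed sample data\n")
        os.utime(p, ns=(old, old))
        paths.append(p)
    return paths

def run_demo():
    """Return (files disturbed by the preserving pass, by the stamping pass)."""
    with tempfile.TemporaryDirectory() as root:
        paths = make_sample_tree(root)
        kept = files_disturbed_by(preserving_reader, paths)
        changed = files_disturbed_by(stamping_reader, paths)
        return len(kept), len(changed)
```

To evaluate a real backup or directory-listing tool, pass a function that invokes it in place of the two stand-in readers and review the returned list of disturbed files.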
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com