IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.25 Use of Logging in UNIX Systems
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
The logging options offered by the individual UNIX system must be used and,
where appropriate, be supplemented by programs or shell scripts.
The safeguards outlined below should be adopted.
- The log files must be evaluated regularly. Such an analysis should not
always be made at the same time, to prevent an aggressor from exploiting
this fact. If, for instance, the administrator reviews the system activities
every day at 5 p.m., an offender might get to work unnoticed at about 6
p.m.
- Depending on the type of data logged, it can be necessary to intervene as
quickly as possible. To ensure that the Administrator is informed
automatically of such events (e.g. log file too big, important server
processes terminated, multiple attempted root log-ins at unusual times of
the day etc.), semi-automatic log file parsers should be used to generate
alerts (e.g.swatch, logsurfer or checksyslog).
- To the extent required, log files should be backed up before they get too
big or are deleted by the system.
- Information from files like wtmp, utmp, wtmpx, utmpx, etc. should be
scrutinised especially carefully as these files are easy to tamper with.
- File attributes of the log files should be set in such a way that unauthorised
persons cannot make any changes to, or analyses of, the listings.
- As a minimum, the following log files should be generated and monitored:
log-ins (including unsuccessful log-in attempts), su calls, error listing files /
logging of important processes (errorlog), Administrator activities
(especially commands executed by root). Further information on this
subject will be found in S 4.106 Activation of system logging.
The last command displays log-in and log-out information such as the time
and terminal for each user. The Administrator should use this command to
check regularly whether any users have been logging on through an
unusual channel, e.g. over modem lines or via FTP.
If log data is generated on many systems, it is recommended that a dedicated
loghost which is specially secure is used. Forwarding of syslog messages on
this loghost must be activated in the syslog configuration file (see S 4.106
Activation of system logging).
The logged data generated must only be used in order to monitor the proper
use of the IT systems and not for any other purposes, especially not for the
purpose of creating user performance profiles (see also S 2.110 Data Privacy
Guidelines for Logging Procedures).
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000
Regular processing and
evaluation
Automatic alerting
Dedicated loghost