IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software

S 4.25 Use of logging in UNIX systems

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

The logging options offered by the individual UNIX system must be used and, where appropriate, supplemented by programs or shell scripts.

The following safeguards should be taken:

- The log files must be evaluated regularly. Such an analysis should not always be made at the same time, so that an aggressor cannot exploit a predictable schedule. If, for instance, the administrator reviews the system activities every day at 5 p.m., an offender might get to work unnoticed at about 6 p.m.

- Depending on the type of data logged, it can be necessary to intervene as quickly as possible. To ensure that the administrator is informed automatically of such events (e.g. log file too big, important server processes terminated, multiple attempted root log-ins at unusual times of the day etc.), semi-automatic log file parsers should be used to generate alerts (e.g. swatch, logsurfer or checksyslog).

- To the extent required, log files should be backed up before they get too big or are deleted by the system.

- Information from files like wtmp, utmp, wtmpx, utmpx, etc. should be scrutinised especially carefully, as these files are easy to tamper with.

- File attributes of the log files should be set in such a way that unauthorised persons cannot make any changes to, or analyses of, the listings.

- As a minimum, the following log files should be generated and monitored: log-ins (including unsuccessful attempts), su call-ups, error listing files / logging of important processes (errorlog), administrator activities (especially commands executed by root). Further information on this subject will be found in S 4.106 Activation of system logging.
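As an added example (not part of the manual, and not the code of swatch, logsurfer or checksyslog), the following POSIX shell script implements two of the alert conditions listed above: failed root log-ins outside working hours, and a log file that has outgrown a size limit. The sshd message format, the working-hours window and the size threshold are assumptions, and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the IT Baseline Protection Manual): a small
# semi-automatic log parser in the spirit of swatch/logsurfer. It raises
# alerts for two of the events named in S 4.25: a log file that has grown
# beyond a size limit, and failed root log-ins outside working hours.
# Log format, working hours and thresholds are assumptions for illustration.

# Count failed root log-ins (sshd "Failed password for root" lines) whose
# hour lies outside the working-hours window [START_HOUR, END_HOUR).
# $1 = syslog-style log file, $2 = start hour, $3 = end hour
count_failed_root_logins_off_hours() {
    awk -v start="$2" -v end="$3" '
        /Failed password for root/ {
            split($3, t, ":")           # $3 is HH:MM:SS in syslog format
            hour = t[1] + 0
            if (hour < start || hour >= end) n++
        }
        END { print n + 0 }
    ' "$1"
}

# Return 0 (true) if the log file $1 is larger than the byte limit in $2.
logfile_too_big() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt "$2" ]
}

# Write an alert line; in production this would mail or page the administrator.
alert() {
    printf 'ALERT: %s\n' "$1" >&2
}

# Constructed sample log (not real data) for a stand-alone run.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Dec 19 03:14:07 host sshd[4021]: Failed password for root from 192.0.2.10 port 51022 ssh2
Dec 19 03:14:11 host sshd[4021]: Failed password for root from 192.0.2.10 port 51022 ssh2
Dec 19 10:02:55 host sshd[4100]: Failed password for root from 192.0.2.10 port 51100 ssh2
Dec 19 22:41:30 host sshd[4388]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Dec 19 23:05:01 host sshd[4390]: Accepted password for root from 198.51.100.7 port 40030 ssh2
EOF

# Run both checks against the sample; working hours assumed to be 08:00-18:00.
run_checks() {
    n=$(count_failed_root_logins_off_hours "$SAMPLE_LOG" 8 18)
    [ "$n" -gt 0 ] && alert "$n failed root log-ins outside 08:00-18:00"
    logfile_too_big "$SAMPLE_LOG" 1048576 && alert "$SAMPLE_LOG exceeds 1 MiB"
    return 0
}
run_checks
```

Scheduled from cron at an irregular minute rather than on the hour, this also respects the first point above about not analysing at a predictable time; the `alert` function is where mail or a pager would be hooked in. The other trigger named in the list, a terminated server process, is not covered here.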

The last command displays log-in and log-out information such as the time and terminal for each user. The administrator should use this command to check regularly whether any users have been logging on through an unusual channel, e.g. over modem lines or via FTP.
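An added example, not from the manual, of automating the `last` review described above. The input is constructed in the column layout of a typical `last` output (user, terminal, host, time); which terminal names denote modem lines or FTP sessions is an assumption (here `ttyS*` for serial/modem lines and `ftp` for FTP sessions recorded in wtmp) and must be checked against the system in use.

```shell
#!/bin/sh
# Added example (not from the IT Baseline Protection Manual): filter the
# output of `last` for log-ins over channels that are unusual for this site.
# Which terminal names count as unusual is an assumption: here ttyS* (serial
# or modem lines) and ftp (FTP sessions, as logged by ftp daemons that write wtmp).

# Print every `last` line whose terminal (second column) is an unusual channel.
# Reads `last` output from stdin; the blank line and "wtmp begins" trailer
# do not match because their second field is empty or "begins".
flag_unusual_channels() {
    awk '$2 ~ /^(ttyS|ftp)/ { print }'
}

# Count such lines instead of printing them (same rule as above).
count_unusual_channels() {
    awk '$2 ~ /^(ttyS|ftp)/ { n++ } END { print n + 0 }'
}

# Constructed sample in the layout of `last` (not real log data).
SAMPLE_LAST='alice    pts/0        198.51.100.7     Wed Dec 19 09:12   still logged in
bob      ttyS0                         Wed Dec 19 21:30 - 21:45  (00:15)
carol    pts/1        203.0.113.5      Wed Dec 19 11:05 - 11:50  (00:45)
ftp      ftp          192.0.2.10       Wed Dec 19 23:58 - 23:59  (00:01)
root     tty1                          Wed Dec 19 08:00 - 08:10  (00:10)

wtmp begins Sat Dec  1 00:00:01 2012'

# Stand-alone run on the sample; on a live system use:  last | flag_unusual_channels
printf '%s\n' "$SAMPLE_LAST" | flag_unusual_channels
```

Because `last` reads wtmp, which the manual notes is easy to tamper with, an empty result from this filter is not proof that no such log-ins took place; it is one input to the regular review, not a substitute for it.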

If log data is generated on many systems, it is recommended that a dedicated, specially secured loghost is used. Forwarding of syslog messages to this loghost must be activated in the syslog configuration file (see S 4.106 Activation of system logging).
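An added example (not from the manual) of checking, and if necessary enabling, forwarding in a traditional BSD-style syslog.conf, where a line of the form `*.*<tab>@loghost` sends all messages to the named host. The loghost name and the configuration contents are constructed, and the script does not signal syslogd to re-read its configuration.

```shell
#!/bin/sh
# Added example (not from the IT Baseline Protection Manual): check that a
# BSD-style syslog.conf forwards all messages to the dedicated loghost, and
# add the entry if it is missing. Assumes the traditional syntax
#   <selector><tab>@<host>
# The loghost name and the sample configuration are constructed.

# Return 0 if $1 (a syslog.conf) has an active line whose action is @$2
# (optionally with a :port suffix); comment lines are ignored.
has_loghost_forwarding() {
    awk -v host="$2" '
        BEGIN { target = "@" host }
        /^[ \t]*#/ { next }                                    # skip comments
        $2 == target || index($2, target ":") == 1 { found = 1 }
        END { exit !found }
    ' "$1"
}

# Append a catch-all forwarding rule (*.* to the loghost) unless one exists.
add_loghost_forwarding() {
    has_loghost_forwarding "$1" "$2" && return 0
    printf '*.*\t@%s\n' "$2" >> "$1"
}

# Constructed sample configuration (not a real system file).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
{
    printf '# local logging\n'
    printf '*.info;mail.none;authpriv.none\t/var/log/messages\n'
    printf 'authpriv.*\t/var/log/secure\n'
    printf '# forward everything to the dedicated loghost\n'
    printf '*.*\t@loghost.example\n'
} > "$SAMPLE_CONF"

if has_loghost_forwarding "$SAMPLE_CONF" loghost.example; then
    echo "forwarding to loghost.example is configured"
else
    echo "forwarding missing; adding it"
    add_loghost_forwarding "$SAMPLE_CONF" loghost.example
fi
```

After editing the real file, syslogd has to re-read it (traditionally by sending it SIGHUP). Newer daemons use their own syntax, for example rsyslog's `@@host` for TCP forwarding, so the pattern in `has_loghost_forwarding` needs adapting there.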

Remarks (margin notes): Regular processing and evaluation; Automatic alerting; Dedicated loghost

IT Baseline Protection Manual: October 2000
