IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
The following events should also be logged:
- Hardware errors which might lead to the failure of an IT system
- Impermissible changes to the IP address of an IT system (in a TCP/IP
environment)
Auditing can be performed online or offline. During online auditing,
categorised events are reported directly to the auditor, who can initiate
measures immediately, if required. These events must be assigned to suitable
categories, so that the responsible administrator or auditor can retain a clear
perspective and respond to important events immediately without being
overwhelmed by a flood of information. During offline auditing, data from log
files or special auditing files are prepared with the help of a tool and then
examined by the auditor. In this case, measures for maintaining or restoring
security can only be initiated after a time delay. Generally it is advisable to
employ a mixture of online and offline auditing. During online auditing,
security-critical events are filtered and reported to the auditor immediately.
Events of a less critical nature are analysed offline.
Standard management protocols such as SNMP and RMON (which is based
on SNMP) as well as specific protocols of the employed network management
product can be used for logging and auditing.
On no account should user passwords be collected as part of auditing or
logging! A high security risk would arise if unauthorised access were gained
to this data. Incorrect password entries should not be logged either, as they
usually differ from the corresponding, correct passwords only by one
character or two interchanged characters.
A stipulation is also required as to who will analyse the logs and audit data. A
suitable distinction must be made here between the originator of events and
the evaluator of events (e.g. administrator and auditor). Regulations
concerning data privacy must also be adhered to. Earmarking in accordance
with § 14 of the BDSG must be observed in particular for all gathered data.
Log files and audit files must be analysed at regular intervals. Such files can
quickly grow to large proportions. To keep the size of log files and audit files
within a useful range, the evaluation intervals should not be impractically
short, but short enough to allow a clear examination.
Additional controls:
- Are the recorded log files and audit files examined at regular intervals?
- Are the possible consequences of security-critical events analysed?
- Are user passwords logged?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000