IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 5.9 Logging at the Server
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
The logging possible on the network server should be activated to a sensible
degree. The Network Administrator must review the network server log files
at regular intervals. All security-relevant events should be logged. In this
context, the following occurrences are of particular interest:
- entry of an incorrect password for a user ID through to blocking of the user
ID when the maximum permitted number of unsuccessful attempts has
been reached,
- attempts to gain unauthorised access,
- power failure,
- data on network utilisation and network overload.
How many other events are logged will depend to a certain extent on the
protection requirements of the IT systems concerned. The greater the
protection requirement, the more information should be logged.
As log files can become very long over time, the intervals at which they are
evaluated should kept short. To enable appropriate analysis of the data, every
protocol entry should include the user ID or process number, terminal device
ID, date and time.
Additional controls:
- Who analyses the log files and at what intervals?
- Are the evaluations documented?
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000