9
Maintaining Host Security Logs

Maintaining Host Security Logs. Security logs are invaluable for verifying whether the host's defenses are operating properly. Another reason to maintain


Maintaining Host Security Logs

Security logs are invaluable for verifying whether the host's defenses are operating properly.

Another reason to maintain logs is to ensure that forensic evidence is available when you need to figure out what happened, even if you have already determined that something went wrong.

Of course, each security safeguard is only as good as the actions taken upon it. A log file is of minimal value if you never look at it.


Windows Logging and Auditing

Windows offers built-in tools that help administrators capture security-related events and audit the resulting log files.

By default, Windows logs only general system events aimed at resolving system and application faults.

To capture security-related information, you must enable auditing through the Local Security Policy editor (on a standalone system) or Group Policy (when using Active Directory).

You can use the Event Viewer program to examine security log entries collected by the Windows auditing facility.

[Figure: audit policy settings for a Windows workstation; the image itself is not included in this text]

The preceding figure illustrates reasonable settings for a Windows workstation, although the specifics of the configuration will depend on your organization's requirements.

As you can see, Windows allows you to log successful and failed actions associated with several categories of events. The more event types you choose to log, the more thorough your understanding will be of what takes place on the system.

On the other hand, excessive auditing can degrade the host's performance, fill up its file system, and overwhelm you with superfluous log entries.


Striking the right balance for event logging may require trying several different settings until you achieve the desired configuration.
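Enabling auditing only pays off if someone reviews what it produces. As an added example (not code from the original slides), the following Python script parses Security log events exported from Event Viewer as XML, tallies successful (event ID 4624) and failed (event ID 4625) logons per account, and flags accounts that reach a failure threshold. The event IDs and element names are Windows' standard ones; the enclosing <Events> root element, the threshold and the sample events are constructed for this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}
LOGON_SUCCESS, LOGON_FAILURE = 4624, 4625   # Windows Security log: successful / failed logon


def _event(event_id, user, logon_type, when):
    # Builds one constructed <Event> in the Windows event XML schema (sample data only).
    return (f'<Event xmlns="{EVENT_NS}"><System>'
            f'<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Channel>Security</Channel></System>'
            f'<EventData><Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="LogonType">{logon_type}</Data></EventData></Event>')


# Constructed sample: one interactive logon for alice, three failures for bob, one for alice.
SAMPLE_EVENTS = "<Events>" + "".join([
    _event(LOGON_SUCCESS, "alice", 2, "2024-01-05T08:01:10Z"),
    _event(LOGON_FAILURE, "bob", 2, "2024-01-05T08:02:00Z"),
    _event(LOGON_FAILURE, "bob", 2, "2024-01-05T08:02:05Z"),
    _event(LOGON_FAILURE, "bob", 2, "2024-01-05T08:02:09Z"),
    _event(LOGON_FAILURE, "alice", 3, "2024-01-05T08:03:30Z"),
]) + "</Events>"


def parse_logon_events(xml_text):
    """Yield the logon events (4624/4625) with the fields worth reviewing."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in (LOGON_SUCCESS, LOGON_FAILURE):
            continue   # other audit categories are skipped here
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        yield {"event_id": event_id, "user": data.get("TargetUserName"),
               "logon_type": data.get("LogonType"),
               "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime")}


def logon_summary(xml_text, failure_threshold=3):
    """Count successes and failures per account; flag accounts at or over the threshold."""
    success, failure = Counter(), Counter()
    for rec in parse_logon_events(xml_text):
        (success if rec["event_id"] == LOGON_SUCCESS else failure)[rec["user"]] += 1
    flagged = sorted(user for user, n in failure.items() if n >= failure_threshold)
    return {"success": dict(success), "failure": dict(failure), "flagged": flagged}


if __name__ == "__main__":
    print(logon_summary(SAMPLE_EVENTS))
```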


UNIX Logging and Auditing

Like Windows, UNIX can gather detailed information regarding security events on the system, such as logon and logoff times, occurrences of failed logons, the use of privileged accounts, and even the commands users execute.

The configuration of UNIX logging facilities is flexible and varies across UNIX flavors. However, the following log files are fairly standard:


1. utmp: maintains a snapshot listing of users who are currently logged in. Viewable using the who and users commands.
2. wtmp: maintains a historical record of users' login and logout activity. Viewable using the who and last commands.
3. btmp: maintains a historical record of failed user logins. Viewable using the lastb command.

A UNIX system stores event records in these log files using a binary format. As a result, you need to use the appropriate tools, specified in the preceding list, to view their contents.
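To show what the tools above are decoding, here is an added example (not from the slides): a Python reader for the fixed-size binary records that utmp, wtmp and btmp share. It assumes one specific layout, glibc's struct utmp on 64-bit Linux; other UNIX flavors lay the record out differently, which is exactly why the slides point you at who, last and lastb. The sample records are constructed in that layout and replayed the way last reconstructs sessions.

```python
import socket
import struct

# Assumed layout: glibc's struct utmp on 64-bit Linux, 384 bytes per record
# (ut_type, ut_pid, ut_line, ut_id, ut_user, ut_host, exit status, ut_session,
#  ut_tv as two int32s, ut_addr_v6, reserved). Not portable to other UNIX flavors.
UTMP_STRUCT = struct.Struct("<hxxi32s4s32s256shhiii16s20x")
USER_PROCESS, DEAD_PROCESS = 7, 8   # ut_type values for a login session and its end


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data):
    """Yield one dict per fixed-size record of a utmp, wtmp or btmp file."""
    if len(data) % UTMP_STRUCT.size:
        raise ValueError("file size is not a multiple of the record size")
    for off in range(0, len(data), UTMP_STRUCT.size):
        (ut_type, pid, line, _ident, user, host, _term, _exit, _session,
         tv_sec, _tv_usec, addr) = UTMP_STRUCT.unpack_from(data, off)
        # ut_addr_v6 carries an IPv4 address in its first 4 bytes when the rest is zero
        ipv4 = socket.inet_ntoa(addr[:4]) if addr[:4] != b"\0" * 4 and addr[4:] == b"\0" * 12 else ""
        yield {"type": ut_type, "pid": pid, "line": _cstr(line), "user": _cstr(user),
               "host": _cstr(host), "time": tv_sec, "addr": ipv4}


def pack_utmp(ut_type, pid, line, user, host, tv_sec, ipv4=""):
    """Build one record in the same layout (used here only to construct sample data)."""
    addr = (socket.inet_aton(ipv4) + b"\0" * 12) if ipv4 else b"\0" * 16
    return UTMP_STRUCT.pack(ut_type, pid, line.encode(), b"", user.encode(),
                            host.encode(), 0, 0, 0, tv_sec, 0, addr)


# Constructed wtmp-style sample: alice logs in over the network, root logs in on the
# console, then alice's session ends.
SAMPLE_WTMP = b"".join([
    pack_utmp(USER_PROCESS, 4211, "pts/0", "alice", "192.0.2.10", 1704441600, "192.0.2.10"),
    pack_utmp(USER_PROCESS, 4388, "tty1", "root", "", 1704441900),
    pack_utmp(DEAD_PROCESS, 4211, "pts/0", "", "", 1704445200),
])


def logged_in_users(data):
    """Replay a wtmp stream: USER_PROCESS opens a line, DEAD_PROCESS closes it."""
    active = {}
    for rec in parse_utmp(data):
        if rec["type"] == USER_PROCESS:
            active[rec["line"]] = rec["user"]
        elif rec["type"] == DEAD_PROCESS:
            active.pop(rec["line"], None)
    return sorted(active.values())
```

A btmp file uses the same record layout; its entries are the failed attempts that lastb lists, so parse_utmp reads it unchanged.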

In addition to maintaining the binary log files just mentioned, UNIX systems rely on the Syslog facility to centralize logging of security and other system events.

Syslog typically uses the /etc/syslog.conf configuration file to determine what types of events to log and where to store the log files.

Depending on how you configure it, Syslog can record messages from the kernel, user processes, the mail system, locally defined events, and so on.

Syslog stores its records in text-based log files, which can be examined with regular text file viewers as well as with automated monitoring tools.
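As an added example (not part of the original slides), the following Python code reads a syslog.conf-style selector table and answers which destinations a message of a given facility and priority reaches, which is the question you are really asking when checking that authentication events end up in a file you actually review. The configuration is a constructed sample; the parser covers the classic selector syntax (`*`, `none`, `=priority`, comma and semicolon lists) but not the `!` negation or the name aliases some syslogd versions accept.

```python
# Priority names from most to least severe; a selector such as "auth.notice" matches
# notice and everything more severe (everything earlier in this list).
PRIORITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news", "uucp",
              "cron", "authpriv", "ftp"] + [f"local{n}" for n in range(8)]

# Constructed sample in /etc/syslog.conf syntax: selector, whitespace, action.
# A leading "-" on a file action means no sync after each write; "*" means all logged-in users.
SAMPLE_CONF = """
# authentication messages go to their own file
auth,authpriv.*                 /var/log/auth.log
*.info;mail.none;authpriv.none  /var/log/messages
mail.*                          -/var/log/mail.log
*.emerg                         *
kern.=debug                     /var/log/kern-debug.log
"""


def _priority_set(spec):
    """Translate the priority part of a selector into the set of priority indexes it admits."""
    if spec == "*":
        return set(range(len(PRIORITIES)))
    if spec == "none":
        return set()
    if spec.startswith("="):                          # exactly this priority
        return {PRIORITIES.index(spec[1:])}
    return set(range(PRIORITIES.index(spec) + 1))     # this priority and more severe ones


def parse_syslog_conf(text):
    """Return a list of (facility -> admitted priorities, action) rules, one per config line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selectors, action = line.split(None, 1)
        table = {}
        for selector in selectors.split(";"):
            facilities, priority = selector.rsplit(".", 1)
            admitted = _priority_set(priority)
            for fac in (FACILITIES if facilities == "*" else facilities.split(",")):
                table[fac] = admitted        # later selectors on a line override earlier ones
        rules.append((table, action))
    return rules


def destinations(rules, facility, priority):
    """Every action that would receive a message of the given facility and priority."""
    index = PRIORITIES.index(priority)
    return [action for table, action in rules if index in table.get(facility, set())]
```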