Well Maintained logging is essential!

All organizations with information systems need to know what’s happening on, and between those systems. This is where a comprehensive logging setup can be very beneficial. It shows you what has happened and when it happened. Make sure we protect these logs from being altered or destroyed, and that admin access to the logs is monitored should also be considerations.. Finally making sure your time is synchronized across your estate ensures you can build an accurate timeline of events when things go wrong.

 

Security category – 12.4. Logging and monitoring

12.4.1. Event logging.

On any system that processes information we should ensure we have auditing and logging in place. We must also ensure that it cannot be tampered with by the users of that system.

One way to accomplish this goal is to use rsyslog to store logs remotely, away from the clutches of a compromised local system. This control is important for any event that requires investigating and can help us find the cause of problems quickly and accurately. The level of logging should also be tailored to what is useful and what is useful depends on the type of information and purpose of this server. Too high of a logging level will lead to important log entries being overlooked due to the “noise” of excessive logging or even the servers hard disk filling up causing a crash or for older log entries to be overwritten. Too low of a logging level can lead to important event information not being recorded. Reviews of logs should be regularly carried out and logs should be kept according the retention period decided by what your organization deems necessary for investigations.

 

12.4.2. Protection of log information.

Logs are only as useful as they are accurate. Steps should be taken to ensure users cannot alter log entries, either maliciously or accidently. Enough storage space should be available to reduce the risk of excessive log files being generated to overwrite previous, important, entries. In addition, only authorized staff should be able to view logs. Ways to ensure logs have not been tampered with include storing logs remotely and ensuring integrity is maintained using file hashes.

 

12.4.3. Administrator and operator logs.

Who watches the watcher? The age-old question can give security teams sleepless nights. The system owners, administrators, often have root or administrator privileges. To protect against abuse any use of these privileges should be recorded and reviewed. Likewise, the audit trail kept should be stored in a way that the administrator cannot tamper with.

 

12.4.4. Clock synchronization.

As important as logs are they can simply add to the confusion if an organizations logs don’t follow a standardized data/time format and time zone throughout the various time zones the company operates in. While this may not be an issue for organizations based in the one time zone best practice dictates the organization decides on a time zone and format to follow and enforces that on all its assets and logs. This is known as your reference time. In many cases organizations settle on UTC for their reference time

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s