S 4.25 Use of Logging in UNIX Systems

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

The logging options offered by the individual UNIX system must be used and, where appropriate, be supplemented by programs or shell scripts.

The safeguards outlined below should be adopted.

• The log files must be evaluated regularly. Such an analysis should not always be made at the same time, to prevent an aggressor from exploiting this fact. If, for instance, the administrator reviews the system activities every day at 5 p.m., an offender might get to work unnoticed at about 6 p.m.

• Depending on the type of data logged, it can be necessary to intervene as quickly as possible. To ensure that the Administrator is informed automatically of such events (e.g. log file too big, important server processes terminated, multiple attempted root log-ins at unusual times of the day etc.), semi-automatic log file parsers should be used to generate alerts (e.g.swatch, logsurfer or checksyslog).

• To the extent required, log files should be backed up before they get too big or are deleted by the system.

• Information from files like wtmp, utmp, wtmpx, utmpx, etc. should be scrutinised especially carefully as these files are easy to tamper with.

• File attributes of the log files should be set in such a way that unauthorised persons cannot make any changes to, or analyses of, the listings.

• As a minimum, the following log files should be generated and monitored: log-ins (including unsuccessful log-in attempts), su calls, error listing files / logging of important processes (errorlog), Administrator activities (especially commands executed by root). Further information on this subject will be found in S 4.106 Activation of system logging.

The last command displays log-in and log-out information such as the time and terminal for each user. The Administrator should use this command to check regularly whether any users have been logging on through an unusual channel, e.g. over modem lines or via FTP.

If log data is generated on many systems, it is recommended that a dedicated loghost which is specially secure is used. Forwarding of syslog messages on this loghost must be activated in the syslog configuration file (see S 4.106 Activation of system logging).

The logged data generated must only be used in order to monitor the proper use of the IT systems and not for any other purposes, especially not for the purpose of creating user performance profiles (see also S 2.110 Data Privacy Guidelines for Logging Procedures).

Additional controls:

• Are log files evaluated at regular intervals?

• Is logging still active and is there sufficient storage space available?

• Is the integrity of the configuration files for logging checked and logged regularly (e.g. with Tripwire or USEIT)?

• How are the log files archived and protected against tampering and unauthorised viewing?