
S 4.106 Activation of system logging

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrator

The native Unix logging facility syslog records messages generated by the operating system and by application processes. It is important that security-relevant events, such as failed login attempts and every execution of the su command, are logged and remain available for later processing and interpretation.

The required daemon syslogd is normally started automatically at boot and is configured via the file /etc/syslog.conf. File permissions must be set so that only system administrators can change this file, and so that the log files in /var/log and /var/adm can be read only by system administrators; the log files must not be world-readable, since they reveal user names, host names and failed login attempts. All changes made to /etc/syslog.conf must be documented. When the IT system is modified, everything should be logged at first; individual areas can then be deactivated in stages as required. The /var partition must be large enough to hold the log files, because once /var is full no further messages can be written. The example configuration file below is based on a SunOS (Solaris 2.x) configuration and specifies detailed logging into separate files. On Solaris, syslogd passes the file through m4, so ifdef(`LOGHOST', file, @loghost) writes to the local file on the loghost itself and forwards the messages to the host named loghost from every other machine.

#ident "@(#)syslog.conf 1.3 93/12/09 SMI"	/* SunOS 5.0 */
#
# All messages are sent to a loghost, which has to be defined in the
# /etc/hosts file.
#
# TAB must be used as separator between selector and action!
#
# Test:
#  . Start syslogd with the option "-d" (debug mode).
#  . Send syslogd a SIGHUP (kill -HUP) after each change to this file
#    so that it re-reads the configuration.
#  . The log file must already exist prior to start-up / reboot.
#  . Test messages can be generated for each facility and
#    priority with /usr/ucb/logger.

*.err;kern.warning;auth.err;daemon.err	/dev/console
*.alert;kern.err;daemon.err	operator
*.alert	root

# Displays emerg messages on all terminals (uses wall).
*.emerg	*

kern.info	ifdef(`LOGHOST', /var/log/kernlog, @loghost)
user.info	ifdef(`LOGHOST', /var/log/userlog, @loghost)
mail.info	ifdef(`LOGHOST', /var/log/maillog, @loghost)
daemon.info	ifdef(`LOGHOST', /var/log/daemonlog, @loghost)
auth.info	ifdef(`LOGHOST', /var/log/authlog, @loghost)
lpr.info	ifdef(`LOGHOST', /var/log/lprlog, @loghost)
news,uucp.info	ifdef(`LOGHOST', /var/log/newslog, @loghost)
cron.info	ifdef(`LOGHOST', /var/log/cronlog, @loghost)

## All other "local" messages, for own programs
local0,local1.info	ifdef(`LOGHOST', /var/log/locallog, @loghost)
local2,local3,local4.info	ifdef(`LOGHOST', /var/log/locallog, @loghost)
local5,local6,local7.info	ifdef(`LOGHOST', /var/log/locallog, @loghost)

# All messages of priority err and above are additionally written
# to a separate file:
*.err	ifdef(`LOGHOST', /var/log/alertlog, @loghost)

# Example of log levels:
# ------------------------------------
# 'su root' failed for ..          auth.err
# ROOT LOGIN REFUSED ON ...        auth.err
# 'su root' succeeded for ..       auth.notice
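The following shell script is an added example and not part of the BSI text. It checks, on a running system or on a test copy, the requirements stated above: that only the owner (root) may write /etc/syslog.conf, that the log files are not readable by other users, and, as the comments in the configuration demand, that every rule separates selector and action with a TAB and that every file named as an action already exists before syslogd is restarted. It assumes a POSIX sh with ls, cut and sed; the function names and the argument layout are my own, and the permission checks read the ls -l mode string so that the same script works on SunOS and on Linux, where stat(1) differs.

```shell
#!/bin/sh
# Added audit helper for S 4.106; not part of the BSI text.
# Assumptions: POSIX sh with ls, cut and sed; function names are my own.
# Paths are passed as arguments so the checks can be run against a test
# copy as well as against the live /etc/syslog.conf.

TAB=$(printf '\t')

# mode_string FILE: the ten-character permission string from ls -l,
# e.g. "-rw-r--r--" (file type, then user/group/other rwx).
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# check_conf_perms FILE: /etc/syslog.conf may be written by its owner only.
# Prints a finding and returns 1 if group (char 6) or others (char 9)
# have the write bit set.
check_conf_perms() {
    m=$(mode_string "$1")
    case "$m" in
        ?????w*|????????w*)
            printf '%s: writable by group or others (%s)\n' "$1" "$m"
            return 1 ;;
    esac
    return 0
}

# check_log_perms FILE...: log files may be read by administrators only,
# so neither the read bit (char 8) nor the write bit (char 9) for
# "others" may be set. Returns 1 if any file fails.
check_log_perms() {
    rc=0
    for f in "$@"; do
        m=$(mode_string "$f")
        case "$m" in
            ???????r*|????????w*)
                printf '%s: readable or writable by others (%s)\n' "$f" "$m"
                rc=1 ;;
        esac
    done
    return $rc
}

# scan_syslog_conf FILE: prints one finding for every rule whose selector
# and action are separated by spaces instead of a TAB, and for every file
# action (a plain "/path" or the local file inside
# ifdef(`LOGHOST', /path, @loghost)) that does not exist yet.
# Returns 1 if any finding was printed, 0 otherwise.
scan_syslog_conf() {
    conf=$1
    found=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        rule=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$rule" in
            ''|\#*) continue ;;                 # blank line or comment
        esac
        case "$rule" in
            *"$TAB"*) ;;
            *)  printf '%s:%d: selector and action are not separated by a TAB: %s\n' \
                    "$conf" "$lineno" "$rule"
                found=1
                continue ;;
        esac
        rest=${rule#*"$TAB"}
        action=$(printf '%s' "$rest" | sed 's/^[[:space:]]*//')
        # Second argument of ifdef(...) or a plain absolute path; empty for
        # @loghost, user names, "*" and the like.
        path=$(printf '%s' "$action" | sed -n \
            -e 's/^ifdef([^,]*,[[:space:]]*\(\/[^,)[:space:]]*\).*/\1/p' -e t \
            -e 's/^\(\/[^[:space:]]*\).*/\1/p')
        if [ -n "$path" ]; then
            if [ ! -e "$path" ]; then
                printf '%s:%d: log file %s does not exist; create it before restarting syslogd\n' \
                    "$conf" "$lineno" "$path"
                found=1
            fi
        fi
    done < "$conf"
    return $found
}

# Stand-alone use (as root, on the live system):
#   sh audit_syslog.sh /etc/syslog.conf /var/log/*log /var/adm/messages
if [ $# -gt 0 ]; then
    conf=$1; shift
    status=0
    scan_syslog_conf "$conf" || status=1
    check_conf_perms "$conf" || status=1
    [ $# -eq 0 ] || check_log_perms "$@" || status=1
    exit $status
fi
```

Findings are printed one per line with file name and line number, so the script can be run from cron and its output compared against the documented state of /etc/syslog.conf. A world-writable configuration file is corrected with chmod 644 /etc/syslog.conf; log files that are readable by others are typically given mode 640 with an administrator group as owner group, or 600 if no such group exists.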

Additional controls:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik
Last update: January 2000