Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrator
The native Unix logging facility syslog is used to record information generated by the operating system or by application processes. It is important that security-relevant events, such as login attempts and use of the command su, are logged and remain available for later processing and evaluation.
The required daemon syslogd is normally started automatically and is configured via the file /etc/syslog.conf. Permissions must be set so that only system administrators can change this file and so that the log files kept under /var/log and /var/adm can be read only by system administrators (owned by root and neither readable nor writable by group or others). All changes made to /etc/syslog.conf must be documented.
When an existing IT system is modified, everything should be logged at first; individual areas can then be deactivated step by step as required. The /var partition must be large enough to hold the log files. Note that syslogd does not create missing log files, so every file named in /etc/syslog.conf must exist before the daemon is started or reloaded.
The example configuration file below is based on a SunOS 5 (Solaris) configuration and specifies detailed logging to various files. Solaris passes /etc/syslog.conf through the m4 macro processor: on the host whose name resolves to the alias loghost, the macro LOGHOST is defined and the ifdef(`LOGHOST', ...) rules write to local files; on every other host the same rules forward the messages to @loghost. Forwarding uses syslog over UDP port 514 without authentication or encryption, so the loghost must be reachable only from the internal network and must itself be hardened and backed up, because it holds the evidence for all other hosts.
#ident	"@(#)syslog.conf 1.3 93/12/09 SMI"	/* SunOS 5.0 */
#
# All messages are sent to a loghost, which has to be defined in the
# /etc/hosts file (hostname alias "loghost").
# TAB must be used as separator between selector and action!
# Test:  . Start syslogd with the option "-d" (debug mode).
#        . Reload syslogd with "kill -HUP `cat /etc/syslog.pid`" after each
#          change to this file.
#        . The log files must already exist prior to start-up / reboot;
#          syslogd does not create them.
#        . Test messages can be generated for each facility and
#          priority with /usr/ucb/logger.
#
*.err;kern.warning;auth.err;daemon.err	/dev/console
*.alert;kern.err;daemon.err	operator
*.alert	root
# Displays emerg messages on the terminals of all logged-in users (uses wall).
*.emerg	*
kern.info	ifdef(`LOGHOST', /var/log/kernlog, @loghost)
user.info	ifdef(`LOGHOST', /var/log/userlog, @loghost)
mail.info	ifdef(`LOGHOST', /var/log/maillog, @loghost)
daemon.info	ifdef(`LOGHOST', /var/log/daemonlog, @loghost)
auth.info	ifdef(`LOGHOST', /var/log/authlog, @loghost)
lpr.info	ifdef(`LOGHOST', /var/log/lprlog, @loghost)
news,uucp.info	ifdef(`LOGHOST', /var/log/newslog, @loghost)
cron.info	ifdef(`LOGHOST', /var/log/cronlog, @loghost)
## All other "local" messages, for own programs
local0,local1.info	ifdef(`LOGHOST', /var/log/locallog, @loghost)
local2,local3,local4.info	ifdef(`LOGHOST', /var/log/locallog, @loghost)
local5,local6,local7.info	ifdef(`LOGHOST', /var/log/locallog, @loghost)
# All messages of priority err and above (err, crit, alert, emerg) are
# additionally written to a separate file:
*.err	ifdef(`LOGHOST', /var/log/alertlog, @loghost)
# Examples of log levels (Solaris su additionally reports failed attempts
# at LOG_CRIT, see /etc/default/su, which the auth.err selectors above
# capture as well; su attempts are also recorded in /var/adm/sulog):
# ------------------------------------
# 'su root' failed for ..	auth.err
# ROOT LOGIN REFUSED ON ...	auth.err
# 'su root' succeeded for ..	auth.notice
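The checks that the comments in the configuration call for (TAB as separator, a rule that actually captures the auth facility, log files created in advance and not readable by other users) can be scripted and run before syslogd is reloaded. The POSIX shell script below is an added example for this page; it is not part of the BSI safeguard nor a Solaris tool. The function names, the temporary directory, the sample configuration and its file names are constructed for the demonstration; on a live system call audit_log_targets /etc/syslog.conf "" with an empty ROOT.

```sh
#!/bin/sh
# Added audit script (not part of the BSI safeguard or of Solaris): checks a
# Solaris-style syslog.conf for the mistakes the comments in the example warn
# about. The sample configuration, paths and file names below are constructed.
set -f                      # selectors contain "*": never let the shell glob them
tab=$(printf '\t')

# lint_syslog_conf CONF -- every rule must read "<selector><TAB><action>".
# Prints one finding per malformed line; returns 1 if any were found, else 0.
lint_syslog_conf() {
    conf=$1 rc=0 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac           # blank line or comment
        case $line in
            *"$tab"*) ;;
            *) echo "line $n: selector and action not separated by TAB"; rc=1; continue ;;
        esac
        sel=${line%%"$tab"*}                              # text before the first TAB
        case $sel in *' '*) echo "line $n: space inside selector '$sel'"; rc=1 ;; esac
    done < "$conf"
    return $rc
}

# auth_is_logged CONF -- returns 0 if some rule selects facility auth (or *)
# at priority info or debug, so that su and login events are recorded.
auth_is_logged() {
    conf=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        sel=${line%%"$tab"*}
        for part in $(printf '%s\n' "$sel" | tr ';' ' '); do   # fac[,fac].prio
            prio=${part##*.} facs=${part%.*}
            case $prio in info|debug) ;; *) continue ;; esac
            for fac in $(printf '%s\n' "$facs" | tr ',' ' '); do
                case $fac in auth|'*') return 0 ;; esac
            done
        done
    done < "$conf"
    return 1
}

# audit_log_targets CONF ROOT -- for every file target (ifdef() wrapping and
# @loghost tolerated; /dev/* and user names skipped) check that ROOT<path>
# exists, since syslogd will not create it, and that "other" can neither read
# nor write it. Also flags a CONF that group or other can write. ROOT is ""
# on a live system; the example below uses a temporary directory.
audit_log_targets() {
    conf=$1 root=$2 rc=0
    mode=$(ls -ld "$conf" | cut -c1-10)                   # e.g. -rw-r--r--
    case $mode in ?????w*|*?w?) echo "$conf: writable by group or other ($mode)"; rc=1 ;; esac
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        case $line in *"$tab"*) ;; *) continue ;; esac     # malformed: lint reports it
        action=${line#*"$tab"}
        for tok in $(printf '%s\n' "$action" | tr ',()' '   '); do
            case $tok in /dev/*) continue ;; /*) ;; *) continue ;; esac
            f="$root$tok"
            if [ ! -f "$f" ]; then
                echo "$tok: missing (syslogd will not create it)"; rc=1; continue
            fi
            mode=$(ls -ld "$f" | cut -c1-10)
            case $mode in *r??|*?w?) echo "$tok: readable or writable by other ($mode)"; rc=1 ;; esac
        done
    done < "$conf"
    return $rc
}

# make_fixture -- constructed sample under a temporary directory; prints its
# path. Three correct rules, one typed with spaces instead of TAB, one log
# file that was never created and one that is world-readable.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/var/log"
    {
        printf '# constructed sample syslog.conf\n'
        printf '*.err;kern.warning;auth.err;daemon.err\t/dev/console\n'
        printf 'auth.info\t%s\n' "ifdef(\`LOGHOST', /var/log/authlog, @loghost)"
        printf 'kern.info\t%s\n' "ifdef(\`LOGHOST', /var/log/kernlog, @loghost)"
        printf 'mail.info\t/var/log/maillog\n'
        printf 'lpr.info /var/log/lprlog\n'
    } > "$root/syslog.conf"
    chmod 644 "$root/syslog.conf"
    : > "$root/var/log/authlog" && chmod 600 "$root/var/log/authlog"
    : > "$root/var/log/maillog" && chmod 644 "$root/var/log/maillog"
    printf '%s\n' "$root"
}

root=$(make_fixture)
lint_syslog_conf "$root/syslog.conf"            || echo "=> malformed rules found"
auth_is_logged "$root/syslog.conf"              && echo "=> auth facility is captured"
audit_log_targets "$root/syslog.conf" "$root"   || echo "=> log targets need attention"
rm -rf "$root"
```

Run on the constructed sample, the script reports the lpr rule typed with spaces, the missing /var/log/kernlog and the world-readable /var/log/maillog, while /var/log/authlog (mode 600) passes. Ownership by root is deliberately not checked here, so the example also runs as an unprivileged user; on a live system add that check or run it as root.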
Additional controls:
© Copyright by Bundesamt für Sicherheit in der Informationstechnik
last update: January 2000