As part of the server hardening process, I would like to know the best way to do system logging and auditing. The following point should be taken into consideration:
- Logging of critical events
Answer:

Logging of critical events
Normally, critical events for many (most) applications are written to syslog. If you want this to be secure, also log to a remote syslog server where access is limited. Burn syslog files to CDROM daily.

Logging access to critical accounts
Same here. Pipe log files to another, so you are logging locally and remotely. Burn files to CDROM daily.

Secure storage and availability of logs
In general, log both locally and to a remote server. Burn copies of the logs to CDROM daily (or more often, depending on the application). Store CDs in a secure and fireproof area.

Review of logs
Review logs daily. Run against automated processes that look for both signatures and anomalies.

Security of logs
See above.

Notes:

Auditing
Auditing is the monitoring of security-related events, the writing of these events to an audit trail, and the reporting and analysis of these audit events. Auditing should allow the actions of users to be monitored with a view to detecting abuse of the system. Auditing tools are different from system logging tools (which indicate system errors and help in solving system administration problems).

Log files
A system administrator who regularly checks logs will learn a lot about how the system functions, can guarantee less downtime and at the same time should notice when security breaches occur, especially if alerts are used. Monitoring logs should not be regarded as a boring job, but as a chance to understand the guts of the system!
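The answer recommends running the daily log review through automated processes that look for both signatures (known patterns, such as access to critical accounts) and anomalies (deviations such as a burst of failed logins). The following is an added example, not code from the answer or from the site, showing what such a reviewer can look like over syslog-format auth lines. The log lines are constructed for the example, and the list of critical accounts and the failure threshold are assumptions a site would set for itself.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample lines (not from a real system) in the BSD syslog layout that
# sshd and sudo write to /var/log/auth.log or /var/log/secure.
SAMPLE_LOG = """\
Jan  5 09:58:01 web1 sshd[2201]: Accepted publickey for alice from 10.0.1.20 port 51022 ssh2
Jan  5 10:01:02 web1 sshd[2210]: Failed password for root from 203.0.113.9 port 40001 ssh2
Jan  5 10:01:03 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 40002 ssh2
Jan  5 10:01:04 web1 sshd[2212]: Failed password for admin from 203.0.113.9 port 40003 ssh2
Jan  5 10:01:05 web1 sshd[2213]: Failed password for root from 203.0.113.9 port 40004 ssh2
Jan  5 10:01:06 web1 sshd[2214]: Failed password for root from 203.0.113.9 port 40005 ssh2
Jan  5 10:02:10 web1 sshd[2220]: Accepted password for root from 203.0.113.9 port 40010 ssh2
Jan  5 10:05:44 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
Jan  5 10:06:00 web1 sshd[2230]: Failed password for bob from 10.0.1.21 port 51100 ssh2
"""

CRITICAL_ACCOUNTS = {"root", "admin"}  # assumption: the site's own list of critical accounts
FAILURE_THRESHOLD = 4                  # assumption: failures per source that count as an anomaly

# Classic syslog line: "<Mon dd HH:MM:SS> <host> <program>[<pid>]: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
SUDO_RE = re.compile(r"^\s*(?P<actor>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


@dataclass
class ReviewResult:
    signature_hits: list = field(default_factory=list)  # events matching a known pattern
    anomalies: list = field(default_factory=list)       # statistical or sequence deviations
    parsed: int = 0
    unparsed: int = 0


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def review_log(text):
    """Run signature and anomaly checks over a block of syslog text (lines in time order)."""
    result = ReviewResult()
    failures_by_src = Counter()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            result.unparsed += 1  # unparsed lines are reported, never silently dropped
            continue
        result.parsed += 1
        prog, msg = rec["prog"], rec["msg"]
        if prog == "sshd":
            m = SSH_AUTH_RE.match(msg)
            if not m:
                continue
            user, src, accepted = m["user"], m["src"], m["result"] == "Accepted"
            if accepted:
                # Signature: any successful login to a critical account is recorded.
                if user in CRITICAL_ACCOUNTS:
                    result.signature_hits.append(
                        f"{rec['ts']} {rec['host']}: critical account {user} logged in from {src}")
                # Anomaly: a success from a source that already accumulated many failures.
                if failures_by_src[src] >= FAILURE_THRESHOLD:
                    result.anomalies.append(
                        f"{rec['ts']} {rec['host']}: login for {user} from {src} "
                        f"after {failures_by_src[src]} prior failures")
            else:
                failures_by_src[src] += 1
        elif prog == "sudo":
            m = SUDO_RE.match(msg)
            # Signature: privilege use that lands on a critical account.
            if m and m["target"] in CRITICAL_ACCOUNTS:
                result.signature_hits.append(
                    f"{rec['ts']} {rec['host']}: sudo by {m['actor']} to {m['target']}: {m['cmd']}")
    # Anomaly: per-source failure volume over the whole review window.
    for src, n in failures_by_src.items():
        if n >= FAILURE_THRESHOLD:
            result.anomalies.append(f"{n} failed logins from {src}")
    return result


if __name__ == "__main__":
    r = review_log(SAMPLE_LOG)
    print(f"parsed={r.parsed} unparsed={r.unparsed}")
    for line in r.signature_hits:
        print("SIGNATURE:", line)
    for line in r.anomalies:
        print("ANOMALY:  ", line)
```

Fed the constructed lines, the reviewer reports two signature hits (the root login and alice's sudo to root) and two anomalies (the success that follows a run of failures from the same source, and that source's failure count). Run it over the copy of the log that was shipped to the remote syslog server rather than the local file, so a host that has been tampered with cannot also edit what is reviewed.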
Unix System Administration Hints and Tips (c) www.gotothings.com. All material on this site is Copyright.