S 2.64 Checking the log files
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Persons responsible for individual applications, Auditor
Keeping records of security-relevant events is only effective as a safeguard if the recorded data is evaluated by an Auditor at regular intervals. If it is not possible either for technical or personnel reasons to implement the role of an independent Auditor of log files, they can also be evaluated by the Administrator. If this is the case, it should be noted that it is difficult to monitor the Administrator's activities. The result of the evaluation should therefore be passed to the IT Security Officer, the person responsible for IT or another, specifically named person.
Regular checks followed by deletion of the logged data also ensure that the volume of log files does not grow to an inordinate size. Depending on the type of logged data, it may be appropriate to archive it to external data media.
As log files usually contain personal data, steps must be taken to ensure that this data is only used for the purposes of monitoring adherence to data protection requirements, data backup or ensuring that operations are being carried out in the proper manner (see § 14 Para 4 of the Federal Data Protection Act (BDSG) and S 2.110 Data protection guidelines for logging procedures). The scope of logging and the criteria used in evaluating log files should be documented and agreed within the organisation.
Data protection legislation may impose statutory upper limits on the length of time for which logged data can be retained. Thus, it might be the case that deletion is required in order to comply with data protection legislation (see also S 2.110 Data protection guidelines for logging procedures).
On the other hand, for certain types of logged data there may be statutory minimum periods for which the data must be kept, e.g. where it provides information about business processes. These legal stipulations must be adhered to in every case. Prior to deleting any logged data it is therefore necessary to check carefully whether there are any such legal requirements which have to be complied with and, if so, what retention periods result from these. The legal department should be involved here.
The following evaluation criteria are intended as examples to assist detection of any security gaps, manipulation attempts or other irregularities:
- Are the log-on and log-off times outside of normal working times (suggesting a tampering attempt)?
- Is the number of incorrect log-on attempts increasing (suggesting an attempt to guess a password)?
- Is the number of unauthorised access attempts increasing (suggesting tampering attempts)?
- Are there any particularly long periods of time when no log data were recorded (suggesting the records could have been deleted)?
- Is too much information recorded (long log files make it more difficult to detect irregularities)?
- Are there any particularly long periods of time when the user has not changed (suggesting that logging-off is not being consistently carried out when a user finishes work)?
- Are there any unusually long periods during which a connection with a public network has been maintained (see T 4.25 Still active connections)?
- Have unusually high network loads or an interruption in network operations been detected in individual network segments or throughout the network (suggesting that there have been attempts to obstruct or impair network services or that the network has been inappropriately designed or configured)?
When evaluating the log files, particular attention should be paid to all accesses which have been carried out using an Administrator ID.
If extensive log files are to be evaluated on a regular basis, it is sensible to use an evaluation tool. This tool should allow evaluation criteria to be selected and highlight especially critical entries (e.g. repeated failed attempts to log on).
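The evaluation criteria listed above, the special attention due to Administrator IDs and the kind of highlighting a tool should provide can be turned into a small script. The following is an added example written for this page; it is not part of the BSI catalogue and not a real evaluation tool. It assumes a simple one-line-per-event log format ("timestamp host event key=value ..."), a working day of 07:00 to 19:00, a threshold of five failed log-ons within ten minutes, a maximum tolerated logging gap of twelve hours and the account names "Administrator" and "root" as administrator IDs; all of these are assumptions that must be adapted to the system being audited, and the sample log lines are constructed.

```python
"""Check constructed log lines against the S 2.64 evaluation criteria (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not taken from any real system. Assumed format:
# "<ISO timestamp> <host> <event> key=value ..."
SAMPLE_LOG = """\
2024-03-04T08:02:11 srv1 LOGON_OK user=alice src=10.0.0.12
2024-03-04T08:05:40 srv1 LOGON_FAIL user=bob src=10.0.0.31
2024-03-04T08:05:44 srv1 LOGON_FAIL user=bob src=10.0.0.31
2024-03-04T08:05:47 srv1 LOGON_FAIL user=bob src=10.0.0.31
2024-03-04T08:05:51 srv1 LOGON_FAIL user=bob src=10.0.0.31
2024-03-04T08:05:55 srv1 LOGON_FAIL user=bob src=10.0.0.31
2024-03-04T08:06:02 srv1 LOGON_FAIL user=bob src=10.0.0.31
2024-03-04T08:09:13 srv1 LOGON_OK user=bob src=10.0.0.31
2024-03-04T09:30:00 srv1 ACCESS_DENIED user=carol obj=/etc/shadow
2024-03-04T12:15:22 srv1 LOGOFF user=alice
2024-03-05T02:47:09 srv1 LOGON_OK user=Administrator src=10.0.0.99
2024-03-05T03:01:30 srv1 LOGOFF user=Administrator
2024-03-05T09:00:01 srv1 LOGON_OK user=dave src=10.0.0.40
"""

LOGON_EVENTS = ("LOGON_OK", "LOGON_FAIL")


def parse_log(text):
    """Parse the assumed log format into dicts sorted by timestamp."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        entries.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "event": event, "fields": fields})
    return sorted(entries, key=lambda e: e["ts"])


def find_failed_logon_bursts(entries, threshold=5, window=timedelta(minutes=10)):
    """Criterion: rising number of failed log-ons (password guessing).

    Reports, per account, the largest number of LOGON_FAIL events inside any
    sliding window, and whether a successful log-on followed the burst."""
    failures = defaultdict(list)
    for e in entries:
        if e["event"] == "LOGON_FAIL":
            failures[e["fields"].get("user", "?")].append(e["ts"])
    bursts = []
    for user, times in failures.items():
        start, best = 0, (0, None, None)
        for end, t in enumerate(times):          # times are already sorted
            while t - times[start] > window:
                start += 1
            if end - start + 1 > best[0]:
                best = (end - start + 1, times[start], t)
        count, first, last = best
        if count >= threshold:
            success_after = any(e["event"] == "LOGON_OK" and e["ts"] > last
                                and e["fields"].get("user") == user for e in entries)
            bursts.append({"user": user, "count": count, "first": first,
                           "last": last, "success_after": success_after})
    return bursts


def find_off_hours_logons(entries, start_hour=7, end_hour=19):
    """Criterion: log-ons outside normal working hours (assumed 07:00-19:00)."""
    return [e for e in entries if e["event"] in LOGON_EVENTS
            and not start_hour <= e["ts"].hour < end_hour]


def find_logging_gaps(entries, max_gap=timedelta(hours=12)):
    """Criterion: long periods without any log data (possible deletion).
    The tolerated gap depends on the expected event rate of the system."""
    return [(prev["ts"], cur["ts"]) for prev, cur in zip(entries, entries[1:])
            if cur["ts"] - prev["ts"] > max_gap]


def find_admin_activity(entries, admin_ids=frozenset({"Administrator", "root"})):
    """All events carried out under an administrator ID (assumed account names)."""
    return [e for e in entries if e["fields"].get("user") in admin_ids]


def evaluate(text):
    """Run every check and return the findings for the auditor's report."""
    entries = parse_log(text)
    return {"failed_logon_bursts": find_failed_logon_bursts(entries),
            "off_hours_logons": find_off_hours_logons(entries),
            "logging_gaps": find_logging_gaps(entries),
            "admin_activity": find_admin_activity(entries)}


if __name__ == "__main__":
    for name, findings in evaluate(SAMPLE_LOG).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
```

On the constructed sample the script flags the six failed log-ons for "bob" followed by a successful one (the critical case an evaluation tool should highlight), the Administrator log-on at 02:47, the 14-hour gap between the last event of one day and the first of the next, and both events under the Administrator ID. Whether an overnight gap or a night-time administrator log-on is actually suspicious depends on the system; the thresholds are deliberately parameters, and the criteria used should be documented as the safeguard requires.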
The guidelines stated above also apply to the gathering of auditing data, because in principle, this involves the logging of security-critical events.
Review questions:
- Is there a person responsible for evaluation of log data?
- Are the results of the evaluation submitted to the IT Security Officer or another, specifically named person?
- Does a concept exist that defines the scope of logging and the evaluation of the logs?
- Are the statutory requirements for log data met?