S 4.25 Use of logging in Unix systems
Initiation responsibility: Head of IT, IT Security Officer
Implementation responsibility: Administrator
The logging options offered by the individual UNIX system must be used and, where appropriate, be supplemented by programs or shell scripts.
The safeguards outlined below should be adopted:
- The log data must be evaluated regularly. The evaluation should not always take place at the same time of day, so that an attacker cannot exploit a predictable schedule. If, for instance, the administrator reviews the system activities every day at 5 p.m., an offender might get to work unnoticed at about 6 p.m.
- Depending on the type of event logged, it may be necessary to react quickly. To ensure that the Administrator is informed automatically of such events (e.g. log file too big, important server processes terminated, multiple attempted root log-ins at unusual times of day), semi-automatic log file parsers should be used to generate alerts (e.g. swatch, logsurfer or checksyslog).
- To the extent required, log files should be backed up before they get too big or are deleted by the system. It must be examined which legal or contractual retention periods have to be observed.
- Information from files like wtmp, utmp, wtmpx, utmpx, etc. should be scrutinised especially carefully as these files are easy to tamper with.
- File attributes of the log files should be set in such a way that unauthorised persons cannot make any changes to, or analyses of, the listings.
- As a minimum, the following log files should be generated and monitored: log-ins (including unsuccessful log-in attempts), su calls, error listing files / logging of important processes (errorlog), Administrator activities (especially commands executed by root). Further information on this subject can be found in S 4.106 Activation of system logging.
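The following script is an added example, not part of the original safeguard text and not one of the tools named above. It shows the kind of check a semi-automatic log file parser such as swatch or logsurfer performs: it scans a syslog-format file for failed root log-ins (sshd "Failed password for root" and su "BAD SU ... to root" messages), counts those that fall outside a configurable working-hours window, and prints an alert once a threshold is reached. The log lines, host name, addresses and the exact message texts are constructed for this example; real message formats differ between Unix variants and must be adapted.

```shell
#!/bin/sh
# Added example: a minimal log-file parser in the spirit of swatch/logsurfer.
# It counts failed root log-ins outside "normal hours" and raises an alert
# once a threshold is crossed. All sample data below is CONSTRUCTED; the
# message text of sshd, login and su differs between Unix variants.

# Normal working hours, 24h clock: inclusive start, exclusive end.
WORK_START=${WORK_START:-7}
WORK_END=${WORK_END:-19}
# Number of off-hours root failures that triggers an alert.
THRESHOLD=${THRESHOLD:-3}

# Print the number of failed root log-in attempts outside working hours
# found in the classic syslog-format file given as $1.
count_offhours_root_failures() {
    awk -v start="$WORK_START" -v end="$WORK_END" '
        # $3 is the HH:MM:SS field of a classic "Mon DD HH:MM:SS host ..." line.
        { split($3, t, ":"); hour = t[1] + 0 }
        # sshd failure against root, or su refused on the way to root.
        /Failed password for root from/ || /BAD SU .* to root/ {
            if (hour < start || hour >= end) n++
        }
        END { print n + 0 }
    ' "$1"
}

# Print an alert and return 0 when the threshold is reached, else return 1.
alert_if_needed() {
    n=$(count_offhours_root_failures "$1")
    if [ "$n" -ge "$THRESHOLD" ]; then
        echo "ALERT: $n failed root log-ins outside ${WORK_START}-${WORK_END}h in $1"
        return 0
    fi
    return 1
}

# Constructed sample log (not real system output); removed on exit.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mar 14 02:13:45 host1 sshd[1234]: Failed password for root from 203.0.113.7 port 4022 ssh2
Mar 14 02:13:51 host1 sshd[1234]: Failed password for root from 203.0.113.7 port 4023 ssh2
Mar 14 02:14:07 host1 su: BAD SU alice to root on /dev/pts/1
Mar 14 09:30:12 host1 sshd[1300]: Failed password for root from 198.51.100.4 port 5010 ssh2
Mar 14 10:02:44 host1 su: alice to root on /dev/pts/2
Mar 14 22:45:00 host1 sshd[1410]: Accepted publickey for bob from 198.51.100.9 port 5300 ssh2
EOF

# Three of the six lines are off-hours root failures, so this alerts.
alert_if_needed "$SAMPLE_LOG" || echo "no alert: below threshold"
```

In practice such a script runs from cron or tails the live log, and the alert goes to the Administrator by mail or pager rather than to standard output. The daytime failure (09:30) and the successful su (10:02) are deliberately not counted; a production parser would normally track those separately, with their own thresholds.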
The last command displays log-in and log-out information, such as the time and terminal, for each user. The Administrator should use this command to check regularly whether any users have been logging on through an unusual channel, e.g. over modem lines or via FTP.
If log data is generated on many systems, it is recommended that a dedicated, specially secured loghost is used. Forwarding of syslog messages to this loghost must be activated in the syslog configuration file of each sending system (see S 4.106 Activation of system logging).
The logged data generated must only be used in order to monitor the proper use of the IT systems and not for any other purposes, especially not for the purpose of creating user performance profiles (see also S 2.110 Data Privacy Guidelines for Logging Procedures).
Review questions:
- Are there rules for the definition of events to be logged (e.g. successful log-in attempts, unsuccessful log-in attempts, su calls, logging of important processes, errorlog, administrative activities / commands executed by root)?
- Are the log files evaluated regularly?
- Are tools (log file parsers) used for semi-automatic analysis and triggering an alarm in case of logged events?
- Is compliance with the legal or contractual retention periods for log files ensured?
- Is a dedicated, specially secured loghost used for log data?
- Are the log data of the systems transmitted to the loghost by means of the push procedure?
- Does logging comply with the applicable data protection regulations?