S 4.106 Activation of system logging
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator
The logging facility integrated in Unix, syslog, records information generated by the operating system or by application processes. Security-relevant events such as login attempts or execution of the su command should be logged so that they are available for later evaluation.
The required syslogd daemon is usually started automatically and is configured via the file /etc/syslog.conf. Suitable allocation of rights must ensure that only system administrators may change this file, and that the log files in /var/log and /var/adm can be read only by system administrators. All changes to /etc/syslog.conf must be documented. When adapting the configuration to the IT system at hand, everything should be logged at first; individual areas can then be disabled gradually if needed. The /var partition must be dimensioned generously so that sufficient space is available for the log files. The following example configuration file was created on the basis of a SunOS configuration and defines comprehensive logging into various files.
#ident "@(#)syslog.conf 1.3 93/12/09 SMI" /* SunOS 5.0 */
#
# All notices are sent to a log host that must be
# defined in the file /etc/hosts.
#
# TAB must be used as separator!
#
# Test: - start syslogd with the option "-d"
#       - after each change of this file, make syslogd re-read it with kill -HUP
#       - the log file must already exist before start/restart
#       - /usr/ucb/logger can be used to generate test messages
#         for each facility and priority
#
*.err;kern.warning;auth.err;daemon.err /dev/console
*.alert;kern.err;daemon.err operator
*.alert root
# shows emerg notices on terminals (uses WALL)
*.emerg *
#
kern.info ifdef(`LOGHOST', /var/log/kernlog, @loghost)
user.info ifdef(`LOGHOST', /var/log/userlog, @loghost)
mail.info ifdef(`LOGHOST', /var/log/maillog, @loghost)
daemon.info ifdef(`LOGHOST', /var/log/daemonlog, @loghost)
auth.info ifdef(`LOGHOST', /var/log/authlog, @loghost)
lpr.info ifdef(`LOGHOST', /var/log/lprlog, @loghost)
news,uucp.info ifdef(`LOGHOST', /var/log/newslog, @loghost)
cron.info ifdef(`LOGHOST', /var/log/cronlog, @loghost)
#
## all other "local" messages, for own programs
local0,local1.info ifdef(`LOGHOST', /var/log/locallog, @loghost)
local2,local3,local4.info ifdef(`LOGHOST', /var/log/locallog, @loghost)
local5,local6,local7.info ifdef(`LOGHOST', /var/log/locallog, @loghost)
#
# all alarms and higher are written into a separate file:
*.err ifdef(`LOGHOST', /var/log/alertlog, @loghost)
#
# Example log levels:
# ------------------------------------
# 'su root' failed for .. auth.err
# ROOT LOGIN REFUSED ON ... auth.err
# 'su root' succeeded for.. auth.notice
Review questions:
- Under Unix, are security-relevant events such as login attempts or execution of the su command logged?
- Is it ensured that the configuration file for logging (/etc/syslog.conf) can only be changed by the system administrator?
- Is it ensured that the log files (in /var/log or /var/adm) can only be read by the system administrator?
- Are all changes in the configuration file regarding logging (/etc/syslog.conf) documented in a comprehensible manner?
- Is it ensured that the partition for the log data is sufficiently dimensioned?
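As an added example that is not part of this safeguard (the function names are assumed), the following POSIX shell script checks several of the points above on a given syslog.conf and log directory: whether the auth facility is captured at notice level or finer (the example's log levels show a successful su at auth.notice, which an auth.err-only rule would miss), whether rules use the TAB separator the example insists on, and whether the configuration file is not group/world-writable and the log directory is not world-readable.

```sh
#!/bin/sh
# Added example, not part of S 4.106. Function names are assumed.
# Checks a syslog.conf and a log directory against the safeguard's points.

# 0 if an uncommented rule captures the auth facility (or "*") at notice or
# finer. Successful su is logged at auth.notice (see the example's log levels),
# so a rule that only captures auth.err would miss it.
auth_logged() {
    grep -v '^[[:space:]]*#' "$1" |
    grep -Eq '(^|;)([a-z0-9]+,)*(auth|\*)(,[a-z0-9]+)*\.(notice|info|debug|\*)(;|[[:space:]])'
}

# Number of uncommented rules whose selector and action are not separated by a
# TAB (the classic syslogd requires one; a space silently breaks the rule).
untabbed_rules() {
    awk '!/^[[:space:]]*#/ && NF >= 2 && !/\t/ { n++ } END { print n + 0 }' "$1"
}

# Permission string such as "-rw-r-----" (ls is used instead of stat, whose
# options differ between Unix flavours).
mode_of() { ls -ld "$1" | cut -c1-10; }

# 0 if neither group nor others may write the path (for /etc/syslog.conf).
not_writable_by_others() {
    case "$(mode_of "$1")" in ?????w????|????????w?) return 1 ;; *) return 0 ;; esac
}

# 0 if others may not read the path (for /var/log, /var/adm).
not_readable_by_others() {
    case "$(mode_of "$1")" in ???????r??) return 1 ;; *) return 0 ;; esac
}

# Demonstration on a constructed config in the style of the safeguard's
# example (real TABs; the news,uucp line deliberately uses a space).
demo() {
    dir=$(mktemp -d) || return 1
    conf="$dir/syslog.conf"
    printf '# constructed sample\n*.err;kern.warning;auth.err\t/dev/console\n' > "$conf"
    printf 'auth.info\t/var/log/authlog\nnews,uucp.info /var/log/newslog\n' >> "$conf"
    chmod 644 "$conf"; mkdir "$dir/log"; chmod 750 "$dir/log"
    auth_logged "$conf" && echo "auth events captured at notice or finer"
    echo "rules without TAB separator: $(untabbed_rules "$conf")"
    not_writable_by_others "$conf" && echo "syslog.conf not group/world writable"
    not_readable_by_others "$dir/log" && echo "log directory not world readable"
    rm -rf "$dir"
}
demo
```

Run the functions against the real /etc/syslog.conf and /var/log (or /var/adm) to answer the review questions on an existing system; a non-zero TAB count or a failed permission check marks a rule or path to correct.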