logging & auditing-539_vishal

Upload: vishal-upadhyay

Post on 07-Apr-2018


  • 8/4/2019 Logging & Auditing-539_vishal

    1/25

    INTERNET SECURITY CASE STUDY

    2/25

    Systems and network device reporting is important to the overall health and security of systems.

    Every network device, operating system or application provides logging features.

    A log provides a clear view of who owns the process, what action was initiated, when it was initiated, where the action occurred and why the process ran. It is therefore of utmost importance that this information is captured in log files.

    3/25

    A log is a record of the actions and events that take place on a computer system.

    Logs are the primary record keepers of system and network activity.

    When security controls fail, logs are particularly helpful.

    Logging events helps us monitor a computer or network, can reveal an attack in progress before it succeeds, and is also very useful in determining how and when an attack occurred.

    4/25

    Auditing is the formal examination and review of actions taken by system users.

    Event auditing allows reliable, fine-grained and configurable logging of a variety of security-relevant system events, including logins, configuration changes and file and network access.

    These log records can be invaluable for live system monitoring, intrusion detection and post-mortem analysis.

    The audit mechanisms and log management generate, maintain and protect the audit trail.

    5/25

    Essentially there are four categories of reasons why event data should be logged on a given system:

    Accountability: Log data can identify which accounts are associated with certain events. This information can then be used to highlight where training and/or disciplinary action is needed.

    Reconstruction: Log data can be reviewed chronologically to determine what was happening both before and during an event. For this to work, the accuracy and coordination of system clocks are critical. To accurately trace activity, clocks need to be regularly synchronized to a central time source (for example via NTP) so that date/time stamps across systems are in sync.

    6/25

    Intrusion Detection: Unusual or unauthorized events can be detected through review of log data, assuming that the correct data is being logged and reviewed. The definition of what constitutes unusual activity varies, but can include failed login attempts, login attempts outside of designated schedules, locked accounts, port sweeps, network activity levels, memory utilization, access to key files/data, etc.

    Problem Detection: In the same way that log data can be used to identify security events, it can be used to identify problems that need to be addressed, for example by investigating the causal factors of failed jobs, resource utilization, trends and so on.
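    The intrusion-detection uses listed above (failed login attempts, logins outside a designated schedule) are easy to turn into concrete rules. The following is an added example, not part of the original slides: it runs three hypothetical rules over a constructed Linux auth.log excerpt. The host name, user names, IP addresses, the 08:00 to 18:00 "designated schedule" and the thresholds are all assumptions chosen for illustration; syslog lines carry no year, so one is supplied.

```python
"""Added example: simple intrusion-detection rules over a constructed SSH auth log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the usual Linux auth.log layout; not taken from a real host.
SAMPLE_LOG = """\
Mar 12 09:14:02 web01 sshd[2101]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar 12 22:41:10 web01 sshd[2190]: Accepted password for bob from 10.0.0.9 port 51900 ssh2
Mar 12 23:05:01 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 12 23:05:03 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar 12 23:05:05 web01 sshd[2212]: Failed password for admin from 203.0.113.7 port 40003 ssh2
Mar 12 23:05:06 web01 sshd[2213]: Failed password for admin from 203.0.113.7 port 40004 ssh2
Mar 12 23:05:09 web01 sshd[2214]: Failed password for alice from 203.0.113.7 port 40005 ssh2
Mar 12 23:06:30 web01 sshd[2230]: Accepted password for alice from 203.0.113.7 port 40010 ssh2
"""

# Matches sshd login outcomes; "invalid user" is skipped so the user name is captured cleanly.
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(text, year=2019):
    """Turn auth.log text into login events. Syslog lines have no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a login outcome line; ignore
        stamp = f"{m['month']} {m['day'].strip()} {m['time']} {year}"
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect(events, burst_n=5, burst_window=60, hours=(8, 18)):
    """Apply three hypothetical rules; each alert is (kind, user, source ip, timestamp).

    brute_force:            burst_n or more failures from one IP within burst_window seconds
    off_hours_login:        a successful login outside the designated schedule
    success_after_failures: a success from an IP with 3+ failures in the previous 10 minutes
    """
    alerts = []
    failures = defaultdict(list)  # ip -> timestamps of failed attempts
    reported_burst = set()        # alert once per offending IP
    for e in sorted(events, key=lambda ev: ev["ts"]):
        recent = [t for t in failures[e["ip"]] if e["ts"] - t <= timedelta(minutes=10)]
        if not e["ok"]:
            failures[e["ip"]].append(e["ts"])
            window = [t for t in failures[e["ip"]]
                      if e["ts"] - t <= timedelta(seconds=burst_window)]
            if len(window) >= burst_n and e["ip"] not in reported_burst:
                reported_burst.add(e["ip"])
                alerts.append(("brute_force", None, e["ip"], e["ts"]))
            continue
        if not (hours[0] <= e["ts"].hour < hours[1]):
            alerts.append(("off_hours_login", e["user"], e["ip"], e["ts"]))
        if len(recent) >= 3:
            alerts.append(("success_after_failures", e["user"], e["ip"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

    The last rule is the one worth acting on first: a success from an address that just failed repeatedly is a far stronger signal than either failures or an off-hours login alone, which is exactly the point about correlating the right data rather than reviewing single events.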

    7/25

    Essentially, for each monitored system and each likely event condition there must be enough data logged for determinations to be made. At a minimum, we need to be able to answer the standard who, what and when questions.

    The data logged must be retained long enough to answer those questions, but not indefinitely. Storage space costs money and at a certain point, depending on the data, the cost of storage exceeds the probable value of the log data.

    8/25

    For log data to be useful, it must be secured against unauthorized access and integrity problems. This means there should be proper segregation of duties between those who administer system/network accounts and those who can access the log data.

    The idea is that nobody can do both; otherwise the risk, real or perceived, is that an account is created for malicious purposes, activity is performed, the account is deleted and the logs are then altered so they do not show what happened. Bottom line: access to the logs must be restricted to ensure their integrity. This requires access controls as well as hardened systems.

    9/25

    There are quite a few options in terms of where the logs should be written.

    The basic requirement for a log location is that it be securable. This implies adequate access control to prevent unauthorized tampering with the log file from outside the application, for instance by directly editing the text file in a regular text editor.

    With this in mind, the general recommendation is that the log files be placed on a different, dedicated log server, possibly on a separate VLAN.

    From a security perspective the advantage of doing this is that even if an attacker successfully compromises the application server, he or she would still need to get past another barrier to compromise the logs and/or delete traces of the malicious activity.

    All updates to the remote log server must then be performed over a secure channel (for example syslog over TLS rather than plain UDP syslog) to prevent tampering in transit, and the log server itself should only accept appends, never edits or deletions, from the sending hosts.

    10/25

    Firstly, most programming frameworks and operating systems provide some level of access to at least the operating system logs.

    On Unix systems the syslog API, and in .NET the System.Diagnostics.EventLog class, provide access to /var/log/messages (or wherever syslogd is configured to write) and the NT Event Log respectively.

    As mentioned above, such logging facilities come with a number of caveats, but they nevertheless represent an easily accessible option.

    With ASP.NET 2.0, an important new feature was health monitoring, which provides the rich capabilities of a built-in logging subsystem while eliminating some of the traditional bottlenecks associated with such systems.

    Health monitoring is highly configurable, allowing even for parameters such as thresholds for when logging and alerting should start and when they should stop.

    11/25

    Third-party libraries such as the log4j family and Microsoft's Enterprise Library (Logging Application Block) provide another option.

    These libraries provide full-function logging capabilities and are highly configurable.

    Further, they can easily integrate with different application types including thick clients, web applications, services and even controls. Especially in the case of the Apache Logging Services project, logging APIs are available in a wide variety of languages, from Java (log4j) and .NET (log4net) to C++ (log4cxx) and PHP (log4php).

    These logging APIs also allow for a variety of log sinks, from the more traditional file system, database or syslog to message queues and system-management software solutions.

    One important feature that most third-party logging solutions support is the notion of log levels. Log levels, typically Debug, Informational, Warning, Error and Fatal in increasing order of severity, help control the kind and volume of information that is logged. Production systems should by default only log Warning and higher, unless a problem is being debugged in production. One caveat: security audit events (logins, privilege changes, transactions) are usually emitted at Informational level, so they must be routed through a separate audit logger or category that is not subject to the production threshold, or the audit trail silently disappears.
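    To make the level caveat concrete, here is an added example (not code from the slides or from any of the libraries named above) using Python's standard logging module, which has the same level model as log4j. The application logger is gated at WARNING in production, while a separate audit logger keeps INFO records and does not propagate to the root logger, so the transfer record survives regardless of the production threshold. The logger names, the in-memory handler and the sample messages are assumptions for the demonstration; a deployment would use file or syslog handlers instead.

```python
"""Added example: production log-level gating with a separate, ungated audit logger."""
import logging


class ListHandler(logging.Handler):
    """Collects formatted records in memory so the example runs offline.
    A real deployment would use a FileHandler or SysLogHandler here."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


def configure(production=True):
    """Return (app_logger, audit_logger, app_sink, audit_sink).

    In production the application logger keeps WARNING and above only.
    The audit logger always keeps INFO and has its own handler, so a change
    to the application threshold can never drop audit events.
    """
    app = logging.getLogger("bank.app")      # hypothetical logger names
    audit = logging.getLogger("bank.audit")
    for lg in (app, audit):
        lg.handlers.clear()                  # idempotent across repeated calls
        lg.propagate = False                 # do not leak into the root logger
    app_sink, audit_sink = ListHandler(), ListHandler()
    fmt = logging.Formatter("%(levelname)s %(name)s %(message)s")
    app_sink.setFormatter(fmt)
    audit_sink.setFormatter(fmt)
    app.addHandler(app_sink)
    audit.addHandler(audit_sink)
    app.setLevel(logging.WARNING if production else logging.DEBUG)
    audit.setLevel(logging.INFO)
    return app, audit, app_sink, audit_sink


def simulate(production=True):
    """Emit a few constructed messages and return what each sink retained."""
    app, audit, app_sink, audit_sink = configure(production)
    app.debug("cache miss for account 4711")
    app.info("request handled in 12 ms")
    app.warning("retrying database connection")
    # The who/what/when/where record that must never be filtered out.
    audit.info("user=alice action=transfer amount=100 from=ACC-1 to=ACC-2 "
               "src=10.0.0.5 result=ok")
    return app_sink.records, audit_sink.records


if __name__ == "__main__":
    for mode in (True, False):
        app_records, audit_records = simulate(production=mode)
        print("production" if mode else "debug", app_records, audit_records)
```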

    12/25

    1. Open Network Connections.

    2. Click the connection on which Internet Connection Firewall (ICF) is enabled, and then, under Network Tasks, click Change settings of this connection.

    3. On the Advanced tab, click Settings.

    4. On the Security Logging tab, under Logging Options, select one or both of the following options:

    To enable logging of unsuccessful inbound connection attempts, select the Log dropped packets check box.

    To enable logging of successful outbound connections, select the Log successful connections check box.

    13/25 (screenshot slide; no transcript text)

    14/25

    1. Open Network Connections.

    2. Click the connection for which Internet Connection Firewall is enabled, and then, under Network Tasks, click Change settings of this connection.

    3. On the Advanced tab, click Settings.

    4. On the Security Logging tab, under Log file options, under Name, click Browse.

    5. Scroll to pfirewall.log, right-click pfirewall.log, and then click Open.

    6. Double-click the log file to open it, and view the contents.
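    Opening pfirewall.log in Notepad, as the steps above describe, is fine for a glance, but the "port sweep" indicator from the intrusion-detection list needs the file parsed. The following added example (not from the slides or from Microsoft's documentation) reads the file's own #Fields header, so it works whether or not the trailing path column is present, counts DROP records per source address and flags any source that probed several distinct destination ports. The log header layout follows the W3C extended format Windows Firewall writes, as recalled from memory, and the records, addresses and the four-port threshold are constructed for the example.

```python
"""Added example: parse a Windows Firewall (ICF) pfirewall.log and flag port sweeps."""
from collections import defaultdict

# Constructed sample. The #Fields line mirrors the header Windows Firewall writes
# (recalled from memory); the data rows are invented for illustration.
SAMPLE_PFIREWALL_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2019-08-04 10:21:33 OPEN TCP 192.168.1.20 198.51.100.10 1045 80 0 - 0 0 0 - - - SEND
2019-08-04 10:21:40 DROP TCP 203.0.113.7 192.168.1.20 40123 135 48 S 2914301 0 65535 - - - RECEIVE
2019-08-04 10:21:40 DROP TCP 203.0.113.7 192.168.1.20 40124 139 48 S 2914302 0 65535 - - - RECEIVE
2019-08-04 10:21:41 DROP TCP 203.0.113.7 192.168.1.20 40125 445 48 S 2914303 0 65535 - - - RECEIVE
2019-08-04 10:21:41 DROP TCP 203.0.113.7 192.168.1.20 40126 3389 48 S 2914304 0 65535 - - - RECEIVE
2019-08-04 10:21:42 DROP UDP 203.0.113.7 192.168.1.20 40127 137 78 - - - - - - - RECEIVE
2019-08-04 10:25:00 DROP ICMP 10.0.0.3 192.168.1.20 - - 60 - - - - 8 0 - RECEIVE
2019-08-04 10:30:12 CLOSE TCP 192.168.1.20 198.51.100.10 1045 80 0 - 0 0 0 - - - SEND
"""


def parse_pfirewall(text):
    """Return one dict per data row, keyed by the column names in the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/comment lines
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # header missing or row malformed: skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def summarize_drops(rows):
    """Count DROP records per source IP and the distinct (protocol, port) pairs each hit."""
    drops = defaultdict(int)
    ports = defaultdict(set)
    for r in rows:
        if r["action"] != "DROP":
            continue
        drops[r["src-ip"]] += 1
        if r["dst-port"] != "-":          # ICMP rows carry no port
            ports[r["src-ip"]].add((r["protocol"], int(r["dst-port"])))
    return dict(drops), {ip: sorted(p) for ip, p in ports.items()}


def port_sweeps(rows, min_ports=4):
    """Source addresses whose dropped packets touched at least min_ports distinct ports."""
    _, ports = summarize_drops(rows)
    return sorted(ip for ip, p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    parsed = parse_pfirewall(SAMPLE_PFIREWALL_LOG)
    drop_counts, drop_ports = summarize_drops(parsed)
    print("drops per source:", drop_counts)
    print("suspected sweeps:", port_sweeps(parsed))
```

    To run it against a real file, replace the constant with open(r"C:\Windows\pfirewall.log").read() (the default location on XP; adjust if the Security Logging tab shows a different name). Note that "Log dropped packets" must be enabled in the previous procedure or the DROP rows this relies on are never written.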

    15/25 (screenshot slide; no transcript text)

    16/25

    One of the most important uses of log files from a security perspective is in forming the audit trail.

    An audit trail is a record of a user's activity as he or she uses the system.

    Consider the scenario where a user logs into his or her online banking account and then transfers $100 from one account to another.

    The audit trail must in this case be designed to make it hard for that user to deny, after the fact, that he or she performed the transaction.

    This is just a simple example, and in reality there are many other events that should and would be logged in this case. In fact, in most systems we would like to go further and maintain an audit trail of when the system is restarted or users are added and deleted,
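    The banking scenario above and the integrity requirement from slide 8 (an administrator must not be able to create an account, act, delete it and then edit the logs) are served by the same mechanism, so one added example covers both. It is not code from the slides: each audit record carries the who, what, when and where fields, and every record is bound to its predecessor with an HMAC over its canonical JSON form, so altering the amount, reordering records or deleting the transfer record is detected on verification. The key, the record fields, the account identifiers and the timestamps are all assumptions; in a real deployment the key lives only on the log server (ideally in an HSM), never on the application host that produces the records, which is what makes the chain useful against the scenario on slide 8.

```python
"""Added example: a tamper-evident (HMAC-chained) audit trail for a funds transfer."""
import copy
import hashlib
import hmac
import json

# Hypothetical key for the demonstration only. Keep the real one off the application host.
AUDIT_KEY = b"example-key-not-for-production"
GENESIS = "0" * 64  # "previous tag" of the very first record


def _canonical(body):
    """Stable byte encoding so the same record always hashes the same way."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_record(seq, prev_tag, **fields):
    """Build one audit record chained to the previous record's tag."""
    body = {"seq": seq, "prev": prev_tag, **fields}
    tag = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def append(trail, **fields):
    """Append a record; the sequence number and previous tag are derived, not supplied."""
    prev = trail[-1]["tag"] if trail else GENESIS
    trail.append(make_record(len(trail), prev, **fields))
    return trail[-1]


def verify(trail):
    """Return (True, None) if the chain is intact, else (False, index of first bad record).

    Catches altered fields (tag mismatch), deleted or reordered records (seq/prev mismatch).
    """
    expected_prev = GENESIS
    for i, rec in enumerate(trail):
        body = {k: v for k, v in rec.items() if k != "tag"}
        if body.get("seq") != i or body.get("prev") != expected_prev:
            return False, i
        expected = hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["tag"]):
            return False, i
        expected_prev = rec["tag"]
    return True, None


def build_example_trail():
    """The slide's scenario as constructed records: login, $100 transfer, logout."""
    trail = []
    append(trail, ts="2019-08-04T10:15:00Z", who="alice", what="login",
           src_ip="10.0.0.5", result="success")
    append(trail, ts="2019-08-04T10:16:30Z", who="alice", what="transfer",
           amount="100.00", currency="USD", from_acct="ACC-1", to_acct="ACC-2",
           src_ip="10.0.0.5", result="success")
    append(trail, ts="2019-08-04T10:17:02Z", who="alice", what="logout",
           src_ip="10.0.0.5", result="success")
    return trail


def tamper_checks():
    """Show that altering the amount or deleting the transfer record breaks verification."""
    intact = build_example_trail()
    altered = copy.deepcopy(intact)
    altered[1]["amount"] = "10000.00"
    deleted = copy.deepcopy(intact)
    del deleted[1]
    return verify(intact), verify(altered), verify(deleted)


if __name__ == "__main__":
    for label, outcome in zip(("intact", "altered", "deleted"), tamper_checks()):
        print(label, outcome)
```

    Because the tag covers the previous tag, an attacker who can edit the file but does not hold the key cannot repair the chain after changing a record; with the key held only by the log server, that holds even for an administrator of the application host.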

    17/25

    Essentially an audit trail is intended to provide accountability and non-repudiation, and both of these, as mentioned above, are valuable among other things for their evidentiary value.

    Besides this, audit trails are also useful for identifying, for instance, which parts of your system are most frequently used or where the bottlenecks lie.

    18/25

    Log monitoring, as one would expect, can be done in two ways: manual or automated.

    Manual approaches have the advantage of most often being highly accurate and focused, but they do not scale to the volume a production system produces.

    Automated analysis is becoming increasingly common and the tools in this space are maturing.

    The major area of research for the tool makers centres on eliminating false positives and false negatives.

    19/25

    In practice a commonly used third option is a semi-automated approach.

    Typically this involves designating a specific individual to perform log analysis, but equipping him or her with tools such as log parsers and analyzers that convert the raw log into a form that is more easily human-readable and that allows for post-processing techniques such as trend analysis.

    20/25

    1. Click Start, then Control Panel.

    2. Click Performance and Maintenance, then Administrative Tools.

    3. Select Local Security Policy.

    4. Click the + next to Local Policies to expand the tree, then select Audit Policy.

    5. For each option in the right panel, double-click it to select Success and/or Failure logging.

    21/25 (screenshot slide; no transcript text)

    22/25

    SmartInspect is an advanced .NET and Java logging tool for debugging and monitoring software applications.

    It helps to identify bugs, find solutions to user-reported issues and gives a precise picture of how your software performs in different environments.

    It generates end-user log files so that solutions and workarounds can be provided to customers quickly.

    23/25 (screenshot slide; no transcript text)

    24/25

    http://www.codesecurely.org/Wiki/view.aspx/Security_Code_Reviews/Logging__Auditing

    http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/hnw_enable_security_logging.mspx?mfr=true

    http://netsecurity.about.com/cs/tutorials/ht/ht040503.htm

    CERT-In Security Guideline CISG-2008-01 (Guidelines for Auditing and Logging)

    Screenshots of Windows XP and the SmartInspect Professional Console
