Logging Settings and Procedures

March 30, 2017 | Views: 4173

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

Logging procedures

Necessary information

The list indicates that the IT infrastructure that event logging is necessary if interpreted in the given system.

1. Successful and unsuccessful access attempts

2. Create and delete users

3. Users permissions changes

4. Create, delete, change roles

5. Software startup, shutdown

6. Changes in the configuration of logging subsystem

7. Reports, exports, imports making

8. Messages relating to infringement of rights

9. Start, stop, restart logging feature

10. Change logging options

11. Delete log files

12. Stopping and restarting the system

13. System events, system error

14. Create system files, modification, deletion, access

15. Configuration options that affect the operation of that system

16. Configuration log files, changing parameters

17. Check-in and check-out time, place and person

18. Direct database access, direct data modifications

19. Direct database changes are made

20. Application of entry and exit

21. Start or stop the application of each module

22. Failed to user actions

23. Application-level transactions (who, when, what, what changed it)

24. Setting and/or changing application-level parameters

25. Users to add, modify, delete user group

26. Change application-level software, software upgrades, installation or removal of existing modules, new modules

27. Sensitive file system integrity

28. Administrative integrity of sensitive data files

29. Privileged user creation permissions

30. Password change

31. Four-eyes principle processes

32. Outside the working time entries

Log Analysis

The list includes the events that handle the log analysis topic.

7. Reports, exports, imports making

31. Four-eyes principle processes

32. Outside the working time entries

In some cases, though not a service, but the underlying operating system is able to log an event type. In many cases logged by the operating system events of the service are irrelevant, because we want to log events related to the service.

Logged systems and devices

The list includes examples of the present IT infrastructure and logged system types.

  • Zorp firewall
  • Cisco ASA
  • Cisco switch
  • VMware vCenter
  • Linux server
  • Windows server
  • Active Directory
  • Apache server
  • Novell Groupwise
  • Jboss
  • McAfee EPO
  • Symantec Antivirus
  • Oracle database

Logged data of logged systems

The example is a list of logged data from the present IT infrastructure and logged system types.

Zorp firewall

The list includes those events, which are able to log the Zorp firewall as a service.

1. Successful and unsuccessful access attempts

9. Start, stop, restart logging feature

13. System events, system error

17. Check-in and check-out time, place and person

20. Application of entry and exit

21. Start or stop the application of each module

22. Failed to user actions

The list includes those events, which are able to log the firewall operating system level.

2. Create and delete users

3. Users permissions changes

4. Create, delete, change roles

5. Software startup, shutdown

6. Changes in the configuration of logging subsystem

8. Messages relating to infringement of rights

10. Change logging options

11. Delete log files

12. Stopping and restarting the system

14. Create system files, modification, deletion, access

15. Configuration options that affect the operation of that system

16. Configuration log files, changing parameters

24. Setting and/or changing application-level parameters

25. Users to add, modify, delete user group

26. Change application-level software, software upgrades, installation or removal of existing modules, new modules

27. Sensitive file system integrity

28. Administrative integrity of sensitive data files

30. Password change

Cisco ASA

The list includes those events, which are able to log the Cisco ASA.

1. Successful and unsuccessful access attempts

2. Create and delete users

3. Users permissions changes

4. Create, delete, change roles

6. Changes in the configuration of logging subsystem

10. Change logging options

11. Delete log files

12. Stopping and restarting the system

13. System events, system error

15. Configuration options that affect the operation of that system

16. Configuration log files, changing parameters

17. Check-in and check-out time, place and person

30. Password change

Cisco switch

The list includes those events, which are able to log the Cisco switch.

1. Successful and unsuccessful access attempts

2. Create and delete users

3. Users permissions changes

4. Create, delete, change roles

6. Changes in the configuration of logging subsystem

10. Change logging options

11. Delete log files

12. Stopping and restarting the system

13. System events, system error

15. Configuration options that affect the operation of that system

16. Configuration log files, changing parameters

17. Check-in and check-out time, place and person

30. Password change

VMware vCenter

The list includes those events, which are able to log the Vmware vCenter.

1. Successful and unsuccessful access attempts

2. Create and delete users

3. Users permissions changes

4. Create, delete, change roles

5. Software startup, shutdown

8. Messages relating to infringement of rights

11. Delete log files

12. Stopping and restarting the system

13. System events, system error

14. Create system files, modification, deletion, access

15. Configuration options that affect the operation of that system

16. Configuration log files, changing parameters

17. Check-in and check-out time, place and person

20. Application of entry and exit

21. Start or stop the application of each module

22. Failed to user actions

23. Application-level transactions (who, when, what, what changed it)

25. Users to add, modify, delete user group

27. Sensitive file system integrity

28. Administrative integrity of sensitive data files

29. Privileged user creation permissions

30. Password change

Linux server

The list includes those events, which are able to log the Linux server.

1. Successful and unsuccessful access attempts

2. Create and delete users

3. Users permissions changes

4. Create, delete, change roles

5. Software startup, shutdown

6. Changes in the configuration of logging subsystem

8. Messages relating to infringement of rights

9. Start, stop, restart logging feature

10. Change logging options

11. Delete log files

12. Stopping and restarting the system

13. System events, system error

14. Create system files, modification, deletion, access

15. Configuration options that affect the operation of that system

16. Configuration log files, changing parameters

17. Check-in and check-out time, place and person

21. Start or stop the application of each module

27. Sensitive file system integrity

28. Administrative integrity of sensitive data files

30. Password change

Windows server

The list includes those events, which are able to log the Windows server.

1. Successful and unsuccessful access attempts

2. Create and delete users

3. Users permissions changes

4. Create, delete, change roles

5. Software startup, shutdown

6. Changes in the configuration of logging subsystem

8. Messages relating to infringement of rights

9. Start, stop, restart logging feature

10. Change logging options

11. Delete log files

12. Stopping and restarting the system

13. System events, system error

14. Create system files, modification, deletion, access

15. Configuration options that affect the operation of that system

16. Configuration log files, changing parameters

17. Check-in and check-out time, place and person

21. Start or stop the application of each module

27. Sensitive file system integrity

28. Administrative integrity of sensitive data files

30. Password change

Active Directory

The list includes those events, which are able to log the Active Directory as a service.

1. Successful and unsuccessful access attempts

2. Create and delete users

3. Users permissions changes

4. Create, delete, change roles

13. System events, system error

17. Check-in and check-out time, place and person

20. Application of entry and exit

22. Failed to user actions

23. Application-level transactions (who, when, what, what changed it)

24. Setting and/or changing application-level parameters

25. Users to add, modify, delete user group

29. Privileged user creation permissions

30. Password change

The list includes those events, which are able to log the Active Directory operating system level.

5. Software startup, shutdown

6. Changes in the configuration of logging subsystem

8. Messages relating to infringement of rights

10. Change logging options

11. Delete log files

12. Stopping and restarting the system

14. Create system files, modification, deletion, access

15. Configuration options that affect the operation of that system

16. Configuration log files, changing parameters

21. Start or stop the application of each module

26. Change application-level software, software upgrades, installation or removal of existing modules, new modules

27. Sensitive file system integrity

28. Administrative integrity of sensitive data files

Apache server

The list includes those events, which are able to log the Apache as a service.

6. Changes in the configuration of logging subsystem

11. Delete log files

14. Create system files, modification, deletion, access

15. Configuration options that affect the operation of that system

16. Configuration log files, changing parameters

21. Start or stop the application of each module

27. Sensitive file system integrity

28. Administrative integrity of sensitive data files

The list includes those events, which are able to log the Apache operating system level.

1. Successful and unsuccessful access attempts

2. Create and delete users

3. Users permissions changes

4. Create, delete, change roles

5. Software startup, shutdown

8. Messages relating to infringement of rights

10. Change logging options

12. Stopping and restarting the system

13. System events, system error

17. Check-in and check-out time, place and person

24. Setting and/or changing application-level parameters

25. Users to add, modify, delete user group

26. Change application-level software, software upgrades, installation or removal of existing modules, new modules

30. Password change

Novell Groupwise

The list includes those events, which are able to log the Novell Groupwise.

1. Successful and unsuccessful access attempts

5. Software startup, shutdown

12. Stopping and restarting the system

13. System events, system error

15. Configuration options that affect the operation of that system

16. Configuration log files, changing parameters

17. Check-in and check-out time, place and person

20. Application of entry and exit

21. Start or stop the application of each module

24. Setting and/or changing application-level parameters

Jboss

The list includes those events, which are able to log the Apache as a service.

1. Successful and unsuccessful access attempts

13. System events, system error

17. Check-in and check-out time, place and person

20. Application of entry and exit

The list includes those events, which are able to log the Jboss operating system level.

2. Create and delete users

3. Users permissions changes

4. Create, delete, change roles

5. Software startup, shutdown

6. Changes in the configuration of logging subsystem

8. Messages relating to infringement of rights

10. Change logging options

11. Delete log files

12. Stopping and restarting the system

14. Create system files, modification, deletion, access

15. Configuration options that affect the operation of that system

16. Configuration log files, changing parameters

24. Setting and/or changing application-level parameters

25. Users to add, modify, delete user group

26. Change application-level software, software upgrades, installation or removal of existing modules, new modules

27. Sensitive file system integrity

28. Administrative integrity of sensitive data files

McAfee EPO

The list includes those events, which are able to log the McAfee EPO as a service.

1. Successful and unsuccessful access attempts

2. Create and delete users

3. Users permissions changes

4. Create, delete, change roles

5. Software startup, shutdown

6. Changes in the configuration of logging subsystem

8. Messages relating to infringement of rights

9. Start, stop, restart logging feature

10. Change logging options

11. Delete log files

12. Stopping and restarting the system

13. System events, system error

14. Create system files, modification, deletion, access

15. Configuration options that affect the operation of that system

16. Configuration log files, changing parameters

17. Check-in and check-out time, place and person

18. Direct database access, direct data modifications

19. Direct database changes are made

21. Start or stop the application of each module

24. Setting and/or changing application-level parameters

26. Change application-level software, software upgrades, installation or removal of existing modules, new modules

27. Sensitive file system integrity

28. Administrative integrity of sensitive data files

30. Password change

The list includes those events, which are able to log the McAfee EPO operating system level.

21. Start or stop the application of each module

25. Users to add, modify, delete user group

29. Privileged user creation permissions

Symantec AntiVirus

The list includes those events, which are able to log the Symantec Antivirus as a service.

5. Software startup, shutdown

12. Stopping and restarting the system

13. System events, system error

15. Configuration options that affect the operation of that system

16. Configuration log files, changing parameters

21. Start or stop the application of each module

22. Failed to user actions

24. Setting and/or changing application-level parameters

26. Change application-level software, software upgrades, installation or removal of existing modules, new modules

The list includes those events, which are able to log the Symantec Antivirus operating system level.

2. Create and delete users

3. Users permissions changes

4. Create, delete, change roles

8. Messages relating to infringement of rights

11. Delete log files

14. Create system files, modification, deletion, access

25. Users to add, modify, delete user group

27. Sensitive file system integrity

28. Administrative integrity of sensitive data files

29. Privileged user creation permissions

Oracle database

The list includes those events, which are able to log the Oracle database.

1. Successful and unsuccessful access attempts

2. Create and delete users

3. Users permissions changes

4. Create, delete, change roles

5. Software startup, shutdown

6. Changes in the configuration of logging subsystem

8. Messages relating to infringement of rights

10. Change logging options

11. Delete log files

12. Stopping and restarting the system

13. System events, system error

14. Create system files, modification, deletion, access

15. Configuration options that affect the operation of that system

16. Configuration log files, changing parameters

17. Check-in and check-out time, place and person

18. Direct database access, direct data modifications

19. Direct database changes are made

20. Application of entry and exit

21. Start or stop the application of each module

22. Failed to user actions

23. Application-level transactions (who, when, what, what changed it)

24. Setting and/or changing application-level parameters

25. Users to add, modify, delete user group

26. Change application-level software, software upgrades, installation or removal of existing modules, new modules

27. Sensitive file system integrity

28. Administrative integrity of sensitive data files

29. Privileged user creation permissions

30. Password change

Logging settings

The systems of logging required to perform the following settings.

Cisco ASA

Recommended log settings of the Cisco ASA:

config t

logging enable

logging timestamp

logging buffered informational

logging trap informational

logging asdm warnings

logging queue 2048

logging device-id hostname

show run interface

logging host INTERFACE_NAME SYSLOG_HOST_IP 6/1470

logging permit-hostdown

VMware vCenter

Recommended log settings of the VMware vCenter in CLI:

esxcli system syslog config set –loghost=udp://SYSLOG_HOST_IP:514 #or “tcp”

Recommended log settings of the VMware vCenter:

VMware Vcenter → Server settings → Logging options → Normal

Linux server

Standard log settings

Recommended settings in syslog:

*.info <IP-address_of_logserver>

Recommended settings in syslog-ng:

source s_local { unix-dgram(“/dev/log”); internal(); };

filter f_info { level(info); };

destination d_network {

network(“IP-address_of_logserver” transport(“udp”)); #or “tcp”

};

log { source(s_local); filter(f_info);destination(d_network);};

The above settings are all generated log entry in the central logserver

transmitted.

Log settings of integrity check

Integrity testing may be performed using with rkhunter.

The Rkhunter logs path is as follows:

/var/log/rkhunter.log*

Log settings of locale firewall

If IPTables local firewall is enabled, then set firewall logging rules for DROP.

Windows server

Standard log settings

The Windows operating system settings related to the audit log messages controlled by the group policy.

Successful and unsuccessful login attempts for each network service panel and console

1) Computer → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit logon events → Success, Failure

2) Computer → Policies → Windows Settings → Security Settings → AdvancedAudit Policy Configuration → Audit Policy → Logon/Logoff → Audit Logon → Success, Failure

Create and delete users, and change password

4) Computer → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit account management → Success, Failure

5) Computer → Policies → Windows Settings → Security Settings → AdvancedAudit Policy Configuration → Audit Policy → Account Managment → Audit User Account Managment → Success, Failure

6) Computer → Policies → Windows Settings → Security Settings → AdvancedAudit Policy Configuration → Audit Policy → Account Managment → Audit Other Account Managment → Success, Failure

Create, Delete and Change Role (rights groups)

8) Computer → Policies → Windows Settings → Security Settings AdvancedAudit Policy Configuration → Audit Policy → Account Managment → Audit Application Group Managment → Success, Failure

9) Computer → Policies → Windows Settings → Security Settings → AdvancedAudit Policy Configuration → Audit Policy → Account Managment → Audit Distribution Group Managment → Success, Failure Computer → Policies → Windows Settings → Security Settings → AdvancedAudit Policy Configuration → Audit Policies → Account Managment → Audit Security Group Managment → Success, Failure

System start, shutdown and restart

11) Computer → Policies → Windows Settings → Security Settings → Local Policies → Audit Policies → Audit system events → Success, Failure

12) Computer → Policies → Windows Settings → Security Settings → AdvancedAudit Policies Configuration → Audit Policies → System → Audit Security state Change → Success, Failure

13) Computer → Policies → Windows Settings → Security Settings → AdvancedAudit Policies Configuration → Audit Policies → System → Audit Other System Events → Success, Failure

Configuration of logging subsystem start, stop, restart and change

14) Computer → Policies → Windows Settings → Security Settings → AdvancedAudit Policies Configuration → Audit Policies → Policy Change → Audit Audit Policies Change → Succes, Failure

Software start and stop

These settings can generate large amounts of log entries.

15) Computer → Policies → Windows Settings → Security Settings → Local Policies → Audit Policies → Audit process tracking→ Success, Failure

16) Computer → Policies → Windows Settings → Security Settings → AdvancedAudit Policies Configuration → Audit Policies → Detailed Tracking → Audit Process Creation→ Success, Failure

17) Computer → Policies → Windows Settings → Security Settings → AdvancedAudit Policies Configuration → Audit Policies → Detailed Tracking → Audit Process Termination→ Success, Failure

If a local firewall is enabled, then set firewall logging rules for DENY.

18) Computer → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security → Properties → Logging→ Customize…

The logs to file (not event log).

Apache server

The default settings are meet the logging procedures.

The Apache logs path is as follows:

/var/log/apache/

Jboss

The default settings in log4j.xml are meet the logging procedures.

McAfee EPO

The default settings are meet the logging procedures.

The McAfee EPO logs path is as follows:

ePolicy OrchestratorServerLogs

ePolicy OrchestratorApache2Logs

Symantec Antivirus

Configure logfiles to logging system.

Admin → Servers → Configure External Logging

The Symantec Antivirus logs path is as follows:

Configure in Log Filter tab:

Managment Server Logs

System Administrative Log → Warning

System Enforcer Activity Log

Audit Log

System Server Activity Log → Warning

Compliance Logs

Enforcer Client Log

Enforcer Server Log → Warning

Clients Logs

Client Activity Log → Error

Security Log → Minor

Traffic Log → Crictical

Control Log –> Major

Scan Log

Risk Log

SONAR Protection Log

Oracle database

Configure audit logs of all database:

Ţ audit session;

Ţ audit alter table;

Ţ audit alter user;

Ţ audit create role;

Ţ audit create user;

Ţ audit create session;

Ţ audit drop any procedure;

Ţ audit drop any table;

Ţ audit grant any privilege;

Ţ audit grant any role;

Ţ audit all on sys.aud$ by access;

Configure audit logs of all DBA event:

SQL> AUDIT ALL BY <username_of_admin> ;

SQL> AUDIT ALL PRIVILEGES BY <username_of_admin> ;

SQL> AUDIT SELECT TABLE, UPDATE TABLE, INSERT TABLE, DELETE TABLE BY <username_of_admin> BY ACCESS;

SQL> AUDIT EXECUTE PROCEDURE BY <username_of_admin> BY ACCESS;

Resource issues

You need to consider before performing the recommended settings that may cause any resource problems. The resource problems mainly affect the storage space, memory, and processor. Most systems do not cause resource problems correctly configure the logging. After the settings, using the monitoring system is generally easy to identify resource issues. If we know a logged systems, then shown in the resource problems before to the settings.

Oracle databases

Storage problems are expected on database servers, therefore storage space required for expansion.

Required information flow

The system settings are IT administration tasks. The settings of logging system is an IT security task requiring the mutual information flow. If the IT infrastructure or only one system is changed, then required the communication.

 

Share with Friends
FacebookTwitterLinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterLinkedInEmail
Ready to share your knowledge and expertise?
6 Comments
  1. Very thorough! Great Work Dear! +10

  2. Good job thank you

  3. Awesome, Tamas!!!

    Thank you so much and have a great day and a wonderful weekend!!

    ladyhacker
    🙂

Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

 
Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel