By Manish Tanwar
World Informatix Cyber Security
The sixth of the SANS Top 20 Critical Security Controls covers system audit logs. Audit logs are the primary record of what happens on a system. If a system is compromised, the incident response team uses its logs to reconstruct the attacker's activity: whether the attacker tried to attack or log in to other machines, or exploited the system only to gather user information.
How system audit logs help
Almost every service in an operating system logs its activity, from the utility that creates user accounts to the one that lets users browse files. Suppose a system is misconfigured or unpatched, and one day a user notices unexplained activity on it. If the system was configured to log activity, the log analysis team can work out what the attacker actually did and, from that, the impact of the attack. Without those logs there is nothing to reconstruct the intrusion from.
Steps to minimize risk
To be on the safe side, the following measures help when configuring system audit logging and a threat analysis process.
- Dedicate a machine to collecting logs from all other devices. If a breach occurs and the attacker takes control of a machine and erases its local logs, the victim machine's logs can still be retrieved from the centralized log collector. Forward entries as they are generated, so the collector already holds them before an attacker can tamper with the local copy, and restrict access to the collector itself.
- Keep timestamps consistent across all devices on the network by synchronizing them to a centralized time source (for example an NTP server) from which every device retrieves its time. Consistent timestamps matter because incident correlation is done by the timestamps of the event logs; record them with an explicit time zone (or in UTC) so entries from different hosts can be placed on one timeline.
- When configuring logging, make sure the log collector has enough disk space. If storage is insufficient, extend it or attach additional storage media so that logs can be retained for a long time. Define a retention period and monitor free space, because a full log volume silently stops recording exactly the events an investigation will need.
- Configure logging so that each entry records a timestamp, source and destination IP addresses, protocol and other details of the activity. A standard log format should be easy to read and analyze. If logs are generated in their default, device-specific formats, the investigator needs a log normalization tool that converts them into a common structure before they can be compared.
- All network boundary devices such as proxies, firewalls, IDS and IPS must be configured to log both incoming and outgoing traffic. During the attack reconstruction phase, logs from these devices reveal a great deal about the attack and the attacker, for example connections from a compromised host to other internal machines.
- Audit logs must be reviewed at fixed intervals by log analysis experts, which helps spot unusual activity on a machine or the network. Sometimes an attacker gains access to a machine and maintains it quietly; regular log review is how such persistent access gets uncovered.
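The steps above fit together on the collector: normalize logs that arrive in different formats and time zones onto one UTC timeline, then correlate host events with boundary-device events by timestamp. The script below is an added example written for this article, not code from the original post or from SANS/CIS. Every log line is constructed, and the hostnames, IP addresses, the syslog and key=value formats, the host-to-IP inventory and the thresholds are assumptions.

```python
"""Normalize audit log lines from several hosts into one UTC timeline and
correlate them. Added example for this article, not code from the original
post or from SANS/CIS; the hostnames, IP addresses, log formats and
thresholds are assumptions, and every log line is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed asset inventory: which IP each logging host uses on the LAN.
HOST_IPS = {"web01": "10.0.1.5", "db01": "10.0.2.9"}

# Constructed lines as a central collector might receive them, in two formats:
# syslog-style auth messages stamped in the host's local zone (UTC+05:30) and
# key=value firewall records already stamped in UTC.
SAMPLE_LOGS = """\
2024-03-02T09:15:01+05:30 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-03-02T09:15:03+05:30 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-03-02T09:15:05+05:30 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2
2024-03-02T09:15:09+05:30 web01 sshd[2215]: Accepted password for root from 203.0.113.7 port 51030 ssh2
2024-03-02T03:46:30Z fw01 action=allow src=10.0.1.5 dst=10.0.2.9 dport=445 proto=tcp
2024-03-02T03:46:31Z fw01 action=allow src=10.0.1.5 dst=10.0.2.10 dport=445 proto=tcp
2024-03-02T10:20:00+05:30 db01 sshd[900]: Accepted publickey for backup from 10.0.1.20 port 40000 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[\w-]+)\[\d+\]: (?P<msg>.*)$")
KV_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>(?:\w+=\S+\s*)+)$")
SSH_RE = re.compile(r"^(?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
                    r"(?P<user>\S+) from (?P<src>\S+) port \d+")


def parse_ts(raw):
    """Parse an ISO 8601 timestamp and convert it to UTC.

    A timestamp with no zone cannot be placed on the shared timeline, so it
    is rejected rather than silently assumed to be UTC or local time."""
    dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without time zone: {raw}")
    return dt.astimezone(timezone.utc)


def normalize(line):
    """Map one raw line to a common event dict, or None if unrecognized."""
    m = SYSLOG_RE.match(line)
    if m:
        ev = {"ts": parse_ts(m["ts"]), "host": m["host"], "kind": "other", "raw": line}
        s = SSH_RE.match(m["msg"]) if m["prog"] == "sshd" else None
        if s:
            ev.update(kind="auth_ok" if s["result"] == "Accepted" else "auth_fail",
                      user=s["user"], src=s["src"], dst=HOST_IPS.get(m["host"]))
        return ev
    m = KV_RE.match(line)
    if m:
        kv = dict(f.split("=", 1) for f in m["kv"].split())
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "kind": "net",
                "src": kv.get("src"), "dst": kv.get("dst"),
                "dport": int(kv.get("dport", 0)), "raw": line}
    return None


def correlate(log_text, window=timedelta(minutes=5), fail_threshold=3):
    """Find brute-force logins and the follow-on connections from the victim.

    Returns a list of (finding, host, target, detail, utc_ts) tuples."""
    events = [e for e in map(normalize, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # meaningful only because all ts are UTC
    fails = defaultdict(list)           # (host, src) -> failure timestamps
    findings = []
    for ev in events:
        key = (ev.get("host"), ev.get("src"))
        if ev["kind"] == "auth_fail":
            fails[key].append(ev["ts"])
        elif ev["kind"] == "auth_ok":
            recent = [t for t in fails[key] if ev["ts"] - t <= window]
            if len(recent) < fail_threshold:
                continue
            findings.append(("brute_force_success", ev["host"], ev["src"], ev["user"], ev["ts"]))
            # Boundary-device logs: new connections from the compromised host's
            # IP shortly after the successful login point at lateral movement.
            for nxt in events:
                delta = nxt["ts"] - ev["ts"]
                if (nxt["kind"] == "net" and nxt["src"] == ev["dst"]
                        and timedelta(0) <= delta <= window):
                    findings.append(("lateral_move", ev["host"], nxt["dst"], nxt["dport"], nxt["ts"]))
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOGS):
        print(f[4].isoformat(), *f[:4])
```

Run as-is, the script reports the three failed root logins followed by a success on web01 and, about eighty seconds later, the two SMB connections the firewall saw from web01's address to other internal hosts. The web01 entries are stamped 09:15 local while the firewall entries are stamped 03:46 UTC; only after conversion do they sit next to each other on the timeline, which is the point of the time-synchronization and normalization steps. A line with no time zone is rejected outright rather than guessed, because a wrong guess would silently break the correlation.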
This is an introduction to the SANS security check ‘System audit logs’, which exists to support investigation. As always, never consider your network or devices safe; keep working to reduce the risk of a security breach.