centos7:4 [2017/05/04 15:40]
Piotr Kłoczewski created
centos7:4 [2017/05/06 13:18] (current)
====== 4 Logging and Auditing ======
==== List of content ====
{{indexmenu>.:4#3 |context}}
==== Description ====
The items in this section describe how to configure logging, log monitoring, and auditing, using tools included in most distributions.
It is recommended that ''rsyslog'' be used for logging (with ''logwatch'' providing summarization) and ''auditd'' be used for auditing (with ''aureport'' providing summarization) to automatically monitor logs for intrusion attempts and other suspicious system behavior. \\
In addition to the local log files created by the steps in this section, it is also recommended that sites collect copies of their system logs on a secure, centralized log server via an encrypted connection. Not only does centralized logging help sites correlate events that may be occurring on multiple systems, but having a second copy of the system log information may be critical after a system compromise where the attacker has modified the local log files on the affected system(s). If a log correlation system is deployed, configure it to process the logs described in this section. \\
Because it is often necessary to correlate log information from many different systems (particularly after a security incident), it is recommended that the time be synchronized among systems and devices connected to the local network. The standard Internet protocol for time synchronization is the Network Time Protocol (NTP), which is supported by most network-ready devices. See the ntpd(8) manual page for more information on configuring NTP. \\
It is important that all logs described in this section be monitored on a regular basis and correlated to determine trends. A seemingly innocuous entry in one log could be more significant when compared to an entry in another log. \\ \\
**Note on log file permissions**: There really isn't a "one size fits all" solution to the permissions on log files. Many sites utilize group permissions so that administrators who are in a defined security group, such as "wheel", do not have to elevate privileges to root in order to read log files. Also, if a third-party log aggregation tool is used, it may need to have group permissions to read the log files, which is preferable to having it run setuid to root. Therefore, there are two remediation and audit steps for log file permissions. One is for systems that do not have a secured group method implemented that only permits root to read the log files (''root:root 600''). The other is for sites that do have such a setup and are designated as ''root:securegrp 640'' where ''securegrp'' is the defined security group (in some cases ''wheel'').
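The following audit script is an added example written for this wiki page, not part of the CIS benchmark text or its official audit procedures. It encodes the two permission policies from the note above (''root:root 600'' or ''root:securegrp 640'') and walks a log directory reporting files that match neither; the group name ''wheel'' and the directory path are assumptions to adjust per site.

```shell
#!/bin/sh
# Added example: audit log file ownership/mode against the two policies from
# the note above. SECUREGRP defaults to "wheel" (an assumption; set it to your
# site's security group). Assumes GNU coreutils stat, as shipped on CentOS 7.
SECUREGRP="${SECUREGRP:-wheel}"

# Pure policy check, so it can be tested without root-owned files.
# Usage: logperm_ok MODE OWNER GROUP   (MODE in octal as stat prints it, e.g. 600 or 0640)
# Returns 0 when the triple matches "root:root 600" or "root:$SECUREGRP 640".
logperm_ok() {
    mode="${1#0}"; owner="$2"; group="$3"     # strip a leading zero: 0640 -> 640
    [ "$owner" = root ] || return 1          # both policies require root ownership
    case "$mode" in
        600) [ "$group" = root ] ;;           # only root may read
        640) [ "$group" = "$SECUREGRP" ] ;;   # the security group may also read
        *)   return 1 ;;                      # anything else (644, 664, 777, ...) fails
    esac
}

# Walk a log directory (e.g. /var/log) and print one line per non-compliant file.
audit_logdir() {
    dir="$1"
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        # GNU stat: numeric mode, owner name, group name
        set -- $(stat -c '%a %U %G' "$f")
        logperm_ok "$1" "$2" "$3" || echo "NONCOMPLIANT $f ($2:$3 mode $1)"
    done
}

# Number of non-compliant files under a directory (0 means the directory passes).
count_noncompliant() {
    audit_logdir "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: audit /var/log (assumed path) and exit non-zero on findings.
if [ "${1:-}" = "--run" ]; then
    audit_logdir "${2:-/var/log}"
    [ "$(count_noncompliant "${2:-/var/log}")" -eq 0 ]
fi
```

Run it as ''sh audit_logperms.sh --run /var/log'' (file name assumed); the output lists each offending file with its current owner, group and mode so the appropriate remediation step (''chmod 600'' or ''chmod 640'' with ''chown root:securegrp'') can be applied.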