I'm setting a log review policy for my network, and I just wanted to get others' input. Specifically, I'm interested in the actual machines used for reviewing logs.

Our setup is (I expect) pretty typical: servers log in real-time to a central loghost (which is presumably secured since it does nothing but accept log entries). All log entries are stored, regardless of merit, and IDS processing occurs on the central server. The results of the IDS audit are mailed to the sysadmins. The sysadmins review the mails, but infrequently look at the full logs (usually only to investigate a problem indicated by the mails).

For the most part, this works. However, you have a circular trust chain. You don't trust the mail server to not get broken into, so you push its logs off to a central logserver. However, you never look at the central logserver; you trust the mail server to correctly display the contents of the logserver to you. In the case of a malicious attack, deleting the mailserver logs is no longer impossible; it's just harder (you have to delete the logs *and* the mail).

Have people implemented policy to deal with this? Clearly, the most secure thing is to cut the chain of trust down to the keyboard and monitor on the logserver. However, sitting on console on that box might be inconvenient, especially if you want timely notices of log entries (if you have to physically go somewhere, you're likely to do it only once a day).

A reasonable compromise would be to keep the IDS output on the logserver and have some way of logging in to view the output; policy would dictate that it only be done from certain secured workstations (we already have a policy dictating security levels of workstations).

What are people's thoughts on this?

-Jeff

---------------------------------------------------------------------
To unsubscribe, e-mail: loganalysis-unsubscribeat_private
For additional commands, e-mail: loganalysis-helpat_private
This archive was generated by hypermail 2b30 : Fri Oct 12 2001 - 09:40:30 PDT
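The circular trust Jeff describes (the loghost's alerts travel through a mail server that may itself be compromised) can be narrowed without sitting at the loghost console: have the loghost number each alert mail and authenticate it with a key the mail server never holds, and have the reader on a secured workstation verify both. A forged or edited mail fails the MAC, and a deleted mail shows up as a gap in the sequence. The following is an added illustration written for this archive page, not code from the original post or from any list member; it assumes a pre-shared key exchanged out of band between the loghost and the admin's workstation, a locally kept high-water mark, and constructed sample alerts.

```python
import hashlib
import hmac
import json

# Hypothetical pre-shared key (assumption): installed on the loghost and on
# the secured workstation only, never on the mail server that relays alerts.
ALERT_KEY = b"example-key-replace-me"


def _canonical(seq, ts, body):
    """Fixed serialization so sender and verifier MAC identical bytes."""
    return json.dumps({"seq": seq, "ts": ts, "body": body},
                      sort_keys=True, separators=(",", ":")).encode()


def make_alert(seq, ts, body, key=ALERT_KEY):
    """Loghost side: wrap one IDS finding in a numbered, MACed alert.

    The MAC binds seq, ts and body, so a mail server that has been broken
    into cannot edit the text or renumber a message unnoticed; the sequence
    number is what makes a *deleted* alert visible at the reader's end.
    """
    msg = {"seq": seq, "ts": ts, "body": body}
    msg["mac"] = hmac.new(key, _canonical(seq, ts, body), hashlib.sha256).hexdigest()
    return msg


def verify_alert(msg, key=ALERT_KEY):
    """Workstation side: recompute the MAC and compare in constant time."""
    try:
        expected = hmac.new(key, _canonical(msg["seq"], msg["ts"], msg["body"]),
                            hashlib.sha256).hexdigest()
    except (KeyError, TypeError):
        return False
    return hmac.compare_digest(expected, str(msg.get("mac", "")))


def audit_mailbox(received, last_seen, key=ALERT_KEY):
    """Check a batch of alert mails against the locally kept high-water mark.

    Returns the verified sequence numbers, the sequence numbers for which no
    authenticated copy arrived (deleted or withheld on the mail server), the
    messages whose MAC failed, and the new high-water mark. Only verified
    messages may advance the mark, so a forged seq cannot hide a gap.
    """
    verified, tampered = {}, []
    for msg in received:
        if verify_alert(msg, key):
            verified[msg["seq"]] = msg
        else:
            tampered.append(msg)
    high_water = max(verified, default=last_seen)
    missing = [s for s in range(last_seen + 1, high_water + 1) if s not in verified]
    return {"verified": sorted(verified), "missing": missing,
            "tampered": tampered, "high_water": high_water}


# Constructed sample: the loghost emitted alerts 11..14. What the admin
# actually reads is missing 12 (deleted on the mail server) and has 13
# edited after it was signed.
SENT = [
    make_alert(11, "2001-10-12T09:00:00", "sshd: 5 failed logins from 10.0.0.7"),
    make_alert(12, "2001-10-12T09:05:00", "portscan from 10.0.0.7"),
    make_alert(13, "2001-10-12T09:10:00", "new setuid file /tmp/.x"),
    make_alert(14, "2001-10-12T09:15:00", "heartbeat: no further alerts"),
]
RECEIVED = [SENT[0], dict(SENT[2], body="nothing to see"), SENT[3]]


def demo():
    """Audit the constructed mailbox; the admin last saw seq 10."""
    return audit_mailbox(RECEIVED, last_seen=10)


if __name__ == "__main__":
    result = demo()
    print("verified:", result["verified"])
    print("missing (no authenticated copy):", result["missing"])
    print("tampered:", [m["seq"] for m in result["tampered"]])
    print("new high-water mark:", result["high_water"])
```

In the sample, 13 is reported as missing as well as tampered: the edited copy is not evidence that alert 13 arrived, only that something claiming to be it did. One caveat worth noting: an attacker who deletes the most recent alerts leaves no gap yet, because nothing newer has arrived to expose it; the usual fix is the periodic heartbeat mail shown as seq 14, so that silence past the expected interval is itself a finding.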