Re: [logs] log review policies

From: John Rowan Littell (littejoat_private)
Date: Fri Oct 12 2001 - 09:56:57 PDT

Some off-the-head thoughts on this:  Going from where you left off in
regards to keeping the IDS output on the loghost, I might suggest
creating email accounts on the loghost to which you directly send the
mails.  This wouldn't be any more difficult than sending them
off-host.  Then you can dictate a login method of your favorite
cryptographic protocol (ssh, imaps, what-have-you).  This shifts the
(major) vulnerability point to the workstation from which the admins
log in, but with a secure connection, this is a lot less troublesome.

My other thought would be to use some sort of database to store the
IDS output (local to the loghost) and have an https connection to it
-- really no different from the above method in terms of vulnerability
points.

  --rowan

Lo, Jeff King and the coffee pot sang in unison:
> 
> I'm setting a log review policy for my network, and I just wanted to get
> others' input. Specifically, I'm interested in the actual machines used
> for reviewing logs.
> 
> Our setup is (I expect) pretty typical: servers log in real-time to a
> central loghost (which is presumably secured since it does nothing but
> accept log entries). All log entries are stored, regardless of merit,
> and IDS processing occurs on the central server. The results of the IDS
> audit are mailed to the sysadmins.  The sysadmins review the mails, but
> infrequently look at the full logs (usually only to investigate a
> problem indicated by the mails).
> 
> For the most part, this works. However, you have a circular trust chain.
> You don't trust the mail server to not get broken into, so you push its
> logs off to a central logserver. However, you never look at the central
> logserver; you trust the mail server to correctly display the contents
> of the logserver to you. In the case of a malicious attack, deleting the
> mailserver logs is no longer impossible; it's just harder (you have to
> delete the logs *and* the mail).
> 
> Have people implemented policy to deal with this? Clearly, the most
> secure thing is to cut the chain of trust down to the keyboard and
> monitor on the logserver.  However, sitting on console on that box might
> be inconvenient, especially if you want timely notices of log entries
> (if you have to physically go somewhere, you're likely to do it only
> once a day). A reasonable compromise would be to keep the IDS output on
> the logserver and have some way of logging in to view the output; policy
> would dictate that it only be done from certain secured workstations (we
> already have a policy dictating security levels of workstations).
> 
> What are people's thoughts on this?
> 
> -Jeff
> 

-- 
John "Rowan" Littell
Systems Administrator
Earlham College Computing Services
http://www.earlham.edu/~littejo/
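
Jeff's circular-trust concern (the mail server is the only view the sysadmins ever get of the loghost's IDS output) can be cross-checked from the reviewer's side. Added example, not code from either poster: the loghost keeps a numbered manifest of digests for every report it mailed, the reviewer fetches that manifest over ssh as Rowan suggests, and compares the reports that actually arrived against it, flagging reports that were deleted, altered, or never produced by the loghost. Function names and the sample reports are constructed for this illustration.

```python
import hashlib
from typing import Dict, List


def digest(report: str) -> str:
    """SHA-256 of a report body; the value the loghost records in its manifest."""
    return hashlib.sha256(report.encode("utf-8")).hexdigest()


def build_manifest(reports: List[str]) -> Dict[int, str]:
    """Loghost side: number each IDS report and record its digest.
    The manifest stays on the loghost and is only read over the ssh
    session the reviewer opens at review time."""
    return {seq: digest(body) for seq, body in enumerate(reports, start=1)}


def check_mailbox(manifest: Dict[int, str], received: Dict[int, str]) -> Dict[str, List[int]]:
    """Reviewer side: compare what arrived by mail against the manifest.
    `received` maps the sequence number carried in each mail's subject
    to the body that was actually delivered."""
    findings: Dict[str, List[int]] = {"missing": [], "altered": [], "unexpected": []}
    for seq, expected in sorted(manifest.items()):
        if seq not in received:
            findings["missing"].append(seq)   # report deleted or never delivered
        elif digest(received[seq]) != expected:
            findings["altered"].append(seq)   # body changed after the loghost sent it
    # Mails claiming a sequence number the loghost never issued
    findings["unexpected"] = sorted(seq for seq in received if seq not in manifest)
    return findings


# Constructed sample data: three reports the loghost produced ...
IDS_REPORTS = [
    "2001-10-12 03:00 port scan against mailhost from 10.0.0.7\n",
    "2001-10-12 04:00 47 failed root logins on mailhost\n",
    "2001-10-12 05:00 unexpected setuid file found on mailhost\n",
]
# ... and what actually reached the sysadmin's mailbox: report 2 is gone
# and report 3 has been rewritten to look harmless.
RECEIVED_MAIL = {
    1: IDS_REPORTS[0],
    3: "2001-10-12 05:00 no anomalies on mailhost\n",
}


def review() -> Dict[str, List[int]]:
    """What the reviewer runs after fetching the manifest over ssh."""
    return check_mailbox(build_manifest(IDS_REPORTS), RECEIVED_MAIL)


if __name__ == "__main__":
    print(review())  # {'missing': [2], 'altered': [3], 'unexpected': []}
```

Any non-empty finding means the mailbox view can no longer be trusted and the reviewer should read the reports on the loghost itself.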
    
This archive was generated by hypermail 2b30 : Fri Oct 12 2001 - 10:38:19 PDT