Re: [logs] firewall logging and rulesets

From: Brian Ford (brford@private)
Date: Fri Oct 24 2003 - 14:39:34 PDT


    Tina,
    
    I think I got it.  You look for:
    
    >Host OS messages as applicable
    We only have the one OS in PIX and we log what's happening.
    
    >Configuration changes
    Yes.  We log when ever the configuration is changed and who did it.
    
    >Adds/deletes/changes of admin accounts
    If the account is defined locally then that would be a configuration change.
    
    >Administrative traffic from "unexpected" locations (like the Internet)
    Hmm.  We have the concept of a management interface.  If someone tries to 
    get at management from a non-management interface we don't allow the 
    connection.  I don't know off the top if we issue a log message.  I recall 
    a debate about creating a DOS if we did.  I'll check.
    
    >Connection logs (start/stop/amt of data)
    We got that.  It's in multiple messages and requires off box analysis.
    
    and you wanted to know:
    >questions to the list:
    >
    >1) what kinds of noteworthy firewall events have i missed?
    
    When you said "Host OS messages as applicable", the way I interpret that is 
    that there are three buckets into which I throw messages.  Messages that are 
    issued as part of the normal operation go in one bucket.  Messages that are 
    issued irregularly when defined things happen go into another bucket.  And 
    then there are messages that signal a problem that go into a "red" 
    bucket.  So for my three "buckets" I do this:
    
    - I like to count the normal operations messages and make sure that I 
    create some baseline (between x-y per hour or y-z per day).  This baseline 
    is a kind of load gauge for the device.
    - The "irregular" messages usually require correlation with other 
    conditions or events.  If someone were auditing what I was doing they would 
    ask about those.  I should have an explanation.  How often I do that 
    depends on what I can get away with (audit interval).
    - The "problem" messages are the ones that I want to be paged 
    about.  Things will soon or have already gone pear shaped and something 
    needs to be done soon.
    
    >2) for the default logging config on <insert name of your fave firewall
    >here>, which of these events get logged?  which don't?
    
    Inserting PIX:
    We log events that fall into all these buckets.  Some functionality (like 
    failover) is amazingly well logged and can fall into multiple categories.
    
    Most of the time when I talk to people about this, they ask me to tell them 
    about "events".  Analyzing log data, I can put most people to sleep telling 
    you about this, that, and the other events.  The challenge here is for someone 
    to come up with a really good list of events that we should tell everyone 
    about.  The ICSA Firewall program folks have done a decent job of heading 
    down that road.
    
    >3) is the logging config controlled anywhere other than in
    >/etc/syslog.conf?
    
    In PIX the logging configuration is controlled by what's in the local 
    configuration file.
    
    >4) if stuff's not in syslog or equiv, where is it and how can i grab it?
    
    The only stuff that isn't in the syslog is stored in a (pcap) file.  The 
    PIX can also capture traffic, store it locally (so what you can capture is 
    based on memory in your PIX), and then push that file over to a TFTP server 
    for further analysis.
    
    >5) can you contribute sample data, with details of non-standard logging
    >configs, for any of these events?
    
    Yes.
    
    Liberty for All,
    
    Brian
    
    
    At 10:26 PM 10/21/2003 -0700, Tina Bird wrote:
    
    >so here's my list of events on a firewall i'd like to keep track of:
    >
    >Host OS messages as applicable
    >Configuration changes
    >Adds/deletes/changes of admin accounts
    >Administrative traffic from "unexpected" locations (like the Internet)
    >Connection logs (start/stop/amt of data)
    >
    >on FW-1, config changes from the GUI are stored in a text file called
    >$FWDIR/logs/cpmgmt.aud -- which i can clearly grab and push to syslog.
    >config changes from the command line are written to syslog directly.  new
    >users with root privs are logged to syslog.  user deletes and changes are
    >harder to track.  connection logs can be grabbed in a variety of ways and
    >are easier to handle if i name them in obvious ways (and figure out a way
    >to get the number-to-name mapping into the logs directly) (i don't know if
    >it's possible to get fw-1 to log with rule names rather than numbers).
    >
    >questions to the list:
    >
    >1) what kinds of noteworthy firewall events have i missed?
    >2) for the default logging config on <insert name of your fave firewall
    >here>, which of these events get logged?  which don't?
    >3) is the logging config controlled anywhere other than in
    >/etc/syslog.conf?
    >4) if stuff's not in syslog or equiv, where is it and how can i grab it?
    >5) can you contribute sample data, with details of non-standard logging
    >configs, for any of these events?
    
    
    Brian Ford
    Consulting Engineer, Security & Integrity Specialist
    Office of Strategic Technology Planning
    Cisco Systems Inc.
    http://www.cisco.com/go/safe/
    
    The opinions expressed in this message are those of the author and not 
    necessarily those of Cisco Systems, Inc.
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
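A worked version of the three-bucket sort Brian describes (count and baseline the normal-operation messages, hold the irregular ones for correlation and audit, page on the problem ones) together with the off-box correlation he says the connection logs need. This is an added example for this archive page; it is not code from the original post, from Cisco, or from any tool mentioned in the thread. It parses lines in the PIX syslog format (`%PIX-<severity>-<message id>: text`, prefixed by the device timestamp as sent with `logging timestamp` on). The sample lines are constructed for the example; the message IDs they use (302013/302014 TCP build/teardown, 302015/302016 UDP build/teardown, 111008 executed command, 106023 access-group deny, 104001 failover switch to active) are Cisco PIX IDs, but the bucket rules (severity 1 and 2 = problem, connection build/teardown = normal, everything else = irregular) and the baseline of 2 to 10 messages per hour are assumptions chosen for illustration, not anything the post specifies.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the "%PIX-<severity>-<message id>: text" syslog
# format (as sent with 'logging timestamp' on).  Made up for this example.
SAMPLE_LOG = """\
Oct 24 2003 14:00:01: %PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:10.1.1.20/3456 (192.0.2.10/1025)
Oct 24 2003 14:00:06: %PIX-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/80 to inside:10.1.1.20/3456 duration 0:00:05 bytes 1532 TCP FINs
Oct 24 2003 14:03:10: %PIX-5-111008: User 'enable_15' executed the 'logging host inside 10.1.1.50' command.
Oct 24 2003 14:10:22: %PIX-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.1.1.20/22 by access-group "outside_in"
Oct 24 2003 14:30:00: %PIX-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.9/443 (203.0.113.9/443) to inside:10.1.1.21/3457 (192.0.2.10/1026)
Oct 24 2003 15:05:00: %PIX-1-104001: (Primary) Switching to ACTIVE - Other unit wants me Active
Oct 24 2003 15:06:00: %PIX-6-302014: Teardown TCP connection 1002 for outside:203.0.113.9/443 to inside:10.1.1.21/3457 duration 0:36:00 bytes 98000 TCP FINs
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<msg>.*)$"
)
BUILD_RE = re.compile(
    r"Built (?:inbound|outbound) (?:TCP|UDP) connection (?P<conn>\d+) for (?P<src>\S+)"
)
TEARDOWN_RE = re.compile(
    r"Teardown (?:TCP|UDP) connection (?P<conn>\d+) for (?P<src>\S+) to (?P<dst>\S+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<bytes>\d+)"
)

# Assumption: connection build/teardown is the high-volume "normal operation" traffic.
NORMAL_IDS = {"302013", "302014", "302015", "302016"}


def parse_line(line):
    """Return {ts, sev, id, msg} for a PIX syslog line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S"),
            "sev": int(m["sev"]), "id": m["id"], "msg": m["msg"]}


def classify(ev):
    """Assign one of the three buckets (thresholds are assumptions for the example)."""
    if ev["sev"] <= 2:               # alerts/critical: page somebody
        return "problem"
    if ev["id"] in NORMAL_IDS:       # count these, don't read them
        return "normal"
    return "irregular"               # needs correlation / an explanation at audit time


def bucket_events(text):
    buckets = {"normal": [], "irregular": [], "problem": []}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:           # non-PIX lines are skipped here; count them in real use
            buckets[classify(ev)].append(ev)
    return buckets


def hourly_counts(events):
    """Load gauge: normal-operation messages per clock hour."""
    return Counter(ev["ts"].strftime("%Y-%m-%d %H:00") for ev in events)


def baseline_outliers(counts, low, high):
    """Hours whose count falls outside the [low, high] baseline."""
    return sorted((hour, n) for hour, n in counts.items() if not low <= n <= high)


def correlate_connections(events):
    """Pair Built/Teardown by connection id: the off-box step that turns two
    messages into one start/stop/bytes record.  A Teardown with no Built is
    kept with start=None so it stays visible instead of being dropped."""
    conns = {}
    for ev in events:
        b = BUILD_RE.search(ev["msg"])
        if b:
            conns[b["conn"]] = {"start": ev["ts"], "src": b["src"], "dst": None,
                                "end": None, "seconds": None, "bytes": None}
            continue
        t = TEARDOWN_RE.search(ev["msg"])
        if t:
            rec = conns.setdefault(t["conn"], {"start": None, "src": t["src"]})
            rec.update(dst=t["dst"], end=ev["ts"], bytes=int(t["bytes"]),
                       seconds=int(t["h"]) * 3600 + int(t["m"]) * 60 + int(t["s"]))
    return conns


def main():
    b = bucket_events(SAMPLE_LOG)
    gauge = hourly_counts(b["normal"])
    print("load gauge (normal msgs/hour):", dict(gauge))
    print("outside baseline 2-10/hour:", baseline_outliers(gauge, 2, 10))
    for conn, rec in correlate_connections(b["normal"]).items():
        print(f"conn {conn}: {rec['src']} -> {rec['dst']} {rec['seconds']}s {rec['bytes']} bytes")
    for ev in b["irregular"]:
        print("explain at audit:", ev["id"], ev["msg"])
    for ev in b["problem"]:
        print("PAGE:", ev["id"], ev["msg"])


if __name__ == "__main__":
    main()
```

Run as a script it prints the per-hour load gauge, the hours that fall outside the baseline, one start/stop/bytes record per connection, the irregular messages you would have to explain to an auditor, and the problem messages to page on. To use it on real data, replace `SAMPLE_LOG` with the lines collected on the syslog host; the baseline range (2 to 10 per hour here) should come from watching your own device for a while, as the post suggests, not from this example.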
    



    This archive was generated by hypermail 2b30 : Fri Oct 24 2003 - 15:32:54 PDT