Difference between revisions of "Log review and management"

From OWASP
Revision as of 04:39, 17 March 2007

Overview

Purpose:

  • Communicate potential risks to stakeholders.
  • Communicate the rationale for security-relevant decisions to stakeholders.

Role:

  • who typically does this

Frequency:

Log Review Tips

Critical systems require log review at least daily. Which logs and activities deserve the most attention?

1. Consecutive login failures, especially outside office hours.

2. Logins outside office hours.

3. Authority (privilege) changes, additions and removals. Check each one against an approved authorization request.

4. Any activity by system administrators.

5. Any unknown workstation or server plugged into the network.

6. Log removal, log overwriting, or a log that has reached its size limit.

7. Pay extra attention to the log reports covering weekends and holidays.

8. Any account unlocked or password reset by a system administrator without an authorized request form.
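The tips above are easier to apply consistently when they are written down as checks and run over the day's log before a human looks at it. The script below is an added example, not code from the OWASP page: it implements tips 1 to 8 against a constructed pipe-delimited event log. The log format, the field names, the office-hours window, the failure threshold, the administrator and host inventories and the register of approved requests (AUTHORIZED) are all assumptions chosen for illustration; a real deployment would read them from the organisation's own sources.

```python
"""Added example: a minimal reviewer that runs the checks from the tips above
over a constructed sample log. Not code from the OWASP page; the log format,
field names, thresholds and sample lines are all assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

OFFICE_HOURS = range(8, 19)       # assumed: 08:00-18:59 local time is office time
FAIL_THRESHOLD = 3                # assumed: 3 consecutive failures is worth a look
ADMINS = {"root", "admin"}        # assumed administrator accounts (tip 4)
KNOWN_HOSTS = {"web01", "db01"}   # assumed asset inventory (tip 5)
# Assumed register of approved requests: (action, target account) -> form/ticket id (tips 3, 8)
AUTHORIZED = {
    ("PRIV_CHANGE", "bob"): "CHG-1042",
    ("PASSWORD_RESET", "carol"): "REQ-77",
}

# Constructed sample log, one event per line:
# timestamp|host|actor|action|target|result   (2007-03-15 is a Thursday, 03-17 a Saturday)
SAMPLE_LOG = """\
2007-03-15 02:14:05|web01|alice|LOGIN|-|FAIL
2007-03-15 02:14:19|web01|alice|LOGIN|-|FAIL
2007-03-15 02:14:31|web01|alice|LOGIN|-|FAIL
2007-03-15 02:15:02|web01|alice|LOGIN|-|OK
2007-03-15 02:20:44|web01|root|PRIV_CHANGE|bob|OK
2007-03-15 02:21:10|web01|root|PRIV_CHANGE|dave|OK
2007-03-15 03:00:00|web01|root|PASSWORD_RESET|carol|OK
2007-03-15 03:01:00|web01|admin|ACCOUNT_UNLOCK|eve|OK
2007-03-15 03:05:00|web01|-|LOG_CLEARED|/var/log/auth.log|OK
2007-03-15 10:02:11|web01|alice|LOGIN|-|OK
2007-03-15 11:00:00|lab-pc7|mallory|LOGIN|-|OK
2007-03-17 09:30:00|web01|alice|LOGIN|-|OK
"""


def parse(line):
    """Split one pipe-delimited event into a dict with a parsed timestamp."""
    ts, host, actor, action, target, result = line.split("|")
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "host": host,
            "actor": actor, "action": action, "target": target, "result": result}


def is_off_hours(ts):
    """Weekend or outside office hours (tips 1, 2 and 7 all hinge on this)."""
    return ts.weekday() >= 5 or ts.hour not in OFFICE_HOURS


def review(text):
    """Return a list of (tip, message) findings for the events in `text`."""
    findings = []
    fail_run = defaultdict(int)   # actor -> current run of consecutive failures
    for line in text.splitlines():
        e = parse(line)
        when = "off-hours" if is_off_hours(e["ts"]) else "office hours"
        tag = f"{e['ts']:%Y-%m-%d %H:%M} {e['actor']}@{e['host']}"

        if e["host"] not in KNOWN_HOSTS:                          # tip 5
            findings.append(("T5", f"{tag}: event from host not in inventory"))

        if e["action"] == "LOGIN":
            if e["result"] == "FAIL":
                fail_run[e["actor"]] += 1
                if fail_run[e["actor"]] == FAIL_THRESHOLD:        # tip 1
                    findings.append(("T1", f"{tag}: {FAIL_THRESHOLD} consecutive failures ({when})"))
            else:
                fail_run[e["actor"]] = 0                          # a success ends the run
                if when == "off-hours":                           # tip 2 (and 7 for weekends)
                    findings.append(("T2", f"{tag}: successful login {when}"))
        elif e["action"] == "PRIV_CHANGE":                        # tip 3
            if (e["action"], e["target"]) not in AUTHORIZED:
                findings.append(("T3", f"{tag}: privilege change on {e['target']} with no approved request"))
        elif e["action"] in ("ACCOUNT_UNLOCK", "PASSWORD_RESET"):  # tip 8
            if (e["action"], e["target"]) not in AUTHORIZED:
                findings.append(("T8", f"{tag}: {e['action']} on {e['target']} with no authorized form"))
        elif e["action"] == "LOG_CLEARED":                        # tip 6
            findings.append(("T6", f"{tag}: log {e['target']} cleared or overwritten"))

        if e["actor"] in ADMINS:                                  # tip 4: every admin action is reviewed
            findings.append(("T4", f"{tag}: administrator performed {e['action']} on {e['target']}"))
    return findings


def summarize(findings):
    """Count findings per tip so the reviewer can see the shape of the day at a glance."""
    return dict(Counter(tip for tip, _ in findings))


if __name__ == "__main__":
    for tip, msg in review(SAMPLE_LOG):
        print(tip, msg)
    print(summarize(review(SAMPLE_LOG)))
```

Two design points worth keeping when adapting this: the consecutive-failure counter is reset by a success, so the alert fires on a genuine run rather than on a day's total, and privilege changes and password resets are judged against a register of approved requests rather than against who performed them, which is what tips 3 and 8 actually ask for. Tip 4 deliberately produces a finding for every administrator action, including the authorized ones, because the point of that tip is that admin activity is reviewed, not that it is suspicious.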

Subactivity 2

Describe the subactivity here


Subactivity 3

Describe the subactivity here