Difference between revisions of "Log review and management"

From OWASP
Revision as of 04:55, 17 March 2007

Overview

Purpose:

  • Communicate potential risks to stakeholders.
  • Communicate the rationale for security-relevant decisions to stakeholders.

Role:

  • who typically does this

Frequency:

Log Review Tips

Critical systems require at least daily log review. But which types of logs and activities deserve the most attention?

1. Consecutive login failures, especially outside office hours.

2. Logins outside office hours.

3. Authority changes, additions and removals. Check them against the authorized application form.

4. Any system administrator activity.

5. Are any unknown workstations or servers plugged into the network?

6. Log removal, log overwriting, or log storage reaching capacity.

7. Pay more attention to log reports after weekends and holidays.

8. Any account unlock or password reset performed by system administrators without authorized forms?

Log Standard

In practice we suffer from a variety of log formats and standards across systems, whether we work in-house or as a consultant. Why not give developers a standard or set of guidelines before they design the user administration and audit trail functions needed to fulfil security controls?

Functions:-

  • Search - by date and time, by event type, by criticality, by account/user ID, by department
  • Sorting - by date and time, by event type, by criticality, by account/user ID, by department
  • Paging (optional)
  • Critical events are marked with "*"
  • Show expired and inactive accounts (for example, inactive for 90 days)


Mandatory Fields:-

  • User ID and Name
  • Activity Date/Timestamp
  • Activity Type and Description
  • Terminal IP address and Location


User Account List:-

  • User Info - Name, Department, Role
  • Last Accessed Time
  • Account Creation Date/Time
  • Current Authority and Role
  • Account authority and information change history
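The review tips and the log standard above can be exercised together on records that carry the mandatory fields. The following Python script is an added example and not part of the OWASP page: it parses constructed pipe-delimited sample records, applies tips 1 to 4 and 8, and marks critical events with "*" as the Log Standard asks. The office-hours window, failure threshold, administrator account list, event type names and the "form=" convention are all assumptions.

```python
from datetime import datetime

FIELDS = ("user_id", "name", "ts", "type", "desc", "ip", "location")
OFFICE_HOURS = range(9, 18)   # assumption: 09:00-17:59 local time, Mon-Fri
FAIL_THRESHOLD = 3            # assumption: 3 consecutive failures per user
ADMIN_USERS = {"admin"}       # assumption: known administrator accounts
CRITICAL = {"LOGIN_FAIL", "PWD_RESET", "ACCT_UNLOCK", "ROLE_CHANGE"}  # marked "*"
# Constructed sample records in the page's mandatory-field layout; 2007-03-16 is a Friday.
SAMPLE_LOG = """\
admin|SysAdmin|2007-03-16 10:05:00|PWD_RESET|reset u1003 form=|10.0.0.1|DC
admin|SysAdmin|2007-03-16 10:06:00|ROLE_CHANGE|u1004 +ADMIN form=CR-0042|10.0.0.1|DC
u1002|Bob|2007-03-16 23:40:00|LOGIN_FAIL|bad password|10.0.0.9|HQ-2F
u1002|Bob|2007-03-16 23:41:00|LOGIN_FAIL|bad password|10.0.0.9|HQ-2F
u1002|Bob|2007-03-16 23:42:00|LOGIN_FAIL|bad password|10.0.0.9|HQ-2F
u1002|Bob|2007-03-16 23:43:00|LOGIN_OK|console login|10.0.0.9|HQ-2F
"""

def parse(text):
    # One dict per record, keyed by the mandatory field names; timestamp parsed.
    events = []
    for line in text.splitlines():
        rec = dict(zip(FIELDS, line.split("|")))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(rec)
    return events

def off_hours(ts):
    return ts.weekday() >= 5 or ts.hour not in OFFICE_HOURS

def form_ref(desc):  # assumption: a "form=<ref>" token records the authorization form
    return next((tok[5:] for tok in desc.split() if tok.startswith("form=")), "")

def review(events):
    """Apply review tips 1-4 and 8; returns (marker, finding, user_id, timestamp) tuples."""
    findings, streak = [], {}
    for e in events:
        uid, kind, ts, msgs = e["user_id"], e["type"], e["ts"], []
        streak[uid] = streak.get(uid, 0) + 1 if kind == "LOGIN_FAIL" else 0
        if streak[uid] == FAIL_THRESHOLD and off_hours(ts):
            msgs.append("consecutive login failures outside office hours")
        if kind == "LOGIN_OK" and off_hours(ts):
            msgs.append("login outside office hours")
        if uid in ADMIN_USERS:
            msgs.append("system administrator activity")
        if kind == "ROLE_CHANGE":
            msgs.append("authority change: check against the authorized application")
        if kind in ("PWD_RESET", "ACCT_UNLOCK") and not form_ref(e["desc"]):
            msgs.append("password reset/unlock without authorized form")
        # Critical events carry the "*" marker required by the Log Standard.
        findings += [("*" if kind in CRITICAL else " ", m, uid, ts) for m in msgs]
    return findings
```

Running `review(parse(SAMPLE_LOG))` yields six findings: two administrator activities, one reset without a form reference, one authority change, Bob's third off-hours failure, and his off-hours login.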

Subactivity 3

Describe the subactivity here