Configuration and Log Analysis
Configuration analysis involves the verification of machine and device configurations, including customization settings, installed options, etc. In configuration analysis, you examine the current state of the system, looking for ways to make it more secure. In effect, a configuration auditor follows a highly detailed checklist, comparing each element on the list with the object being audited, and noting where discrepancies exist.
Logging is the process of recording interesting system and network events. It can be used strictly for informational purposes, or for accounting charge backs or system/network performance and load analysis. For example, you can log accesses to web documents on any web server, user login attempts, accesses to certain files in Windows 2000, system startup/shutdown, security policy changes, user account administration or uses of the UNIX su command.
Where are these logs? On UNIX systems, many programs write logging information into the systems syslog (which may be present on that system, or may be on another system on the network).
On Windows systems, many programs write logging information into the Event Log (more properly, into the System, Security or Application event logs). Other programs, such as web servers, typically maintain their own logs created with special formats that can be read by tools specifically designed to easily mine the logs for information.
What and where should you monitor? You cannot monitor everything in a typical environment (such as the completion of every print job) because you become flooded in data. The chairman of IBM has in his office the motto: Think. As a general recommendation: Monitor the obvious. Anything less than obvious to monitor is outside any firewall. Create a baseline of normal activity outside and monitor so you have an idea of what an attack looks like before someone gets in. For example, you may not want to log successful accesses of a certain data file, but you might want to know about unsuccessful accesses, because those are likely to indicate someone trying to read data theyre not authorized to see.
A key point about logging as an audit tool is made very well in Real World Linux Security115 by Bob Toxen. If you can avoid it, never store a log where an attacker can get to it and especially never store it where an attacker can modify it and erase his tracks, invalidating the usefulness of the log. In the UNIX/Linux world, its useful to direct log entries to a syslog on another machine.
115. Toxen, Bob, Real World Linux Security, Prentice-Hall, November, 2000, http://www.nerdbooks.com/item.html?id=0130281875
116. Musaji, Yusufali Fl, Auditing and Security, John Wiley, February, 2001, http://www.nerdbooks.com/item.html?id=0471383716
117. Smith, Gordon E., Network Auditing, John Wiley, April, 1999, http://www.nerdbooks.com/item.html?id=0471179752
118. Cox, Philip, Tom Sheldon, Windows 2000 Security Handbook, Osborne, November, 2000, http://www.nerdbooks.com/item.html?id=0072124334
119. Wadlow, Thomas, The Process of Network Security, Addison-Wesley, February, 2000, http://www.nerdbooks.com/item.html?id=0201433176
Home - Table Of Contents - Contact Us
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.