Auditing and logging should be used to help detect suspicious activity such as footprinting or possible password cracking attempts before an exploit actually occurs. They can also help deal with the threat of repudiation. It is much harder for a user to deny performing an operation if a series of synchronized log entries on multiple servers indicates that the user performed that transaction.
Top auditing and logging related threats include:
User denies performing an operation
Attackers exploit an application without leaving a trace
Attackers cover their tracks
The issue of repudiation is concerned with a user denying that he or she performed an action or initiated a transaction. You need defense mechanisms in place to ensure that all user activity can be tracked and recorded.
Countermeasures to help prevent repudiation threats include:
Audit and log activity on the Web server and database server, and on the application server as well, if you use one.
Log key events such as transactions and login and logout events.
Do not use shared accounts, because the original source of an action cannot then be determined.
System and application-level auditing is required to ensure that suspicious activity does not go undetected.
Countermeasures to detect suspicious activity include:
Log critical application level operations.
Use platform-level auditing to audit login and logout events, access to the file system, and failed object access attempts.
Back up log files and regularly analyze them for signs of suspicious activity.
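The "regularly analyze them" step is where a password cracking attempt becomes visible: a burst of failed logins for one account from one source. The following is an added example (it is not part of the original guidance) that scans audit log lines for such bursts. The space-separated log format, the sample lines, the threshold and the window are all constructed for the illustration.

```python
"""Scan audit log lines for bursts of failed logins (possible password guessing).

Added example, not from the original guidance. The log format is a constructed
one: "<ISO timestamp> <event> user=<u> src=<ip> result=<r>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one normal session for alice,
# six rapid failures for bob from one address, one stray failure for carol.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z login user=alice src=10.0.0.5 result=success
2024-03-01T10:00:05Z login user=bob src=10.0.0.9 result=failure
2024-03-01T10:00:06Z login user=bob src=10.0.0.9 result=failure
2024-03-01T10:00:07Z login user=bob src=10.0.0.9 result=failure
2024-03-01T10:00:08Z login user=bob src=10.0.0.9 result=failure
2024-03-01T10:00:09Z login user=bob src=10.0.0.9 result=failure
2024-03-01T10:00:10Z login user=bob src=10.0.0.9 result=failure
2024-03-01T10:20:00Z login user=carol src=10.0.0.7 result=failure
2024-03-01T10:21:00Z logout user=alice src=10.0.0.5 result=success
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts', 'event' and key=value fields."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return (user, src, count) for each (user, src) pair whose failed logins
    reach `threshold` within any sliding `window`. Each pair is reported once."""
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    alerted = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] != "login" or rec.get("result") != "failure":
            continue
        key = (rec["user"], rec["src"])
        failures = recent[key]
        failures.append(rec["ts"])
        # Drop failures that fell out of the sliding window.
        while failures and rec["ts"] - failures[0] > window:
            failures.popleft()
        if len(failures) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((rec["user"], rec["src"], len(failures)))
    return alerts


if __name__ == "__main__":
    for user, src, count in find_failed_login_bursts(SAMPLE_LOG):
        print(f"possible password guessing: user={user} src={src} failures={count}")
```

Keying the window on (user, source) keeps a single mistyped password from alerting while still catching a sustained run against one account; a second pass keyed on source alone would additionally surface one address spraying many accounts.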
Your log files must be well-protected to ensure that attackers are not able to cover their tracks.
Countermeasures to help prevent attackers from covering their tracks include:
Secure log files by using restricted ACLs.
Relocate system log files away from their default locations.
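Restricted ACLs and relocated files make logs harder to reach; a keyed hash chain additionally makes any successful edit detectable, and the same chained records give the synchronized, attributable trail that counters repudiation (the key events listed earlier: logins, logouts, transactions). The following is an added example, not code from the original guidance. It assumes the HMAC key is held by a separate log server or HSM rather than by the host that writes the entries, and that the chain head is stored out of band; the sample records are constructed.

```python
"""Tamper-evident audit log: each entry's tag covers the previous entry's tag,
so modifying, deleting or reordering a record breaks verification, and a
separately stored chain head exposes truncation.

Added example, not from the original guidance. Assumes the HMAC key lives on
the log server or in an HSM, not on the application host.
"""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # fixed starting "previous tag" for an empty log


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []        # each entry: {"record": ..., "prev": ..., "tag": ...}
        self._prev_tag = GENESIS

    def _tag(self, record: dict, prev_tag: str) -> str:
        # Canonical JSON so the same record always yields the same tag.
        msg = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, user: str, action: str, detail: str, ts=None):
        """Record a key event (login, logout, transaction) attributed to a user."""
        record = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user, "action": action, "detail": detail,
        }
        entry = {"record": record, "prev": self._prev_tag,
                 "tag": self._tag(record, self._prev_tag)}
        self.entries.append(entry)
        self._prev_tag = entry["tag"]
        return entry

    def verify(self, entries=None, expected_head=None):
        """Return (ok, index): index is the first bad entry, or len(entries) when
        the chain is intact (or when it is intact but shorter than expected_head)."""
        entries = self.entries if entries is None else entries
        prev = GENESIS
        for i, e in enumerate(entries):
            if e["prev"] != prev or e["record"]["seq"] != i:
                return False, i                      # reordered or deleted entry
            if not hmac.compare_digest(e["tag"], self._tag(e["record"], prev)):
                return False, i                      # modified entry or wrong key
            prev = e["tag"]
        if expected_head is not None and prev != expected_head:
            return False, len(entries)               # entries removed from the end
        return True, len(entries)


def demo():
    """Build a short log, then check that each kind of tampering is detected."""
    log = AuditLog(key=b"constructed-demo-key")  # constructed key for the example
    log.append("alice", "login", "ok", ts="2024-03-01T10:00:01+00:00")
    log.append("alice", "transfer", "acct 42 -> 17, 500.00", ts="2024-03-01T10:05:30+00:00")
    log.append("alice", "logout", "ok", ts="2024-03-01T10:06:00+00:00")
    head = log.entries[-1]["tag"]                 # stored out of band in practice

    intact = log.verify(expected_head=head)
    tampered = copy.deepcopy(log.entries)
    tampered[1]["record"]["detail"] = "acct 42 -> 17, 5.00"
    modified = log.verify(tampered, expected_head=head)
    deleted = log.verify(tampered[:1] + tampered[2:], expected_head=head)
    truncated = log.verify(log.entries[:2], expected_head=head)
    return intact, modified, deleted, truncated


if __name__ == "__main__":
    print(demo())  # -> ((True, 3), (False, 1), (False, 1), (False, 2))
```

The chain alone cannot tell a log that was cut short from one that simply stopped; that is why the head tag has to be recorded somewhere the application host cannot write, which is the same reasoning behind keeping the logs themselves off their default locations and behind restricted ACLs.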