Security logs are invaluable for verifying whether the host's defenses are operating properly. Another reason to maintain logs is to ensure that forensic evidence is available when you need to reconstruct what happened after you have determined that something went wrong. Of course, each security safeguard is only as good as the actions taken upon it. A log file is of minimal value if you never look at it. As we discuss in Chapter 10, it is often wise to use software, such as host-based intrusion detection systems (IDSs), that can automatically notify the administrator when a suspicious event occurs. This helps provide effective responses to potential security threats.
A common alternative to having in-house staff monitor logs for signs of malicious activity is outsourcing this task to a company that provides security-monitoring services.
We devote Chapter 20, "Network Log Analysis," to the guidelines relevant to processing log entries from the network's perimeter security devices. The following section looks at logging issues specific to Windows and UNIX hosts.
Windows Logging and Auditing
Windows offers built-in tools that help administrators capture security-related events and audit the resulting log files. By default, Windows logs only general system events aimed at resolving system and application faults. To capture security-related information, you must enable auditing through the Local Security Policy editor (on a standalone system) or Group Policy (when using Active Directory). You can use the Event Viewer program to examine security log entries collected by the Windows auditing facility.
Figure 9.4 illustrates reasonable settings for a Windows workstation, although the specifics of the configuration will depend on your organization's requirements. As you can see, Windows allows you to log successful and failed actions associated with several categories of events. The more event types you choose to log, the more thorough your understanding will be of what takes place on the system. On the other hand, excessive auditing can degrade the host's performance, fill up its file system, and overwhelm you with superfluous log entries. Striking the right balance for event logging may require trying several different settings until you achieve the desired configuration.
Figure 9.4. You can use the Local Security Policy editor or Group Policy to enable security auditing in Windows.
UNIX Logging and Auditing
Like Windows, UNIX can gather detailed information regarding security events on the system, such as logon and logoff times, occurrences of failed logons, the use of privileged accounts, and even the commands users execute. The configuration of UNIX logging facilities is flexible and varies across UNIX flavors. However, here are some of the more standard log files:
A UNIX system stores event records in these log files using a binary format. As a result, you need to use the appropriate tools, specified in the preceding list, to view their contents.
Although the utmp and wtmp files exist by default on most UNIX platforms, you may need to explicitly create the btmp file for the system to log failed logon activity to that file.
In addition to maintaining the binary log files just mentioned, UNIX systems rely on the Syslog facility to centralize logging of security and other system events. Syslog typically uses the /etc/syslog.conf configuration file to determine what types of events to log and where to store the log files. Depending on how you configure it, Syslog can record messages from the kernel, user processes, the mail system, locally defined events, and so on. Syslog stores its records in text-based log files, which can be examined by regular text file viewers as well as through the use of the automated monitoring tools we mention in Chapter 10.
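The two kinds of UNIX log described above, the binary utmp/wtmp/btmp records and the text-based Syslog files, need different handling. The following Python script is an added example and not code from the book: it decodes a constructed wtmp image using the struct utmp layout that glibc writes on 64-bit Linux (an assumption; other UNIX flavors use different record layouts, which is exactly why the text says to use the platform's own tools), pairs logon and logoff records on the same terminal line into sessions, and then tallies "Failed password" messages from constructed sshd Syslog lines per source address so that repeated failures can be flagged. The log lines, addresses, user names and timestamps are all constructed sample data.

```python
"""Decode constructed utmp-format records and tally failed logons from constructed Syslog text.

Added example; not code from the book. The record layout below is an assumption
that holds for glibc on 64-bit Linux only.
"""
import re
import struct
from collections import Counter
from datetime import datetime, timezone

# struct utmp as written by glibc on 64-bit Linux (384 bytes per record, little-endian):
# ut_type(short) + 2 pad, ut_pid(int), ut_line[32], ut_id[4], ut_user[32], ut_host[256],
# ut_exit (2 x short), ut_session(int), ut_tv (2 x int32), ut_addr_v6[4] (int32), unused[20].
UTMP_FORMAT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384 on this layout

UT_TYPES = {
    0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
    5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS",
    9: "ACCOUNTING",
}


def _cstring(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width field into a Python string."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes) -> list:
    """Decode every full record in a utmp/wtmp/btmp image into a dict."""
    records = []
    for offset in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FORMAT, data, offset)
        ut_type, pid, line, _ident, user, host = fields[:6]
        tv_sec = fields[9]  # seconds since the epoch from ut_tv
        records.append({
            "type": UT_TYPES.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstring(line),
            "user": _cstring(user),
            "host": _cstring(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc),
        })
    return records


def make_utmp_record(ut_type: int, pid: int, line: str, user: str, host: str, when: int) -> bytes:
    """Build one record in the same layout; used here only to construct sample data."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, when, 0, 0, 0, 0, 0, b"")


def sessions(records: list) -> list:
    """Pair each USER_PROCESS (logon) with the next DEAD_PROCESS (logoff) on the same line.

    Returns (user, line, duration_seconds) tuples, which is the information behind
    the 'logon and logoff times' that wtmp captures.
    """
    open_by_line = {}
    result = []
    for rec in records:
        if rec["type"] == "USER_PROCESS":
            open_by_line[rec["line"]] = rec
        elif rec["type"] == "DEAD_PROCESS" and rec["line"] in open_by_line:
            start = open_by_line.pop(rec["line"])
            duration = int((rec["time"] - start["time"]).total_seconds())
            result.append((start["user"], rec["line"], duration))
    return result


# Constructed wtmp image: alice logs on to pts/0 and logs off one hour later.
SAMPLE_WTMP = (
    make_utmp_record(7, 4040, "pts/0", "alice", "198.51.100.7", 1_700_000_000)
    + make_utmp_record(8, 4040, "pts/0", "", "", 1_700_003_600)
)

# Constructed Syslog lines in the format sshd emits to the auth facility.
SAMPLE_AUTH_LOG = """\
Mar 10 14:02:11 host1 sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Mar 10 14:02:14 host1 sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 4423 ssh2
Mar 10 14:02:19 host1 sshd[4025]: Failed password for root from 203.0.113.5 port 4430 ssh2
Mar 10 14:05:02 host1 sshd[4040]: Accepted password for alice from 198.51.100.7 port 51022 ssh2
Mar 10 14:06:40 host1 sshd[4051]: Failed password for alice from 198.51.100.7 port 51030 ssh2
""".splitlines()

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def failed_logons_by_source(lines: list, threshold: int = 3) -> dict:
    """Count failed-password messages per source address; return those at or over threshold."""
    counts = Counter()
    for line in lines:
        match = FAILED_RE.search(line)
        if match:
            counts[match.group("src")] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for rec in parse_utmp(SAMPLE_WTMP):
        print(rec)
    print("sessions:", sessions(parse_utmp(SAMPLE_WTMP)))
    print("sources at threshold:", failed_logons_by_source(SAMPLE_AUTH_LOG))
```

The threshold in failed_logons_by_source is the kind of setting that needs the same tuning the text describes for Windows auditing: too low and every mistyped password pages the administrator, too high and a slow password-guessing attempt never surfaces. On a real system the binary image would come from /var/log/wtmp or the btmp file rather than from the constructed bytes here.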
Following best practices when configuring the host's security logging mechanisms helps detect malicious activity during the early stages of an attack. This also allows administrators to determine what happened in the event of a successful compromise. Another critical aspect of host hardening, which we discuss in the following section, involves installing patches to address security vulnerabilities.