I read your tip on log analysis and management and was hoping you could elaborate further on audit log security. Is it possible to make logs tamper-proof? If so, what is needed to build a tamper-proof audit log? Is there any way to limit the information that needs to be exchanged to verify entries?
Ask the Expert!
Have questions about network security for expert Matt Pascucci? Send them via email today! (All questions are anonymous.)
While it's not possible to make logs 100% tamper-proof (because it's impossible to make anything 100% tamper-proof), there are plenty of steps security managers or administrators can take to ensure the security and integrity of IT system logs.
Many administrators don't go the last mile when it comes to securing their audit logs. This is a somewhat overlooked part of log management, and many times it is assumed that logs are completely secure when there is a log management solution in place.
Keeping your logs secure is a must, however, especially if there is ever a need to go back to them to review a breach. When compromising a system, attackers commonly remove the logs to cover their tracks. If an attacker completely owns a box, all the logs locally on this system are to be taken with a grain of salt. When an attacker has admin privileges or root, the possibilities are endless. So what can be done to protect the integrity of a company's logs?
For starters, administrators should have those logs removed from the local machine as soon as possible. If you're only logging locally to a system, you may lose those logs in the event of a system failure or intentional destruction by someone with administrative access to the server. It's crucial to have the capability to send your logs to a centralized log management system for safe keeping. There are many vendors that will assist with this, but having the capability to log directly to another system helps with keeping a true copy of the logs on your system. Making sure that the logs are encrypted in transit to the log management system and then are encrypted at rest is another measure that needs to be taken to secure long-term copies of logs.
Once you've verified that the logs are going to a secured location and that all the systems and applications are being logged at the right audit level, it's important to start creating reports and looking at trends in the logs. For example, by searching for "Event Log Cleared" events in your Windows system, you can see if someone has intentionally cleared the logs. Also, looking for anyone adding or inserting audit logs, deleting audit logs, or even truncating them is a good way to monitor logs for suspicious activity. Gaps in security logs or trends in corrupt logs are two red flags to watch for that would indicate potential misuse.
Lastly, setting up file integrity monitoring to allow an alert or report (like those above) as to when and who changed these logs is extremely important. This runs on most systems and can be very helpful when trying to decipher why certain files or logs are the way they are.
This was first published in March 2013