Difference between revisions of "Log review and management"
Anthonylai (talk | contribs) (→Log Review Tips)
Revision as of 09:39, 17 March 2007
Overview
Purpose:
- Communicate potential risks to stakeholders.
- Communicate the rationale for security-relevant decisions to stakeholders.
Role:
- who typically does this
Frequency:
Log Review Tips
Critical systems require at least daily log review; however, what types of logs/activities should we pay attention to?
1. Consecutive login failures, especially outside office hours.
2. Logins outside office hours.
3. Authority changes, additions and removals. Check them against the authorized application.
4. Any system administrator's activities.
5. Any unknown workstation/server plugged into the network?
6. Log removal / logs overwritten / log storage full.
7. Pay more attention to the log reports after weekends and holidays.
8. Any account unlocked or password reset by system administrators without an authorized form?
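As an added example (not part of the OWASP page), the following Python filter applies tips 1 to 4 and 6 to constructed auth-log lines; the log format, the office-hours window, the failure threshold and the list of authority-changing commands are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an auth-log style (not taken from the page).
SAMPLE_LOG = """\
2007-03-17 02:14:03 host1 sshd: Failed password for alice from 10.0.0.5
2007-03-17 02:14:09 host1 sshd: Failed password for alice from 10.0.0.5
2007-03-17 02:14:15 host1 sshd: Failed password for alice from 10.0.0.5
2007-03-17 02:15:00 host1 sshd: Accepted password for alice from 10.0.0.5
2007-03-17 10:30:00 host1 sshd: Accepted password for bob from 10.0.0.7
2007-03-17 11:00:00 host1 sudo: bob : COMMAND=/usr/sbin/usermod -aG wheel carol
2007-03-17 23:50:00 host1 audit: log file /var/log/auth.log cleared by root
"""

OFFICE_HOURS = range(8, 18)   # assumed policy: 08:00-17:59 counts as office hours
FAIL_THRESHOLD = 3            # assumed: three consecutive failures is worth a look
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+): (.*)$")
AUTH_CMDS = ("usermod", "useradd", "userdel", "chmod", "chown", "setfacl")

def review_log(text, office_hours=OFFICE_HOURS, threshold=FAIL_THRESHOLD):
    """Return a list of (rule, line) findings matching the review tips above."""
    findings = []
    fails = defaultdict(int)  # consecutive failed logins, per user
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # unparseable line: skipped here, but count these in a real review
        ts, _host, prog, msg = m.groups()
        hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
        suffix = "" if hour in office_hours else "_after_hours"
        user = re.search(r"password for (\S+)", msg)
        if user and msg.startswith("Failed password"):
            fails[user.group(1)] += 1
            if fails[user.group(1)] == threshold:   # tip 1: report once when the streak hits the threshold
                findings.append(("consecutive_failures" + suffix, line))
        elif user and msg.startswith("Accepted password"):
            fails[user.group(1)] = 0                # a successful login ends the failure streak
            if suffix:
                findings.append(("login_after_hours", line))     # tip 2
        if prog == "sudo":
            findings.append(("admin_activity", line))            # tip 4
            if any(cmd in msg for cmd in AUTH_CMDS):
                findings.append(("authority_change", line))      # tip 3
        if prog == "audit" and any(w in msg for w in ("cleared", "overwritten", "full")):
            findings.append(("log_tampering", line))             # tip 6
    return findings

if __name__ == "__main__":
    for rule, line in review_log(SAMPLE_LOG):
        print(f"{rule:32} {line}")
```

Tips 5, 7 and 8 need data that is not in a host's auth log (network inventory, the calendar, the paper approval trail), so they are left to the reviewer.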
Subactivity 2
Describe the subactivity here
Subactivity 3
Describe the subactivity here