Log review and management
Revisions by Anthonylai (talk | contribs): →Log Review Tips, →Subactivity 2
Revision as of 09:55, 17 March 2007
Overview
Purpose:
- Communicate potential risks to stakeholders.
- Communicate the rationale for security-relevant decisions to stakeholders.
Role:
- who typically does this
Frequency:
Log Review Tips
Critical systems require at least daily log review; but which log entries and activities deserve attention?
1. Consecutive login failures, especially outside office hours.
2. Logins outside office hours.
3. Authority changes, additions and removals. Check them against the authorized request forms.
4. Any system administrator activity.
5. Any unknown workstation or server plugged into the network.
6. Log removal, log overwriting, or a full log store.
7. Pay extra attention to the log reports after weekends and holidays.
8. Any account unlocked or password reset by system administrators without an authorized request form.
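The checklist above is easier to apply when it is turned into mechanical checks that run over the previous day's audit log. The following is an added illustration, not code from the OWASP page: it parses constructed log lines in an assumed pipe-delimited layout and raises a finding for each tip that can be checked from the log alone (consecutive failures, logins outside office hours, authority changes and password resets with no authorized reference, log-integrity events, administrator activity, and which report dates fall on a weekend or holiday). The office hours, failure threshold, event names and the `ref=none` convention are all assumptions of the example.

```python
"""Added example (not from the OWASP page): the review checks in the tips above,
run over constructed audit-log lines. Field layout, thresholds, event names and
office hours are assumptions for the illustration."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log, not from any real system.
# Assumed layout: timestamp|user|event|source_ip|detail
# (16 Mar 2007 is a Friday, 17 Mar 2007 a Saturday)
SAMPLE_LOG = """\
2007-03-16 02:10:05|jdoe|LOGIN_FAIL|10.0.0.12|bad password
2007-03-16 02:10:40|jdoe|LOGIN_FAIL|10.0.0.12|bad password
2007-03-16 02:11:02|jdoe|LOGIN_FAIL|10.0.0.12|bad password
2007-03-16 02:11:30|jdoe|LOGIN_OK|10.0.0.12|
2007-03-16 09:30:00|asmith|LOGIN_OK|10.0.0.44|
2007-03-16 10:15:00|admin01|ROLE_CHANGE|10.0.0.2|granted ADMIN to bwong ref=none
2007-03-16 10:16:00|admin01|PASSWORD_RESET|10.0.0.2|target=clee ref=none
2007-03-16 11:00:00|admin01|ROLE_CHANGE|10.0.0.2|granted AUDIT to asmith ref=CR-1234
2007-03-16 23:40:00|svc_backup|LOG_CLEARED|10.0.0.9|security log cleared
2007-03-17 22:05:00|bwong|LOGIN_OK|10.0.0.77|
"""

OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)   # assumed office hours, Mon-Fri
FAIL_THRESHOLD = 3                                   # assumed: 3 failures in a row
ADMIN_USERS = {"admin01"}                            # assumed admin accounts (tip 4)
AUTHORITY_EVENTS = {"ROLE_CHANGE", "PASSWORD_RESET", "ACCOUNT_UNLOCK"}  # tips 3 and 8
LOG_INTEGRITY_EVENTS = {"LOG_CLEARED", "LOG_OVERWRITTEN", "LOG_FULL"}  # tip 6


def parse(log_text):
    """Split the pipe-delimited lines into dicts carrying a real datetime."""
    records = []
    for line in log_text.strip().splitlines():
        ts, user, event, ip, detail = line.split("|", 4)
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                        "user": user, "event": event, "ip": ip, "detail": detail})
    return records


def is_office_hours(ts):
    """Weekday and inside the assumed office window."""
    return ts.weekday() < 5 and OFFICE_START <= ts.time() < OFFICE_END


def review(log_text):
    """Return (finding, user, outside_office_hours) tuples in log order."""
    findings = []
    streak = defaultdict(int)          # consecutive LOGIN_FAIL count per user
    for r in parse(log_text):
        off = not is_office_hours(r["ts"])
        if r["event"] == "LOGIN_FAIL":
            streak[r["user"]] += 1
            if streak[r["user"]] == FAIL_THRESHOLD:        # tip 1
                findings.append(("consecutive_login_failures", r["user"], off))
        else:
            streak[r["user"]] = 0                          # any other event breaks the run
        if r["event"] == "LOGIN_OK" and off:               # tip 2
            findings.append(("login_outside_office_hours", r["user"], off))
        if r["event"] in AUTHORITY_EVENTS and "ref=none" in r["detail"]:
            # tips 3 and 8: no reference to an authorized request form
            findings.append(("unauthorized_" + r["event"].lower(), r["user"], off))
        if r["event"] in LOG_INTEGRITY_EVENTS:              # tip 6
            findings.append(("log_integrity", r["user"], off))
        if r["user"] in ADMIN_USERS:                        # tip 4
            findings.append(("admin_activity", r["user"], off))
    return findings


def weekend_or_holiday_followup(log_text, holidays=()):
    """Tip 7: report dates that fall on a weekend or listed holiday."""
    days = {r["ts"].date() for r in parse(log_text)}
    return sorted(d for d in days if d.weekday() >= 5 or d in holidays)


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
    print("review closely after:", weekend_or_holiday_followup(SAMPLE_LOG))
```

Each finding carries the outside-office-hours flag so the reviewer can sort the "especially in non-office hours" cases to the top; the authority-change check only works if the audit trail records a reference to the approving form, which is one reason the log standard below asks for a description field on every activity.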
Log Standard
Whether we work in-house or as consultants, we face a different log format and standard on every system. Why not give developers a standard or guideline before they design the user-administration and audit-trail functions, so that those functions satisfy the required security controls?
Functions:-
- Search - By date and time, by event type, by criticality, by account/user ID, by department
- Sorting - By date and time, by event type, by criticality, by account/user ID, by department
- Paging (Optional)
- Critical events are marked with "*"
- Show expired and inactive accounts (for example: no access for 90 days)
Mandatory Fields:-
- User ID and Name
- Activity Date/Timestamp
- Activity Type and Description
- Terminal IP address and Location
User Account List:-
- User Info - Name, Department, Role
- Last Accessed Time
- Account Creation Date/Time
- Current Authority and Role
- Account authority and information change history
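To make the standard concrete for a developer, here is an added example (not OWASP's code) of a minimal audit-trail model: an event record with the mandatory fields, search by time window or exact field value, sorting by the listed keys, optional paging, the "*" mark on critical events, and a user-account list that surfaces expired or inactive accounts after 90 days together with each account's change history. The `department` and `critical` attributes, the 90-day threshold, and all sample records are assumptions constructed for the illustration.

```python
"""Added example (not from the OWASP page): a minimal audit-trail model that
implements the functions, mandatory fields and user account list of the log
standard above. Sample records are constructed, not from any real system."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from operator import attrgetter
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AuditEvent:
    """One audit-trail record carrying the standard's mandatory fields."""
    user_id: str                 # User ID
    user_name: str               # User Name
    timestamp: datetime          # Activity Date/Timestamp
    event_type: str              # Activity Type
    description: str             # Activity Description
    terminal_ip: str             # Terminal IP address
    location: str                # Terminal location
    department: str              # assumed field so search/sort by department works
    critical: bool = False       # assumed flag; critical events are rendered with "*"


@dataclass
class UserAccount:
    """One entry of the User Account List."""
    user_id: str
    name: str
    department: str
    role: str                                        # Current Authority and Role
    created: datetime                                # Account Creation Date/Time
    last_accessed: Optional[datetime]                # Last Accessed Time (None = never)
    change_history: List[Tuple[datetime, str]] = field(default_factory=list)


SORT_KEYS = {"timestamp", "event_type", "critical", "user_id", "department"}
INACTIVE_AFTER = timedelta(days=90)   # assumed threshold ("for example: 90 days")


def search(events, start=None, end=None, **exact):
    """Filter by an optional time window and by exact match on any other field."""
    out = []
    for e in events:
        if start is not None and e.timestamp < start:
            continue
        if end is not None and e.timestamp > end:
            continue
        if all(getattr(e, key) == value for key, value in exact.items()):
            out.append(e)
    return out


def sort_events(events, key="timestamp", reverse=False):
    """Sort by one of the keys the standard lists; anything else is rejected."""
    if key not in SORT_KEYS:
        raise ValueError("unsupported sort key: " + key)
    return sorted(events, key=attrgetter(key), reverse=reverse)


def paginate(items, page, page_size=2):
    """Optional paging: 1-based page number over an already sorted list."""
    start = (page - 1) * page_size
    return items[start:start + page_size]


def render(e):
    """Critical events are prefixed with '*' as the standard requires."""
    mark = "*" if e.critical else " "
    return (f"{mark} {e.timestamp:%Y-%m-%d %H:%M} {e.user_id} {e.event_type} "
            f"{e.terminal_ip} ({e.location}) {e.description}")


def inactive_accounts(accounts, now, threshold=INACTIVE_AFTER):
    """Accounts never used, or unused for at least the threshold, are listed for review."""
    return [a for a in accounts
            if a.last_accessed is None or now - a.last_accessed >= threshold]


# Constructed sample data, not from any real system.
NOW = datetime(2007, 3, 17, 9, 0)
EVENTS = [
    AuditEvent("jdoe", "J. Doe", datetime(2007, 3, 16, 2, 10), "LOGIN_FAIL",
               "bad password", "10.0.0.12", "Branch A", "Finance"),
    AuditEvent("admin01", "Admin One", datetime(2007, 3, 16, 10, 15), "ROLE_CHANGE",
               "granted ADMIN to bwong", "10.0.0.2", "HQ", "IT", critical=True),
    AuditEvent("asmith", "A. Smith", datetime(2007, 3, 16, 9, 30), "LOGIN_OK",
               "", "10.0.0.44", "HQ", "Finance"),
]
ACCOUNTS = [
    UserAccount("jdoe", "J. Doe", "Finance", "USER", datetime(2006, 1, 10),
                datetime(2007, 3, 16, 2, 11)),
    UserAccount("oldtemp", "Old Temp", "HR", "USER", datetime(2006, 6, 1),
                datetime(2006, 11, 1)),
    UserAccount("nevused", "Never Used", "HR", "AUDIT", datetime(2007, 1, 5), None,
                [(datetime(2007, 1, 6), "role changed USER -> AUDIT")]),
]

if __name__ == "__main__":
    for e in sort_events(EVENTS):
        print(render(e))
    print("inactive:", [a.user_id for a in inactive_accounts(ACCOUNTS, NOW)])
```

Keeping the record type frozen is deliberate: audit entries should be appended, never edited, and a reviewer filtering with `search(EVENTS, department="Finance")` or `search(EVENTS, critical=True)` gets the same answer on every run. The change history lives on the account rather than in the event stream so the "authority and information change history" view can be produced without re-scanning every log.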
Subactivity 3
Describe the subactivity here