As an IT administrator, knowing the precise sequence of activities that affect a specific operation, procedure, or event within a company is very valuable. This is where audit logging (sometimes called event logging or system logging) comes in. Logging creates an “audit trail”—a security-relevant chronological record, or set of records, that documents an organization’s digital footsteps day to day. Keeping detailed records of daily activities allows further visibility into employees' actions and helps to keep that company more secure. For example, audit logs act as a detective control because their trails provide evidence if a hacker or user engages in unauthorized activity.
Audit logging is also helpful when it comes to SSL Certificate management. If a certificate is misissued, lost, or needs to be renewed, audit logging gives administrators and other users the ability to retrace their steps. Having a log of user activities helps companies remain organized and also helps when dealing with unforeseen circumstances, including security violations, performance problems, and system flaws.

Audit Logging Reinforces Enterprise Security
This article from WeLiveSecurity states “logging user actions can help [companies] improve security in a variety of ways” because it provides a way for administrators to “reconstruct events, detect intrusions, and analyze problems such as poor performance or unexpected system behavior.” The following includes other ways audit logging can reinforce an enterprise’s security.

Detect Security Breaches
Having detailed audit logs helps companies monitor data and keep track of potential security breaches or internal misuses of information. They help to ensure users follow all documented protocols and also assist in preventing and tracking down fraud. Any sort of intrusion can be detected in real-time by examining audit records as they are created. Importantly, to maximize the security benefits of audit logging, the logs should be reviewed often enough to detect security incidents as early as possible.

Assess System Damages
Audit trails can be used to reconstruct events after a problem has occurred. “Damage can be more easily assessed by reviewing audit trails of system activity to pinpoint how, when, and why normal operations ceased,” according to The National Institute of Standards and Technology in outlining how and why organizations should use audit logging.

Aid in Recovery Processes
Understanding how and why a system crash or an intrusion occurred is pertinent to avoiding similar outcomes in the future.
Audit logs can help in situations regarding data loss or corruption by allowing administrators to reconstruct data files through the changes recorded in the logs.

Audit Logging with CertCentral®
DigiCert CertCentral® is a platform created to consolidate certificate monitoring, SSL deployment, certificate inspection, and PKI management. With CertCentral®, administrators can also access audit logs within the account. These logs capture important details such as when a certificate is requested, if a certificate is mis-issued, when a certificate is approved, and other actions. By using the “action” bar, a user can look up recorded logs of their choosing, and all records show the date and time an action was performed, the user that performed the action, the user’s division, and more, with all information organized conveniently on the intuitive dashboard.

Keeping detailed audit logs provides a company many different benefits. If an enterprise makes sure to track and review the logs regularly rather than allowing them to pile up, audit logs can be utilized to reconstruct events, detect intrusions, and analyze problems such as poor performance or unexpected system behavior. Audit logging is an efficient way to help enterprises observe their environment more effectively and to keep their data secure.
Most software and systems generate audit logs. They are a means to examine what activities have occurred on the system and are typically used for diagnostic performance and error correction. System Administrators, network engineers, developers, and help desk personnel all use this data to aid them in their jobs and maintain system stability. Audit logs have also taken on new importance for cybersecurity and are often the basis of forensic analysis, security analysis, and criminal prosecution. Similar to other types of log data, when incorrectly configured, compromised, or corrupted, audit logs are useless. Because of their growing importance, and to extract the most value from them, we’ve put together some useful information on the basics of audit logging.

What are audit logs?
Let’s start with the basics — what exactly are audit logs? Audit logs vary between applications, devices, systems, and operating systems but are similar in that they capture events which can show “who” did “what” activity and “how” the system behaved. An administrator or developer will want to examine all types of log files to get a complete picture of normal and abnormal events on their network. A log file event will indicate what action was attempted and if it was successful. This is critical to check during routine activities like updates and patching, and also to determine when a system component is failing or incorrectly configured. For the sake of space and time, we will examine primarily operating system logs, but you’d do well to examine all systems in your environment to get a good understanding of the logs, log configurations, file formats, and event types that you can gather. Here are common Linux log file names and a short description of their usage:
For example, in terms of security analysis you may want to examine user session (login) interaction on a Linux system. Linux session information is stored in different *tmp files. To display the contents of /var/run/utmp, run the following command:
utmpdump /var/run/utmp
Do the same with /var/log/wtmp:
utmpdump /var/log/wtmp
And finally with /var/log/btmp:
utmpdump /var/log/btmp
The output format in these three cases is similar. Note that the event records in the utmp and btmp are arranged chronologically, while in the wtmp, the order is reversed. With Microsoft Windows, event management is typically done with the Event Viewer application, rather than the command prompt. The screenshots below illustrate the Microsoft Event Viewer interface that allows you to examine logs used for Security, Administration, System, and Setup activities. (With Server 2008/Vista and up, the logs are stored in the %SystemRoot%\system32\winevt\logs directory.) A similar Windows login/session audit log event might look like this: Some important points to keep in mind:
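The three files above share one binary record layout (struct utmp, documented in utmp(5)), so the same parser serves all of them. The following is an added example, not part of the original article: it decodes records in the x86-64 glibc layout from a constructed byte string, then answers the two questions a reviewer typically asks of wtmp and btmp (who logged in, and which remote hosts keep failing). The sample records, user names and RFC 5737 addresses are constructed, not captured data.

```python
import struct
from collections import Counter

# struct utmp as laid out by glibc on x86-64 (384 bytes per record, see utmp(5)).
# Assumption: little-endian host, 32-bit ut_session/ut_tv fields as in glibc's header.
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
assert UTMP.size == 384
USER_PROCESS, DEAD_PROCESS = 7, 8   # ut_type values from utmp(5)

def _cstr(raw):
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_utmp(blob):
    """Yield one dict per record; utmp, wtmp and btmp all use this layout."""
    for off in range(0, len(blob) - UTMP.size + 1, UTMP.size):
        (ut_type, pid, line, _ut_id, user, host, _term, _exit,
         _session, tv_sec, _tv_usec, *_addr) = UTMP.unpack_from(blob, off)
        yield {"type": ut_type, "pid": pid, "line": _cstr(line),
               "user": _cstr(user), "host": _cstr(host), "time": tv_sec}

def logins_by_user(blob):
    """wtmp view: count USER_PROCESS records (session starts) per user."""
    return Counter(r["user"] for r in parse_utmp(blob) if r["type"] == USER_PROCESS)

def noisy_hosts(blob, threshold=3):
    """btmp view: every record is a failed attempt; flag hosts at or above threshold."""
    counts = Counter(r["host"] for r in parse_utmp(blob))
    return {h: n for h, n in counts.items() if n >= threshold}

def make_record(ut_type, pid, line, user, host, tv_sec):
    """Build a constructed record for the sample data below (struct pads with NULs)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(), host.encode(),
                     0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

# Constructed sample data (not a real capture); RFC 5737 documentation addresses.
SAMPLE_BTMP = b"".join(
    [make_record(USER_PROCESS, 4242, "ssh:notty", "root", "198.51.100.7", 1700000000 + i)
     for i in range(4)]
    + [make_record(USER_PROCESS, 4300, "ssh:notty", "alice", "192.0.2.15", 1700000100)])
SAMPLE_WTMP = b"".join([
    make_record(USER_PROCESS, 5001, "pts/0", "alice", "192.0.2.15", 1700000200),
    make_record(DEAD_PROCESS, 5001, "pts/0", "", "", 1700000900),
    make_record(USER_PROCESS, 5002, "pts/1", "bob", "192.0.2.16", 1700000300),
])

if __name__ == "__main__":
    print("logins per user:", dict(logins_by_user(SAMPLE_WTMP)))
    print("hosts with repeated failures:", noisy_hosts(SAMPLE_BTMP))
```

To run it against a real file, pass `open("/var/log/wtmp", "rb").read()` in place of the constructed blobs; the layout differs on 32-bit and non-glibc systems.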
Why audit logging?
Now that we have a better understanding of what audit logs are, let’s review some of the core benefits of collecting this data from your environment, whether it’s a data center, server/workstation, or even application logs.

Promote accountability
For example, audit logs can be used in tandem with access controls to identify and provide information about users suspected of improper modification of access privileges or data. To do this effectively, event logs have to be captured and stored regularly and securely to show behavior before and after an event has occurred.

Reconstruction of events
Event logs may also be used to essentially “replay” events in sequence to help understand how a damaging event has occurred. Analysis can distinguish between system, application, or operator errors. Gaining knowledge of system conditions prior to the time of an error is a way to prevent future failures. Additionally, if logs are configured to capture detailed transactions, data can sometimes be reconstructed from logs.

Security and forensics
Because event logs work in concert with logical access controls, actions taken are pinpointed to specific users and devices. This information can be used to see when a user account may have been hacked, and then if user account privileges were escalated to access specific files or directories with sensitive information. Logs could also show who copied, printed, or deleted specific files, and when.

Audit logging requirements
From the information above, it is fairly clear that audit logging is system-based. There are audit logging systems on network devices and within applications and operating systems. Within logging services on stand-alone systems, there can be further log subtypes for gathering specific types of events, like security events, system events, and specific services.
Modern web-oriented systems are based on auto-scaling components and have blurred the lines between traditional “servers” and the applications that run on them. Audit logging now involves collecting data from a large number of data sources, which poses a series of challenges necessitating a log management solution — data collection, storage, protection, parsing of the data and its subsequent analysis. When looking for a solution, some of the key considerations are:
There is a wide array of solutions available in the market that support audit logging and centralized logging as a whole. ELK (Elasticsearch, Logstash and Kibana) is the most common open source solution used, while SIEM systems are more tailored for a security use case.

Using audit logging for security and compliance
Simply put, without audit logging, any action by a malicious actor on a system can go totally unnoticed. Needless to say, this is a significant risk when trying to protect your environment or recover sensitive information for operations. Yes – audit logs are valuable for detecting and analyzing production issues, but they can also provide the underpinning for a security system. Security compliance programs and certifications reflect industry best practices and focus on high risk, and it is not a coincidence that they include audit logging as an ingredient for compliance. Below is a list of compliance programs with reference to audit logging components:

Audit logging best practices
The following are recommendations for system settings and configurations that can help you use audit logs for security and compliance.

Log system configuration
Logs are composed of event entries, which capture information related to a specific event that has occurred. Log format will vary between sources, platforms, or application, but each recorded event should capture at a minimum the following:
o Start-up and shut-down of the system
o Start-up and shut-down of a service
o Network connection changes or failures
o Changes to, or attempts to change, system security settings and controls
o Log-on attempts (successful or unsuccessful)
o The function(s) performed after logging on (e.g., reading or updating a critical file, software installation)
o Account changes (e.g., account creation and deletion, account privilege assignment)
o Successful/failed use of privileged accounts
o Successful and failed application authentication attempts
o Application account changes (e.g., account creation and deletion, account privilege assignment)
o Use of application privileges
o Application startup and shutdown
o Application failures
o Major application configuration changes
o Application transactions, for example:
  – e-mail servers recording the sender, recipients, subject name, and attachment names for each e-mail
  – Web servers recording each URL requested and the type of response provided by the server
  – business applications recording which financial records were accessed by each user

Sync the timestamp
Without logs using a common format for the timestamp field, typical correlation between logs and sequential analysis would be almost impossible. It is a compliance requirement for a number of standards that NTP (Network Time Protocol) be synchronized for all devices, servers, and applications. This configuration is typically applied globally within an enterprise with a backup source should the primary fail. If you are using a log aggregator/processor such as Logstash, you can make sure the timestamp is applied across all the audit logs as they are processed.

Log file security
Audit logs are also a prime target for attackers who are looking to cover evidence of their activities and to maximize opportunities to compromise data. To prevent malicious actors from hiding their activities, administrators must configure audit logging to enforce strong access control around audit logs and limit the number of user accounts that can modify audit log files. Finally, if audit logs are transmitted for remote collection or archive/backup, administrators should ensure the transmission is secure, providing encryption in transmission and encryption for backups. This will improve the chances that the logs will be usable, if necessary, for forensic analysis of events.
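The event lists, the timestamp requirement and the log file security section above all come together in how a single entry is written. The following is an added example, not part of the original article: each entry carries a normalized UTC timestamp plus actor, action, target and outcome, and each line records the SHA-256 of the line before it, so a deleted or edited entry is detectable on verification. The collector-side seal, key name and sample events are assumptions constructed for the example; access control and encrypted transport, as the text describes, are still required around the file itself.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Each JSON line stores the SHA-256 of the previous line (a hash chain). The chain end is
# sealed with an HMAC under a key the log collector holds, so rewriting the whole file
# without that key is also detectable. KEY is a placeholder, not a production secret.
GENESIS = "0" * 64
KEY = b"collector-key-placeholder"

def append_event(log, actor, action, target, outcome, when=None):
    """Append one entry to `log` (a list of JSON strings), chained to the previous entry."""
    prev = hashlib.sha256(log[-1].encode()).hexdigest() if log else GENESIS
    when = when or datetime.now(timezone.utc)
    entry = {"ts": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
             "actor": actor, "action": action, "target": target,
             "outcome": outcome, "prev": prev}
    log.append(json.dumps(entry, sort_keys=True, separators=(",", ":")))
    return log

def seal(log, key):
    """HMAC over the hash of the last entry; stored by the collector, not beside the log."""
    last = hashlib.sha256(log[-1].encode()).hexdigest() if log else GENESIS
    return hmac.new(key, last.encode(), hashlib.sha256).hexdigest()

def verify(log, key, tag):
    """Return (ok, index of first broken entry or None): walk the chain, then check the seal."""
    prev = GENESIS
    for i, line in enumerate(log):
        if json.loads(line).get("prev") != prev:
            return False, i          # entry i was edited, or an entry before it was removed
        prev = hashlib.sha256(line.encode()).hexdigest()
    return hmac.compare_digest(seal(log, key), tag), None

def demo():
    """Constructed sample: three events, then an intruder deletes the denied-access line."""
    t0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    log = append_event([], "alice", "login", "srv01", "success", t0)
    append_event(log, "alice", "read", "/etc/shadow", "denied", t0)
    append_event(log, "alice", "privilege_change", "sudoers", "success", t0)
    tag = seal(log, KEY)
    tampered = log[:1] + log[2:]
    return verify(log, KEY, tag), verify(tampered, KEY, tag)

if __name__ == "__main__":
    print("intact:", demo()[0], "after deletion:", demo()[1])
```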
Endnotes
Audit logging necessitates understanding the architecture of your system and the different components comprising it. Understanding how the different building blocks communicate with each other and how they rely on each other is part of understanding how to fine-tune and protect your system. With the advent of cloud computing, virtualized resources, and devices, modern systems rely on audit logging tools to address a new complexity of audit events. Security and compliance requirements for audit logs add additional configuration and operational considerations — such as protection of the log data to enhance the integrity, availability, and confidentiality of records. The benefit of a log management platform such as Logz.io is providing a centralized solution for log aggregation, processing, storage and analysis to help organizations improve audit log management.