A.22 Chapter 21: Auditing, Logging, and Forensics

  • Consider installing a dedicated PC or other non-Unix machine as a network log host, so that an intruder who gains root on one of your Unix systems cannot alter the copy of the logs kept there.

  • Have your users check the last login time each time they log in to make sure that nobody else is using their accounts.

  • Consider installing a simple cron task to save copies of the lastlog file to track logins.

  • Evaluate whether C2 logging on your system is practical and appropriate. If so, install it.

  • Determine if there is an intrusion detection and/or audit reduction tool available to use with your C2 logs.

  • Make sure that your utmp file is not world-writable; otherwise any user can erase or forge the record of who is logged in.

  • Turn on whatever accounting mechanism you may have that logs command usage.

  • Run last on a regular basis to see who has been using the system.

  • Review your specialized log files on a regular basis. This review should include loginlog, sulog, aculog, xferlog, and others (if they exist on your system).

  • Consider adding an automatic log monitor such as Swatch.

  • Make sure that your log files are on your daily backups before they are reset.

  • If you have syslog, configure it so that all auth messages are logged to a special file. If you can, also have these messages logged to a special hardcopy printer and to another computer on your network.

  • Be aware that log file entries may be forged and misleading in the event of a carefully crafted attack.

  • Keep a paper log on a per-site and per-machine basis.

  • If you process your logs in an automated fashion, craft your filters so that they exclude the things you know you don't want to see rather than pass only what you expect to see. This approach ensures that you see every exceptional condition message, including the ones nobody thought to write a pattern for.
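The following script is an added example, not code from the book, showing why the last item matters. It runs a constructed sample of syslog lines (not real log data) through two filters: an exclusion filter that drops only messages known to be routine, and an inclusion filter that passes only messages someone thought to list as interesting. The pattern lists, host name, and log lines are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: exclusion-style versus inclusion-style log filtering.
# The log lines and pattern lists below are constructed for illustration.

# Constructed sample of syslog lines (not taken from a real system).
sample_log() {
    cat <<'EOF'
Mar  3 08:01:12 host login: ROOT LOGIN ON console
Mar  3 08:15:00 host cron[180]: (root) CMD (/usr/lib/atrun)
Mar  3 08:20:09 host login: LOGIN FAILURE ON ttyp2, bob
Mar  3 09:02:55 host sendmail[212]: AA00212: to=bob, stat=Sent
Mar  3 09:10:31 host in.telnetd[300]: connect from unknown.example.net
Mar  3 09:11:02 host login: REPEATED LOGIN FAILURES ON ttyp2, bob
Mar  3 09:30:00 host su: 'su root' failed for mallory on /dev/ttyp3
Mar  3 09:45:17 host sendmail[250]: AA00250: to=root, stat=Sent
EOF
}

# Exclusion list: messages we have examined and decided are routine.
# Each pattern is anchored to the program that emits it, so a line that
# merely contains "stat=Sent" somewhere (e.g. a forged entry) is not hidden.
routine_patterns() {
    cat <<'EOF'
cron\[[0-9]+\]: \(root\) CMD \(
sendmail\[[0-9]+\]: .* stat=Sent$
EOF
}

# Inclusion list: what an administrator writing an "interesting messages"
# filter happened to think of in advance.
interesting_patterns() {
    cat <<'EOF'
LOGIN FAILURE
su: 'su root' failed for
EOF
}

# run_grep MODE PATTERN_FUNC: filter sample_log with grep -E using the
# pattern list produced by PATTERN_FUNC; MODE is "-v" for exclusion.
run_grep() {
    mode=$1; patfunc=$2
    pats=$(mktemp) || return 1
    "$patfunc" > "$pats"
    sample_log | grep -E $mode -f "$pats"
    rm -f "$pats"
}

# Report everything that is not known to be routine (recommended).
exclude_filter() { run_grep -v routine_patterns; }

# Report only what was listed as interesting (the approach to avoid).
include_filter() { run_grep "" interesting_patterns; }

# Messages the exclusion filter reports but the inclusion filter would
# silently drop: the exceptional conditions nobody wrote a pattern for.
hidden_by_inclusion() {
    pats=$(mktemp) || return 1
    interesting_patterns > "$pats"
    exclude_filter | grep -E -v -f "$pats"
    rm -f "$pats"
}

# count: number of lines on stdin, without the padding some wc print.
count() { wc -l | tr -d ' '; }

echo "== unexpected messages (exclusion filter) =="
exclude_filter
echo "== reported by the inclusion filter =="
include_filter
echo "== would have been hidden by the inclusion filter =="
hidden_by_inclusion
```

On the sample above the exclusion filter reports five lines and the inclusion filter three; the unattended root login on the console and the telnet connection from an unknown host are the two messages the inclusion list never sees. Whatever you put in the exclusion list should be reviewed as carefully as the log itself: every pattern added is a message you have decided never to look at again.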
