One of the truly horrible, horrible, horrible :-) challenges of log management is obtaining trusted logs (see my log trust pyramid) of administrator activities (sometimes broadened to cover so-called "privileged users"). Many consider it to be the "lost battle" of logging. However, logging administrator access and actions is more important than ever today (and it is one of the few workable way to deal with insider attacks)
So, let's have a little table where I try to summarize how to protect the C-I-A of various logs from administrators and privileged users (some successful and some very hard to pull off). Note that in case of databases and application, we need to protect the log from the DBA and application admins and not from the underlying server platform admins.
UPDATE: table below might look weird; see the full table here.
| "C" - prevent admins from reading logs | "I" - prevent admins from changing logs | "A" - prevent admin from disabling logging | |
| Standard Unix | Forget it! Maybe stealth logging (sebek) | Remote logging via syslog to another server, append-only log files (via RBAC) | Forget it! But this is logged and thus can be detected (also: stealth logging) |
| Windows server | Forget it! Maybe stealth logging (sebek for Windows) | Pull the logs ASAP to a central server | Forget it! But this is logged and can be detected (also stealth logging) |
| Databases | DBA activity log stored outside the database (append-only access) | DBA activity log stored outside the database (append-only access) | DBA activity log stored outside the database |
| Firewalls and network gear | Remote logging via syslog to another server - no local logging | Remote logging via syslog to another server | Forget it! But this is logged and can be detected |
| IDS/IPS boxes | Remote logging to another server - no local logging | Remote logging to another server, inaccessible to admin | Forget it! But this is logged and can be detected |
| Misc enterprise applications | App admin log outside the app (not readable to application user) | App admin log outside the app (only appendable by the application user) | Forget it! But this is logged and can be detected |
(just in case, full table is here)
Comments?
