Information Security Best Practices: 205 Basic Rules

9.8: Security Logs

INFOSEC Best Practice #110

Keep a security event log on your computer.

A security logger should be available as part of the operating system or as a third party product. All servers and workstations with restricted access must run a security logger. The security log must be turned on and record the following categories of events:

  1. Logins and logoffs.

  2. Object access (logging this data may lead to very large log files).

  3. File permission changes.

  4. File ownership changes.

  5. Security policy changes.

  6. Changes in user rights.

  7. Group changes for an account.

  8. System restarts and shutdowns.

  9. Virus scans.

Security logs can grow to take up a great deal of disk space, so the server must have a large enough disk. Periodic maintenance will need to be performed to archive or discard the logs.

INFOSEC Best Practice #111

Review the security log on each server on a daily schedule.

Recording security events is a waste of resources if the system administrator does not review the logs on a daily basis. All it takes is five minutes each day to invoke the security log viewer and scan through the recorded events. Since most machines will have little hacker or mischievous activity, system administrators get complacent and stop reviewing the security log. If the machine is important enough for you to decide that security logging must be turned on in order to comply with your established security policy, then the administrator must treat this task seriously. To ease the tedious nature of this task, there are...
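One way to make both rules concrete, as an added example that is not from the book: a small Python script that reads a day's security log in a constructed line format (the format, field names, category names and sample lines are assumptions made for the example), checks that every event category Best Practice #110 requires has actually been recorded, and produces the short summary that the daily review in Best Practice #111 needs.

```python
# Added example (not from the book). Reads a day's security log in a constructed
# format, checks coverage of the categories Best Practice #110 requires, and
# summarises the day for the Best Practice #111 review.
from collections import Counter

# The nine event categories Best Practice #110 says the security log must record.
REQUIRED_CATEGORIES = [
    "logon", "object_access", "permission_change", "ownership_change",
    "policy_change", "user_rights_change", "group_change", "restart_shutdown",
    "virus_scan",
]

# Constructed sample log (not real product output): "<time> <category> <outcome> k=v ..."
SAMPLE_LOG = """\
2024-03-01T08:02:11 logon success user=alice host=srv1
2024-03-01T08:05:40 logon failure user=bob host=srv1
2024-03-01T08:05:52 logon failure user=bob host=srv1
2024-03-01T08:06:03 logon failure user=bob host=srv1
2024-03-01T09:10:00 object_access success user=alice object=/srv/data/payroll.db
2024-03-01T10:30:22 permission_change success user=alice object=/srv/data
2024-03-01T12:00:00 policy_change success user=root setting=audit_policy
2024-03-01T12:01:00 group_change success user=root account=bob group=admin
2024-03-01T23:59:00 virus_scan success host=srv1 result=clean
"""

def parse_log(text):
    """Parse '<time> <category> <outcome> key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip it rather than abort the review
        event = {"time": parts[0], "category": parts[1], "outcome": parts[2]}
        event.update(kv.split("=", 1) for kv in parts[3:] if "=" in kv)
        events.append(event)
    return events

def daily_review(text, failed_logon_threshold=3):
    """Summarise one day's log: per-category counts, required categories that
    recorded nothing (a sign the logger is misconfigured), and accounts whose
    failed logons reached the threshold."""
    events = parse_log(text)
    counts = Counter(e["category"] for e in events)
    missing = [c for c in REQUIRED_CATEGORIES if counts[c] == 0]
    failures = Counter(e.get("user", "?") for e in events
                       if e["category"] == "logon" and e["outcome"] == "failure")
    flagged = sorted(u for u, n in failures.items() if n >= failed_logon_threshold)
    return {"counts": dict(counts), "missing": missing, "flagged_accounts": flagged}
```

Call `daily_review(SAMPLE_LOG)`: an empty `missing` list means every required category is being recorded, and any account in `flagged_accounts` deserves a closer look during the five-minute review.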