Saturday, June 14, 2008

SEC520: 10 More

Here are 10 more security log management functions, at both the infrastructure and system levels.

Log parsing: extracting data from a log so that the parsed values can be used as input for another logging process.

Event filtering: suppressing entries that are not needed, such as duplicates of a record.

Event aggregation: consolidating similar entries into a single entry that carries a count of the number of occurrences.

Log rotation: closing a log file and starting a new one on a schedule or size limit so logs stay manageable; the rotated file can then be processed separately, e.g. filtered before it is archived.

Log archival: keeping logs for an extended period of time, typically on removable media or a SAN. Two types: log retention, archiving logs on a regular basis, and log preservation, keeping logs that would otherwise be discarded because they contain records of activity of particular interest.
--------------------------
Log compression: reducing the storage space logs need without changing their content.

Log reduction: removing entries of no importance to make the log smaller.

Log conversion: converting logs to a different format, e.g. XML or a database.

Log normalization: converting each field to a particular data representation and categorizing it consistently, e.g. dates and times from every source in a single format.

Log file integrity checking: computing a message digest (MD5 or SHA-1) for each file when it is archived and recomputing it later to detect modification. A digest stored next to the log only catches changes by someone who cannot also rewrite the digest, so keep the digests off-host or use a keyed MAC or signature; prefer SHA-256, since MD5 and SHA-1 are no longer considered collision-resistant.
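As an added example (not code from the original post), the following Python script builds a digest manifest for archived log files and verifies it, first with a plain hash as the notes describe and then with a keyed HMAC, to show why a digest stored where the attacker can rewrite it is not enough. The files, their contents and the key are constructed for the demo; SHA-256 is used in place of the MD5/SHA-1 the notes mention.

```python
import hashlib
import hmac
import os
import shutil
import tempfile


def digest_file(path, key=None, algo="sha256"):
    """Return the hex digest of a file, streamed in 64 KiB chunks.

    key=None gives the plain digest the notes describe; with a key the
    result is an HMAC, which an attacker without the key cannot recompute.
    """
    h = hmac.new(key, digestmod=algo) if key is not None else hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, key=None):
    """Map each archived log to its digest; this is what you store (ideally off-host)."""
    return {p: digest_file(p, key) for p in paths}


def verify_manifest(manifest, key=None):
    """Recompute every digest and report ok / MODIFIED / missing per file."""
    status = {}
    for path, expected in manifest.items():
        if not os.path.exists(path):
            status[path] = "missing"
            continue
        actual = digest_file(path, key)
        # constant-time comparison, so a forger learns nothing from timing
        status[path] = "ok" if hmac.compare_digest(actual, expected) else "MODIFIED"
    return status


def demo():
    """Constructed scenario: archive two logs, then tamper with one and forge the digests."""
    key = b"assumed-demo-key"  # assumption: a real key is generated once and kept off the log host
    workdir = tempfile.mkdtemp()
    auth_log = os.path.join(workdir, "auth.log")
    msg_log = os.path.join(workdir, "messages")
    with open(auth_log, "w") as f:  # constructed sample content
        f.write("Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah "
                "from 10.20.30.108 port 1070 ssh2\n")
    with open(msg_log, "w") as f:
        f.write("Mar 1 07:20:00 server1 kernel: constructed kernel message\n")

    unkeyed = build_manifest([auth_log, msg_log])
    keyed = build_manifest([auth_log, msg_log], key)
    results = {}

    # Step 1: the intruder deletes the login record from the archived log.
    with open(auth_log, "w") as f:
        f.write("")
    results["tampered_unkeyed"] = verify_manifest(unkeyed)[auth_log]
    results["tampered_keyed"] = verify_manifest(keyed, key)[auth_log]

    # Step 2: with write access to the archive, the intruder also regenerates
    # the unkeyed manifest. The plain digest now passes; the HMAC still fails.
    forged = build_manifest([auth_log, msg_log])
    results["forged_unkeyed"] = verify_manifest(forged)[auth_log]
    results["forged_keyed"] = verify_manifest(keyed, key)[auth_log]

    # The untouched file still verifies.
    results["untouched_keyed"] = verify_manifest(keyed, key)[msg_log]
    shutil.rmtree(workdir)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The same point applies to transmission: a bare MD5 or SHA-1 over a message only proves it was not corrupted, not who sent it; only the keyed form, or an authenticated channel, gives you authentication.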
-------------------------------------
Event correlation: finding relationships between two or more entries, possibly from different sources.

Log viewing: displaying log entries in a human-readable format.

Log reporting: displaying the results of log analysis.
-------------------------------------
Log clearing: removing all entries that precede a certain date and time from the log, typically because the old data has already been archived.
-------------------------------------
Syslog is a central framework for log entry generation, storage and transfer; the syslog format classifies messages by source and importance. Two attributes to consider are the message type, known as the facility (kernel messages, mail system messages, authorization messages, printer messages, audit messages, and so on), and the severity, a value from 0 (emergency) to 7 (debug). Sample entries from an sshd log:
Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2
Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2
Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
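As an added example (not code from the original post), here is a Python script that applies log parsing, normalization, event filtering and event aggregation to the three sshd lines above plus two constructed repeats of the last one, and encodes a facility/severity pair into the PRI value that precedes a message on the wire. The year is an assumption (BSD syslog timestamps carry none), and the facility and severity tables are the standard syslog codes.

```python
import re
from collections import Counter
from datetime import datetime

# The three lines from the post plus two constructed repeats of the last one,
# so that aggregation has something to count (constructed sample, not real traffic).
SAMPLE_LOG = """\
Mar 1 06:25:43 server1 sshd[23170]: Accepted publickey for server2 from 172.30.128.115 port 21011 ssh2
Mar 1 07:16:42 server1 sshd[9326]: Accepted password for murugiah from 10.20.30.108 port 1070 ssh2
Mar 1 07:16:53 server1 sshd[22938]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
Mar 1 07:17:01 server1 sshd[22940]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
Mar 1 07:17:09 server1 sshd[22941]: reverse mapping checking getaddrinfo for ip10.165.nist.gov failed - POSSIBLE BREAKIN ATTEMPT!
"""

# Layout of a BSD-style syslog line as written to a file: TIMESTAMP HOST TAG[PID]: MESSAGE
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Standard facility and severity codes; PRI = facility * 8 + severity is what travels in <PRI>.
FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "lpr": 6, "news": 7, "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}


def priority(facility, severity):
    """Encode a facility name and severity name into the syslog PRI value."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def decode_priority(pri):
    """Split a PRI value back into (facility number, severity number)."""
    return divmod(pri, 8)


def parse(line, year=2008):
    """Log parsing: split one line into fields and normalize the timestamp to ISO 8601.
    BSD timestamps carry no year, so the caller supplies it (assumed 2008 here)."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    fields = m.groupdict()
    ts = " ".join(fields["ts"].split())  # "Mar  1 ..." and "Mar 1 ..." both occur in the wild
    fields["ts"] = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S").isoformat()
    fields["pid"] = int(fields["pid"]) if fields["pid"] else None
    return fields


def parse_all(text, year=2008):
    """Parse every line, silently dropping lines that do not fit the format."""
    return [e for e in (parse(l, year) for l in text.splitlines()) if e is not None]


def filter_events(entries, pattern):
    """Event filtering: keep only entries whose message body matches a regular expression."""
    rx = re.compile(pattern)
    return [e for e in entries if rx.search(e["msg"])]


def aggregate(entries):
    """Event aggregation: collapse repeats of the same (host, program, message),
    ignoring the per-process pid, into one record with an occurrence count."""
    return Counter((e["host"], e["prog"], e["msg"]) for e in entries)


if __name__ == "__main__":
    events = parse_all(SAMPLE_LOG)
    print(f"sshd sends its messages as PRI <{priority('auth', 'info')}>")
    for key, n in aggregate(events).items():
        print(n, *key)
    for e in filter_events(events, r"POSSIBLE BREAKIN ATTEMPT"):
        print("ALERT", e["ts"], e["host"], e["msg"])
```

Aggregation deliberately keys on host, program and message rather than on pid, because sshd forks a new process per connection and the pid would otherwise make every repeat look unique.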
----------------------------
Syslog as originally designed does not include the basic security controls that would give confidentiality, integrity and availability to logs. Weaknesses of the syslog protocol: data is transferred over UDP with no authentication, so anyone can send messages to the syslog server (spoofed entries, or floods that cause a DoS); messages can be intercepted or altered in transit (MITM); and captured logs can be read by an attacker looking for an attack vector.
----------------------------
Hardened syslog implementations add the following:
Reliable log delivery: TCP instead of UDP.
Transmission confidentiality protection: an SSH tunnel or TLS.
Transmission integrity protection and authentication: message digests such as MD5 or SHA-1. A bare digest does not authenticate the sender; it has to be keyed (an HMAC) or carried inside an authenticated channel such as TLS.
----------------------------
Robust filtering: handles messages based on the program or host that generated them, or on regular-expression matches against the message body.

Log analysis: separate add-on programs analyze the collected data.

Event response: alerts admins through pages or e-mails.

Also: database storage of logs, and log file encryption.

----------------------------
Security Information and Event Management (SIEM) software is centralized logging software. It collects logs in one of two ways.

Agentless: the SIEM server pulls logs from the hosts by authenticating to each host and retrieving them, or the hosts push log files to the server. The server then performs event filtering, aggregation, log normalization and analysis on the collected logs.

Advantage: no installation on the hosts. Disadvantages: large amounts of data are transferred over the network; the server must hold credentials for every host it pulls from; and some sources cannot be collected remotely, so an agent has to be installed on those hosts anyway.

Agent-based: all the filtering, aggregation and log normalization is done on the host, and only the result is transmitted to the server.

Advantage: filtering and aggregation are done on the host, so a smaller load goes over the network. Disadvantage: an agent must be installed and maintained on every host.
