OWASP Logging Guide

SUMMARY

Why log?
What is commonly logged?
What are security logs?
What are the most common issues with logging?
What are the common functions of a log management infrastructure?
  General
  Storage
  Analysis
  Disposal
How to plan a logging infrastructure?
What is log management?
What application logs/events to monitor?
Application logs and Security Information Management systems
  Case study - OSSIM (Open Source Security Information Management system)
  Figure 1 - OSSIM correlation. The Directive Editor allows us to define what events to correlate.
  Figure 2 - OSSIM example. Alerts resulting from correlation.
Tools
References
Why log?

- identify security incidents
- monitor policy violations
- identify fraudulent activity
- identify operational and long-term problems
- establish baselines
- ensure compliance with laws, rules and regulations

What is commonly logged?

NB: Much of the information below can only be logged by the applications themselves (this is especially true for applications used through encrypted network communications).

- Client requests and server responses
- Account activities (login, logout, change password etc.)
- Usage information (transaction types and sizes, generated traffic etc.)
- Significant operational actions such as application startup and shutdown, application failures, and major application configuration changes. This can be used to identify security compromises and operational failures.

What are security logs?

- security software logs (Antimalware Software, IDS, IPS, Remote Access Software, Web Proxies, Vulnerability Management Software, Authentication Servers, Routers, Firewalls)
- operating system logs (System Events, Audit Records)
- application and database logs
  - commercial off-the-shelf (COTS) applications (such as email servers and clients, Web servers and browsers, file servers and file sharing clients, database servers and clients, ERP and CRM systems)
  - custom-developed applications

What are the most common issues with logging?

- high number of log sources
- inconsistent log content
- inconsistent log formats
- inconsistent timestamps
- increasingly large volumes of log data
What are the common functions of a log management infrastructure?

General
- Log parsing
- Event filtering (e.g. suppression of duplicate entries and standard informational entries)
- Event aggregation (see Figure 1 - OSSIM correlation)

Storage
- Log rotation
- Log archival
- Log compression
- Log reduction
- Log conversion
- Log normalization (e.g. storing dates and times in a single format)
- Log file integrity checking (involves calculating a message digest for each file and storing the message digest securely, so that changes to archived logs are detected)

Analysis
- Event correlation
  - rule-based correlation
  - using statistical methods or visualization tools
  See Figure 2 - OSSIM example - alerts resulting from correlation
- Log viewing (displaying log entries in a human-readable format)
- Log reporting (displaying the results of log analysis). Log reporting is often performed to summarize significant activity over a particular period of time or to record detailed information related to a particular event or series of events.

Disposal
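The log file integrity check described under Storage, as an added example that is not part of the guide: a SHA-256 manifest is taken of an archive directory, and a later verification reports which archived logs were modified, removed or added. The manifest must live somewhere the archive's writers cannot reach (read-only media, a separate host); the demo keeps it in memory only to show the comparison.

```python
import hashlib
import json
import os
import tempfile

# Added example, not from the OWASP guide: a manifest of SHA-256 digests for
# archived log files and a verifier that reports what changed since it was taken.

def digest_file(path, chunk_size=65536):
    """Hex SHA-256 of a file, streamed so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(archive_dir):
    """Map every file under archive_dir (relative path) to its digest."""
    manifest = {}
    for root, _dirs, files in os.walk(archive_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, archive_dir)] = digest_file(full)
    return manifest

def verify_manifest(archive_dir, manifest):
    """Compare the archive against a manifest kept elsewhere (read-only media, a separate
    host): the check is only as trustworthy as the storage of the digests. Returns the
    files whose digest changed, files that disappeared, and files the manifest never saw."""
    current = build_manifest(archive_dir)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }

def demo():
    """Archive two rotated logs and record the manifest; then simulate an edited file and a
    deleted file (constructed scenario) and show the verifier catching both."""
    archive = tempfile.mkdtemp(prefix="logarchive-")
    for name, body in (("app.log.1", b"2024-01-01T00:00:00Z login ok user=alice\n"),
                       ("app.log.2", b"2024-01-02T00:00:00Z login ok user=bob\n")):
        with open(os.path.join(archive, name), "wb") as f:
            f.write(body)
    stored = json.dumps(build_manifest(archive))   # would be written to protected storage
    with open(os.path.join(archive, "app.log.1"), "ab") as f:
        f.write(b"2024-01-01T00:00:01Z login ok user=mallory\n")  # a line appended after archival
    os.remove(os.path.join(archive, "app.log.2"))
    return verify_manifest(archive, json.loads(stored))
```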
How to plan a logging infrastructure?

- develop standard processes for log management
- define its logging requirements and goals
- define mandatory requirements and suggested recommendations for log management activities
- prioritize the requirements/goals based on the organization's perceived reduction of risk and the expected time and resources needed to perform log management functions
- prioritize/classify data in order to log/analyze the data that is of greatest importance (e.g. business data; application binaries, configurations and documentation; system binaries, configurations and documentation; application and database logs; system logs). For each data class, criteria such as criticality, security and retention duration requirements must be defined.
- define roles and responsibilities for log management for key personnel throughout the organization, including log management duties at both the individual system level and the log management infrastructure level
- create and maintain a log management infrastructure
- define standard log management operational processes (configuring log sources, performing log analysis, initiating responses to identified events, managing long-term storage, monitoring the logging status of all log sources, monitoring log rotation and archival, checking for upgrades and patches to logging software and acquiring, testing, and deploying them, ensuring that each logging host's clock is synched to a common time source, reconfiguring logging as needed based on policy changes, technology changes, and other factors, documenting and reporting anomalies in log settings, configurations, and processes)

(Source: P80092.pdf, NIST SP 800-92)

What is log management?

- log generation
- transmission
- storage
- analysis
- disposal
- ensuring that security, system, and network administrators regularly perform effective analysis of log data
- protecting the confidentiality, integrity, and availability of logs
What application logs/events to monitor?

What to monitor: SQL statements generated by application activity
  Pros: Easier to baseline than SQL issued by DBAs, developers and power users
  Cons: High volume

What to monitor: Sequence monitoring (based on multiple activities): pattern of activity, frequency of activity, order between activities
  Pros: This gives us a window of opportunity to block an attack
  Cons: Difficult to implement/configure

What to monitor: What data is returned on which session? How much data is returned?
  Pros: Can help us identify compromised sessions/accounts
  Cons: Difficult to implement/configure

What to monitor: Usage of procedures and packages that are vulnerable and/or useful in attacks; profile under what conditions they are used normally.
  Example: white list of users and white list of IPs for the use of UTL_SMTP
  Example: black list of errors that we do not allow for any session. An "unknown column" error might indicate an SQL injection attack.
  Pros: Can allow us to quickly identify attacks and terminate rogue sessions
  Cons: This measure is less reliable than implementing reactive session termination in the application (e.g. a session provoking such errors gets terminated by the application)

What to monitor: A single user credential that is concurrently being used from different IPs is at least a misuse of credentials and sometimes an intrusion
  Pros: Can allow us to fight against misuse of credentials and intrusions
  Cons: Not always possible: centralized session management is a prerequisite

What to monitor: Events related to known application vulnerabilities that have not yet been addressed
  Pros: Can represent a quick protection against such vulnerabilities in the application
  Cons: Temporary solution. Can be used as an excuse to delay implementation of proper defenses in the application

To be continued/detailed
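Two of the checks in the table above, the error black list and the credential used concurrently from different IPs, run over a handful of constructed application log lines. This is an added example, not code from the guide; the line format, the field names and the 10-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed application log lines (added example, not from the guide). The
# session/user/IP/error context is only available in the application's own log.
SAMPLE_LOG = """\
2024-03-01T10:00:00Z session=s1 user=alice ip=10.0.0.5 event=login
2024-03-01T10:00:05Z session=s1 user=alice ip=10.0.0.5 event=query status=ok
2024-03-01T10:00:09Z session=s2 user=alice ip=203.0.113.7 event=login
2024-03-01T10:00:12Z session=s3 user=bob ip=10.0.0.9 event=login
2024-03-01T10:00:15Z session=s3 user=bob ip=10.0.0.9 event=query status=error msg="unknown column 'x' in field list"
2024-03-01T12:30:00Z session=s4 user=carol ip=10.0.0.1 event=login
2024-03-01T15:00:00Z session=s5 user=carol ip=10.0.0.2 event=login
"""
LINE_RE = re.compile(
    r'^(?P<ts>\S+) session=(?P<session>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) '
    r'event=(?P<event>\S+)(?: status=(?P<status>\S+))?(?: msg="(?P<msg>[^"]*)")?$')
ERROR_BLACKLIST = (re.compile(r"unknown column", re.I),)  # the guide's "black list of errors"

def parse(log_text):
    """Turn each well-formed line into a dict; lines that do not match are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            rows.append(d)
    return rows

def blacklisted_error_sessions(rows):
    """Sessions that produced a blacklisted error: candidates for termination and review."""
    return sorted({r["session"] for r in rows
                   if r["msg"] and any(p.search(r["msg"]) for p in ERROR_BLACKLIST)})

def concurrent_credential_use(rows, window=timedelta(minutes=10)):
    """Users whose logins from different IPs fall within `window` of each other.
    Logins from different IPs hours apart (carol) are not flagged."""
    logins = defaultdict(list)
    for r in rows:
        if r["event"] == "login":
            logins[r["user"]].append((r["ts"], r["ip"]))
    flagged = {}
    for user, events in logins.items():
        events.sort()
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                flagged.setdefault(user, set()).update({ip1, ip2})
    return {u: sorted(ips) for u, ips in flagged.items()}
```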
Application logs and Security Information Management systems

Case study - OSSIM (Open Source Security Information Management system)

OSSIM's generic correlation engine allows us to configure alerts based on information from:
- the integrated software components detailed below
- various provided plugins (VMware Workstation, Optenet, Nepenthes, ISA Server, Aladdin, Avast, Bro-IDS, Enterasys Dragon, Honeyd, McAfee Antivirus, Sidewinder, SonicWall, Trend Micro, Cyberguard, vsftpd, BIND etc.)
- application logs

*** In order to generate IDS events/alerts from your custom-developed applications' logs:
- the logs must be consistent (content, format, timestamps);
- you need to write your own OSSIM plugin (no need to be scared: plugin writing amounts to finding the right regular expression).

OSSIM software components
* Arpwatch, used for MAC anomaly detection.
* P0f, used for passive OS detection and OS change analysis.
* Pads, used for service anomaly detection.
* Nessus/OpenVAS, used for vulnerability assessment and for cross correlation (IDS vs Security Scanner).
* Snort, the IDS, also used for cross correlation with Nessus.
* Spade, the statistical packet anomaly detection engine, used to gain knowledge about attacks without a signature.
* Tcptrack, used for session data information, which can provide useful information for attack correlation.
* Ntop, which builds an impressive network information database from which we can get aberrant behaviour anomaly detection.
* Nagios. Being fed from the host asset database, it monitors host and service availability information.
* Osiris, a great HIDS.
* OCS-NG, cross-platform inventory solution.
* OSSEC, integrity, rootkit, registry detection and more.
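The consistency requirement above (content, format, timestamps) and the log normalization function listed under Storage both come down to the same step before any correlation engine can order events from different sources. As an added example that is not part of the guide or of OSSIM, this normalizes the leading timestamp of three constructed line formats (syslog/BSD, Apache CLF, ISO 8601) to ISO 8601 in UTC; the source host's time zone (UTC+1) and year (2024) for syslog lines, which carry neither, are assumptions.

```python
import re
from datetime import datetime, timezone, timedelta

# Added example (not from the guide or OSSIM): bring the timestamp formats of three
# constructed sources to one canonical form, ISO 8601 in UTC, so that their events
# can be ordered and correlated. Each entry: (leading-timestamp regex, strptime format, needs_year).
TIMESTAMP_FORMATS = [
    # syslog/BSD style "Mar  1 10:00:00": no year, no zone
    (re.compile(r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "), "%b %d %H:%M:%S", True),
    # Apache/CLF style "[01/Mar/2024:10:00:00 +0100]"
    (re.compile(r"^\[(?P<ts>\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] "),
     "%d/%b/%Y:%H:%M:%S %z", False),
    # ISO 8601 with zone "2024-03-01T09:00:00Z" / "+00:00"
    (re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2})) "), None, False),
]

def normalize_line(line, source_tz=timezone(timedelta(hours=1)), year=2024):
    """Return (utc_iso_timestamp, rest_of_line). Syslog lines carry neither year nor zone,
    so both are supplied as assumptions (here: source host at UTC+1, in 2024).
    Unknown formats raise ValueError so the caller can count them instead of dropping them."""
    for pattern, fmt, needs_year in TIMESTAMP_FORMATS:
        m = pattern.match(line)
        if not m:
            continue
        raw = m.group("ts")
        if fmt is None:
            dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        elif needs_year:
            raw = re.sub(" +", " ", raw)  # collapse the padding before single-digit days
            dt = datetime.strptime(f"{year} {raw}", f"%Y {fmt}").replace(tzinfo=source_tz)
        else:
            dt = datetime.strptime(raw, fmt)
        return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"), line[m.end():]
    raise ValueError(f"unrecognised timestamp format: {line[:30]!r}")

# Constructed lines from three sources, all describing the same instant (09:00:00 UTC).
SAMPLE_LINES = [
    "Mar  1 10:00:00 apphost myapp[123]: login ok user=alice",
    "[01/Mar/2024:10:00:00 +0100] 10.0.0.5 GET /login 200",
    "2024-03-01T09:00:00Z myapp login ok user=alice",
]

def normalize_all(lines):
    """Normalize a batch; returns a list of (utc_timestamp, rest) in input order."""
    return [normalize_line(line) for line in lines]
```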
Figure 1 - OSSIM correlation. The Directive Editor allows us to define what events to correlate. The number of occurrences for each event is used to calculate reliability (see Event aggregation).

Figure 2 - OSSIM example. Alerts resulting from correlation.
Tools

Tool: Splunk
  Role: indexes all of your IT data in real time, without requiring you to write connectors, plugins, custom parsers or controls
  Link: http://www.splunk.com

Tool: OSSIM
  Role: Open Source Security Information Management

umentation/latest/User/SplunkOverview