Hi, can anyone assist me in knowing the following? If the logs are recorded, could you please tell me the location as well.
Log Underlying Requirements
1. What activity was performed? (e.g. login of a user, or enable/disable of a network port, etc.)
2. What tool(s) was the activity performed with? (e.g. administrator tool, Windows tools, rlogin, Gzip, etc.)
3. What is the status of the activity (success or failure), i.e. the outcome or result of the activity?
4. Who performed the activity, including where or on what system the activity was performed? (e.g. root, admin, or application system)
5. Why was the activity performed?
6. When was the activity performed?
Activity To Be Logged
1. "Create, read, update, or delete confidential information, including confidential authentication information such as passwords;"
2. Create, update, or delete information not covered in #7;
Initiate a network connection;
Accept a network connection;
3. User authentication and authorization for activities covered in #7 or #8, such as user login and logout;
4. Grant, modify, or revoke access rights, including adding a new user or group, changing user privilege levels, changing file permissions, changing database object permissions, changing firewall rules, and user password changes;
5. System, network, or services configuration changes, including installation of software patches and updates, or other installed software changes;
6. Application process startup, shutdown, or restart;
7. "Application process abort, failure, or abnormal end, especially due to resource exhaustion or reaching a resource limit or threshold (such as for CPU, memory, network connections, network bandwidth, disk space, or hardware fault); and"
8. Detection of suspicious/malicious activity from the IPS or IDS;
9. Detection of suspicious/malicious activity from the antivirus or antispyware system.
iii. Elements of Logs
1. "Type of action – examples include authorize, create, read, update, delete, and accept network connection."
2. "Subsystem performing the action – examples include process or transaction name, process or transaction identifier."
3. "Identifiers (as many as available) for the subject requesting the action – examples include user name, computer name, IP address, and MAC address."
4. "Identifiers (as many as available) for the object the action was performed on – examples include file names accessed, unique identifiers of records accessed in a database, query parameters used to determine records accessed in a database, computer name,
5. Before and after values when the action involves updating a data element, if feasible.
6. Date and time the action was performed, including the relevant time zone.
7. Whether the action was allowed or denied by access-control mechanisms.
8. Description and/or reason codes of why the action was denied by the access-control mechanism, if applicable.
Sorry for bothering...
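As an added example (not part of the original post, and not tied to any specific product's log format), the following script turns the "Elements of Logs" list above into a completeness check that can be run over audit records. The key=value line format, the field names (`when`, `action`, `subsystem`, `user`, `src_ip`, `file`, `decision`, `reason`, `before`, `after`, ...) and the three sample lines are all my own constructions; real logs would first need to be mapped onto these fields. The check encodes the conditional rules from the list: a subject and an object need at least one identifier each, the timestamp must carry a time zone (item 6), a denied action must carry a reason code (item 8), and an update should carry before/after values (item 5).

```python
"""Audit-event completeness check against the "Elements of Logs" list.

Added example. The line format, the field names and the sample records
are constructed for illustration and are not any vendor's schema.
"""
import shlex
from datetime import datetime

# Elements every record must carry (list items 1, 2, 6 and 7).
REQUIRED = ("action", "subsystem", "when", "decision")
# Item 3: at least one identifier for the subject requesting the action.
SUBJECT_IDS = ("user", "src_host", "src_ip", "src_mac")
# Item 4: at least one identifier for the object acted upon.
OBJECT_IDS = ("file", "record", "query", "dst_host")
# Item 5: before/after values are expected for these action types.
UPDATE_ACTIONS = {"update"}


def parse_kv_line(line):
    """Parse one constructed key=value audit line (shell-style quoting allowed)."""
    event = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:  # tokens without '=' are ignored rather than treated as fields
            event[key] = value
    return event


def timestamp_has_zone(value):
    """True when the value parses as ISO 8601 and names a UTC offset (item 6)."""
    try:
        parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return parsed.tzinfo is not None


def check_event(event):
    """Return a list of findings; an empty list means the record is complete."""
    findings = []
    for key in REQUIRED:
        if not event.get(key):
            findings.append("missing " + key)
    if not any(event.get(k) for k in SUBJECT_IDS):
        findings.append("no subject identifier (user/host/ip/mac)")
    if not any(event.get(k) for k in OBJECT_IDS):
        findings.append("no object identifier")
    if event.get("when") and not timestamp_has_zone(event["when"]):
        findings.append("timestamp lacks time zone")
    if event.get("decision") == "denied" and not event.get("reason"):
        findings.append("denied without reason code")
    if event.get("action") in UPDATE_ACTIONS and not (
        event.get("before") and event.get("after")
    ):
        findings.append("update without before/after values")
    return findings


# Constructed sample records: a complete login, a denied read with two gaps,
# and a privilege change that records only the new value.
SAMPLE_LINES = [
    "when=2024-03-01T08:15:00Z action=authenticate subsystem=sshd[4120] "
    "user=alice src_ip=10.0.0.5 dst_host=srv01 decision=allowed",
    "when=2024-03-01T08:16:00 action=read subsystem=fileserver "
    "user=bob file=/srv/hr/payroll.xlsx decision=denied",
    "when=2024-03-01T08:17:00+00:00 action=update subsystem=acctdb "
    "user=admin record=uid:1042 decision=allowed after=level:admin",
]


def audit_lines(lines):
    """Map each line index to its findings so gaps can be reported per record."""
    return {i: check_event(parse_kv_line(line)) for i, line in enumerate(lines)}


if __name__ == "__main__":
    for index, findings in audit_lines(SAMPLE_LINES).items():
        print(index, findings or "complete")
```

Running it reports the first record as complete, flags the denied read for a zone-less timestamp and a missing reason code, and flags the account update for lacking the before value. The same `check_event` function can be pointed at any source once its records are mapped onto these field names.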