LinuxQuestions.org

Linux - Security forum thread: Logs to be maintained keeping security in mind (https://www.linuxquestions.org/questions/linux-security-4/logs-to-be-maintained-keeping-security-in-mind-4175517239/)

pranks 09-03-2014 02:10 AM

Logs to be maintained keeping security in mind
 
Hello,

What kind of logs do we need to maintain keeping security in mind, or which can be useful for investigation agencies? As of now I download the following:

1) Website Access Log
/usr/local/apache/logs/access_log
/usr/local/apache/domlogs

2) FTP Access Log
/var/log/messages

3) MySQL Access Log
/var/lib/mysql, files called hostname.log and hostname-slow.log, where hostname is the short hostname of the machine.

4) Cpanel Access Log
/usr/local/cpanel/logs/access_log

Thanks

zhjim 09-03-2014 03:41 AM

Every log file should be kept when it comes to security. One log file might not have all the information you need, or you might miss out on side steps that have been done.

Another thing, security-wise, is not to download the log files but to have them sent to a logging server right away. An intruder will most likely alter the log files, so downloads would not show any evidence. If you have the log files on another server you can compare them and see if they differ, if you need to investigate.
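The comparison zhjim describes, worked through as an added example (not code from the thread): the host's local copy of /var/log/secure is diffed against the copy the central log server received, with the central copy as the reference. The log lines, host name and addresses are constructed samples. Lines that exist only locally are expected (they were written after the last forwarded entry); lines that are missing or changed locally are what an investigator cares about.

```python
"""Spot log tampering by diffing the host's local log against the copy the
central log server received.

Added example (not from the thread). The log lines, host names and addresses
below are constructed samples.
"""
from difflib import SequenceMatcher

# Constructed: /var/log/secure lines as received by the central rsyslog server
CENTRAL = """\
Sep  3 02:10:01 web01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Sep  3 02:11:40 web01 sshd[1222]: Failed password for root from 203.0.113.7 port 41022 ssh2
Sep  3 02:11:44 web01 sshd[1222]: Failed password for root from 203.0.113.7 port 41022 ssh2
Sep  3 02:12:03 web01 sshd[1230]: Accepted password for root from 203.0.113.7 port 41100 ssh2
Sep  3 02:15:19 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/systemctl restart httpd
""".splitlines()

# Constructed: the same file as later collected from web01 itself. The root
# login has been edited out, and one newer line was appended after the last
# forwarded entry (which is normal, not suspicious).
LOCAL = """\
Sep  3 02:10:01 web01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Sep  3 02:15:19 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; COMMAND=/bin/systemctl restart httpd
Sep  3 02:20:02 web01 sshd[1301]: Accepted publickey for alice from 10.0.0.5 port 50230 ssh2
""".splitlines()


def compare_logs(central, local):
    """Line-by-line diff, with the central copy as the reference.

    Returns the lines removed from the local copy, the lines whose content
    changed, and lines that exist only locally (usually just entries written
    after the last forwarded line).
    """
    findings = {"deleted": [], "altered": [], "only_local": []}
    sm = SequenceMatcher(None, central, local, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "delete":
            findings["deleted"].extend(central[i1:i2])
        elif tag == "replace":
            findings["altered"].append((central[i1:i2], local[j1:j2]))
        elif tag == "insert":
            findings["only_local"].extend(local[j1:j2])
    return findings


def verdict(findings):
    """Deleted or altered lines mean the local copy is not trustworthy."""
    if findings["deleted"] or findings["altered"]:
        return "tampering suspected"
    return "consistent"


if __name__ == "__main__":
    f = compare_logs(CENTRAL, LOCAL)
    print(verdict(f))
    for line in f["deleted"]:
        print("missing locally:", line)
```

On the sample data this reports three deleted lines (the root password failures and the root login) and one line that exists only locally, so the verdict is "tampering suspected". Run against real files, feed it the two copies read with `splitlines()`; the central server's copy may carry a different timestamp format or a hostname prefix depending on the rsyslog template, so normalise both sides to the same template before diffing.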

solarisguy 09-03-2014 07:14 PM

Centralized logging is the best route here, with extremely limited access to the logging server.

One great way to do this is with rsyslog. It can take UDP 514 (standard syslog) or TCP 514, which ensures delivery. UDP has no retry mechanism; it's fire and forget. TCP will retransmit if there is an error on the wire.

One file you should always keep an eye on is /var/log/secure as well.

OSSEC is also a great tool to install on your system. It will watch for any suspicious activity and alert administrators when it is detected. I work for a very large telecom and we have this type of alarming in place. We know when a security event occurs even before the security NOC knows and have taken action to prevent further intrusions in the past.
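The UDP-versus-TCP point in solarisguy's post, shown in running code as an added example (not code from the thread or from rsyslog): the same syslog line is sent to a port where no collector is listening, first over UDP and then over TCP, and then over TCP to a toy collector that unframes and stores it. The host name, tag and message are constructed, and the collector is a stand-in for rsyslog, not rsyslog itself.

```python
"""Why the thread prefers TCP syslog forwarding: a UDP send to a collector
that is down reports success, a TCP send reports the failure.

Added example (not from the thread or from rsyslog). The host name, tag and
message are constructed; the collector is a toy stand-in for rsyslog.
"""
import socket
import threading


def free_port(socktype):
    """Ask the kernel for an unused port number and release it again."""
    with socket.socket(socket.AF_INET, socktype) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def format_syslog(facility, severity, host, tag, msg):
    """Build a BSD-style syslog line: <PRI>TIMESTAMP HOST TAG: MSG."""
    pri = facility * 8 + severity          # e.g. auth (4) + info (6) -> <38>
    return f"<{pri}>Sep  3 02:10:00 {host} {tag}: {msg}"


def send_udp(line, host, port):
    """Fire and forget: sendto() succeeds even if nothing is listening."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode(), (host, port))
    return "sent (delivery unknown)"


def send_tcp(line, host, port):
    """Connection-oriented: a dead collector surfaces as an error here."""
    framed = f"{len(line)} {line}".encode()    # octet-counting framing (RFC 6587)
    try:
        with socket.create_connection((host, port), timeout=2) as s:
            s.sendall(framed)
        return "delivered"
    except OSError as e:
        return f"failed: {type(e).__name__}"


def run_collector(port, received, ready):
    """Toy TCP collector: accept one connection, unframe and store the line."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            data = b""
            while chunk := conn.recv(4096):
                data += chunk
        length, _, body = data.decode().partition(" ")
        received.append(body[: int(length)])


def demo():
    line = format_syslog(4, 6, "web01", "sshd[1234]", "Accepted publickey for alice")
    results = {}

    # 1. Collector down: UDP cannot tell, TCP can.
    results["udp_to_nothing"] = send_udp(line, "127.0.0.1", free_port(socket.SOCK_DGRAM))
    results["tcp_to_nothing"] = send_tcp(line, "127.0.0.1", free_port(socket.SOCK_STREAM))

    # 2. Collector up: TCP delivers and the collector holds the exact line.
    port = free_port(socket.SOCK_STREAM)
    received, ready = [], threading.Event()
    t = threading.Thread(target=run_collector, args=(port, received, ready), daemon=True)
    t.start()
    ready.wait(2)
    results["tcp_to_collector"] = send_tcp(line, "127.0.0.1", port)
    t.join(2)
    results["collector_got"] = received
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

In rsyslog's legacy configuration syntax the two forwarding rules are `*.* @loghost:514` (UDP) and `*.* @@loghost:514` (TCP). TCP only tells the sender that delivery failed; to avoid losing lines while the collector is unreachable, pair the TCP action with an rsyslog action queue so messages are buffered and retried rather than dropped.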

unSpawn 09-04-2014 01:06 AM

Talking about logs indeed is one thing. Too often I still see people who don't alter logrotate defaults, meaning that, given an incident a couple of months ago, anything of use will already have been rotated away and gone. Secondly, it still needs emphasizing that security is not a one-off but (after the initial hardening process) a continuous process of auditing and adjusting. This means, for example, that installation of a service must be preceded by informing yourself about the (in)security of the software and the ways in which to mitigate risks, and be followed by proper configuration, testing and regular log checks (Logwatch?). Also note that one shouldn't rely on one auditing tool alone. For example, the rootkit component of OSSEC HIDS hasn't as a whole been updated much since the product was bought by a large commercial vendor (and if you only want the file integrity checking part you could well use Samhain, or even AIDE or tripwire). Finally, as the OP seems to be using Cpanel, he should be especially aware of the pitfalls of using such products.

pranks 09-06-2014 01:01 AM

Thanks everyone
