
Application Logs - Security Best Practices

by Dipesh Rawal

Security logs capture the security-related events within an application. They help detect security violations and flaws in the application, and help reconstruct user activities for forensic analysis. Shortlisting the events to log and choosing the level of detail are the key challenges in designing the logging system. This article simplifies the selection by presenting the options that many critical applications have chosen.

Events to Log

All user account management activity should be logged.
- Addition and deletion of user accounts
- Changes in security attributes (access levels, login intervals, terminal login restrictions, connection interface)
- User account suspensions and reactivations
- Administrative password resets
- Successful and failed logon/logoff events
- Account lockout events (invalid password, inactive session, access from un-allowed interfaces, login attempts outside valid intervals, max. concurrent session limit violations)
- Password changes

Changes to application configuration settings should be tracked.
- Changes to critical functional settings (e.g. interest rates, service charges, grace period)
- System parameters (e.g. max. no. of concurrent connections per user, password length)

Access attempts to the application and underlying system resources should be logged.
- Changes to cryptographic keys
- Startup/stop of application processes
- Abnormal application exits
- Failed database connection attempts
- Attempts to modify critical registry keys
- Login/logoff for maintenance

Failed integrity checks for application data, executables and the audit log should also be logged.

Every access control related event should be logged.

The Details to Log

The logs should be captured with the level of detail required for later analysis, while balancing the need to not adversely affect performance. For each event, the following are important to record:
- A unique event ID and type
- Timestamp of the event
- Error message
- Success or failure of the event
- IP address of the client
- User ID triggering the event
- Resources accessed
- Application interface used by the user
- Correlation with audit trail entries
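The two sections above list what to log and which fields each record needs; the block below is an added example (not code from the article or its author) that builds one record with every listed field, checks a record for missing fields, and reconstructs a user's activity from JSON lines by correlation ID, which is the forensic use the article names. The event type names, field names, function names and the sample records are this example's own assumptions.

```python
"""Added example (not from the article): a structured security-event record
carrying the fields the article lists, plus a forensic reconstruction helper.
Event types, field names and function names are this example's own choices."""
import json
import uuid
from datetime import datetime, timezone

# Event types assumed here, following the categories in the "Events to Log" section.
EVENT_TYPES = {
    "account.created", "account.deleted", "account.suspended", "account.reactivated",
    "account.security_attrs_changed", "account.password_reset_by_admin",
    "account.password_changed", "auth.logon", "auth.logoff", "auth.lockout",
    "config.changed", "crypto.key_changed", "process.started", "process.stopped",
    "process.abnormal_exit", "db.connect_failed", "registry.modify_attempt",
    "maintenance.logon", "maintenance.logoff", "integrity.check_failed",
    "access.denied", "access.granted",
}

# The "Details to Log" fields; "error" is required only when outcome is "failure".
REQUIRED_FIELDS = ("event_id", "event_type", "timestamp", "outcome", "client_ip",
                   "user_id", "resource", "interface", "correlation_id")


def security_event(event_type, outcome, user_id, client_ip, resource, interface,
                   correlation_id, error=None, now=None):
    """Build one log record with every field the article asks for.

    outcome is "success" or "failure"; error carries the error message on failure.
    now can be injected for deterministic tests; defaults to UTC wall-clock time.
    """
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown event type: {event_type}")
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    ts = now or datetime.now(timezone.utc)
    return {
        "event_id": str(uuid.uuid4()),          # unique per record
        "event_type": event_type,
        "timestamp": ts.isoformat(timespec="milliseconds"),
        "outcome": outcome,
        "error": error,
        "client_ip": client_ip,
        "user_id": user_id,
        "resource": resource,
        "interface": interface,                 # e.g. "web", "api", "admin-console"
        "correlation_id": correlation_id,       # ties the record to the audit trail
    }


def to_log_line(record):
    """Serialise as one JSON line (one event per line keeps the log easy to scan)."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def missing_fields(record):
    """Return the required fields a record lacks or leaves empty."""
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if record.get("outcome") == "failure" and not record.get("error"):
        missing.append("error")
    return missing


def reconstruct_activity(log_lines, correlation_id):
    """Forensic use: pull every event sharing a correlation id, in time order."""
    events = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue                            # skip a corrupted line rather than abort
        if rec.get("correlation_id") == correlation_id:
            events.append(rec)
    return sorted(events, key=lambda r: r["timestamp"])


# Constructed sample: three records from one user session, written as JSON lines.
_T0 = datetime(2024, 1, 15, 9, 30, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    to_log_line(security_event("auth.logon", "failure", "alice", "203.0.113.7",
                               "/login", "web", "sess-42",
                               error="invalid password", now=_T0)),
    to_log_line(security_event("auth.logon", "success", "alice", "203.0.113.7",
                               "/login", "web", "sess-42",
                               now=_T0.replace(second=20))),
    to_log_line(security_event("config.changed", "success", "alice", "203.0.113.7",
                               "settings/interest_rate", "admin-console", "sess-42",
                               now=_T0.replace(minute=31))),
]

if __name__ == "__main__":
    for rec in reconstruct_activity(SAMPLE_LINES, "sess-42"):
        print(rec["timestamp"], rec["event_type"], rec["outcome"], rec["resource"])
```

The correlation ID is what makes the forensic reconstruction work: every record a request or session produces carries the same value, so the failed logon, the successful retry and the later configuration change above can be pulled back together as one story even from a log that interleaves many users.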

Safe Practices in Logging

- Design the application to save the logs to a different system. Otherwise, once a system is compromised, the logs themselves might be untrustworthy.
- Secure the system on which the logs are stored.
- Limit access to logs on a need-to-know basis.
- Do not log the authentication credentials themselves (such as passwords, PINs, or encryption keys) in the logs.
- Applications should alert administrators if the logging system malfunctions or is shut down.
- The security logs should be archived periodically.
- The application should provide a log analysis console to view the logs and analyze them.

Discussion comments
1. Dharmesh Mehta
In certain environments, the IP address of the user may not be a reliable parameter for identification, as in the case of Internet-facing applications or if the application is hosted behind proxies or load balancers. In that case, either ignore the IP address or log the information in the Client-IP or Via HTTP headers.
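Three of the safe practices above (credentials never reach the log, records go to a separate system, administrators are alerted when that fails) and the point in the comment about client addresses behind proxies can be shown together. The block below is an added example, not code from the article, its author or the commenter; the secret field names, the trusted-proxy ranges, the `send`/`alert` stand-ins and the sample records are this example's own assumptions.

```python
"""Added example (not from the article or the comment): credential redaction,
forwarding to a separate log sink with an alert on failure, and a proxy-aware
client address. Names, the trusted-proxy list and the samples are assumptions."""
import ipaddress
import json
import logging

# Field names assumed to carry credentials; values are replaced before any sink sees them.
SECRET_KEYS = {"password", "pin", "passwd", "secret", "token", "encryption_key", "api_key"}


def redact(record):
    """Return a copy of a (possibly nested) dict with credential values masked."""
    clean = {}
    for k, v in record.items():
        if k.lower() in SECRET_KEYS:
            clean[k] = "[REDACTED]"
        elif isinstance(v, dict):
            clean[k] = redact(v)
        else:
            clean[k] = v
    return clean


class RedactingFilter(logging.Filter):
    """Logger-level filter: redact a dict passed as extra={"event": ...} and emit it as JSON."""
    def filter(self, record):
        payload = getattr(record, "event", None)
        if isinstance(payload, dict):
            record.event = redact(payload)
            record.msg = json.dumps(record.event, sort_keys=True)
        return True


class RemoteSinkHandler(logging.Handler):
    """Forward records to a separate log system; alert administrators if that fails.

    `send` stands in for the real transport (syslog over TLS, a log shipper, ...);
    `alert` is whatever pages the administrators. Both are this example's assumptions.
    """
    def __init__(self, send, alert):
        super().__init__()
        self.send, self.alert, self.failures = send, alert, 0

    def emit(self, record):
        try:
            self.send(self.format(record))
        except Exception as exc:            # sink unreachable, disk full, shut down, ...
            self.failures += 1
            self.alert(f"security log sink failure #{self.failures}: {exc}")


# Proxies/load balancers whose X-Forwarded-For and Via headers are trusted (assumed ranges).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.10/32")]


def client_address(peer_ip, headers):
    """Keep the socket peer and, only when the peer is a trusted proxy, the forwarded client.

    Forwarded headers from any other peer are unverified input, so only the peer
    address is recorded in that case.
    """
    peer = ipaddress.ip_address(peer_ip)
    info = {"peer_ip": peer_ip, "client_ip": peer_ip, "via": None}
    if any(peer in net for net in TRUSTED_PROXIES):
        xff = headers.get("X-Forwarded-For", "")
        if xff:
            # First entry is the originating client; later entries are intermediate proxies.
            info["client_ip"] = xff.split(",")[0].strip()
        info["via"] = headers.get("Via")
    return info


def build_logger(send, alert):
    """Wire the redacting filter and the remote handler onto a dedicated security logger."""
    logger = logging.getLogger("app.security")
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    logger.addFilter(RedactingFilter())
    handler = RemoteSinkHandler(send, alert)
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.propagate = False                # keep security events off the root logger
    return logger


if __name__ == "__main__":
    shipped, alerts = [], []
    log = build_logger(shipped.append, alerts.append)
    event = {"event_type": "auth.logon", "user_id": "alice", "password": "hunter2",
             **client_address("10.1.2.3", {"X-Forwarded-For": "203.0.113.7, 10.1.2.3",
                                          "Via": "1.1 edge-proxy"})}
    log.info("event", extra={"event": event})
    print(shipped[-1])        # password shows as [REDACTED]; client_ip is 203.0.113.7
```

Redaction runs as a logger filter rather than inside each handler so that no sink, local or remote, ever receives the credential; and the alert counter in the handler gives administrators a signal that grows with each lost record, which is what the article's "alert if the logging system malfunctions" practice asks for.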
