In order to be able to perform effective audits and investigations, the event log should contain as much of the relevant data as possible for the processes being examined.
OWASP Proactive Controls v3.0, section C9, recommends the following when implementing security logging functions.
For security logging implementation:
- Use a common logging format and approach within the system and across systems of an organization.
- Log the timestamp and identifying information including the source IP and user ID, but do not log any private or confidential data.
- Time sync across nodes to ensure that timestamps are consistent.
- When logging for intrusion detection and response, log all potentially malicious activities including:
  - Submitted data that is outside of an expected numeric range.
  - Submitted data that involves changes to data that should not be modifiable (select list, checkbox, or other limited entry component).
  - Requests that violate server-side access control rules.
To ensure secure logging design:
- Encode and validate any dangerous characters before logging to prevent log injection or log forging attacks.
- Do not log sensitive information. For example, do not log password, session ID, credit cards, or social security numbers.
- Protect log integrity. An attacker may attempt to tamper with the logs. Therefore, file permissions on log files and auditing of changes to the logs should be considered.
- Forward logs from distributed systems to a central, secure logging service. This will ensure log data cannot be lost if one node is compromised. This also allows for centralized monitoring.
Resource: https://www.owasp.org/images/b/bc/OWASP_Top_10_Proactive_Controls_V3.pdf
Storage and Analysis of Data Events
Event and log data can become very costly to archive and maintain depending on the volume of data being gathered. Carefully consider these issues as well as the business/regulatory requirements and responsibilities of the organizations when planning for event data preservation.
Preservation is defined by ISO 27037:2012 as the “process to maintain and safeguard the integrity and/or original condition of the potential digital evidence.”
Evidence preservation helps assure admissibility in a court of law. However, digital evidence is notoriously fragile and is easily changed or destroyed. Given that the backlog in many forensic laboratories ranges from six months to a year (and that the legal system might create further delays), potential digital evidence may spend a significant period of time in storage before it is analyzed or used in a legal proceeding. Storage requires strict access controls to protect the items from accidental or deliberate modification, as well as appropriate environment controls.
Please also note that certain regulations and standards require that event logging mechanisms be tamperproof in order to avoid the risk of faked event logs.
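As an added illustration of the log-integrity point made in the design list above and of the tamper-evidence requirement noted here (example code, not from the OWASP or ISO documents), the Python below chains each log entry to all earlier entries with an HMAC. Modifying, deleting or reordering any line invalidates every MAC after it, so a verifier on the central logging service can locate the first broken entry. The key, the genesis value and the sample entries are constructed for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo key. In a real deployment the key is held by the central
# log service or an HSM, never by the node whose log it protects.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"

# Fixed starting value for the chain (constructed).
GENESIS = "0" * 64


def chain_entry(key: bytes, prev_mac: str, entry: str) -> str:
    """MAC over (previous MAC, entry) so each line depends on all earlier lines."""
    msg = prev_mac.encode() + b"\n" + entry.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def write_chained_log(key: bytes, entries: list) -> list:
    """Return the log as a list of {"entry", "mac"} records starting at GENESIS."""
    prev = GENESIS
    log = []
    for entry in entries:
        mac = chain_entry(key, prev, entry)
        log.append({"entry": entry, "mac": mac})
        prev = mac
    return log


def verify_chained_log(key: bytes, log: list) -> Optional[int]:
    """Return the index of the first broken record, or None if the chain is intact."""
    prev = GENESIS
    for i, record in enumerate(log):
        expected = chain_entry(key, prev, record["entry"])
        # compare_digest avoids leaking the comparison result through timing.
        if not hmac.compare_digest(expected, record["mac"]):
            return i
        prev = record["mac"]
    return None


if __name__ == "__main__":
    # Constructed sample entries.
    log = write_chained_log(DEMO_KEY, ["login ok user=alice",
                                       "acl violation user=bob path=/admin",
                                       "logout user=alice"])
    print("intact:", verify_chained_log(DEMO_KEY, log))
    log[1]["entry"] = "login ok user=bob"      # attacker rewrites one line
    print("first bad record:", verify_chained_log(DEMO_KEY, log))
```

One caveat a practitioner should keep in mind: a chain like this detects changes inside the log but not removal of the newest records from the end, because the truncated log is still a valid prefix. That is why the most recent MAC (or the records themselves) should be forwarded promptly to the central, separately controlled logging service, as the design list recommends.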
The gathering, analysis, storage, and archiving of event and log data is not limited to the forensic investigative process, however. In all organizations, you will be called on to execute these activities on an ongoing basis for a variety of reasons during the normal flow of enterprise operations. Whether it is to examine a firewall log, to diagnose an application installation error, to validate access controls, to understand network traffic flows, or to manage resource consumption, the use of event data and logs is a standard practice.