The log cheat sheet presents a checklist for reviewing critical system, network and security logs when responding to a security incident. It can also be used for routine periodic log review. It was authored by Dr. Anton Chuvakin and Lenny Zeltser.
Copyright: Attribution Non-Commercial (BY-NC)
CRITICAL LOG REVIEW CHECKLIST FOR SECURITY INCIDENTS

This cheat sheet presents a checklist for reviewing critical logs when responding to a security incident. It can also be used for routine log review.

General Approach
1. Identify which log sources and automated tools you can use during the analysis.
2. Copy log records to a single location where you will be able to review them.
3. Minimize "noise" by removing routine, repetitive log entries from view after confirming that they are benign.
4. Determine whether you can rely on logs' time stamps; consider time zone differences.
5. Focus on recent changes, failures, errors, status changes, access and administration events, and other events unusual for your environment.
6. Go backwards in time from now to reconstruct actions after and before the incident.
7. Correlate activities across different logs to get a comprehensive picture.
8. Develop theories about what occurred; explore logs to confirm or disprove them.

Potential Security Log Sources
Server and workstation operating system logs
Application logs (e.g., web server, database server)
Security tool logs (e.g., anti-virus, change detection, intrusion detection/prevention system)
Outbound proxy logs and end-user application logs
Remember to consider other, non-log sources for security events.

Typical Log Locations
Linux OS and core applications: /var/log
Windows OS and core applications: Windows Event Log (Security, System, Application)
Network devices: usually logged via Syslog; some use proprietary locations and formats

What to Look for on Linux
Successful user login: "Accepted password", "Accepted publickey", "session opened"
Failed user login: "authentication failure", "failed password"
User log-off: "session closed"
User account change or deletion: "password changed", "new user", "delete user"
Sudo actions: "sudo: … COMMAND=…", "FAILED su"
Service failure: "failed" or "failure"

What to Look for on Windows
Event IDs are listed below for Windows 2000/XP. For Vista/7 security event IDs, add 4096 to the event ID.
Most of the events below are in the Security log; many are only logged on the domain controller.
User logon/logoff events: successful logon 528, 540; failed logon 529-537, 539; logoff 538, 551, etc.
User account changes: created 624; enabled 626; changed 642; disabled 629; deleted 630
Password changes: to self: 628; to others: 627
Service started or stopped: 7035, 7036, etc.
Object access denied (if auditing enabled): 560, 567, etc.

What to Look for on Network Devices
Look at both inbound and outbound activities.
Examples below show log excerpts from Cisco ASA logs; other devices have similar functionality.
Traffic allowed on firewall: "Built … connection", "access-list … permitted"
Traffic blocked on firewall: "access-list … denied", "deny inbound"; "Deny … by"
Bytes transferred (large files?): "Teardown TCP connection … duration … bytes …"
Bandwidth and protocol usage: "limit … exceeded", "CPU utilization"
Detected attack activity: "attack from"
User account changes: "user added", "user deleted", "User priv level changed"
Administrator access: "AAA user …", "User … locked out", "login failed"

What to Look for on Web Servers
Excessive access attempts to non-existent files
Code (SQL, HTML) seen as part of the URL
Access to extensions you have not implemented
Web service stopped/started/failed messages
Access to "risky" pages that accept user input
Look at logs on all servers in the load balancer pool
Error code 200 on files that are not yours
Failed user authentication: error code 401, 403
Invalid request: error code 400
Internal server error: error code 500

Other Resources
Windows event ID lookup: www.eventid.net
A listing of many Windows Security Log events: ultimatewindowssecurity.com/.../Default.aspx
Log analysis references: www.loganalysis.org
A list of open-source log analysis tools: securitywarriorconsulting.com/logtools
Anton Chuvakin's log management blog: securitywarriorconsulting.com/logmanagementblog
Other security incident response-related cheat sheets: zeltser.com/cheat-sheets

Authored by Anton Chuvakin (chuvakin.org) and Lenny Zeltser (zeltser.com). Reviewed by Anand Sastry. Distributed according to the Creative Commons v3 License "Attribution". Cheat sheet version 1.0.
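The following is an added example, not part of the cheat sheet, showing how the Linux and Cisco ASA indicator strings above can be turned into a first-pass triage filter (step 3, removing noise from view) and how the Windows 2000/XP to Vista/7 event ID rule is applied; the category names, regex translations of the "…" wildcards and the sample log lines are all constructed here.

```python
import re
from collections import Counter

# Indicator strings from the cheat sheet's "What to Look for" tables, written as
# case-insensitive regexes; each "…" in the sheet becomes ".*" here.
LINUX_INDICATORS = {
    "successful login": r"Accepted password|Accepted publickey|session opened",
    "failed login": r"authentication failure|failed password",
    "user log-off": r"session closed",
    "account change/deletion": r"password changed|new user|delete user",
    "sudo action": r"sudo: .*COMMAND=|FAILED su",
    "service failure": r"\bfail(ed|ure)\b",
}
ASA_INDICATORS = {
    "traffic allowed": r"Built .*connection|access-list .*permitted",
    "traffic blocked": r"access-list .*denied|deny inbound|Deny .*by",
    "bytes transferred": r"Teardown TCP connection .*duration .*bytes",
    "bandwidth/protocol usage": r"limit .*exceeded|CPU utilization",
    "detected attack": r"attack from",
    "account change": r"user added|user deleted|User priv level changed",
    "administrator access": r"AAA user |User .*locked out|login failed",
}

def classify(line, indicators):
    """Return the first cheat-sheet category whose pattern matches, else None."""
    for category, pattern in indicators.items():
        if re.search(pattern, line, re.IGNORECASE):
            return category
    return None

def triage(lines, indicators):
    """Count lines per category; lines matching nothing are left out of view."""
    return Counter(c for c in (classify(l, indicators) for l in lines) if c)

def vista_event_id(legacy_id):
    """Cheat-sheet rule: Vista/7 security event ID = Windows 2000/XP ID + 4096."""
    return legacy_id + 4096

# Constructed sample lines (not real captures) in the style of Linux auth logs
# and Cisco ASA syslog. The cron line shows benign noise that still matches
# "session opened" and should be confirmed benign before being filtered out.
SAMPLE_LINUX = [
    "sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "sshd[2231]: Failed password for invalid user admin from 10.0.0.9 port 40011 ssh2",
    "sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)",
]
SAMPLE_ASA = [
    "%ASA-6-302013: Built outbound TCP connection 1192 for outside:203.0.113.7/443 to inside:10.0.0.5/51044",
    "%ASA-4-106023: Deny tcp src outside:198.51.100.23/4433 dst inside:10.0.0.20/22 by access-group OUTSIDE_IN",
    "%ASA-6-302014: Teardown TCP connection 1192 for outside:203.0.113.7/443 to inside:10.0.0.5/51044 duration 0:02:11 bytes 48211021 TCP FINs",
    "%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : user = admin",
]
```

Running `triage(SAMPLE_LINUX, LINUX_INDICATORS)` and `triage(SAMPLE_ASA, ASA_INDICATORS)` gives the per-category counts to review first; anything unclassified is a candidate for the noise filter only after you have confirmed it is benign.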