Thursday, August 8, 2019

Audit Log Management (Log management)


Managing audit logs is usually a demanding job for information managers. Every security product, hardware or software, keeps its own kind of log. Do the events it records by default meet the organization's security objectives? When are the records reviewed, and by whom: do the network administrator, system administrator and database administrator each have to review different records? Do the countless records actually help prevent security incidents, and how should the logs be analyzed? All of these questions test how well an administrator manages logs. NIST SP 800-92, Guide to Computer Security Log Management, divides log management into several aspects. First, identify the organization's defensive and detective security mechanisms (Security Software) and understand the logs of each. Next, select which servers' operating systems (Operating System) need to be monitored. Finally, determine which application systems (Application System) need to be monitored; business systems and supporting systems have different monitoring requirements. Once the monitoring targets are confirmed, choose the events to record; Microsoft's Event Viewer defines a set of events recommended for collection. A strategy for building log management is given in the section Establish Logging Policies.

NIST SP 800-92 Guide to Computer Security Log Management
Summary
Security Software
  1. Antimalware Software
  2. Intrusion Detection and Intrusion Prevention Systems
  3. Remote Access Software
  4. Web Proxies
  5. Vulnerability Management Software
  6. Authentication Servers
  7. Routers
  8. Firewalls
  9. Network Quarantine Servers
Operating Systems
  1. System Events: operational actions such as shutting down the system or starting a service; failed events and the most significant successful events are logged; consider confidentiality, integrity and availability (CIA) when deciding what to record.
  2. Audit Records: recommended Microsoft Event Viewer audit policy settings
  Category             Subcategory                         Audit setting
  Account Logon        Credential Validation               Success and Failure
  Account Management   Security Group Management           Success
  Account Management   User Account Management             Success and Failure
  Account Management   Computer Account Management         Success and Failure
  Account Management   Other Account Management Events     Success and Failure
  Detailed Tracking    Process Creation                    Success
  Detailed Tracking    Process Termination                 Success
  Logon/Logoff         User / Device Claims                Not configured
  Logon/Logoff         IPsec Extended Mode                 Not configured
  Logon/Logoff         IPsec Quick Mode                    Not configured
  Logon/Logoff         Logon                               Success and Failure
  Logon/Logoff         Logoff                              Success
  Logon/Logoff         Other Logon/Logoff Events           Success and Failure
  Logon/Logoff         Special Logon                       Success and Failure
  Logon/Logoff         Account Lockout                     Success
  Object Access        Application Generated               Not configured
  Object Access        File Share                          Success
  Object Access        File System                         Not configured
  Object Access        Other Object Access Events          Not configured
  Object Access        Registry                            Not configured
  Object Access        Removable Storage                   Success
  Policy Change        Audit Policy Change                 Success and Failure
  Policy Change        MPSSVC Rule-Level Policy Change     Success and Failure
  Policy Change        Other Policy Change Events          Success and Failure
  Policy Change        Authentication Policy Change        Success and Failure
  Policy Change        Authorization Policy Change         Success and Failure
  Privilege Use        Sensitive Privilege Use             Not configured
  System               Security State Change               Success and Failure
  System               Security System Extension           Success and Failure
  System               System Integrity                    Success and Failure
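A drift check against the table above, added here as an example (it is not from the original post or from NIST SP 800-92). It assumes an elevated PowerShell session on an English-locale Windows host, because auditpol prints localized subcategory names, and it deliberately skips the rows marked "Not configured":

```powershell
# Added example, not from the original post or from NIST SP 800-92.
# Compares the local advanced audit policy with the recommended table
# and prints the auditpol commands needed to close any gap.
# Assumes an elevated PowerShell on an English-locale Windows host
# (auditpol prints localized names); "Not configured" rows are skipped.
$Recommended = [ordered]@{
    'Credential Validation'           = 'Success and Failure'
    'Security Group Management'       = 'Success'
    'User Account Management'         = 'Success and Failure'
    'Computer Account Management'     = 'Success and Failure'
    'Other Account Management Events' = 'Success and Failure'
    'Process Creation'                = 'Success'
    'Process Termination'             = 'Success'
    'Logon'                           = 'Success and Failure'
    'Logoff'                          = 'Success'
    'Other Logon/Logoff Events'       = 'Success and Failure'
    'Special Logon'                   = 'Success and Failure'
    'Account Lockout'                 = 'Success'
    'File Share'                      = 'Success'
    'Removable Storage'               = 'Success'
    'Audit Policy Change'             = 'Success and Failure'
    'MPSSVC Rule-Level Policy Change' = 'Success and Failure'
    'Other Policy Change Events'      = 'Success and Failure'
    'Authentication Policy Change'    = 'Success and Failure'
    'Authorization Policy Change'     = 'Success and Failure'
    'Security State Change'           = 'Success and Failure'
    'Security System Extension'       = 'Success and Failure'
    'System Integrity'                = 'Success and Failure'
}
# "auditpol /r" emits CSV with the columns Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting;
# Inclusion Setting holds the effective value ("No Auditing" when off).
$Current = @{}
auditpol /get /category:* /r | ConvertFrom-Csv | ForEach-Object {
    $Current[$_.Subcategory.Trim()] = $_.'Inclusion Setting'.Trim()
}
$Drift = foreach ($Sub in $Recommended.Keys) {
    $Want = $Recommended[$Sub]
    $Have = if ($Current.ContainsKey($Sub)) { $Current[$Sub] } else { 'No Auditing' }
    if ($Have -ne $Want) {
        # Derive the /success and /failure switches from the wanted setting.
        $Succ = if ($Want -like 'Success*') { 'enable' } else { 'disable' }
        $Fail = if ($Want -like '*Failure') { 'enable' } else { 'disable' }
        [pscustomobject]@{
            Subcategory = $Sub; Current = $Have; Recommended = $Want
            Fix = "auditpol /set /subcategory:`"$Sub`" /success:$Succ /failure:$Fail"
        }
    }
}
if ($Drift) { $Drift | Format-Table -AutoSize -Wrap } else { 'Local audit policy matches the recommended table.' }
```

Review the printed Fix commands before running them; the script only reports and never changes the policy itself.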


Applications
  1. Client requests and server responses
  2. Account information
  3. Usage information
  4. Significant operational actions
Usefulness of Logs
The Need for Log Management
The Challenges in Log Management
  Log Generation and Storage
    Many Log Sources
    Inconsistent Log Content
    Inconsistent Timestamps
    Inconsistent Log Formats
  Log Protection
  Log Analysis

Log Management Infrastructure
  Architecture
    Log Generation
    Log Analysis and Storage
    Log Monitoring

Establish Logging Policies (strategy for building log management)
Log generation (which logs to monitor)
  1. Which types of hosts must or should perform logging 
  2. Which host components must or should perform logging (e.g., OS, service, application)
  3. Which types of events each component must or should log (e.g., security events, network connections, authentication attempts)
  4. Which data characteristics must or should be logged for each type of event (e.g., username and source IP address for authentication attempts)
  5. How frequently each type of event must or should be logged (e.g., every occurrence, once for all instances in x minutes, once for every x instances, every instance after x instances)
Log transmission (how logs are delivered to the log server)
  1. Which types of hosts must or should transfer logs to a log management infrastructure
  2. Which types of entries and data characteristics must or should be transferred from individual hosts to a log management infrastructure
  3. How log data must or should be transferred (e.g., which protocols are permissible), including out-of-band methods where appropriate (e.g., for standalone systems)
  4. How frequently log data should be transferred from individual hosts to a log management infrastructure (e.g., real-time, every 5 minutes, every hour)
  5. How the confidentiality, integrity, and availability of each type of log data must or should be protected while in transit, including whether a separate logging network should be used
Log storage and disposal (log storage and rotation)
  1. How often logs should be rotated
  2. How the confidentiality, integrity, and availability of each type of log data must or should be protected while in storage (at both the system level and the infrastructure level)
  3. How long each type of log data must or should be preserved (at both the system level and the infrastructure level)
  4. How unneeded log data must or should be disposed of (at both the system level and the infrastructure level)
  5. How much log storage space must or should be available (at both the system level and the infrastructure level)
  6. How log preservation requests, such as a legal requirement to prevent the alteration and destruction of particular log records, must be handled (e.g., how the impacted logs must be marked, stored, and protected)
Log analysis
  1. How often each type of log data must or should be analyzed (at both the system level and the infrastructure level)
  2. Who must or should be able to access the log data (at both the system level and the infrastructure level), and how such accesses should be logged
  3. What must or should be done when suspicious activity or an anomaly is identified
  4. How the confidentiality, integrity, and availability of the results of log analysis (e.g., alerts, reports) must or should be protected while in storage (at both the system level and the infrastructure level) and in transit
  5. How inadvertent disclosures of sensitive information recorded in logs, such as passwords or the contents of e-mails, should be handled.

Commonly used log management tools
https://www.solarwinds.com/kiwi-syslog-server

How should the Windows audit policy be tuned for best results?
