Regulatory compliance and system logging

Second Edition

Publication date December 14, 2010

Abstract
The advantages of using the syslog-ng Store Box logserver appliance to collect, store, and manage system log (syslog) and eventlog messages for policy compliance.

Copyright © 2010 BalaBit IT Security Ltd.
Table of Contents
1. Preface (p. 3)
   1.1. Summary of contents (p. 3)
2. Introduction (p. 4)
   2.1. What is system logging (p. 4)
   2.2. Why is system logging important when dealing with policy compliance (p. 4)
   2.3. What syslog-ng and the syslog-ng Store Box are (p. 4)
   2.4. Problems to be solved by log management (p. 4)
3. Using the syslog-ng Store Box for policy compliance (p. 7)
   3.1. PCI-DSS compliance and logging (p. 7)
   3.2. COBIT 4.1 compliance and logging (p. 9)
4. HIPAA compliance and logging (p. 12)
5. Other important features (p. 13)
   5.1. Managing SSB (p. 13)
   5.2. Fine-tuned access control (p. 13)
   5.3. LDAP integration (p. 13)
   5.4. Real-time log monitoring and alerting (p. 13)
   5.5. Log collector agent for several platforms (p. 13)
   5.6. Agent for Microsoft Windows platforms (p. 14)
   5.7. Agent for IBM System i platforms (p. 14)
   5.8. Automatic data and configuration backups (p. 14)
   5.9. Automatic data archiving (p. 14)
   5.10. Ability to handle extreme load (p. 14)
6. Further information (p. 15)
   6.1. About BalaBit (p. 15)
 www.balabit.com                                                                                                                                      2
1. Preface
This paper discusses the advantages of using the syslog-ng Store Box to collect, store, and manage system log
(syslog) and eventlog messages in compliance with regulations like the Sarbanes-Oxley Act (SOX), the Health In-
surance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI-
DSS). The document is recommended for technical experts and decision makers working on implementing centralized
logging solutions, but anyone with basic networking knowledge can fully understand its contents. The procedures
and concepts described here are applicable to version 1.x of the syslog-ng Store Box (SSB).

1.1. Summary of contents
This paper is organized into the following sections:

Section 2, Introduction (p. 4) briefly describes what system logging is, and why it is an important part of policy com-
pliance.

Section 3, Using the syslog-ng Store Box for policy compliance (p. 7) is a detailed list of policy requirements, including the
requirements of the Payment Card Industry Data Security Standard (PCI-DSS) and COBIT 4.1, that you can address with the
syslog-ng Store Box and syslog-ng Premium Edition. Section 4, HIPAA compliance and logging (p. 12) does the same for the
Health Insurance Portability and Accountability Act (HIPAA).

Section 5, Other important features (p. 13) discusses further features of the syslog-ng Store Box that can come in handy
when you design and implement your system logging architecture.

Section 6, Further information (p. 15) contains a brief description of BalaBit IT Security and provides links where you
can find out more about syslog-ng Store Box, request an evaluation version, or find a reseller.

2. Introduction

2.1. What is system logging
Operating systems, applications, and network devices generate text messages of various events that happen to them:
a user logs in, a file is created, a network connection is opened to a remote host, and so on. These messages, called
log messages, are usually stored in a file on the local hard disk of the system. The aim of central system logging is
to collect the log messages to a single, central log server.

For a more detailed introduction to syslog architectures, see the Distributed syslog architectures with syslog-ng Premium
Edition whitepaper.

2.2. Why is system logging important when dealing with policy compliance
Log messages provide important information about the events of the network, the devices, and the applications
running on these devices. Log messages can be used to detect security incidents, operational problems, and other
issues like policy violations, and are useful in auditing and forensics situations. But collecting and analyzing log
messages is also required directly or indirectly by several regulations, including the Sarbanes-Oxley Act (SOX), the
Basel II Accord, the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data
Security Standard (PCI-DSS).

2.3. What syslog-ng and the syslog-ng Store Box are
The syslog-ng application is a system log collector and forwarder tool that can collect log messages from files and
other sources, and also receive the log messages sent by remote hosts. It also has powerful message-filtering and
message routing capabilities. The syslog-ng Store Box is a log server appliance built around syslog-ng, offering a
web-based configuration and log-browsing interface, encrypted and digitally signed log storage, and more.

2.4. Problems to be solved by log management
There are several problems and difficulties that have to be solved when creating a usable logging infrastructure.
The main problems to consider are summarized below, along with a brief description about how the syslog-ng
Premium Edition (PE) application can help you to overcome these problems.

         ■ Many different devices and applications running on a variety of operating systems. To start collecting log messages
           into a central log server, the logs must be retrieved somehow from the devices where the messages are
           generated. These devices (desktop computers, servers, networking devices like switches and routers,
           firewalls, and so on) usually use many different operating systems, all of which should send the logs
           to the central server. The problem with the variety of operating systems is that they use different logging
           solutions, with different configuration requirements and capabilities. To address this problem, syslog-
           ng can be installed on most common operating systems, including Linux, Solaris, HP-UX, BSD, and IBM
           AIX, and has dedicated agent applications to collect the logs from Microsoft Windows and IBM System
           i platforms. Using a single logging application vastly simplifies configuration and management,
           and ensures that advanced logging capabilities (like TLS-encrypted log transfer or disk-based buffering)
           are available on every device. If syslog-ng cannot be installed on a device for some reason (for example,
           it is running a pre-built firmware which cannot be modified), a local computer running syslog-ng can
           accept the syslog messages from such devices and relay them to the central log server.

      ■ Inconsistent timestamps and message format. Different log messages often use different timestamp formats to
        date the messages (for example, some timestamp formats do not contain year or timezone information),
        making it difficult to locate the messages later, and to properly see their place in the flow of events. With
        syslog-ng, it is possible to convert the timestamps to a single format (for example as specified in the
        ISO 8601 standard), and also to use the date when the syslog-ng Store Box has received the message
        from the application or the remote host, so the stored messages will contain accurate date information
        even if the clock of the remote host or the application is inaccurate. The syslog-ng application provides
        macros and powerful message-rewriting capabilities to reformat and normalize the messages in order
        to convert them to a common format to ensure that the order of the data fields in the message is con-
        sistent with other messages. Supporting the new IETF syslog protocol standard, syslog-ng and the syslog-
        ng Store Box make it easy to integrate all kinds of log messages and logging clients into a common
        framework.
      ■ Protecting the integrity and confidentiality of the messages during transmission. Log messages are important from
        the network-security point of view, but they may also contain sensitive information and private data like
        passwords, usernames, and so on. Therefore, it is important that they are protected against eavesdropping
        when they are transmitted over the network. It is also important to verify the identity of the communic-
        ating parties (that is, the host sending the message, and the central log server) to ensure that the message
        is received only by its intended target (the log server), and that the message received by the server was
        indeed sent by the client host. The integrity of the message must also be maintained so that no unauthor-
        ized modification of the message is possible. To address these issues, the syslog-ng PE application uses
        the Transport Layer Security (TLS) protocol to encrypt the communication with the syslog-ng Store Box
        log server. Both the syslog-ng client and the server can be authenticated using X.509 certificates.
      ■ Protecting the integrity and confidentiality of the messages stored on the log server. Log messages must be protected
        even after they arrive at the log server to prevent manipulation and unauthorized access. For this reason,
        the syslog-ng Store Box can store the log messages in encrypted and digitally signed log files. Encrypting
        the log files ensures that the log messages can be accessed only by authorized personnel who have the
        appropriate decryption key, while the digital signature prevents the unnoticed modification of the mes-
        sages. It is also possible to request timestamps from an external Timestamping Authority (TSA) to add
        further reliability to the date of the log messages.
      ■ Ensuring that no messages are lost. The syslog-ng PE application assigns a unique identifier to every message
        and ensures that you do not lose messages during network or system outages, because syslog-ng PE can
        store unsent messages on the local hard disk until the log server becomes available again. The syslog-ng
        PE application and SSB can also apply flow-control on the messages. Flow-control means that if the
        destination server or database becomes overloaded, syslog-ng PE and SSB can stop accepting messages
        from the sending applications or hosts. That way the senders are notified that there is a problem in the
        logging infrastructure and can act accordingly: for example, in an environment where policy compliance
        mandates all events to be logged, the applications may temporarily halt until the logging can be resumed,
        so there are no actions that are not logged. As an alternative to handle server downtime, syslog-ng PE
        can send the log messages to a backup log server if the primary server becomes unavailable. To avoid
        losing messages on the server side, the syslog-ng Store Box (SSB) appliances use hot-swappable hard
        disks in RAID configuration to protect against disk failures, and out-of-the-box high-availability support
        in failover cluster configurations. The nodes of the cluster use a common block-device subsystem that
        is automatically synchronized on-the-fly. In addition, SSB can periodically archive the received messages
        into a remote backup server.

      ■ Helping SIEM devices to analyze the log messages. Analyzing logs is an essential element of network security.
        While SSB is not a log analyzing appliance, it has a number of features, including message normalization,
        that can aid log-analyzing engines. The syslog-ng application has powerful message filtering and sorting
        capabilities that make it possible to ignore trivial or low-priority messages. Since message filtering can
        take place already on the clients, it can save a significant amount of bandwidth by dropping unimportant
        messages, and decrease the load on the SIEM device at the same time. Also, since the capacity of log
        analyzing applications is often limited, the syslog-ng Store Box can limit the number of messages sent
        per second. This has the benefit of flattening out message bursts and protecting the log-analyzing engine
        from becoming overloaded. Certain SIEM devices prefer to receive log messages from databases; SSB
        can send the log messages directly to a database, and supports most popular databases, including MSSQL,
        MySQL, Oracle, and PostgreSQL. An even more powerful capability of SSB and syslog-ng is the ability
        to classify messages in near real time, and apply artificial ignorance to the results. This allows you to
        create a pattern database of the log messages that normally appear in your log traffic, label them as
        normal, security-related, violation and so on, and then compare every incoming message to this database.
        That way messages labeled as important can instantly generate alerts if needed, and unknown messages,
        which may signal an event occurring for the first time on your network and thus be important, can be
        collected for review.
      ■ Storing the messages. Organizations often store log messages for a long time to be able to review security
        incidents that are not immediately discovered, and several regulations also require the logs to be available
        for several months or years. Storing the log messages becomes an issue especially if the volume of log
        traffic is very high (for example a few gigabytes of raw logs per hour). To reduce the amount of logs
        to be stored, the syslog-ng Store Box provides powerful message filtering and sorting capabilities: it can
        drop or separate unimportant messages, and organize messages into different files or databases based on
        their sending host, application, or content. It can also automatically compress and encrypt the log files,
        and periodically start a new file so that the older files can be archived and removed from the server. The
        SSB appliances have large internal hard disk space (up to 10 terabytes), and also offer the possibility to
        connect directly to your SAN solution via an iSCSI or Fibre Channel interface.
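As an added example (not part of the original paper, and not the configuration of the SSB appliance itself, which is done through its web interface), the following syslog-ng client configuration shows how the client-side controls listed above are expressed on a host that runs syslog-ng: the syslog() driver sends RFC 5424 messages, whose header already carries an ISO 8601 timestamp with timezone; transport is mutually authenticated TLS; unsent messages are spooled to disk while the server is unreachable; a secondary server is used when the primary is down; flow-control pauses the local sources instead of dropping messages; and a UDP source relays classic syslog from appliances that cannot run syslog-ng themselves. The syntax is that of current syslog-ng Open Source Edition (3.x); the host names, certificate paths, buffer sizes and the version line are assumptions to adapt to your environment, and some option names in the 2010 Premium Edition differ.

```conf
@version: 3.38
@include "scl.conf"

# Local sources. system() selects the right local log source for the
# platform (/dev/log, journald, ...); internal() carries syslog-ng's own
# messages, including the "configuration reloaded" event the paper relies
# on for change detection.
source s_local {
    system();
    internal();
};

# Devices that cannot run syslog-ng (firmware appliances, switches, access
# points) send RFC 3164 syslog over UDP/514 to this host, which relays it
# over the authenticated TLS connection below. Assumed: the relay host is
# on the same network segment as those devices.
source s_legacy_udp {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Central log server: RFC 5424 over TLS on 6514/TCP (RFC 5425).
# peer-verify(required-trusted) refuses a server certificate that is not
# signed by a CA in ca-dir(); the server must be configured the same way
# so that it refuses clients without a valid certificate.
destination d_logserver {
    syslog("logserver.example.internal"
        port(6514)
        transport("tls")
        tls(
            ca-dir("/etc/syslog-ng/ca.d")
            key-file("/etc/syslog-ng/cert.d/client.key")
            cert-file("/etc/syslog-ng/cert.d/client.crt")
            peer-verify(required-trusted)
        )
        # Spool to disk while the server is down. reliable(yes) keeps the
        # queue across a crash or restart of syslog-ng; 2 GiB of spool is an
        # assumed size, dimension it from your message rate times the
        # longest outage you must survive.
        disk-buffer(
            dir("/var/lib/syslog-ng/diskbuf")
            disk-buf-size(2147483648)
            mem-buf-size(16777216)
            reliable(yes)
        )
        # Secondary log server used while the primary is unreachable.
        failover-servers("logserver2.example.internal")
    );
};

# flow-control: when the destination's buffers are full, syslog-ng stops
# reading the local sources instead of discarding messages, so an
# application that must log every action blocks rather than runs unlogged.
log {
    source(s_local);
    destination(d_logserver);
    flags(flow-control);
};

# No flow-control here: a UDP sender cannot be paused, so messages that
# arrive faster than they can be forwarded are lost at the socket.
log {
    source(s_legacy_udp);
    destination(d_logserver);
};
```

The last log statement is the relay case from the first bullet above, and its missing flow-control is the reason the paper recommends installing syslog-ng on the device wherever possible: only a host running syslog-ng can be made to wait for the log server.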

3. Using the syslog-ng Store Box for policy compliance
Compliance is becoming more and more important in several fields – laws, regulations and industrial standards
mandate increasing security awareness and the protection of sensitive data. As a result, companies have to increase
the control over and the auditability of their business processes, and this makes thorough log management necessary
– especially since several regulations require the centralized collection of logs (including retaining logs for an extended
amount of time often spanning several years).

The syslog-ng Store Box logserver appliance and the syslog-ng Premium Edition log collector application give you
the tools you need to create a complete, reliable, and trusted log infrastructure to collect the log messages from the
clients to a central log server, ensuring the secure transmission and storage of the log messages from a wide variety
of operating systems.

3.1. PCI-DSS compliance and logging
The following table provides a detailed description of the requirements of the Payment Card Industry Data Security
Standard (PCI-DSS) relevant to log management and auditing. Other compliance regulations like the
Sarbanes-Oxley Act (SOX) or the Basel II Accord imply similar requirements.

PCI requirement 3. Protect stored cardholder data
    System logs may contain sensitive information such as personal identification numbers (PIN) and card validation
    codes. The syslog-ng Store Box protects these messages by storing them in an encrypted file instead of the plain
    text files commonly used to store log messages. It is also possible to rewrite messages and automatically remove
    sensitive cardholder data using the message-rewriting capabilities of syslog-ng.

PCI requirement 4. Encrypt transmission of cardholder data across open, public networks; 4.1 Use strong cryptography
and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) / secure shell (SSH)
    Transport Layer Security (TLS) can be used to encrypt the communication between the clients and the log server
    and to protect the integrity of the messages. Using TLS encryption also prevents third parties from reading or
    modifying the communication. The communication between the syslog-ng client and the SSB log server can be
    mutually authenticated using X.509 certificates to verify the identity of the communicating parties and prevent
    attackers from injecting fake messages into the log files.

PCI requirement 10.2 Implement automated audit trails for all system components.
    Log messages have an important role in reconstructing the events of an application, host, or network. The
    syslog-ng application aids this process by ensuring that the log messages arrive at the central log server
    without any unwanted modification. Messages are sent encrypted using TLS, which runs over TCP, so messages are
    not silently dropped in transit as they can be with UDP-based syslog. The disk-based buffering feature of
    syslog-ng PE buffers messages to the hard disk of the client, ensuring that no messages are lost even if the log
    server or the network connection becomes unavailable. The syslog-ng Store Box can organize the messages into
    audit trails based on the sending host and the application, and its web-based search interface makes it easy to
    browse the log messages and to execute targeted queries to review the log messages, or to find the details of
    an event.
    As for its own audit trails, SSB logs every change of its configuration, and can require the administrators to
    enter a changelog entry. These log messages are stored separately to make it easy to review and audit the
    changes. The administrators of SSB can be authenticated against an LDAP database (for example Microsoft Active
    Directory). SSB also receives automatic notifications from the syslog-ng Premium Edition log collector clients
    whenever the configuration of a client is modified.

PCI requirement 10.3 Record at least the following audit trail entries for all system components for each event:
10.3.1 User identification; 10.3.2 Type of event; 10.3.3 Date and time; 10.3.4 Success or failure indication;
10.3.5 Origination of event; 10.3.6 Identity or name of affected data, system component, or resource.
    The syslog-ng PE application can automatically add the following to log messages that omit this information:
        ■ date and time in various standard formats (for example ISO 8601), including timezone information
        ■ highly customizable date and time information using macros
        ■ the name of the client host that generated the message
        ■ the name of the application or facility that generated the message
    SSB automatically logs the required entries whenever an administrator modifies its configuration. The identity
    of the administrator can be verified against an LDAP database (for example Microsoft Active Directory). The IP
    address from which the administrator accessed SSB is also recorded.

PCI requirement 10.4 Using time-synchronization technology, synchronize all critical system clocks and times and
ensure that the following is implemented for acquiring, distributing, and storing time.
    The syslog-ng PE server can automatically add the date and time when it received the message, so the log
    messages contain accurate time information even if the clock of the client host or the application is
    mistimed. Naturally, SSB itself can synchronize its system clock to NTP servers.

PCI requirement 10.5 Secure audit trails so they cannot be altered.
    All log messages can be encrypted using public-key encryption on the central log server in a so-called logstore
    file. The syslog-ng application can also request timestamps for the stored data from an external Timestamping
    Authority (TSA) to include reliable dates in the log files.

PCI requirement 10.5.1 Limit viewing of audit trails to those with a job-related need.
    SSB has detailed privilege-management capabilities to grant access to a set of log messages only to those who
    need it. Encrypted log messages can be viewed only if the user has the corresponding decryption key.

PCI requirement 10.5.2 Protect audit trail files from unauthorized modifications
    The syslog-ng Store Box (SSB) log server can store the log messages in encrypted logstore files, and log
    messages are also digitally signed to prevent modifications. The integrity of the messages is also checked when
    they are transmitted from the clients to the log server. The communication between the syslog-ng clients and
    SSB can be mutually authenticated using X.509 certificates to prevent log-injection attacks.

PCI requirement 10.5.3 Promptly back-up audit trail files to a centralized log server or media that is difficult
to alter.
    The SSB appliance was created exactly for this purpose: it is a log server that can receive the log messages
    from reliable sources and store them in encrypted, digitally signed and timestamped log files to prevent
    modifications.
    To ensure that no log messages are lost, SSB can receive messages over the reliable TCP networking protocol. To
    prevent third parties from gaining access to or modifying the messages on the network, the clients can send
    the messages over a mutually authenticated, TLS-encrypted connection as well.
    To guarantee that the log server is continuously available, SSB appliances can be set up in a high availability
    cluster, where the backup log server goes online in case the primary server becomes unavailable. To minimize
    the risk of losing messages, the units of the SSB cluster use a common disk subsystem.
    SSB can receive log messages from any client application that uses the standard syslog protocols (RFC 3164, or
    RFC 5424 with the RFC 5425 and RFC 5426 transports), but it is recommended to use the syslog-ng Premium Edition
    log collector application whenever possible. During network outages, syslog-ng PE buffers the messages to the
    hard disk, and sends the messages when the server becomes available. Depending on the volume of the log traffic
    and the available disk space on the host, your messages are safe even in case of very long network downtime.

PCI requirement 10.5.4 Copy logs for wireless networks onto a log server on the internal LAN.
    The syslog-ng PE application can relay log messages received from wireless devices and transfer them to the
    central log server.

PCI requirement 10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing
log data cannot be changed without generating alerts (although new data being added should not cause an alert).
    Using TLS encryption between the clients and the log server ensures that the log messages are not modified on
    the network. On the log server, syslog-ng can store messages in special encrypted and digitally signed log files
    to prevent modifications. Timestamps for the stored data can also be requested from an external Timestamping
    Authority (TSA). When its configuration is changed, the syslog-ng PE application automatically sends a log
    message to simplify the auditing of your logging infrastructure.

PCI requirement 10.7 Retain audit trail history for at least one year, with a minimum of three months online
availability.
    When stored in the logstore of SSB, log messages can be compressed to save disk space. Messages archived to a
    remote server remain available in the SSB web interface as long as the archive server is online.
    SSB has large internal hard disks, but can also directly connect to external SAN systems.

                                                                                     Table 1. PCI-DSS compliance and logging
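As an added example rather than text from the paper, here is the server side of the same picture for an organization that runs a self-managed syslog-ng log server instead of the SSB appliance. It implements, in syslog-ng Open Source Edition syntax, the requirements from the table that have an open-source counterpart: client certificates are verified before a message is accepted (requirements 4.1 and 10.5.2), card numbers are masked before anything reaches disk (requirement 3), every stored line carries both the received and the sender's ISO 8601 timestamp (requirements 10.3 and 10.4), audit trails are split per host and application (requirement 10.2), and a pattern database classifies messages so that unknown and violation-class events land in a review file (the artificial ignorance described in Section 2.4). The pattern database file, the paths, the regular expression and the version line are assumptions. SSB's encrypted and signed logstore and its TSA timestamping have no open-source equivalent, so the files written here must be protected by file permissions and an external integrity monitor instead (requirements 10.5 and 10.5.5).

```conf
@version: 3.38

# Accept RFC 5424 over TLS on 6514/TCP. peer-verify(required-trusted)
# rejects any client whose certificate is not signed by a CA in ca-dir(),
# so an attacker without a valid client certificate cannot inject
# messages into the audit trail.
source s_tls {
    syslog(
        ip("0.0.0.0") port(6514) transport("tls")
        tls(
            ca-dir("/etc/syslog-ng/ca.d")
            key-file("/etc/syslog-ng/cert.d/server.key")
            cert-file("/etc/syslog-ng/cert.d/server.crt")
            peer-verify(required-trusted)
        )
    );
};

# PCI-DSS requirement 3: remove cardholder data before it is stored.
# Matches runs of 13 to 19 digits, optionally separated by single spaces
# or dashes. Deliberately broad: a false positive only hides a number,
# a miss leaks a PAN into every copy and backup of the log.
rewrite r_mask_pan {
    subst("\\b(?:[0-9][ -]?){12,18}[0-9]\\b", "[PAN-REDACTED]",
          value("MESSAGE"), type("pcre"), flags(global));
};

# Classification (artificial ignorance). patterndb.xml is assumed to
# exist and to set ${.classifier.class} to "system", "security",
# "violation", and so on; messages matching no rule stay "unknown".
parser p_classify {
    db-parser(file("/etc/syslog-ng/patterndb.xml"));
};
filter f_unknown   { "${.classifier.class}" eq "unknown" };
filter f_violation { "${.classifier.class}" eq "violation" };

# Timestamp normalization. ${R_ISODATE} is when this server received the
# message, ${S_ISODATE} is what the sender claimed, both ISO 8601 with
# timezone. Keeping both makes clock skew on a client visible in review.
template t_store {
    template("${R_ISODATE} sent=${S_ISODATE} ${HOST} ${PROGRAM}[${PID}] class=${.classifier.class} ${MESSAGE}\n");
};

# One audit trail per host and program, a new file each day (from the
# received date), readable only by the owner and the reviewer group.
destination d_audit_trail {
    file("/var/log/central/${HOST}/${PROGRAM}/${R_YEAR}-${R_MONTH}-${R_DAY}.log"
         create-dirs(yes) perm(0640) dir-perm(0750)
         template(t_store));
};

# Unknown and violation-class messages are copied to a review file that a
# SIEM or an on-call alert reads.
destination d_review {
    file("/var/log/central/review/${R_YEAR}-${R_MONTH}-${R_DAY}.log"
         create-dirs(yes) perm(0640) dir-perm(0750)
         template(t_store));
};

# Order matters: masking runs before classification and before any
# destination, so neither the pattern database nor a file sees a PAN.
log {
    source(s_tls);
    rewrite(r_mask_pan);
    parser(p_classify);
    destination(d_audit_trail);
    log { filter(f_unknown);   destination(d_review); };
    log { filter(f_violation); destination(d_review); };
    flags(flow-control);
};
```

Two practitioner notes. First, the masking rule is a stored-data control only; the PAN still crosses the network to this server, which is why requirement 4 (TLS on the wire) and the client-side rewrite the table mentions are the stronger place to do it. Second, flow-control on a TLS source pauses the TCP connection when the files cannot keep up, so a client configured as in the earlier client example spools to its own disk instead of losing the message.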


3.2. COBIT 4.1 compliance and logging
Although the compliance of logging infrastructures with COBIT is seldom required by authorities, COBIT compliance
is still important, as there are certain regulations (such as the Sarbanes-Oxley Act, or the Basel II Accord) that do
not specify exact technical requirements, and compliance with these regulations is often achieved by adopting a well-
established framework like COBIT.

The following table discusses some sample control objectives of the Control Objectives for Information and related
Technology (COBIT) 4.1, how they affect the logging infrastructure of organizations, and how syslog-ng
PE can be used to address these requirements. Please note that this list is by no means exhaustive, and other objectives
may have further requirements on the logging infrastructure and log management.

AI6 Manage Changes
    Control objective: Changes (including those to procedures, processes, system and service parameters) are
    logged, assessed and authorized prior to implementation and reviewed against planned outcomes following
    implementation.

    How the syslog-ng Store Box supports it: The syslog-ng Store Box can organize the messages into audit trails
    based on the sending host and the application, and its web-based search interface makes it easy to browse the
    log messages and to execute targeted queries to review the log messages, or to find the details of an event.

    As for its own audit trails, SSB logs every change of its configuration, and can require the administrators
    to enter a changelog entry. These log messages are stored separately to make it easy to review and audit the
    changes. The administrators of SSB can be authenticated against an LDAP database (for example Microsoft
    Active Directory).

DS9.3 Configuration Integrity Review
    Control objective: Periodically review the configuration data to verify and confirm the integrity of the
    current and historical configuration.

    How the syslog-ng Store Box supports it: The syslog-ng PE application automatically detects if its
    configuration is changed, and sends a log message to SSB. That way it is easy to recognize any changes to the
    logging infrastructure, and to detect unauthorized changes.

    To support configuration reviews, SSB has an auditor role that allows only the browsing of its configuration,
    without any access to the collected log messages.

DS5.11 Exchange of Sensitive Data
    Control objective: Exchange sensitive transaction data only over a trusted path or medium with controls to
    provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.

    How the syslog-ng Store Box supports it: Transport layer security (TLS) can be used to encrypt the
    communication between the clients and the SSB log server and to protect the integrity of the messages. Using
    TLS encryption also prevents third parties from accessing or modifying the communication. The communication
    between the client and the server can be mutually authenticated using X.509 certificates to verify the
    identity of the communicating parties and prevent attackers from injecting fake messages into the log files,
    and also from obtaining syslog data. The use of the TCP networking protocol, disk-based buffering, and the
    ability to send the messages to a backup server in case the primary log server becomes unavailable ensure
    that the log server indeed receives the sent messages.

    SSB can store the received log messages in encrypted, digitally signed and timestamped files to prevent
    modifications to the messages after they have been received. The timestamps can be obtained from an external
    Timestamping Authority (TSA) as well.

DS13.3 IT Infrastructure Monitoring
    Control objective: Define and implement procedures to monitor the IT infrastructure and related events. Ensure
    that sufficient chronological information is being stored in operations logs to enable the reconstruction,
    review and examination of the time sequences of operations and the other activities surrounding or supporting
    operations.

    How the syslog-ng Store Box supports it: The syslog-ng PE log collector application was created exactly for
    this purpose: to transfer the log messages generated on the host to the central log server, where they can be
    stored in encrypted and digitally signed log files to prevent modifications.

    SSB has a powerful log classification engine that can classify thousands of messages per second, and raise
    alerts for certain message types. It can also use the principles of artificial ignorance to detect unknown
    messages that may require attention or further investigation.

    To help the review of time sequences and events, SSB has a web-based search interface. SSB also stores the
    timestamp when a particular message was received: that way the time information of the message and the flow
    of the event is accurate even if the clock of the sending client is inaccurate.

PO2.4 Integrity Management
    Control objective: Define and implement procedures to ensure the integrity and consistency of all data stored
    in electronic form, such as databases, data warehouses and data archives.

    How the syslog-ng Store Box supports it: Using TLS encryption between the clients and the log server ensures
    that the log messages are not modified on the network. On the log server, syslog-ng can store messages in
    special encrypted and digitally signed log files to prevent modifications. It is also possible to store one
    copy of the messages digitally signed and encrypted in the logstore, and another copy in a database (syslog-ng
    can directly send messages into Oracle, MySQL, and other databases); the database can be used for everyday
    log processing, analyzing, and reporting purposes, and the messages can be compared to the copies stored in
    the logstore to detect any unwanted changes.

Table 2. COBIT 4.1 compliance and logging

4. HIPAA compliance and logging
The Health Insurance Portability and Accountability Act (HIPAA) has few direct requirements about logging, but
it requires the protection and encryption of sensitive information as it is transmitted over the network and stored
on a computer. As log messages may contain such information, the logging infrastructure must comply with these
requirements as well.

The following table discusses some sample requirements of HIPAA, how they affect the logging infrastructure of
organizations, and how syslog-ng PE and the syslog-ng Store Box can address these requirements. Please note that
this list is by no means exhaustive, and other requirements may be applicable to the logging infrastructure and log
management.

164.312(e)(1) Transmission Security
    Security Rule requirement: Implement technical security measures to guard against unauthorized access to
    electronic protected health information that is being transmitted over an electronic communications network.

    How the syslog-ng Store Box supports it: Transport layer security (TLS) can be used to encrypt the
    communication between the clients and the syslog-ng Store Box (SSB) log server and to protect the integrity of
    the messages. Using TLS encryption also prevents third parties from accessing or modifying the communication.
    The communication between the client and the server can be mutually authenticated using X.509 certificates to
    verify the identity of the communicating parties and prevent attackers from injecting fake messages into the
    log files, and also from obtaining syslog data. The use of the TCP networking protocol, disk-based buffering,
    and the ability to send the messages to a backup server in case the primary log server becomes unavailable
    ensure that the log server indeed receives the sent messages.

164.312(e)(2)(i) Integrity Controls (A)
    Security Rule requirement: Implement security measures to ensure that electronically transmitted electronic
    protected health information is not improperly modified without detection until disposed of.

    How the syslog-ng Store Box supports it: Using TLS encryption between the clients and the log server ensures
    that the log messages are not modified on the network. SSB can store messages in special encrypted and
    digitally signed log files to prevent modifications. It is also possible to store one copy of the messages
    digitally signed and encrypted in the logstore, and another copy in a database (SSB can directly send messages
    into Oracle, MySQL, and other databases); the database can be used for everyday log processing, analyzing, and
    reporting purposes, and the messages can be compared to the copies stored in the logstore to detect any
    unwanted changes.

164.312(e)(2)(ii) Encryption (A)
    Security Rule requirement: Implement a mechanism to encrypt electronic protected health information whenever
    deemed appropriate.

    How the syslog-ng Store Box supports it: The syslog-ng PE log collector application can encrypt log messages
    while they are transferred from their origin to the SSB log server, and SSB can store them in an encrypted,
    digitally signed format. Timestamps for the stored data can also be requested from an external Timestamping
    Authority (TSA).

Table 3. HIPAA compliance and logging
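The integrity controls described for PO2.4 in Table 2 and for 164.312(e)(2)(i) in Table 3, modelled as an added example that is not SSB's code or file format: each stored record carries the server-side receive timestamp and is chained to the previous one and sealed, so editing or deleting a record is detected, and the working copy kept in a database is compared against the sealed copy. An HMAC stands in for the appliance's digital signature, and the key, messages and timestamps are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first record


def _canonical(body: dict) -> bytes:
    # Deterministic serialisation so the seal covers exactly the stored fields.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class SealedLogStore:
    """Append-only logstore model: every record carries the server-side receive
    time, the seal of the previous record (hash chain) and its own seal.
    HMAC-SHA256 stands in for the digital signature the appliance applies;
    the key is a constructed demo value, not a product key."""

    FIELDS = ("seq", "received_at", "message", "prev")

    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def _seal(self, body: dict) -> str:
        return hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()

    def append(self, message: str, received_at: str = None) -> dict:
        # The receive time is taken on the server, so it stays meaningful even
        # when the sending client's clock is wrong.
        if received_at is None:
            received_at = datetime.now(timezone.utc).isoformat()
        prev = self.records[-1]["seal"] if self.records else GENESIS
        body = {"seq": len(self.records), "received_at": received_at,
                "message": message, "prev": prev}
        rec = dict(body, seal=self._seal(body))
        self.records.append(rec)
        return rec

    def verify(self):
        """Return (True, None) if every record is intact and correctly chained,
        else (False, index of the first bad record). Editing or deleting a
        record in the middle breaks the chain at that position; silently
        dropping the *last* records is only caught by an external anchor such
        as a TSA timestamp, which is outside this model."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.get("seq") != i or rec.get("prev") != prev:
                return False, i
            body = {k: rec[k] for k in self.FIELDS}
            if not hmac.compare_digest(self._seal(body), rec["seal"]):
                return False, i
            prev = rec["seal"]
        return True, None


def diff_copies(sealed_records, db_rows: dict) -> list:
    """Compare the working copy in a database ({seq: message}) against the
    sealed logstore copy; return the seqs that are missing or differ."""
    return [r["seq"] for r in sealed_records
            if db_rows.get(r["seq"]) != r["message"]]


# Constructed sample messages (not real log data).
SAMPLE = [
    "sshd[2201]: Accepted publickey for alice from 10.0.0.7 port 51022 ssh2",
    "sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/service postfix restart",
    "postfix/smtp[3310]: 4F2A1: to=<bob@example.org>, relay=mx.example.org, status=sent",
]


def demo(key: bytes = b"constructed-demo-key") -> dict:
    store = SealedLogStore(key)
    for n, msg in enumerate(SAMPLE):
        store.append(msg, received_at=f"2010-12-14T10:00:0{n}+00:00")
    result = {"intact": store.verify()}

    # 1. The database copy is edited; comparing with the sealed copy shows which record differs.
    db = {r["seq"]: r["message"] for r in store.records}
    db[1] = db[1].replace("alice", "mallory")
    result["db_diff"] = diff_copies(store.records, db)

    # 2. A record inside the sealed copy is edited: its seal no longer matches.
    edited = SealedLogStore(key)
    edited.records = [dict(r) for r in store.records]
    edited.records[1]["message"] += " (edited)"
    result["edited"] = edited.verify()

    # 3. A record is deleted from the middle: the chain breaks at that position.
    deleted = SealedLogStore(key)
    deleted.records = [dict(r) for r in store.records if r["seq"] != 1]
    result["deleted"] = deleted.verify()
    return result


if __name__ == "__main__":
    print(demo())
```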

5. Other important features
This section highlights some of the features of the syslog-ng Store Box (SSB) that were not discussed in detail so
far, but are useful to know about.

5.1. Managing SSB
SSB is configured from a clean, intuitive web interface. The roles of each SSB administrator can be clearly defined
using a set of privileges, such as manage SSB as a host; manage log collection, forwarding and storage; configure
various alerts; browse the collected logs and reports.

The web interface is accessible via a network interface dedicated to the management traffic. This management in-
terface is also used for backups, sending alerts, and other administrative traffic. All configuration changes are
automatically logged, simplifying the auditing of SSB.

5.2. Fine-tuned access control
The SSB web interface features highly customizable access control. Using this together with the powerful message-
sorting capabilities of syslog-ng, you can exactly specify which log messages a user has access to. For example, it is
possible to grant access only to the logs of a specific application to the support engineer of that application – it is
even possible to narrow the time frame of the data only to the relevant period.

5.3. LDAP integration
SSB can connect to a remote LDAP database (for example a Microsoft Active Directory server) to resolve group
memberships of the users who access the SSB web interface. Privileges to configure SSB or browse different logs
can be defined based on group memberships.

5.4. Real-time log monitoring and alerting
Even though SSB is not a log analyzing engine, it is able to classify individual log messages using artificial ignorance,
much like the popular logcheck application of the Unix world. SSB comes with a built-in database of log message
patterns that are considered “normal”. Messages matching these patterns are produced during the legitimate use
of the applications (for example sendmail, Postfix, MySQL, and so on), and are unimportant from the log monitoring
perspective, while the remaining messages may contain something “interesting”. The administrators can define log
patterns on the SSB interface, label matching messages (for example security event, and so on) and request alerts
if a specific pattern is encountered. For thorough log analysis, SSB can also forward the incoming log messages to
external log analyzing engines.
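The artificial-ignorance classification described above, as an added example that is not SSB's engine or its pattern database: a small set of "normal" patterns marks messages as known (optionally labelled and alerting), and every unmatched message is reported as unknown for review. Pattern names, labels and the sample syslog lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Pattern:
    name: str
    regex: re.Pattern
    label: Optional[str] = None   # tag attached to matching messages, e.g. "security event"
    alert: bool = False           # raise an alert when this pattern matches


@dataclass
class Verdict:
    message: str
    matched: Optional[str]        # name of the matching pattern; None = unknown
    label: Optional[str]
    alert: bool


# Constructed pattern database playing the role of the built-in "normal"
# patterns plus two administrator-defined ones; not SSB's real database.
PATTERNS: List[Pattern] = [
    Pattern("cron.session",
            re.compile(r"CRON\[\d+\]: pam_unix\(cron:session\): session (opened|closed) for user \w+")),
    Pattern("postfix.sent",
            re.compile(r"postfix/smtp\[\d+\]: [0-9A-F]+: to=<[^>]+>, .*status=sent")),
    Pattern("sshd.accepted",
            re.compile(r"sshd\[\d+\]: Accepted (publickey|password) for \w+ from [\d.]+"),
            label="auth"),
    Pattern("sshd.failed",
            re.compile(r"sshd\[\d+\]: Failed password for (invalid user )?\w+ from [\d.]+"),
            label="security event", alert=True),
]


def classify(message: str, patterns=PATTERNS) -> Verdict:
    """First matching pattern wins; a message no pattern knows is, by artificial
    ignorance, the one that deserves a human's attention."""
    for p in patterns:
        if p.regex.search(message):
            return Verdict(message, p.name, p.label, p.alert)
    return Verdict(message, None, None, False)


def triage(lines, patterns=PATTERNS):
    """Classify a batch of syslog lines. Returns (unknown, alerts, counts):
    unknown - lines no pattern matched (to be reviewed, and turned into new
              patterns once understood);
    alerts  - verdicts whose pattern is marked alert=True;
    counts  - how often each known pattern fired (for noise review)."""
    unknown, alerts, counts = [], [], {}
    for line in lines:
        v = classify(line, patterns)
        if v.matched is None:
            unknown.append(line)
            continue
        counts[v.matched] = counts.get(v.matched, 0) + 1
        if v.alert:
            alerts.append(v)
    return unknown, alerts, counts


# Constructed sample lines (BSD syslog style); not real log data.
SAMPLE_LINES = [
    "Dec 14 10:00:01 web1 CRON[4120]: pam_unix(cron:session): session opened for user root",
    "Dec 14 10:00:02 web1 CRON[4120]: pam_unix(cron:session): session closed for user root",
    "Dec 14 10:00:05 mail1 postfix/smtp[3310]: 4F2A1: to=<bob@example.org>, relay=mx.example.org, status=sent",
    "Dec 14 10:00:07 web1 sshd[2201]: Accepted publickey for alice from 10.0.0.7 port 51022 ssh2",
    "Dec 14 10:00:09 web1 sshd[2240]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2",
    "Dec 14 10:00:11 web1 kernel: Out of memory: Kill process 4242 (java) score 812 or sacrifice child",
]


if __name__ == "__main__":
    unknown, alerts, counts = triage(SAMPLE_LINES)
    for line in unknown:
        print("UNKNOWN:", line)
    for v in alerts:
        print(f"ALERT [{v.label}]:", v.message)
    print("counts:", counts)
```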

5.5. Log collector agent for several platforms
SSB uses the syslog-ng Premium Edition application to collect logs from different operating systems and hardware
platforms, including Linux, Unix, BSD, Sun Solaris, HP-UX, IBM AIX, IBM System i, as well as Microsoft Windows
XP, Server 2003, Vista, and Server 2008.

5.6. Agent for Microsoft Windows platforms
The syslog-ng Agent for Windows is a log collector and forwarder application for Microsoft Windows platforms,
including Windows Vista and Windows Server 2008. It collects the log messages from eventlog groups and log files
and forwards them to a syslog-ng server using regular or TLS-encrypted TCP connections. The syslog-ng Agent
can be managed from a domain controller using group policies, or run as a standalone application.

5.7. Agent for IBM System i platforms
The syslog-ng agent for IBM System i is a system log collector and forwarder application for the IBM System i
(formerly known as AS/400 and IBM iSeries) platform. It collects application and system messages, as well as
messages from the System i security audit journal (QAUDJRN) and the operator message queue (QSYSOPR). The
collected messages are forwarded to a syslog-ng server using regular or TLS-encrypted TCP connections. The syslog-
ng server can run on a separate machine, or directly on IBM System i in the Portable Application Solutions Envir-
onment (PASE). The syslog-ng Agent for IBM System i is available as a standalone product and must be licensed
independently from syslog-ng Store Box.

5.8. Automatic data and configuration backups
The recorded log messages and the configuration of SSB can be periodically transferred to a remote server using
the following protocols:

        ■ Network File System protocol (NFS);
        ■ Rsync over SSH;
        ■ Server Message Block protocol (SMB/CIFS).
The latest backup – including the data backup – can be easily restored via SSB's web interface.

5.9. Automatic data archiving
SSB's configuration and the recorded log messages are automatically archived to a remote server. The data on the
remote server remains accessible and searchable; several terabytes of audit trails can be accessed from the SSB web
interface. SSB uses the remote server as a network drive via the Network File System (NFS) or the Server Message
Block (SMB/CIFS) protocol.

5.10. Ability to handle extreme load
The syslog-ng Store Box is optimized for performance, and can handle enormous amounts of messages. Depending
on its exact configuration, it can process over 75,000 messages per second in real time, meaning over 24 GB of raw
logs per hour, and index and classify over 30,000 messages per second. Larger versions of the appliance (SSB5000
and SSB10000) include their own storage solutions capable of storing up to 10 Terabytes of data.

6. Further information

6.1. About BalaBit
BalaBit IT Security Ltd. is a developer of network security solutions satisfying the highest standards. BalaBit was
founded and is currently owned by Hungarian individuals. Its main products are the syslog-ng system logging software,
which is the most widely used alternative syslog solution in the world; the syslog-ng Store Box logserver appliance;
Zorp, a modular proxy gateway capable of inspecting over twenty protocols, including encrypted ones like SSL and
SSH; and the Shell Control Box, an appliance that can transparently control, audit, and replay SSH, RDP, VNC, and
Telnet traffic.

To learn more about commercial and open source BalaBit products, request an evaluation version, or find a reseller,
visit the following links:

        ■ The syslog-ng homepage
        ■ Shell Control Box homepage
        ■ syslog-ng Store Box (SSB) homepage
        ■ Product manuals, guides, and other documentation
        ■ Register and request an evaluation version
        ■ Find a reseller




               All questions, comments or inquiries should be directed to <info@balabit.com> or by post to the following address: BalaBit IT Security 1115 Budapest,
               Bártfai str. 54 Phone: +36 1 3710540 Fax: +36 1 2080875 Web: http://www.balabit.com/

               Copyright © 2010 BalaBit IT Security Ltd. Some rights reserved. This document is published under the Creative Commons Attribution Noncommercial
               No Derivative Works (by-nc-nd) 3.0 license. All other product names mentioned herein are the trademarks of their respective owners.

               The latest version is always available at the BalaBit Documentation Page.




 www.balabit.com                                                                                                                                               15

Más contenido relacionado

Similar a Regulatory compliance and system logging

Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Report: Study and Implementation of Advance Intrusion Detection and Preventio...Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Report: Study and Implementation of Advance Intrusion Detection and Preventio...Deepak Mishra
 
Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSahithi Naraparaju
 
Bit taka bangladeshi country owned crypto currency
Bit taka bangladeshi country owned crypto currencyBit taka bangladeshi country owned crypto currency
Bit taka bangladeshi country owned crypto currencyMohammad Salehin
 
Transaction Processing System
Transaction Processing SystemTransaction Processing System
Transaction Processing SystemAbdul Aslam
 
Scality RING Security White Paper
Scality RING Security White PaperScality RING Security White Paper
Scality RING Security White PaperPhillip Tribble
 
From Password Reset to Authentication Management
From Password Reset to Authentication ManagementFrom Password Reset to Authentication Management
From Password Reset to Authentication ManagementHitachi ID Systems, Inc.
 
Analyzing The Audit Statement Provided By The Information...
Analyzing The Audit Statement Provided By The Information...Analyzing The Audit Statement Provided By The Information...
Analyzing The Audit Statement Provided By The Information...April Charlton
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log managementBrian Honan
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner David Sweigert
 
Integrating ibm tivoli workload scheduler and content manager on demand to pr...
Integrating ibm tivoli workload scheduler and content manager on demand to pr...Integrating ibm tivoli workload scheduler and content manager on demand to pr...
Integrating ibm tivoli workload scheduler and content manager on demand to pr...Banking at Ho Chi Minh city
 
Integrating ibm tivoli workload scheduler and content manager on demand to pr...
Integrating ibm tivoli workload scheduler and content manager on demand to pr...Integrating ibm tivoli workload scheduler and content manager on demand to pr...
Integrating ibm tivoli workload scheduler and content manager on demand to pr...Banking at Ho Chi Minh city
 
A Study Of Real-Time Embedded Software Systems And Real-Time Operating Systems
A Study Of Real-Time Embedded Software Systems And Real-Time Operating SystemsA Study Of Real-Time Embedded Software Systems And Real-Time Operating Systems
A Study Of Real-Time Embedded Software Systems And Real-Time Operating SystemsRick Vogel
 
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docxREAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docxdanas19
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)David Sweigert
 
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docxREAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docxcatheryncouper
 
Ibm tivoli web access for information management sg246823
Ibm tivoli web access for information management sg246823Ibm tivoli web access for information management sg246823
Ibm tivoli web access for information management sg246823Banking at Ho Chi Minh city
 
Fsrm step bystep_r2
Fsrm step bystep_r2Fsrm step bystep_r2
Fsrm step bystep_r2marathonit
 

Similar a Regulatory compliance and system logging (20)

Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Report: Study and Implementation of Advance Intrusion Detection and Preventio...Report: Study and Implementation of Advance Intrusion Detection and Preventio...
Report: Study and Implementation of Advance Intrusion Detection and Preventio...
 
Srs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemesSrs document for identity based secure distributed data storage schemes
Srs document for identity based secure distributed data storage schemes
 
Bit taka bangladeshi country owned crypto currency
Bit taka bangladeshi country owned crypto currencyBit taka bangladeshi country owned crypto currency
Bit taka bangladeshi country owned crypto currency
 
Transaction Processing System
Transaction Processing SystemTransaction Processing System
Transaction Processing System
 
Scality RING Security White Paper
Scality RING Security White PaperScality RING Security White Paper
Scality RING Security White Paper
 
0045cbf22d80b68f
0045cbf22d80b68f0045cbf22d80b68f
0045cbf22d80b68f
 
From Password Reset to Authentication Management
From Password Reset to Authentication ManagementFrom Password Reset to Authentication Management
From Password Reset to Authentication Management
 
Analyzing The Audit Statement Provided By The Information...
Analyzing The Audit Statement Provided By The Information...Analyzing The Audit Statement Provided By The Information...
Analyzing The Audit Statement Provided By The Information...
 
Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log management
 
tssgi
tssgitssgi
tssgi
 
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner Department of Defense standard 8570 - CompTia Advanced Security Practitioner
Department of Defense standard 8570 - CompTia Advanced Security Practitioner
 
Integrating ibm tivoli workload scheduler and content manager on demand to pr...
Integrating ibm tivoli workload scheduler and content manager on demand to pr...Integrating ibm tivoli workload scheduler and content manager on demand to pr...
Integrating ibm tivoli workload scheduler and content manager on demand to pr...
 
Integrating ibm tivoli workload scheduler and content manager on demand to pr...
Integrating ibm tivoli workload scheduler and content manager on demand to pr...Integrating ibm tivoli workload scheduler and content manager on demand to pr...
Integrating ibm tivoli workload scheduler and content manager on demand to pr...
 
A Study Of Real-Time Embedded Software Systems And Real-Time Operating Systems
A Study Of Real-Time Embedded Software Systems And Real-Time Operating SystemsA Study Of Real-Time Embedded Software Systems And Real-Time Operating Systems
A Study Of Real-Time Embedded Software Systems And Real-Time Operating Systems
 
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docxREAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
 
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docxREAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
REAL-TIME INTEGRATION SYSTEMS Computer Systems Security .docx
 
Ibm tivoli web access for information management sg246823
Ibm tivoli web access for information management sg246823Ibm tivoli web access for information management sg246823
Ibm tivoli web access for information management sg246823
 
Fsrm step bystep_r2
Fsrm step bystep_r2Fsrm step bystep_r2
Fsrm step bystep_r2
 
Zsq03116usen 02
Zsq03116usen 02Zsq03116usen 02
Zsq03116usen 02
 

Más de BalaBit

SCaLE 2016 - syslog-ng: From Raw Data to Big Data
SCaLE 2016 - syslog-ng: From Raw Data to Big DataSCaLE 2016 - syslog-ng: From Raw Data to Big Data
SCaLE 2016 - syslog-ng: From Raw Data to Big DataBalaBit
 
NIAS 2015 - The value add of open source for innovation
NIAS 2015 - The value add of open source for innovationNIAS 2015 - The value add of open source for innovation
NIAS 2015 - The value add of open source for innovationBalaBit
 
Les Assises 2015 - Why people are the most important aspect of IT security?
Les Assises 2015 - Why people are the most important aspect of IT security?Les Assises 2015 - Why people are the most important aspect of IT security?
Les Assises 2015 - Why people are the most important aspect of IT security?BalaBit
 
2015. Libre Software Meeting - syslog-ng: from log collection to processing a...
2015. Libre Software Meeting - syslog-ng: from log collection to processing a...2015. Libre Software Meeting - syslog-ng: from log collection to processing a...
2015. Libre Software Meeting - syslog-ng: from log collection to processing a...BalaBit
 
LOADays 2015 - syslog-ng - from log collection to processing and infomation e...
LOADays 2015 - syslog-ng - from log collection to processing and infomation e...LOADays 2015 - syslog-ng - from log collection to processing and infomation e...
LOADays 2015 - syslog-ng - from log collection to processing and infomation e...BalaBit
 
Big Data Science - hype?
Big Data Science - hype?Big Data Science - hype?
Big Data Science - hype?BalaBit
 
DevAssistant, Docker and You
DevAssistant, Docker and YouDevAssistant, Docker and You
DevAssistant, Docker and YouBalaBit
 
Linux Kernel – Hogyan csapjunk bele?
Linux Kernel – Hogyan csapjunk bele?Linux Kernel – Hogyan csapjunk bele?
Linux Kernel – Hogyan csapjunk bele?BalaBit
 
Swift -Helyzetjelentés az iOS programozás új nyelvéről
Swift -Helyzetjelentés az iOS programozás új nyelvérőlSwift -Helyzetjelentés az iOS programozás új nyelvéről
Swift -Helyzetjelentés az iOS programozás új nyelvérőlBalaBit
 
DATA DRIVEN DESIGN - avagy hogy fér össze a kreativitás a tényekkel
DATA DRIVEN DESIGN - avagy hogy fér össze a kreativitás a tényekkelDATA DRIVEN DESIGN - avagy hogy fér össze a kreativitás a tényekkel
DATA DRIVEN DESIGN - avagy hogy fér össze a kreativitás a tényekkelBalaBit
 
eCSI - The Agile IT security
eCSI - The Agile IT securityeCSI - The Agile IT security
eCSI - The Agile IT securityBalaBit
 
Top 10 reasons to monitor privileged users
Top 10 reasons to monitor privileged usersTop 10 reasons to monitor privileged users
Top 10 reasons to monitor privileged usersBalaBit
 
Hogyan maradj egészséges irodai munka mellett?
Hogyan maradj egészséges irodai munka mellett?Hogyan maradj egészséges irodai munka mellett?
Hogyan maradj egészséges irodai munka mellett?BalaBit
 
Kontrolle und revisionssichere Auditierung privilegierter IT-Zugriffe
Kontrolle und revisionssichere Auditierung privilegierter IT-ZugriffeKontrolle und revisionssichere Auditierung privilegierter IT-Zugriffe
Kontrolle und revisionssichere Auditierung privilegierter IT-ZugriffeBalaBit
 
Techreggeli - Logmenedzsment
Techreggeli - LogmenedzsmentTechreggeli - Logmenedzsment
Techreggeli - LogmenedzsmentBalaBit
 
State of the art logging
State of the art loggingState of the art logging
State of the art loggingBalaBit
 
Why proper logging is important
Why proper logging is importantWhy proper logging is important
Why proper logging is importantBalaBit
 
Balabit Company Overview
Balabit Company OverviewBalabit Company Overview
Balabit Company OverviewBalaBit
 
BalaBit IT Security cégismertető prezentációja
BalaBit IT Security cégismertető prezentációjaBalaBit IT Security cégismertető prezentációja
BalaBit IT Security cégismertető prezentációjaBalaBit
 
The Future of Electro Car
The Future of Electro CarThe Future of Electro Car
The Future of Electro CarBalaBit
 

Más de BalaBit (20)

SCaLE 2016 - syslog-ng: From Raw Data to Big Data
SCaLE 2016 - syslog-ng: From Raw Data to Big DataSCaLE 2016 - syslog-ng: From Raw Data to Big Data
SCaLE 2016 - syslog-ng: From Raw Data to Big Data
 
NIAS 2015 - The value add of open source for innovation
NIAS 2015 - The value add of open source for innovationNIAS 2015 - The value add of open source for innovation
NIAS 2015 - The value add of open source for innovation
 
Les Assises 2015 - Why people are the most important aspect of IT security?
Les Assises 2015 - Why people are the most important aspect of IT security?Les Assises 2015 - Why people are the most important aspect of IT security?

Regulatory compliance and system logging

Second Edition
Publication date December 14, 2010

Abstract

The advantages of using the syslog-ng Store Box logserver appliance to collect, store, and manage system log (syslog) and eventlog messages for policy compliance.

Copyright © 2010 BalaBit IT Security Ltd.
Table of Contents

1. Preface (p. 3)
    1.1. Summary of contents (p. 3)
2. Introduction (p. 4)
    2.1. What is system logging (p. 4)
    2.2. Why is system logging important when dealing with policy compliance (p. 4)
    2.3. What syslog-ng and the syslog-ng Store Box are (p. 4)
    2.4. Problems to be solved by log management (p. 4)
3. Using the syslog-ng Store Box for policy compliance (p. 7)
    3.1. PCI-DSS compliance and logging (p. 7)
    3.2. COBIT 4.1 compliance and logging (p. 9)
4. HIPAA compliance and logging (p. 12)
5. Other important features (p. 13)
    5.1. Managing SSB (p. 13)
    5.2. Fine-tuned access control (p. 13)
    5.3. LDAP integration (p. 13)
    5.4. Real-time log monitoring and alerting (p. 13)
    5.5. Log collector agent for several platforms (p. 13)
    5.6. Agent for Microsoft Windows platforms (p. 14)
    5.7. Agent for IBM System i platforms (p. 14)
    5.8. Automatic data and configuration backups (p. 14)
    5.9. Automatic data archiving (p. 14)
    5.10. Ability to handle extreme load (p. 14)
6. Further information (p. 15)
    6.1. About BalaBit (p. 15)

www.balabit.com 2
1. Preface

This paper discusses the advantages of using the syslog-ng Store Box to collect, store, and manage system log (syslog) and eventlog messages in compliance with regulations like the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI-DSS).

The document is recommended for technical experts and decision makers working on implementing centralized logging solutions, but anyone with basic networking knowledge can fully understand its contents. The procedures and concepts described here are applicable to version 1.x of the syslog-ng Store Box (SSB).

1.1. Summary of contents

This paper is organized into the following sections:

Section 2, Introduction (p. 4) briefly describes what system logging is, and why it is an important part of policy compliance.

Section 3, Using the syslog-ng Store Box for policy compliance (p. 7) is a detailed list of policy requirements, including the requirements of the Payment Card Industry Data Security Standard (PCI-DSS), COBIT 4.1, and the Health Insurance Portability and Accountability Act (HIPAA), that you can address with the syslog-ng Store Box and syslog-ng Premium Edition.

Section 5, Other important features (p. 13) discusses further features of the syslog-ng Store Box that can come in handy when designing and implementing your system logging architecture.

Section 6, Further information (p. 15) contains a brief description of BalaBit IT Security and provides links where you can find out more about the syslog-ng Store Box, request an evaluation version, or find a reseller.
2. Introduction

2.1. What is system logging

Operating systems, applications, and network devices generate text messages about the various events that happen to them: a user logs in, a file is created, a network connection is opened to a remote host, and so on. These messages, called log messages, are usually stored in a file on the local hard disk of the system. The aim of central system logging is to collect the log messages on a single, central log server. For a more detailed introduction to syslog architectures, see the Distributed syslog architectures with syslog-ng Premium Edition whitepaper.

2.2. Why is system logging important when dealing with policy compliance

Log messages provide important information about the events of the network, the devices, and the applications running on these devices. Log messages can be used to detect security incidents, operational problems, and other issues like policy violations, and are useful in auditing and forensics situations. But collecting and analyzing log messages is also required directly or indirectly by several regulations, including the Sarbanes-Oxley Act (SOX), the Basel II Accord, the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI-DSS).

2.3. What syslog-ng and the syslog-ng Store Box are

The syslog-ng application is a system log collector and forwarder tool that can collect log messages from files and other sources, and also receive the log messages sent by remote hosts. It also has powerful message-filtering and message-routing capabilities. The syslog-ng Store Box is a log server appliance built around syslog-ng, offering a web-based configuration and log-browsing interface, encrypted and digitally signed log storage, and more.

2.4. Problems to be solved by log management

There are several problems and difficulties that have to be solved when creating a usable logging infrastructure. The main problems to consider are summarized below, along with a brief description of how the syslog-ng Premium Edition (PE) application can help you to overcome these problems.

■ Many different devices and applications running on a variety of operating systems. To start collecting log messages into a central log server, the logs must be retrieved somehow from the devices where the messages are generated. These devices (desktop computers, servers, networking devices like switches and routers, firewalls, and so on) usually use many different operating systems – all of which should send the logs to the central server. The problem with the variety of operating systems is that they use different logging solutions, with different configuration requirements and capabilities. To address this problem, syslog-ng can be installed on most common operating systems, including Linux, Solaris, HP-UX, BSD, and IBM AIX, and has dedicated agent applications to collect the logs from Microsoft Windows and IBM System i platforms. Using a single logging application vastly simplifies configuration and management, and ensures that advanced logging capabilities (like TLS-encrypted log transfer or disk-based buffering) are available on every device. If syslog-ng cannot be installed on a device for some reason (for example, it is running a pre-built firmware which cannot be modified), a local computer running syslog-ng can accept the syslog messages from such devices and relay them to the central log server.
■ Inconsistent timestamps and message format. Different log messages often use different timestamp formats to date the messages (for example, some timestamp formats do not contain year or timezone information), making it difficult to locate the messages later, and to properly see their place in the flow of events. With syslog-ng, it is possible to convert the timestamps to a single format (for example, as specified in the ISO 8601 standard), and also to use the date when the syslog-ng Store Box received the message from the application or the remote host, so the stored messages will contain accurate date information even if the clock of the remote host or the application is inaccurate. The syslog-ng application provides macros and powerful message-rewriting capabilities to reformat and normalize the messages, converting them to a common format so that the order of the data fields in the message is consistent with other messages. Supporting the new IETF syslog protocol standard, syslog-ng and the syslog-ng Store Box make it easy to integrate all kinds of log messages and logging clients into a common framework.

■ Protecting the integrity and confidentiality of the messages during transmission. Log messages are important from the network-security point of view, but they may also contain sensitive information and private data like passwords, usernames, and so on. Therefore, it is important that they are protected against eavesdropping when they are transmitted over the network. It is also important to verify the identity of the communicating parties (that is, the host sending the message, and the central log server) to ensure that the message is received only by its intended target (the log server), and that the message received by the server was indeed sent by the client host. The integrity of the message must also be maintained so that no unauthorized modification of the message is possible. To address these issues, the syslog-ng PE application uses the Transport Layer Security (TLS) protocol to encrypt the communication with the syslog-ng Store Box log server. Both the syslog-ng client and the server can be authenticated using X.509 certificates.

■ Protecting the integrity and confidentiality of the messages stored on the log server. Log messages must be protected even after they arrive at the log server to prevent manipulation and unauthorized access. For this reason, the syslog-ng Store Box can store the log messages in encrypted and digitally signed log files. Encrypting the log files ensures that the log messages can be accessed only by authorized personnel who have the appropriate decryption key, while the digital signature prevents the unnoticed modification of the messages. It is also possible to request timestamps from an external Timestamping Authority (TSA) to add further reliability to the date of the log messages.

■ Ensuring that no messages are lost. The syslog-ng PE application assigns a unique identifier to every message and ensures that you do not lose messages during network or system outages, because syslog-ng PE can store unsent messages on the local hard disk until the log server becomes available again. The syslog-ng PE application and SSB can also apply flow control to the messages. Flow control means that if the destination server or database becomes overloaded, syslog-ng PE and SSB can stop accepting messages from the sending applications or hosts. That way the senders are notified that there is a problem in the logging infrastructure and can act accordingly: for example, in an environment where policy compliance mandates that all events be logged, the applications may temporarily halt until logging can be resumed, so that no action goes unlogged. As an alternative way to handle server downtime, syslog-ng PE can send the log messages to a backup log server if the primary server becomes unavailable. To avoid losing messages on the server side, the syslog-ng Store Box (SSB) appliances use hot-swappable hard disks in a RAID configuration to protect against disk failures, and offer out-of-the-box high-availability support in failover cluster configurations. The nodes of the cluster use a common block-device subsystem that is automatically synchronized on the fly. In addition, SSB can periodically archive the received messages to a remote backup server.
■ Helping SIEM devices to analyze the log messages. Analyzing logs is an essential element of network security. While SSB is not a log analyzing appliance, it has a number of features – including message normalization – that can aid log-analyzing engines. The syslog-ng application has powerful message filtering and sorting capabilities that make it possible to ignore trivial or low-priority messages. Since message filtering can already take place on the clients, it can save a significant amount of bandwidth by dropping unimportant messages, and decrease the load on the SIEM device at the same time. Also, since the capacity of log analyzing applications is often limited, the syslog-ng Store Box can limit the number of messages sent per second. This has the benefit of flattening out message bursts and protecting the log-analyzing engine from becoming overloaded. Certain SIEM devices prefer to receive log messages from databases; SSB can send the log messages directly to a database, and supports most popular databases, including MSSQL, MySQL, Oracle, and PostgreSQL. An even more powerful capability of SSB and syslog-ng is the ability to classify messages in near real time, and apply artificial ignorance to the results. This allows you to create a pattern database of the log messages that normally appear in your log traffic, label them as normal, security-related, violation, and so on, and then compare every incoming message to this database. That way messages labeled as important can instantly generate alerts if needed, and unknown messages – which may signal an event occurring for the first time on your network and thus be important – can be collected for review.

■ Storing the messages. Organizations often store log messages for a long time to be able to review security incidents that are not immediately discovered, and several regulations also require the logs to be available for several months or years. Storing the log messages becomes an issue especially if the volume of log traffic is very high (for example, a few Gigabytes of raw logs per hour). To reduce the amount of logs to be stored, the syslog-ng Store Box provides powerful message filtering and sorting capabilities: it can drop or separate unimportant messages, and organize messages into different files or databases based on their sending host, application, or content. It can also automatically compress and encrypt the log files, and periodically start a new file so that the older files can be archived and removed from the server. The SSB appliances have large internal hard disk space (up to 10 Terabytes), and also offer the possibility to directly connect to your SAN solution via an iSCSI or Fibre Channel interface.
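The normalization, rewriting and classification steps described in the list above (and the cardholder-data masking mentioned under PCI-DSS requirement 3 in Section 3.1) can be seen together in the following added Python example. It is not code from this whitepaper or from syslog-ng or SSB, only an illustration of the mechanisms: it parses RFC 3164 style messages (which carry neither a year nor a timezone), rewrites their timestamps to ISO 8601 and records the server's own receive time beside them, masks card numbers that pass a Luhn check before the message is stored, and classifies each message against a small pattern database, flagging anything that matches nothing as unknown for review (artificial ignorance). The sample messages, host names, pattern set and labels are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input (not from the whitepaper): RFC 3164 style messages
# as a central log server would receive them. Note: no year, no timezone.
SAMPLE_MESSAGES = [
    "<34>Oct 11 22:14:15 webfront01 sshd[2342]: Accepted publickey for alice from 10.1.2.3 port 51512 ssh2",
    "<86>Oct 11 22:14:16 webfront01 sshd[2342]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "<13>Oct 11 22:14:20 pos-terminal7 posapp[911]: card 4111111111111111 declined at lane 3",
    "<14>Oct 11 22:14:21 webfront01 kernel: unusual event code 0xDEAD never seen before",
]

# <PRI>Mmm dd hh:mm:ss HOST APP[PID]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def _with_year(bsd_ts, year, tz):
    # Parse with an explicit year so that "Feb 29" is accepted in leap years.
    return datetime.strptime("%d %s" % (year, bsd_ts), "%Y %b %d %H:%M:%S").replace(tzinfo=tz)


def parse_rfc3164(line, received_at, sender_tz=timezone.utc):
    """Parse one BSD-syslog line into a dict with ISO 8601 timestamps.

    received_at is the log server's own (timezone-aware) clock; sender_tz is the
    timezone the sending host is assumed to log in, since the format does not say.
    """
    m = RFC3164.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    pri = int(m.group("pri"))
    # The message has no year: borrow the server's, and step back one year if
    # that would place the message in the future (a December message seen in January).
    ts = _with_year(m.group("ts"), received_at.year, sender_tz)
    if ts > received_at + timedelta(days=1):
        ts = _with_year(m.group("ts"), received_at.year - 1, sender_tz)
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": ts.isoformat(),          # normalized ISO 8601, with UTC offset
        "received": received_at.isoformat(),  # server clock, trusted over the sender's
        "host": m.group("host"),
        "app": m.group("app"),
        "pid": m.group("pid"),
        "message": m.group("msg"),
    }


# Rewrite stage: mask primary account numbers (keep first 6 and last 4 digits).
PAN = re.compile(r"\b(\d{6})(\d{6,9})(\d{4})\b")


def luhn_ok(digits):
    """Luhn checksum, used to avoid masking arbitrary long numbers (ids, counters)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(text):
    def repl(m):
        if not luhn_ok(m.group(0)):
            return m.group(0)
        return m.group(1) + "*" * len(m.group(2)) + m.group(3)
    return PAN.sub(repl, text)


# Classification stage: a constructed pattern database of messages that are
# known to appear in normal traffic, each with a label. Order matters.
PATTERN_DB = [
    ("normal", re.compile(r"^Accepted publickey for \S+ from \S+ port \d+ ssh2$")),
    ("normal", re.compile(r"^pam_unix\(sshd:session\): session (opened|closed) for user \S+")),
    ("violation", re.compile(r"^card \S+ declined at lane \d+$")),
]


def classify(message):
    for label, pattern in PATTERN_DB:
        if pattern.match(message):
            return label
    return "unknown"  # artificial ignorance: never-seen-before messages go to review


def process(lines, received_at):
    """Run parse -> mask -> classify over a batch; returns one dict per line."""
    records = []
    for line in lines:
        rec = parse_rfc3164(line, received_at)
        rec["message"] = mask_pan(rec["message"])   # rewrite before anything is stored
        rec["class"] = classify(rec["message"])
        records.append(rec)
    return records


def unknown_messages(records):
    """The review queue: everything the pattern database did not recognize."""
    return [r for r in records if r["class"] == "unknown"]


if __name__ == "__main__":
    now = datetime(2010, 12, 14, 22, 15, 0, tzinfo=timezone.utc)
    for rec in process(SAMPLE_MESSAGES, now):
        print(rec["timestamp"], rec["host"], rec["class"], rec["message"])
```

The receive time is kept as a separate field rather than overwriting the sender's timestamp, so an audit can still see a client whose clock drifts. The Luhn check is what keeps the masking rule from destroying legitimate identifiers that happen to be 16 digits long.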
3. Using the syslog-ng Store Box for policy compliance

Compliance is becoming more and more important in several fields – laws, regulations and industrial standards mandate increasing security awareness and the protection of sensitive data. As a result, companies have to increase the control over and the auditability of their business processes, and this makes thorough log management necessary – especially since several regulations require the centralized collection of logs (including retaining logs for an extended period, often spanning several years). The syslog-ng Store Box logserver appliance and the syslog-ng Premium Edition log collector application give you the tools you need to create a complete, reliable, and trusted log infrastructure to collect the log messages from the clients to a central log server, ensuring the secure transmission and storage of the log messages from a wide variety of operating systems.

3.1. PCI-DSS compliance and logging

The following table provides a detailed description of the requirements of the Payment Card Industry Data Security Standard (PCI-DSS) relevant to log management and auditing. Other compliance regulations like the Sarbanes-Oxley Act (SOX) or the Basel II Accord imply similar requirements.

PCI requirement / How the syslog-ng Store Box supports it

3. Protect stored cardholder data
    System logs may contain sensitive information such as personal identification numbers (PIN) and card validation codes. The syslog-ng Store Box protects these messages by storing them in an encrypted file instead of the plain text files commonly used to store log messages. It is also possible to rewrite messages and automatically remove sensitive cardholder data using the message-rewriting capabilities of syslog-ng.

4. Encrypt transmission of cardholder data across open, public networks
4.1 Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) / secure shell (SSH)
    Transport layer security (TLS) can be used to encrypt the communication between the clients and the log server and to protect the integrity of the messages. Using TLS encryption also prevents third parties from accessing or modifying the communication. The communication between the syslog-ng client and the SSB logserver can be mutually authenticated using X.509 certificates to verify the identity of the communicating parties and prevent attackers from injecting fake messages into the log files.

10.2 Implement automated audit trails for all system components.
    Log messages have an important role in reconstructing the events of an application, host, or network. The syslog-ng application aids this process by ensuring that the log messages arrive at the central log server without any unwanted modification. Messages are sent encrypted using the TLS protocol, which is based on the reliable TCP networking protocol that ensures that the messages arrive at the log server. The disk-based buffering feature of syslog-ng PE buffers messages to the hard disk of the client, ensuring that no messages are lost even if the log server or the network connection becomes unavailable. The syslog-ng Store Box can organize the messages into audit trails based on the sending host and the application, and its web-based search interface makes it easy to browse the log messages and to execute targeted queries to review the log messages, or to find the details of an event. As for its own audit trails, SSB logs every change of its configuration, and can require the administrators to enter a changelog entry. These log messages are stored separately to make it easy to review and audit the changes. The administrators of SSB can be authenticated against an LDAP database (for example Microsoft Active Directory). SSB also receives automatic notifications from the syslog-ng Premium Edition log collector clients whenever the configuration of a client is modified.

10.3 Record at least the following audit trail entries for all system components for each event: 10.3.1 User identification; 10.3.2 Type of event; 10.3.3 Date and time; 10.3.4 Success or failure indication; 10.3.5 Origination of event; 10.3.6 Identity or name of affected data, system component, or resource.
    The syslog-ng PE application can automatically add the following to log messages that omit this information:
    ■ date and time in various standard formats (for example ISO), including timezone information
    ■ highly customizable date and time information using macros
    ■ the name of the client host that generated the message
    ■ the name of the application or facility that generated the message
    SSB automatically logs the required entries whenever an administrator modifies its configuration. The identity of the administrator can be verified against an LDAP database (for example Microsoft Active Directory). The IP address from which the administrator accessed SSB is also recorded.

10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
    The syslog-ng PE server can automatically add the date and time when it received the message, so the log messages contain accurate time information – even if the clock of the client host or the application is mistimed. Naturally, SSB itself can synchronize its system clock to NTP servers.

10.5 Secure audit trails so they cannot be altered.
    All log messages can be encrypted using public-key encryption on the central log server in a so-called logstore file. The syslog-ng application can also request timestamps for the stored data from an external Timestamping Authority (TSA) to include reliable dates in the log files.

10.5.1 Limit viewing of audit trails to those with a job-related need.
    SSB has detailed privilege-management capabilities to grant access to a set of log messages only to those who require it. Encrypted log messages can be viewed only if the user has the required encryption key.

10.5.2 Protect audit trail files from unauthorized modifications.
    The syslog-ng Store Box (SSB) logserver can store the log messages in encrypted logstore files, and log messages are also digitally signed to prevent modifications. The integrity of the messages is also checked when they are transmitted from the clients to the log server. The communication between the syslog-ng clients and SSB can be mutually authenticated using X.509 certificates to prevent log-injection attacks.

10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
    The SSB appliance was created exactly for this purpose: it is a log server that can receive the log messages from reliable sources and store them in encrypted, digitally signed and timestamped log files to prevent modifications. To ensure that no log messages are lost, SSB can receive messages using the reliable TCP networking protocol. To prevent third parties from gaining access to or modifying the messages on the network, the clients can send the messages over a mutually authenticated, TLS-encrypted connection as well. To guarantee that the log server is continuously available, SSB appliances can be set up in a high availability cluster, where the backup log server goes online in case the primary server becomes unavailable. To minimize the risk of losing messages, the units of the SSB cluster use a common disk subsystem. SSB can receive log messages from any client application that uses the standard syslog protocols (RFC 3164 or RFC 5424-5428), but it is recommended to use the syslog-ng Premium Edition log collector application whenever possible. During network outages, syslog-ng PE buffers the messages to the hard disk, and sends the messages when the server becomes available. Depending on the volume of the log traffic and the available disk space on the host, your messages are safe even in case of very long network downtime.

10.5.4 Copy logs for wireless networks onto a log server on the internal LAN.
    The syslog-ng PE application can relay log messages received from wireless devices and transfer them to the central log server.

10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
    Using TLS encryption between the clients and the log server ensures that the log messages are not modified on the network. On the log server, syslog-ng can store messages in special encrypted and digitally signed log files to prevent modifications. Timestamps for the stored data can also be requested from an external Timestamping Authority (TSA). When its configuration is changed, the syslog-ng PE application automatically sends a log message to simplify the auditing of your logging infrastructure.

10.7 Retain audit trail history for at least one year, with a minimum of three months online availability.
    When stored in the logstore of SSB, log messages can be compressed to save disk space. Messages archived to a remote server remain available in the SSB web interface as long as the server is online. SSB has large internal hard disks, but can also directly connect to external SAN systems.

Table 1. PCI-DSS compliance and logging

3.2. COBIT 4.1 compliance and logging

Although the compliance of logging infrastructures to COBIT is seldom required by authorities, COBIT compliance is still important, as there are certain regulations (such as the Sarbanes-Oxley Act, or the Basel II Accord) that do
not specify exact technical requirements, and compliance with these regulations is often achieved by adopting a well-established framework like COBIT. The following table discusses some sample control objectives of the Control Objectives for Information and related Technology (COBIT) 4.1, how they affect the logging infrastructure of organizations, and how syslog-ng PE can be used to address these requirements. Please note that this list is by no means exhaustive, and other objectives may have further requirements on the logging infrastructure and log management.

COBIT 4.1 control objective / How the syslog-ng Store Box supports it

AI6 Manage Changes: Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorized prior to implementation and reviewed against planned outcomes following implementation.
    The syslog-ng Store Box can organize the messages into audit trails based on the sending host and the application, and its web-based search interface makes it easy to browse the log messages and to execute targeted queries to review the log messages, or to find the details of an event. As for its own audit trails, SSB logs every change of its configuration, and can require the administrators to enter a changelog entry. These log messages are stored separately to make it easy to review and audit the changes. The administrators of SSB can be authenticated against an LDAP database (for example Microsoft Active Directory).

DS9.3 Configuration Integrity Review: Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration.
    The syslog-ng PE application automatically detects if its configuration is changed, and sends a log message to SSB. That way it is easy to recognize any changes to the logging infrastructure, and detect unauthorized changes. To support configuration reviews, SSB has an auditor role that allows only the browsing of its configuration, without any access to the collected log messages.

DS5.11 Exchange of Sensitive Data: Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.
    Transport layer security (TLS) can be used to encrypt the communication between the clients and the SSB log server and to protect the integrity of the messages. Using TLS encryption also prevents third parties from accessing or modifying the communication. The communication between the client and the server can be mutually authenticated using X.509 certificates to verify the identity of the communicating parties and prevent attackers from injecting fake messages into the log files, and also from obtaining syslog data. The use of the TCP networking protocol, disk-based buffering, and the ability to send the messages to a backup server in case the primary log server becomes unavailable ensure that the log server indeed receives the sent messages. SSB can store the received log messages in encrypted, digitally signed and timestamped files to prevent modifications to the messages after they have been received. The timestamps can be obtained from an external Timestamping Authority (TSA) as well.

DS13.3 IT Infrastructure Monitoring: Define and implement procedures to monitor the IT infrastructure and related events. Ensure that sufficient chronological information is being stored in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations.
    The syslog-ng PE log collector application was created exactly for this purpose: to transfer the log messages generated on the host to the central log server, where they can be stored in encrypted and digitally signed log files to prevent modifications. SSB has a powerful log classification engine that can classify thousands of messages per second, and raise alerts for certain message types. It can also use the principles of artificial ignorance to detect unknown messages that may require attention or further investigation. To help the review of time sequences and events, SSB has a web-based search interface. SSB also stores the timestamp when a particular message was received: that way the time information of the message and the flow of the events are accurate even if the clock of the sending client is inaccurate.

PO2.4 Integrity Management: Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.
    Using TLS encryption between the clients and the log server ensures that the log messages are not modified on the network. On the log server, syslog-ng can store messages in special encrypted and digitally signed log files to prevent modifications. It is also possible to store one copy of the messages digitally signed and encrypted in the logstore, and another copy in a database (syslog-ng can directly send messages into Oracle, MySQL, and other databases); the database can be used for everyday log processing, analyzing, and reporting purposes, and the messages can be compared to the copies stored in the logstore to detect any unwanted changes.

Table 2. COBIT 4.1 compliance and logging
4. HIPAA compliance and logging

The Health Insurance Portability and Accountability Act (HIPAA) has few direct requirements about logging, but it requires the protection and encryption of sensitive information as it is transmitted over the network and stored on a computer. As log messages may contain such information, the logging infrastructure must comply with these requirements as well. The following table discusses some sample requirements of HIPAA, how they affect the logging infrastructure of organizations, and how syslog-ng PE can address these requirements. Please note that this list is by no means exhaustive, and other requirements may be applicable to the logging infrastructure and log management.

164.312(e)(1) Transmission Security
HIPAA Security Rule: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
How SSB supports it: Transport layer security (TLS) can be used to encrypt the communication between the clients and the syslog-ng Store Box (SSB) log server and to protect the integrity of the messages. Using TLS-encryption also prevents third-parties from accessing or modifying the communication. The communication between the client and the server can be mutually authenticated using X.509 certificates to verify the identity of the communicating parties and prevent attackers from injecting fake messages into the log files, and also from obtaining syslog data. The use of the TCP networking protocol, disk-based buffering, and the ability to send the messages to a backup server in case the primary log server becomes unavailable ensures that the log server indeed receives the sent messages.

164.312(e)(2)(i) Integrity Controls (A)
HIPAA Security Rule: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
How SSB supports it: Using TLS encryption between the clients and the log server ensures that the log messages are not modified on the network. SSB can store messages in special encrypted and digitally signed log files to prevent modifications. It is also possible to store a copy of the messages digitally signed and encrypted in the logstore, and another copy in a database (SSB can directly send messages into Oracle, MySQL, and other databases); the database can be used for everyday log processing, analyzing, and reporting purposes, and the messages can be compared to the copies stored in the logstore to detect any unwanted changes.

164.312(e)(2)(ii) Encryption (A)
HIPAA Security Rule: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
How SSB supports it: The syslog-ng PE log collector application can encrypt log messages while they are transferred from their origin to the SSB log server, and SSB can store them in an encrypted, digitally signed format. Timestamps for the stored data can also be requested from an external Timestamping Authority (TSA).

Table 3. HIPAA compliance and logging
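The "sealed copy versus working copy" check described for PO2.4 above and for 164.312(e)(2)(i) here, as an added example written for this page (not SSB's logstore format or code): a keyed hash chain stands in for SSB's digital signatures, and the key, the receive timestamps and the sample messages are constructed.

```python
import hashlib
import hmac

# Added example, not SSB's logstore format: a keyed hash chain stands in for
# SSB's digital signatures. The key and the sample records are constructed.
SEAL_KEY = b"constructed-demo-key"
GENESIS = "0" * 64

def seal(prev_mac, seq, received_at, message):
    # Chaining to the previous MAC means a deleted or reordered record, not
    # only an edited one, breaks verification of everything after it.
    data = f"{prev_mac}|{seq}|{received_at}|{message}".encode()
    return hmac.new(SEAL_KEY, data, hashlib.sha256).hexdigest()

def build_logstore(received):
    # received_at is the server-side receive time SSB keeps with each
    # message, so event order does not depend on the client's clock.
    store, prev = [], GENESIS
    for seq, (received_at, msg) in enumerate(received):
        mac = seal(prev, seq, received_at, msg)
        store.append({"seq": seq, "received_at": received_at, "msg": msg, "mac": mac})
        prev = mac
    return store

def verify_logstore(store):
    # True only if every MAC chains correctly from the first record.
    prev = GENESIS
    for rec in store:
        expected = seal(prev, rec["seq"], rec["received_at"], rec["msg"])
        if not hmac.compare_digest(rec["mac"], expected):
            return False
        prev = rec["mac"]
    return True

def unwanted_changes(store, db_copy):
    # One (kind, seq) finding per record missing from or altered in the
    # working database copy; an empty list means the two copies agree.
    db = {r["seq"]: r["msg"] for r in db_copy}
    findings = []
    for rec in store:
        if rec["seq"] not in db:
            findings.append(("missing", rec["seq"]))
        elif db[rec["seq"]] != rec["msg"]:
            findings.append(("modified", rec["seq"]))
    return findings

# Constructed sample traffic: (server receive time, message).
SAMPLE = [("2010-12-14T10:00:01Z", "sshd[4412]: Accepted publickey for alice"),
          ("2010-12-14T10:00:02Z", "sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls"),
          ("2010-12-14T10:00:03Z", "sshd[4412]: session closed for user alice")]
```

The database copy is the one everyday reporting touches, so it is the one most likely to drift; the sealed copy is only read to verify it.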
5. Other important features

This section highlights some of the features of the syslog-ng Store Box (SSB) that were not discussed in detail so far, but are useful to know about.

5.1. Managing SSB

SSB is configured from a clean, intuitive web interface. The roles of each SSB administrator can be clearly defined using a set of privileges, such as: manage SSB as a host; manage log collection, forwarding and storage; configure various alerts; browse the collected logs and reports.

The web interface is accessible via a network interface dedicated to the management traffic. This management interface is also used for backups, sending alerts, and other administrative traffic. All configuration changes are automatically logged, simplifying the auditing of SSB.

5.2. Fine-tuned access control

The SSB web interface features highly customizable access control. Using this together with the powerful message-sorting capabilities of syslog-ng, you can specify exactly which log messages a user has access to. For example, it is possible to grant access only to the logs of a specific application to the support engineer of that application – it is even possible to narrow the time frame of the data to the relevant period only.

5.3. LDAP integration

SSB can connect to a remote LDAP database (for example a Microsoft Active Directory server) to resolve group memberships of the users who access the SSB web interface. Privileges to configure SSB or browse different logs can be defined based on group memberships.

5.4. Real-time log monitoring and alerting

Even though SSB is not a log analyzing engine, it is able to classify individual log messages using artificial ignorance, much like the popular logcheck application of the Unix world. SSB comes with a built-in database of log message patterns that are considered "normal". Messages matching these patterns are produced during the legitimate use of the applications (for example sendmail, Postfix, MySQL, and so on), and are unimportant from the log monitoring perspective, while the remaining messages may contain something "interesting". The administrators can define log patterns on the SSB interface, label matching messages (for example as a security event), and request alerts if a specific pattern is encountered. For thorough log analysis, SSB can also forward the incoming log messages to external log analyzing engines.

5.5. Log collector agent for several platforms

SSB uses the syslog-ng Premium Edition application to collect logs from different operating systems and hardware platforms, including Linux, Unix, BSD, Sun Solaris, HP-UX, IBM AIX, IBM System i, as well as Microsoft Windows XP, Server 2003, Vista, and Server 2008.
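The artificial-ignorance classification described in section 5.4 (and under DS13.3 above), as an added example that is not SSB's classifier or pattern database: alert patterns are checked before the "normal" set, and whatever matches neither is the residue worth a human look. The pattern sets and the sample messages are constructed.

```python
import re

# Added example, not SSB's classifier: the patterns and the sample messages
# are constructed to show the artificial-ignorance approach the text describes.

# Stand-in for SSB's built-in database of "normal" message patterns.
KNOWN_NORMAL = [re.compile(p) for p in (
    r"^postfix/smtpd\[\d+\]: (connect|disconnect) from \S+$",
    r"^sendmail\[\d+\]: \w+: to=<[^>]+>, .*stat=Sent",
    r"^mysqld\[\d+\]: .*ready for connections\.$",
)]

# Administrator-defined patterns: each labels matching messages and alerts.
ALERT_PATTERNS = [(label, re.compile(p)) for label, p in (
    ("security event", r"^sshd\[\d+\]: Failed password for .* from \S+"),
    ("security event", r"^su\[\d+\]: FAILED SU \(to \w+\) \w+ on "),
    ("service failure", r"^mysqld\[\d+\]: .*\b(crash|aborting)\b"),
)]

def classify(messages):
    """Sort messages into alerts, known-normal noise and unknown ones.

    Alert patterns are checked first so a labelled message is never
    swallowed by a broader "normal" pattern. Anything matching nothing is
    the artificial-ignorance residue that deserves a look.
    """
    result = {"alerts": [], "normal": [], "unknown": []}
    for msg in messages:
        label = next((l for l, p in ALERT_PATTERNS if p.search(msg)), None)
        if label is not None:
            result["alerts"].append((label, msg))
        elif any(p.search(msg) for p in KNOWN_NORMAL):
            result["normal"].append(msg)
        else:
            result["unknown"].append(msg)
    return result

# Constructed sample messages (program and text only, as after parsing).
SAMPLE_MESSAGES = [
    "postfix/smtpd[2134]: connect from mail.example.org[192.0.2.10]",
    "postfix/smtpd[2134]: disconnect from mail.example.org[192.0.2.10]",
    "mysqld[1011]: /usr/sbin/mysqld: ready for connections.",
    "sshd[4412]: Failed password for invalid user admin from 198.51.100.7 port 51022 ssh2",
    "kernel: EXT3-fs error (device sda1): ext3_find_entry: reading directory #2 offset 0",
]
```

The "normal" set should only ever be extended with messages a reviewer has actually looked at, otherwise the residue quietly shrinks to nothing.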
5.6. Agent for Microsoft Windows platforms

The syslog-ng Agent for Windows is a log collector and forwarder application for Microsoft Windows platforms, including Windows Vista and Windows Server 2008. It collects the log messages from eventlog groups and log files and forwards them to a syslog-ng server using regular or TLS-encrypted TCP connections. The syslog-ng Agent can be managed from a domain controller using group policies, or run as a standalone application.

5.7. Agent for IBM System i platforms

The syslog-ng agent for IBM System i is a system log collector and forwarder application for the IBM System i (formerly known as AS/400 and IBM iSeries) platform. It collects application and system messages, as well as messages from the System i security audit journal (QAUDJRN) and the operator message queue (QSYSOPR). The collected messages are forwarded to a syslog-ng server using regular or TLS-encrypted TCP connections. The syslog-ng server can run on a separate machine, or directly on IBM System i in the Portable Application Solutions Environment (PASE). The syslog-ng Agent for IBM System i is available as a standalone product and must be licensed independently from syslog-ng Store Box.

5.8. Automatic data and configuration backups

The recorded log messages and the configuration of SSB can be periodically transferred to a remote server using the following protocols:

■ Network File System protocol (NFS);
■ Rsync over SSH;
■ Server Message Block protocol (SMB/CIFS).

The latest backup – including the data backup – can be easily restored via SSB's web interface.

5.9. Automatic data archiving

SSB's configuration and the recorded log messages are automatically archived to a remote server. The data on the remote server remains accessible and searchable; several terabytes of audit trails can be accessed from the SSB web interface. SSB uses the remote server as a network drive via the Network File System (NFS) or the Server Message Block (SMB/CIFS) protocol.

5.10. Ability to handle extreme load

The syslog-ng Store Box is optimized for performance, and can handle enormous amounts of messages. Depending on its exact configuration, it can process over 75,000 messages per second in real time, meaning over 24 GB of raw logs per hour, and index and classify over 30,000 messages per second. Larger versions of the appliance (SSB5000 and SSB10000) include their own storage solutions capable of storing up to 10 Terabytes of data.
6. Further information

6.1. About BalaBit

BalaBit IT Security Ltd. is a developer of network security solutions satisfying the highest standards. BalaBit was founded and is currently owned by Hungarian individuals. Its main products are the syslog-ng system logging software, which is the most widely used alternative syslog solution of the world; the syslog-ng Store Box logserver appliance; Zorp, a modular proxy gateway capable of inspecting over twenty protocols, including encrypted ones like SSL and SSH; and the Shell Control Box, an appliance that can transparently control, audit, and replay SSH, RDP, VNC, and Telnet traffic.

To learn more about commercial and open source BalaBit products, request an evaluation version, or find a reseller, visit the following links:

■ The syslog-ng homepage
■ Shell Control Box homepage
■ syslog-ng Store Box (SSB) homepage
■ Product manuals, guides, and other documentation
■ Register and request an evaluation version
■ Find a reseller

All questions, comments or inquiries should be directed to <info@balabit.com> or by post to the following address:

BalaBit IT Security
1115 Budapest, Bártfai str. 54
Phone: +36 1 3710540
Fax: +36 1 2080875
Web: http://www.balabit.com/

Copyright © 2010 BalaBit IT Security Ltd. Some rights reserved. This document is published under the Creative Commons Attribution Noncommercial No Derivative Works (by-nc-nd) 3.0 license. All other product names mentioned herein are the trademarks of their respective owners. The latest version is always available at the BalaBit Documentation Page.