Procedure for Log Management
Details
Date | Version | Status | Information Classification | Document Template ID | Document No |
---|---|---|---|---|---|
03-12-2019 | 1.7 | Approved | Internal | AMS DOC | AMS- SP-24 |
Revision History
Date | Version | Description | Author | Reviewed by | Approved by | Approved date |
---|---|---|---|---|---|---|
27-02-2013 | 1.0 | Initial Version | ||||
24-06-2013 | 1.1 | Added the firewall error log category | Praveen Kumar G | |||
22-08-2013 | 1.2 | Added the log monitoring frequency | Premanand PP | Premanand PP | ||
30-09-2014 | 1.3 | Added the file and database server auditing of user and administrator access logging | ||||
11-05-2015 | 1.4 | Review as part of ISMS Transition | ||||
31-07-2017 | 1.4 | Reviewed no changes | ||||
10-08-2017 | 1.5 | Replaced shall with will | ||||
25-03-2019 | 1.6 | Reviewed no changes | ||||
30-10-2019 | 1.7 | Changes made as per the standard Document | Shaila | Praveen, Usha | Suresh Kumar | 03-12-2019 |
Acronym Used
Acronym | Expanded Form |
---|---|
Introduction
The purpose of this procedure is to establish accountability for administrative activities and for the access controls on applications and the Internet.
Scope
This procedure addresses the requirements for logging on critical servers such as the firewall, mail server, intrusion protection systems and production servers.
Note: System Administrators in this procedure refers to all users who have administrative privilege on a system/server.
ISO27001 Control References
A.12.4.1 Event logging
A.12.4.2 Protection of log information
A.12.4.3 Administrator and operator logs
Key Practices & Responsibility
The key practices and responsibilities are as follows:
Srl. | Key Practice | Responsibility |
---|---|---|
1 | Log Setting and Review Policy | Head – IT |
2 | Event log settings and review | Server Lead, Server Security Expert |
3 | Administrator and Operator logs | Server Lead, Server Security Expert |
4 | Fault Logging | Network Lead, Network Security Expert; Server Lead, Server Security Expert |
5 | Protection of Logs | Server Lead, Server Security Expert |
Key Practice Details
Log Setting and Review Policy
Head - IT in consultation with Network Lead, Server Lead and Desktop Lead will identify the requirements for log setting and the log review on servers and applications.
The log review policy will identify the logs to be reviewed, the frequency of review, the responsibility for review, the review method and the review output for all required monitoring activities. The review frequency will be determined based on the criticality and sensitivity of the server and application.
Event Log Settings and Review
Event logging will be enabled on all servers including production, development, testing, support groups and the IT common servers.
The clocks will be synchronized for all servers to capture precise log information.
Audit log file sizes will be set to a limit that ensures they are not exhausted within a one-month period.
Audit logs will be configured to capture, at a minimum, and dependent on system capabilities, the following:
Access to systems
Use of privileges
Configuration changes
Errors/faults reported
Start-up and Shutdown procedures
Audit logs will be configured to provide advance warning for reaching file size limitations.
Audit logs will be archived on a weekly basis for all systems.
Audit logs will be reviewed by the Server Security Expert on a daily basis for all sensitive and critical systems. The review will determine the following:
Application errors from the application log
I/O errors, memory errors and other hardware errors from the system log
Unexpected shutdown of services from the application and system log
Unauthorized logon, file and object level access exceptions from the security log
Audit logs will be configured to capture all failures of services or actions, and successes for security-sensitive services or actions.
An independent audit of privileged use by system administrators will be performed at random by the Head - IT.
Audit logs will not be modifiable by systems administrators.
Access to audit logs will be provided only to IT team and auditors.
Administrator and Operator Logs
System Administrators (server administrators, database administrators, application administrators and backup operators) will maintain an operator log of activities they perform on a server. These activities include:
Routine and emergency start up and shutdown of applications
Backup and recovery
The log will include:
The time at which the event (success or failure) occurred;
Information about the event;
Which account and which administrator or operator was involved.
The Operator Log Register is used to log the activities of administrators and operators.
Fault Logging
In case IT detects a fault or error on any of the servers, an Infrastructure Failure Log is raised for the reason of failure and steps adopted for resolution.
In case IT detects a fault or error on any of the network or related equipment, an Infrastructure Failure Log is raised for the reason of failure and steps adopted for resolution.
In case the failure has a security implication, an Information Security Incident Report will be raised.
Production Server Log Management
All production servers running the Windows operating system are configured to manage logs as follows:
Logs are monitored every day; any incidents are captured and resolution initiated.
Overwriting of Event Logs is disabled.
Logs of Application, Security and System events will be captured and monitored.
Once the size of the Event Logs at the default location exceeds 2048 KB, they are configured to be moved from the default location to E:\Eventlogs.
All reported errors will be resolved.
The following known errors do not require resolution:
"Error Source TermDD": RDP is used for remote administration of the servers. The remote administration connection is set to terminate after 5 minutes, which causes this event. Resolution: No action required.
"Error in Apache Service": Apache services are used as the web server. This event is caused whenever the Tomcat application restarts. Resolution: No action required.
Firewall Log Management
Firewall logs are monitored daily; any incidents or events are reported and resolution initiated. Logs of all firewalls will be shipped to and stored on the FortiAnalyzer for future reference. A copy of these logs is backed up on the ASL backup server.
Firewall events are categorized as follows:
Srl. | Category | Resolution | Remarks |
---|---|---|---|
1 | Emergency | Immediate resolution | To be brought into incident management |
2 | Alert | Analyse the alert and take action proactively | Preventive action management |
3 | Critical | Immediate resolution | To be brought into incident management |
4 | Error | The error will be observed and analysed, and proactive action taken | Correction and corrective action will be initiated |
5 | Warning | The warning will be observed and action taken if required | Correction and corrective action will be initiated before any resolution. |
6 | Notification | The notification will be observed and analysed if required | |
7 | Information | No action required | |
Firewall logs are copied and stored on the backup server and on offsite backup tapes.
Database Log Management
The following logs of production database will be monitored:
Alert Logs
Listener Logs
Audit Logs: the database audit logs will be backed up to tape at regular intervals.
User activity audit logs: these logs are continuously monitored by the DBA team for any updates by users to the tables and data of the database. All activities are logged in XML format.
File System log management
All administrator and user access to servers is audited and logged in the event logs.
Non-tampering of logs: login attempts by accounts with superuser privileges, such as Administrator on Windows and root on Linux servers, need to be monitored.
All logs pertaining to administrator / root user logins on Production Servers will be instantaneously transferred to a Log Analyzer System.
Login access to the Log Analyzer System will be strictly restricted to the IT Manager.
The Database of Log Analyzer System containing all login records will be protected by writing it to WORM Tapes at regular intervals.
Protection of Log Information
The Server Security Expert and Network Security Expert are responsible for protecting logging facilities and log information against tampering and unauthorized access.
Controls will be implemented to protect against unauthorized changes to, and operational problems with, the logging facilities, including:
alterations to the message types that are recorded;
log files being edited or deleted.
Audit log file sizes will be set to a limit that ensures they are not exhausted within a one-month period.
A second-level log can be maintained for security monitoring purposes where the primary log contains a large volume of information that is extraneous to security monitoring. This log captures the significant events from the system logs with appropriate messages.
Log files are stored for the exclusive use of Antares staff for specific business reasons or to satisfy legal, contractual and regulatory requirements. Log files are destroyed after their business use is completed.
All critical audit logs should be archived and retained for at least one year. Refer to the Inventory of Assets for the list of logs.
References
Srl. | Document/Section Name |
---|---|
1 | Procedure for Information Security Handling |
2 | Procedure for Safeguarding Organizational Records |
3 | Inventory of Assets |
Implementation Artifacts
Srl. | Template ID | Artifact Name |
---|---|---|
1 | F-OLR | Operator Log Register |
2 | F-IFL | Infrastructure Failure Log |
3 | F-ISIR | Information Security Incident Report |