 
SECURITY CORNER
 



Forests, Trees, and Security Logs

Article Date: 6/94

The VOS security logging facility is obviously one of the more valuable tools for you to use while you are working to secure your system. It detects a number of security-related incidents, such as login attempts with a bad password, insufficient access rights to view a file, etc., and writes a description of the problem into a text file named security_log.(date) in the (master_disk)>system directory. Each entry in the log will show a sequence number (since bootload), the time of the incident, the target, the type of incident, and perhaps some supporting information. If the same incident occurs several times in a row, you will get only one entry in the log, where one of the fields will show how many occurrences there were within the time period.

The facility is built into the operating system, so you can turn it on with the security_admin command. Don't forget to put this command into your module_start_up.cm so that it is turned on whenever the module reboots. To confirm that the facility is actually in use, run the analyze_system request display_security_info.

One of the first problems you will have in making use of the log is knowing when to examine it. You might want to make it a habit to view each log at least once a day. Perhaps you can have your first cup of coffee while looking at yesterday's log (and today's too, so you can look for overnight incidents). In addition to daily review, you might want to use the VOS command notify_security_violation. This will send a message to a given terminal, notifying you whenever a security log entry has been written. By using this notification, you will be able to see security incidents within minutes after they occur. The drawback to being notified is that, on a busy system, minor incidents can occur very frequently, and the notification becomes very annoying!

There is more value to security logging, however, than just looking at individual entries. The log always presents incidents in the order in which they occurred. Unfortunately, you may not see the "forest" of patterns of violations for the "trees" of the individual incidents. One of the things you should be doing with your security logs is examining the data in different ways. Try looking at your log information sorted by user. Now you can see which user causes which kind of incidents. Do they need training? Do they need more permissions to do their job? Do you need to tell them to stay out of directory areas that they are not authorized for? You can also try looking at log information sorted by the terminal where it occurred. Do your dialup terminals show a lot of failed login attempts?

Another way to analyze your log data is to look just at the counts of violation types, rather than the detail. How many access violations usually occur on this module in a day? A week? A month? How many bad password violations? Now that you know that, do you see any times when the number is very different from the average? This kind of analysis may point you to areas where you need to investigate further.

In order to do these kinds of analyses, you will have to extract the incident data from the security log text. The cost of doing the extraction can be quickly repaid if the analysis helps you to pinpoint a potential problem. Look at your security logs to find the trees and forests that will help you to manage VOS security better.
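As an added illustration of the extraction and re-sorting the article recommends (this is not code from the article or from Stratus, and the line layout it parses is an assumption), the script below takes a handful of constructed entries carrying the fields the article lists (sequence number, time, incident type, target, user, terminal, and the repeat count for runs of identical incidents), then rolls them up by user, by terminal, by day, and flags days that sit well above the average, plus the overnight entries a morning review would want to see first.

```python
"""Roll up security log entries by user, terminal and day (added example, not VOS code)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample entries. The fields mirror those the article describes, but
# this exact one-line layout is an assumption; a real security_log.(date) file
# will need its own regular expression.
SAMPLE_LOG = """\
00012 94-06-01 08:02:11 bad_password target=%m1#d01>system>login user=jsmith term=#m1.tty3 count=1
00013 94-06-01 08:02:40 bad_password target=%m1#d01>system>login user=jsmith term=#m1.tty3 count=4
00014 94-06-01 09:15:03 access_violation target=%m1#d01>Payroll>rates.dat user=tjones term=#m1.tty7 count=1
00015 94-06-01 11:47:52 access_violation target=%m1#d01>Payroll>rates.dat user=tjones term=#m1.tty7 count=2
00016 94-06-01 23:31:09 bad_password target=%m1#d01>system>login user=root term=#m1.dial2 count=6
00017 94-06-02 00:04:17 bad_password target=%m1#d01>system>login user=operator term=#m1.dial2 count=3
00018 94-06-02 10:20:00 access_violation target=%m1#d01>Sales>forecast.txt user=jsmith term=#m1.tty3 count=1
"""

LINE_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}-\d{2}-\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<type>\w+)\s+target=(?P<target>\S+)\s+user=(?P<user>\S+)\s+"
    r"term=(?P<term>\S+)\s+count=(?P<count>\d+)$"
)


def parse_log(text):
    """Turn the log text into a list of dicts; a line that does not match is an error, not silently dropped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable entry: {line!r}")
        d = m.groupdict()
        entries.append({
            "seq": int(d["seq"]),
            "when": datetime.strptime(d["date"] + " " + d["time"], "%y-%m-%d %H:%M:%S"),
            "type": d["type"],
            "target": d["target"],
            "user": d["user"],
            "term": d["term"],
            "count": int(d["count"]),   # repeat count for a run of identical incidents
        })
    return entries


def totals_by(entries, key):
    """Sum repeat counts grouped by one field ('user' or 'term'), then by incident type."""
    out = defaultdict(Counter)
    for e in entries:
        out[e[key]][e["type"]] += e["count"]
    return {k: dict(v) for k, v in out.items()}


def daily_totals(entries, incident_type):
    """Total occurrences of one incident type per calendar day (ISO date string)."""
    per_day = Counter()
    for e in entries:
        if e["type"] == incident_type:
            per_day[e["when"].date().isoformat()] += e["count"]
    return dict(per_day)


def unusual_days(entries, incident_type, factor=1.5):
    """Days whose total for one incident type exceeds `factor` times the per-day mean."""
    per_day = daily_totals(entries, incident_type)
    if not per_day:
        return []
    mean = sum(per_day.values()) / len(per_day)
    return sorted(day for day, n in per_day.items() if n > factor * mean)


def off_hours_entries(entries, start_hour=22, end_hour=6):
    """Sequence numbers of entries written overnight (22:00 to 06:00 by default)."""
    return [e["seq"] for e in entries
            if e["when"].hour >= start_hour or e["when"].hour < end_hour]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("by user:", totals_by(log, "user"))
    print("by terminal:", totals_by(log, "term"))
    print("bad_password per day:", daily_totals(log, "bad_password"))
    print("unusual bad_password days:", unusual_days(log, "bad_password"))
    print("overnight entries:", off_hours_entries(log))
```

The per-terminal view is where the article's dialup question gets answered: in the constructed data, every bad-password run on #m1.dial2 stands out at once, even though those entries are scattered through the chronological log. Summing the repeat count rather than counting lines matters because VOS collapses a burst of identical incidents into one entry; counting lines would undercount exactly the bursts you most want to notice.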

 
©Copyright 2009