Application Logs - Security Best Practices
by Dipesh Rawal, CISA
Security logs capture the security-related events within an application. They help detect security violations and flaws in the application, and help reconstruct user activities for forensic analysis. Shortlisting the events to log and choosing the level of detail are the key challenges in designing the logging system. This article simplifies the selection by presenting the options that many critical applications choose.
Events to Log
- All user account management activity should be logged:
  - Addition and deletion of user accounts
  - Changes in security attributes (access levels, login intervals, terminal login restrictions, connection interface)
  - User account suspensions and reactivations
  - Administrative password resets
- Every access-control-related event should be logged:
  - Successful and failed logon/logoff events
  - Account lockout events (invalid password, inactive session, access from disallowed interfaces, login attempts outside valid intervals, maximum concurrent session limit violations)
  - Password changes
- Changes to application configuration settings should be tracked:
  - Changes to critical functional settings (e.g. interest rates, service charges, grace period)
  - System parameters (e.g. maximum number of concurrent connections per user, password length)
- Access attempts to the application and underlying system resources should be logged:
  - Changes to cryptographic keys
  - Startup/stop of application processes
  - Abnormal application exits
  - Failed database connection attempts
  - Attempts to modify critical registry keys
  - Login/logoff for maintenance
- Failed integrity checks for application data, executables and the audit log should also be logged.
The Details to Log
The logs should be captured with an adequate level of detail for later analysis, while balancing the need not to adversely affect performance. For each event, the following are important to record:
- A unique event ID and type
- Timestamp of the event
- Error message
- Success or failure of event
- IP address of the client
- User ID triggering the event
- Resources accessed
- Application Interface used by user
- Correlation with audit trail entries
Safe Practices in Logging
- Design the application to save the logs to a different system. Otherwise, once the application's system is compromised, the logs themselves can no longer be trusted.
- Secure the system on which the logs are stored.
- Limit access to logs on a need-to-know basis.
- Do not log authentication credentials themselves (such as passwords, PINs, or encryption keys).
- Applications should alert administrators if the logging system malfunctions or is shut down.
- The security logs should be archived periodically.
- The application should provide a log analysis console to view and analyze the logs.
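The following is an added example, not code from the article: a minimal security-event writer that records every field listed under "The Details to Log", masks credential-bearing fields before they are written, and chains records with an HMAC so the "failed integrity check for the audit log" event above has something concrete to detect. The field names, the sensitive-key list and the HMAC key are assumptions chosen for illustration.

```python
import hashlib, hmac, json, uuid
from datetime import datetime, timezone

# Field names treated as credentials and masked before writing (assumption:
# an illustrative substring list, to be extended per application).
SENSITIVE_KEYS = ("password", "pin", "secret", "key", "token")
REDACTED = "[REDACTED]"

def redact(details):
    """Return a copy of details with credential-like fields masked."""
    return {k: (REDACTED if any(s in k.lower() for s in SENSITIVE_KEYS) else v)
            for k, v in details.items()}

def make_event(event_type, outcome, user_id, client_ip, resource, interface,
               correlation_id, details=None, message=""):
    """Build one security event carrying each field the article lists."""
    return {
        "event_id": str(uuid.uuid4()),                    # unique event ID
        "event_type": event_type,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "outcome": outcome,                               # success / failure
        "message": message,                               # error message, if any
        "client_ip": client_ip,
        "user_id": user_id,
        "resource": resource,
        "interface": interface,                           # e.g. web, api, admin
        "correlation_id": correlation_id,                 # links audit-trail entries
        "details": redact(details or {}),
    }

class ChainedLog:
    """Append-only log: each record is HMACed with the previous record's MAC, so an edit, insertion or removal of an earlier record fails verify()."""
    def __init__(self, key):
        self.key, self.lines, self.prev_mac = key, [], "0" * 64

    def _mac(self, prev, event):
        body = json.dumps(event, sort_keys=True)
        return hmac.new(self.key, (prev + body).encode(), hashlib.sha256).hexdigest()

    def append(self, event):
        self.prev_mac = self._mac(self.prev_mac, event)
        self.lines.append({"event": event, "mac": self.prev_mac})

    def verify(self):
        """Return the index of the first tampered record, or -1 if intact."""
        prev = "0" * 64
        for i, rec in enumerate(self.lines):
            if not hmac.compare_digest(self._mac(prev, rec["event"]), rec["mac"]):
                return i
            prev = rec["mac"]
        return -1
```

The HMAC key must live with the verifier (for instance the separate log host recommended above), not on the application server, or a compromised host could simply re-chain the records.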