How much space required for logs in a secure system?

Troy Nightingale
Occasional Advisor

How much space required for logs in a secure system?

Currently we do very minimal logs. ( syslog, sulog) Because of several audits showing many weaknesses and because we couldn't prove if we were hacked, we are trying to determine how much additional space we might need for more complete logfiles. Also any specific logs we should keep.
Steven E. Protter
Exalted Contributor

Re: How much space required for logs in a secure system?

Assuming you've not converted to trusted system, you only need to reserve a few hundred MB for the logs you've noted.

Here are the important ones:

syslog
sulog (We copy that off once a week to /backups so it goes on tape, after that we null it out)

Copies of btmp bad login attempts and wtmp should be taken prior to nulling out the log.

I null out a log as follows via cron

> btmp

If you convert to trusted system, you will need to allocate at least another 500 MB to hold the audit logs. The default is to put it in the root fs, you'll want to change that so they go into a mounted filesystem.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Caesar_3
Esteemed Contributor

Re: How much space required for logs in a secure system?

Hello!

Depending on how many features you want to use from
the audit, it will be about 300-600MB.
It also depends on the activity.

Caesar
Bill Hassell
Honored Contributor

Re: How much space required for logs in a secure system?

There really isn't a good answer to this question. For instance, a good recommendation is to turn on detailed connection logging with inetd (-l and -v options) plus add detailed logging for ftp. This could make syslog grow megabytes per day. By changing the syslog.conf file to include more informational messages, you'll get more details. You probably have /var/adm/wtmp but do you have /var/adm/btmp? If not, that is a big security problem (the lastb command won't work). And you'll need /etc/shutdownlog if it does not exist.

However, these are logfiles that are known to hackers so they will likely be modified to eliminate records of intrusion. The first step to securing your system would be to download and run Bastille and then look at converting to a Trusted system and enabling authentication logging and more secure login restrictions. The Intrusion Detection System (IDS/9000) is also a useful tool to watch for potential problems. These logs will grow rapidly (multiple megs/day) so /var will likely have to be increased to 2-3 Gb. Additionally, you'll need cron jobs to archive and compress older log files. Weekly log trims would be the minimum, perhaps 2-3 times/week for really fast growing files.


Bill Hassell, sysadmin
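The copy-then-null routine described in the two replies above (copy the log off to a backup area so it reaches tape, compress the copy, then truncate the live file in place so syslogd and login keep writing to the same inode), as an added POSIX sh example that is not code from this thread. The log path, the backup directory, the date stamp and the presence of gzip are assumptions supplied by the caller, for instance from the weekly cron job the posts mention.

```shell
#!/bin/sh
# Added example (not from the thread): archive a log, compress the copy, then
# truncate it in place. Truncating with ">" instead of rm+touch keeps the inode,
# so daemons that hold the file open keep writing to it.
# Assumptions: POSIX sh, gzip on the PATH, caller passes LOG and ARCHIVE_DIR.
# Cron usage (assumed):  0 2 * * 0  /usr/local/bin/rotatelog /var/adm/btmp /backups

archive_and_truncate() {
    log=$1
    archive_dir=$2
    stamp=${3:-$(date +%Y%m%d)}     # optional third arg gives a predictable name

    [ -f "$log" ] || { echo "archive_and_truncate: $log not found" >&2; return 1; }
    mkdir -p "$archive_dir" || return 1

    dest="$archive_dir/$(basename "$log").$stamp"
    # Copy first; a failed copy must never lead to nulling the live log.
    cp "$log" "$dest" || return 1
    gzip -f "$dest" || return 1
    chmod 600 "$dest.gz"             # archived btmp/sulog are sensitive
    : > "$log"                       # truncate in place, keeping the inode
    echo "$dest.gz"                  # report where the archive went
}
```

Run it once per log from cron, and only after the backup job has confirmed the archive directory is on the tape schedule; the archive name carries the date so repeated runs never overwrite an earlier copy.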
Steven E. Protter
Exalted Contributor

Re: How much space required for logs in a secure system?

Bill reminds me of other security issues:

My spiel...

Bastille Security hardening
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6849AA

Perl which the above needs.
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=PERL

Security Patch Check
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA

TCP Wrappers

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=TCPWRAP

IDS/9000 (Intrusion Detection System)

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J5083AA

Get all these products working and you'll be quite secure.

Secure shell
http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=T1471AA


Yes, I know my answer is beyond the scope of this thread. Still, must make it easy to be secure.

SEP
Steven E Protter
Sridhar Bhaskarla
Honored Contributor

Re: How much space required for logs in a secure system?

Hi,

You would need to periodically recycle your log files. You will need to write a script that does the job for you. Below is a small example of how you can accomplish it.

# stop syslogd so the current file is complete before it is renamed
/sbin/init.d/syslogd stop
I=14
J=15
while [ $I -ge 1 ]
do
    # shift syslog.log.14 to .15, .13 to .14, ... .1 to .2 (skip revisions that do not exist yet)
    [ -f /var/adm/syslog/syslog.log.$I ] && mv /var/adm/syslog/syslog.log.$I /var/adm/syslog/syslog.log.$J
    J=$I
    (( I = $I - 1 ))
done
# the current log becomes revision 1; use the full path, cron does not run from /var/adm/syslog
mv /var/adm/syslog/syslog.log /var/adm/syslog/syslog.log.1
/sbin/init.d/syslogd start

This will keep 15 revisions of syslogs. So, if you set your cronjob once in 15 days, you will have around 7 months of data. You can do the same for sulog and mail.log files. You have to do something like this because rebooting your system twice (during the patch installs etc.) will wipe out old log files.

If you enabled auditing, then you may want to consider adding a filesystem to the /.secure directory. There are options to set how big you want your audfiles to grow. Accounting will dump the files by default under /var.

A good practice is not about how large your logfile is but how well you monitor your systems. For example, generating daily reports on successful and unsuccessful logins, root su attempts, getting paged on the bad attempts etc. impress the auditors.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
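The daily su report the post recommends (successful and failed su-to-root attempts taken from sulog, with a failure threshold that would trigger a page), as an added POSIX sh example that is not the poster's code. The sulog line layout it parses ("SU MM/DD hh:mm + tty from-to", where "+" marks a successful su and "-" a failed one) is assumed from the HP-UX format, the sample lines are constructed, and the log path and threshold are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): summarise su activity in sulog and flag
# users whose failed su-to-root attempts exceed a threshold.
# Assumed sulog format:  SU MM/DD hh:mm + tty from-to   ("+" success, "-" failure)
# Caller (e.g. a daily cron job) supplies the log path and the threshold.

# Constructed sample lines, not taken from a real system.
sample_sulog() {
    cat <<'EOF'
SU 03/14 08:02 + pts/1 troy-root
SU 03/14 08:15 - pts/2 guest-root
SU 03/14 08:16 - pts/2 guest-root
SU 03/14 08:17 - pts/2 guest-root
SU 03/14 09:40 + pts/3 sri-oracle
SU 03/14 10:05 - pts/4 troy-root
EOF
}

# One line per user who tried "su" to root and failed:  "<user> <failures>"
failed_root_su() {
    awk '$1 == "SU" && $4 == "-" && $6 ~ /-root$/ {
             sub(/-root$/, "", $6); n[$6]++
         }
         END { for (u in n) print u, n[u] }' "$1" | sort
}

# Number of successful su-to-root sessions (who actually became root that day)
successful_root_su() {
    awk '$1 == "SU" && $4 == "+" && $6 ~ /-root$/ { c++ } END { print c + 0 }' "$1"
}

# Exit 0 (true) when some user exceeded LIMIT failed root su attempts, else 1
root_su_exceeds() {
    log=$1
    limit=$2
    failed_root_su "$log" |
        awk -v lim="$limit" '$2 > lim { hit = 1 } END { exit (hit ? 0 : 1) }'
}

# Text report suitable for mailing to the admin; pages when the threshold is hit
daily_su_report() {
    log=$1
    limit=$2
    echo "su-to-root report for $log"
    echo "successful root su: $(successful_root_su "$log")"
    echo "failed root su by user:"
    failed_root_su "$log" | sed 's/^/  /'
    if root_su_exceeds "$log" "$limit"; then
        echo "ALERT: a user exceeded $limit failed root su attempts"
    fi
}
```

Feed the same functions the day's login records as well (btmp via lastb) and the report covers both items the post lists; the threshold check is the piece that feeds a pager rather than a mailbox.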