To avoid detection by system, network, and security administrators, attacker often alter the logs of the victim machine. The attacker will attempt to remove particular events from the logs associated with the attacker’s gaining access, elevating privileges, and installing RootKits and back doors. Events such as failed login records, error conditions, stopped and restarted services, and file access/update times must be purged from the logs or altered to avoid suspicion of the administrator.
Of course, on most systems, an attacker with sufficient access privileges (usually root or administrator) can completely purge the log files. However, completely deleting the logs is too likely to be noticed. Ideally, an attacker wants to edit the system logs on a line-by-line basis to keep normal events in the logs while removing suspicious events.
To mount an effective defense, preventing attackers from altering logs is critical. Conducting a forensics investigation without adequate logging is like trying to drive your car while wearing a blindfold: difficult, if not impossible, and certainly messy. The amount of effort that you will want to apply to defending a given system’s log information depends on the sensitivity of the server. Clearly, for Internet-accessible machines with sensitive data, a great amount of care must be taken with the logs. For some internal systems, logging may be less important. However, for critical systems containing information about human resources, legal issues, and mergers and acquisitions, logs could make or break your ability to detect an attack and build a case for prosecution. Let’s examine the techniques used to defend logs on Windows NT and UNIX, as well as other platforms.
Activate Logging, Please
The first step in ensuring the integrity and usefulness of your log files is quite simple: Activate logging on your sensitive systems! Quite often, I have been involved with a security investigation only to discover that, by default, logging is deactivated on many of the servers that are included in the investigation. My heart drops when I come to this realization. Your organization must have a policy or standard defined that specifies that logging must be done. Additionally, you should periodically audit your systems to ensure that logging is activated in accordance with your policy.