Logging

Central audit logging: Configuration and collecting of Linux audit events

Guide to setup central audit logging for your Linux based systems, with the use of the powerful Linux audit framework. No single audit log should get lost!

Summary of Central audit logging: Configuration and collecting of Linux audit events

This guide is to help our users of the Lynis Enterprise Suite to configure a central node to receive Linux audit events. It provides some pointers on how to do a quick set-up, to store and forward events. This information is very valuable for forensic investigations and intrusion detection. Configure the server First start by configuring the server. Since this is a central log host, it should have enough disk capacity and enough bandwidth to sustain peaks.

Read the full article…

Creating audit trails – Logging commands on Linux with Snoopy

Snoopy is a useful utility to log commands on Linux and create a related audit trail. If you need to be PCI compliant, auditing trails are considered to be important for proper accounting.

Summary of Creating audit trails – Logging commands on Linux with Snoopy

Logging commands on Linux with Snoopy Our customers often want to set-up an audit trail for accounting purposes. When something happens, they want to be able to see what happened, when it did and by whom. Defining an audit trail is also becoming mandatory for compliance, like PCI. One possible solution we cover is using Snoopy, a small library to log executed commands. How it works Snoopy is a wrapper around the execve() function.

Read the full article…

How to log only some requests to a log file in nginx

Nginx is flexible when it comes to what should be logged in the access.log. With the combination of a map and if-statement, this can be achieved very easily!

Summary of How to log only some requests to a log file in nginx

Nginx is flexible when it comes to what should be logged in the access.log. With the combination of a map and if-statement, this can be achieved very easily!" Log only some events by HTTP status Creating a map using $status The $status variable contains the HTTP status code that is normally returned to each request. We can leverage this status code to set a so-called boolean (true/false, or 1/0). Let’s define first the map and use the HTTP status.

Read the full article…

PCI DSS (v3) Linux: Restrict log file viewing (A.1.2.d)

Linux users who want to compliant with PCI DSS have to restrict log file viewing to only the owner. We have a look at how to discover log files which can be viewed by others.

Summary of PCI DSS (v3) Linux: Restrict log file viewing (A.1.2.d)

A.1.2.d Verify that viewing of log entries is restricted to the owning entity. To limit exposure to information, PCI DSS requires access of logging to only the entity owning that log file. In other words, we have to search for those entries which can be seen by others. Search related log files By default, most log files on Linux based systems will be stored in /var/log. We can do a quick check for any files which are world readable, by using find.

Read the full article…