How To Maintain And Monitor Audit Logs

Hasan Kismetli
Hasan Kismetli
Technical Support Engineer
NNT - New Net Technologies

The coronavirus outbreak has become a real global pandemic affecting hundreds of millions of individuals and organizations across the world. Many governments have advised residents to avoid non-essential social contact and travel, a concept recently coined ‘social distancing’.

For safety reasons, most organizations have also advised their employees to work remotely from home and have taken steps to allow users remote access who would not normally have the ability to do so. With that in place, organizations must consider the consequences in terms of security as their employees will be accessing their internal IT infrastructure to view critical data remotely.

Employees will be exposing the organizations devices to greater risk as they leave the safety and security of the workplace. Many employees do not have a proper security framework at home like they normally do at their organization’s workplace such as firewalls, antivirus software, etc. which can increase the chances of malware finding its way into the internal infrastructure.

Audit Logs

Even with robust security defenses in place in the internal infrastructure, there’s no way to 100 percent guarantee that systems will not be breached. That’s why maintaining, monitoring and analyzing audit logs is so crucial. The Center for Internet Security (CIS) emphasizes the importance of maintaining, monitoring, and analyzing these audit logs in CIS Control 6, the last of the Basic CIS Controls.

The use of the audit policy is needed now more than ever before to help fight against any cyber attacks as audit logs will provide a detail-rich source of security data and remote user activity that can help an organization gain insight into the inner working of their IT environment.

It is very important to get expert advice when it comes to configuring your audit policy on your environment, not only to ensure that you are getting all the audit events needed, but to also avoid generating unneeded events. When it comes to expert advice, NNT can provide you with this as we are partnered with the Center for Internet Security (CIS) and together we provide certified audit policy recommendations that you can implement to ensure detailed auditing is applied with unwanted events being suppressed at the source. Within the auditing section of any CIS guide is a full description of the suggested auditing configuration and the rational on why the system should be configured in this manner.

audit logs audit logs

The benefits of configuring auditing are clear and the CIS guides tell us the what and the why but they also cover the how. Each rule within the guides has a remediation note that covers the configuration of the setting on the system.

audit logs audit logs

Configuring auditing in your environment would of course be covered by any system hardening activities. We recently published a blog on 5 steps to harden your cloud environment and auditing is an easy starting point for any organization looking to begin their system hardening journey.

The CIS can also help here with the use of the CIS Remediation/Build Kits, pre-configured Group Policies for Windows and a script for Linux that match the suggested configuration of the CIS guidelines.

Remediation/build kits can be used as part of your group policy structure or with your configuration management software of choice for Linux but be mindful, if you only want the audit configuration from the kits you will need to remove the other settings that the kits include. If using the kits on standalone systems is required then this is also possible. All remediation/build kits can be run locally by utilizing the following OS specific approach.

Standalone Windows Server

Steps to apply the auditing section of Microsoft’s local group policy locally.

  1. Download the Local Group Policy Object executable
  2. On the system to be hardened, unzip the NNT provided remediation or build kit
  3. Open a command prompt with administrative privileges
  4. Use the command prompt to run this command to configure the auditing settings of the system:
    LGPO.exe /ac "C:\\DomainSysvol\GPO\Machine\microsoft\windows
    nt\Audit\audit.csv"
  5. Reboot the system
Standalone Linux Server

Steps to apply the auditing for Linux hardening to a standalone Linux server.

  1. Unzip the remediation or build kit
  2. Edit the script using the CIS guidelines to only contain the auditing commands
  3. Move the .sh file to the system that will be hardened
  4. Provide executable permissions to the .sh script:
    # sudo chmod +x NNT CIS Red Hat Enterprise Linux 7 Server Benchmark - Level 1.sh
  5. Run the script:
    # sudo NNT CIS Red Hat Enterprise Linux 7 Server Benchmark - Level 1.sh
  6. Reboot the system once the script has finished
audit logs

Windows systems will need a helping hand due to the lack of a native logging service. Fortunately, any SIEM solution on the market today will have a mechanism of collecting important Windows’ logs via a local agent or through a pull mechanism.

Using a SIEM solution combined with the NNT CIS audit policy templates, you will be able to efficiently gather and centralize logs from all of your devices and applications, allowing you to analyze and spot suspicious activities by mining incoming logs or searching through logs from past weeks and months to build a picture of past activity.

With all the logs being centralized, it’s a good idea to configure your SIEM solution to lookout for the key types of logs. But with so many logs flowing into the system, where do you start? Here we can lean on the various compliance standards as a starting point. If we look at the PCI DSS standard requirement 10, we can see a good description of the type of logs we might want to pick out from the collected logs.

audit logs

Using this as guidance we can then decide which event types we are looking to collect for posterity and which events will also lend themselves to immediate alert generation.

In conclusion, if you are thinking about how to get started on an audit project now that all of your workforce is remote working for the foreseeable future, please consider the following steps:

  • Collect advise about what to monitor
  • Configure systems to generate the correct logging
  • Forward logs to a centralized SIEM solution
  • Analyze the message stream for important events
Cloud and Container Security
The Most Powerful & Reliable Cybersecurity Products

change tracker gen7r2 logo

Change Tracker Gen 7R2: Complete configuration and system integrity assurance combined with the most comprehensive and intelligent change control solution available.

FAST Cloud logo

Fast Cloud: Leverage the world’s largest whitelist repository to automatically evaluate and verify the authenticity of file changes in real-time with NNT FAST™ (File Approved-Safe Technology)

vulnerability tracker logo

Vulnerability Tracker: The world’s only limitless and unrestricted vulnerability scanning solution with unparalleled accuracy and efficiency, protecting your IT assets on premises, in the cloud and mobile endpoints.

log tracker logo

Log Tracker: Comprehensive and easy to use security information & event log management with intelligent & self-learning correlation technology to highlight potentially harmful activity in seconds

Contact Us

Corporate Headquarters

Netwrix
6160 Warren Parkway, Suite 100
Frisco, Texas, 75034

Phone 1: 1-949-407-5125

Phone 2: 888-638-9749 (toll-free)


[email protected]
 

United Kingdom

Netwrix
5 New Street Square
London EC4A 3TW

Phone: +44 (0) 203 588 3023


 [email protected]
Information
SC Magazine Cybersecurity 500 CSGEA Winners 2021 CIS benchmarking SEWP Now Certified IBM Security
Copyright 2024, New Net Technologies LLC. All rights reserved. 
NNT and Change Tracker are registered trademarks of New Net Technologies LLC.
All other product, company names and trademarks are the property of their respective owners.