Log Blindspots: A review of cases where System Logs are insufficient

January 20, 2015

configuration file)
What the User Did: Via Windows Explorer and Notepad, the user made a simple change to an XML attribute in the file “web.config”, changing a “0” (false) value to “1” (true).
Editing web.config with Notepad
Security and Audit Implications of this Action: Changes to this file will affect how the web server runs, in numerous different ways. This can expose security risks, and can also affect proper operations.
What shows up in system event logs: 6,000 log entries cover the 20 seconds it took to make the change. One log entry indicates that “Notepad” was launched. Another indicates that “web.config” was added to the “Recent Files” list in Windows. A third seems to show (not convincingly) that it was Notepad that edited the file web.config. But even with this information, we cannot tell what was actually changed within the file. (Was it a harmless addition of an application extension? Or did the user modify an important entry within the file?)
To know what was changed, we would now have to retrieve the previous version from a file server backup and perform a file compare on the old and new versions. Doable, but that is a heavy burden to answer a pretty straightforward question: “What did the user change?”
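The file compare described above is the targeted, issue-specific utility the conclusion of this paper refers to: it answers “what changed?” for one file type only, and only if a pre-change copy exists. As an added illustration that is not part of the original paper or of ObserveIT’s product, the following script compares two versions of a web.config at the XML attribute level, so that a flipped “0”/“1” value is reported by element path rather than as an opaque text diff. The two configuration fragments, the key names (AllowRemoteAdmin, ReportTitle) and the values are constructed for the example.

```python
"""Attribute-level diff of two web.config versions.

Added example: answers the question the event log cannot, namely which
attribute changed and from what to what. Requires a pre-change copy of the
file (e.g. from a file server backup); it cannot recover a change without one.
"""
import xml.etree.ElementTree as ET

# Attributes that identify an element among its siblings. web.config uses
# key= in <appSettings> and name= in most other collections.
IDENTITY_ATTRS = ("key", "name")

# Constructed sample: the "before" copy taken from backup.
OLD_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="SiteName" value="Intranet"/>
    <add key="AllowRemoteAdmin" value="0"/>
  </appSettings>
  <system.web>
    <compilation debug="false"/>
  </system.web>
</configuration>"""

# Constructed sample: the "after" copy as found on the server. One attribute
# was flipped (the security-relevant change) and one harmless entry was added.
NEW_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="SiteName" value="Intranet"/>
    <add key="AllowRemoteAdmin" value="1"/>
    <add key="ReportTitle" value="Monthly"/>
  </appSettings>
  <system.web>
    <compilation debug="false"/>
  </system.web>
</configuration>"""


def _label(elem, siblings):
    """Path segment for elem: tag[key='x'] if it has an identifying attribute,
    otherwise tag[n] when several siblings share the tag, otherwise just tag."""
    for attr in IDENTITY_ATTRS:
        if attr in elem.attrib:
            return f"{elem.tag}[{attr}={elem.attrib[attr]!r}]"
    same_tag = [s for s in siblings if s.tag == elem.tag]
    if len(same_tag) > 1:
        return f"{elem.tag}[{same_tag.index(elem)}]"
    return elem.tag


def _flatten(root):
    """Map every element path to a copy of its attribute dict."""
    out = {}

    def walk(elem, prefix, siblings):
        path = f"{prefix}/{_label(elem, siblings)}"
        out[path] = dict(elem.attrib)
        children = list(elem)
        for child in children:
            walk(child, path, children)

    walk(root, "", [root])
    return out


def diff_config(old_xml, new_xml):
    """Return human-readable change records, sorted by element path.
    An empty list means the two files are attribute-for-attribute equivalent."""
    old = _flatten(ET.fromstring(old_xml))
    new = _flatten(ET.fromstring(new_xml))
    changes = []
    for path in sorted(set(old) | set(new)):
        if path not in old:
            changes.append(f"added element {path} {new[path]}")
        elif path not in new:
            changes.append(f"removed element {path} {old[path]}")
        else:
            a, b = old[path], new[path]
            for attr in sorted(set(a) | set(b)):
                if attr not in a:
                    changes.append(f"added attribute {path}@{attr}={b[attr]!r}")
                elif attr not in b:
                    changes.append(f"removed attribute {path}@{attr} (was {a[attr]!r})")
                elif a[attr] != b[attr]:
                    changes.append(f"changed {path}@{attr}: {a[attr]!r} -> {b[attr]!r}")
    return changes


if __name__ == "__main__":
    for line in diff_config(OLD_WEB_CONFIG, NEW_WEB_CONFIG):
        print(line)
```

Run against real files, the script would read the backup and live copies instead of the embedded strings. Its output separates the two questions the paper poses: the added ReportTitle entry shows up as a harmless “added element”, while the flipped AllowRemoteAdmin value shows up as “changed … '0' -> '1'”, which is the record the event log never produces.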
Event Viewer: But what was changed?
What User Activity Monitoring shows you: ObserveIT’s log shows what the user did, in a concise and descriptive manner. And again, video replay shows what took place within the file.
Log Blindspots: A review of cases where system logs are insufficient © Copyright 2011 ObserveIT Ltd. | www.observeit-sys.com
Scenario 5: Changing the port used by IIS
What the User Did: An admin user changed IIS to listen on port 8080 instead of the default 80. This was done via “Start > Settings > Control Panel > Administrative Tools > IIS Manager”, and once there, editing the Properties for “Default Web Site”.
Set IIS to listen to port 8080
Security and Audit Implications of this Action: Modifying the listening port of a service that is reachable from outside the DMZ can open a huge hole in firewall security.
What shows up in system event logs: Among the 5,500 log entries, there is one entry that adds IIS Manager to the Recent Items list in Windows. This is timestamped when the application was closed, which might mislead the investigator, and it would not even occur if the user left the window open. Earlier, there is an obscure log entry indicating a DLL that was loaded into memory. This is the true indication that IIS Manager was launched, but it is very difficult to find with a reasonable level of effort.
Event Viewer: Obscure log entry of a loaded DLL. It turns out that this is the culprit!
What User Activity Monitoring shows you: Once again, ObserveIT gives us the whole picture.
Platform Considerations
The Windows experiments were performed on Windows Server 2003. Windows Server 2008 R2 added additional audit policy granularity. However, these updates do not mean that additional knowledge can be gleaned from the logs, only that the logs can be filtered a bit better. Even with object access auditing enabled and a SACL placed on a file such as web.config, the resulting events record which account opened the file for writing, not what was written. The bottom line remains that many high-risk, security-impacting actions, including those highlighted in this paper, are not logged.
The Linux experiments were performed on Red Hat Enterprise Linux (RHEL). Similar audit logging is found in other Linux distributions, as well as in Solaris, with a similar focus on the technical aspects of each command (pid, cwd, success).
Security audits that rely on existing system logs have large holes in them, because system logs simply do not capture the information needed to reconstruct what a user changed.
For issues that are known a priori, the blindspot can be eliminated with a custom utility targeted at that specific issue. But this solves only that one specific issue.
The easiest way to eliminate these blindspots in their entirety is to add User Activity Monitoring such as ObserveIT, which augments the existing system and database logs by showing precisely what the user did (as opposed to the technical side effects of what they did).
About ObserveIT
ObserveIT User Activity Monitoring software meets the complex compliance and security challenges related to user activity auditing, one of the key issues that IT, Security and Compliance officers are facing today.
ObserveIT acts like a security camera on your servers, generating audit logs and video recording of every action the user performs. ObserveIT captures all activity, even for applications that do not produce their own internal logs. Every action performed by remote vendors, developers, sysadmins and business users is tied to a video recording, providing bulletproof forensic evidence.
ObserveIT is the ideal solution for 3rd Party Vendor Monitoring, and PCI/HIPAA/SOX/ISO Compliance Accountability.
Founded in 2006, ObserveIT has a worldwide customer base of Global 2000 companies that spans many industry segments including finance, healthcare, manufacturing, telecom, government and IT services.

