
In my understanding, admins need access to the logs of the servers, workstations, services and applications they manage, either for administration or debugging purposes, but never to the logs generated by auditd from their own activities. Another admin or the SOC can. I am considering here corporate policy and the threat of a stolen admin account, where I want to prevent an attacker from seeing or erasing his traces, or malevolence by the admin himself.

Is this correct? If not, what is recommended? To extend the question a little more, how should access to centralized logs be managed when forensic or legal access is required, with local and monitored accounts?

M'vy
lalebarde

2 Answers

5

There is no reason not to allow Read access to his logs. He may be able to notice and handle a breach of his own account, or just check what he did if he forgets/mistypes.

They should NOT have write access to any logs. Especially if you want to be able to do forensics on the logs, the logs should not be tampered with.

Peter Harmann
  • Eventually, you can have the log written on some WORM device. – M'vy Sep 27 '18 at 11:26
  • 1
    ...but the **first** thing you do is to pipe the logs to a remote system with separate admin personnel immediately. – symcbean Sep 27 '18 at 11:33
  • @symcbean Yes, it is advisable to have external logging devices. But not giving admins write access to the log files is better than nothing and probably more than most smaller companies do. Additional equipment is often hard to justify to management, so doing the best with what you have and prioritizing what equipment you need is also important. – Peter Harmann Sep 27 '18 at 12:38
  • Configuring a POSIX system to disallow write access for the root user is virtually impossible, and much more expensive than just offloading the logging elsewhere. – symcbean Sep 27 '18 at 13:08
  • @symcbean Am I missing something? I only ever saw him talk about admins that manage a web server. I just assumed they would not be granted root permissions, considering he suggested denying them read access to the logs. Why do you think the question is about root? – Peter Harmann Sep 27 '18 at 13:35
  • root is the de facto admin account on Unix systems. – symcbean Sep 27 '18 at 14:02
  • 1
    @symcbean An admin is an individual person with an account with privileges. This is not the same as in _root is admin_. – lalebarde Sep 27 '18 at 14:25
  • @PeterHarmann what about preventing an attacker who has usurped an administrator account from monitoring his own traces? Isn't it legitimate, or does it put too much of a hurdle in front of legitimate users? – lalebarde Oct 01 '18 at 09:04
  • @lalebarde I am sorry, I don't understand the question. Can you explain please? – Peter Harmann Oct 01 '18 at 09:27
  • @PeterHarmann Sure: "_There is no reason not to allow Read access to his logs_". What about preventing read access as well, in addition to write access? If an attacker can read his logs, he can base decisions on his traces, is that correct? – lalebarde Oct 01 '18 at 13:42
  • 1
    @lalebarde in theory yes, he may be able to make better decisions. But I can't imagine what that would be in practice. If he wants to know what is being logged, he can just check other admins' logs. If he wants to know if he was caught, well, that is too late to do anything about it anyway, as he can't delete the log. I just don't see the advantage there, even though there theoretically could be one. – Peter Harmann Oct 01 '18 at 15:26
1

The whole purpose of an admin/root account is to have absolute access to all parts of a system. If you want to prevent a scenario like that, don't use full-access admin/root accounts; work with users/groups that only have the permissions to perform their specific tasks. You can give them read access to logs but prevent write access.

That's, for example, what I do with my web servers: I create a group "web administrators" that has write access to ONLY the website and nothing else on the server, but can still access the logs.

This is also called the "principle of least privilege" (PoLP).

Broco
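As an added example (not code from any of the posters), a small Python check for the model both answers converge on: a readers group may read the logs, nobody in that group may write them, and other local users may not read them. The sample log tree, its file names and the 0640/0750 modes are assumptions; ownership (root plus a dedicated readers group), append-only attributes and off-host forwarding are outside what it checks.

```python
import os
import shutil
import stat
import tempfile

def mode_problems(mode):
    """Bits in `mode` that break the model: group write lets a reader
    alter or erase traces; any 'other' bit exposes logs to every user."""
    found = []
    if mode & stat.S_IWGRP:
        found.append("group-writable")
    if mode & stat.S_IROTH:
        found.append("world-readable")
    if mode & stat.S_IWOTH:
        found.append("world-writable")
    return found

def audit_log_dir(path):
    """Sorted (relative path, problem) pairs for `path` and its contents."""
    entries = [path]
    for root, dirs, files in os.walk(path):  # symlinks are not followed
        entries.extend(os.path.join(root, n) for n in dirs + files)
    results = [(os.path.relpath(full, path), p)
               for full in entries
               for p in mode_problems(stat.S_IMODE(os.lstat(full).st_mode))]
    return sorted(results)

def build_fixture():
    """Constructed sample log tree (names and modes are assumptions)."""
    base = tempfile.mkdtemp(prefix="logaudit-")
    os.chmod(base, 0o750)  # owner rwx, readers group rx, others nothing
    modes = {
        "auth.log": 0o640,    # correct: group reads, nobody else
        "audit.log": 0o660,   # wrong: group could rewrite its own trail
        "access.log": 0o644,  # wrong: every local user can read it
    }
    for name, mode in modes.items():
        full = os.path.join(base, name)
        with open(full, "w") as fh:
            fh.write("constructed sample line\n")
        os.chmod(full, mode)
    return base

def demo():
    base = build_fixture()
    try:
        return audit_log_dir(base)  # findings for the constructed tree
    finally:
        shutil.rmtree(base)
```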