Logging and Threat Management

Division: 

Administration & Finance

Department: 

Information Technology Services

Contact Information: 

Nish Malik / Associate Vice President and Chief Information Officer, Information Technology Services / (415) 405-4105 / nish@sfsu.edu

Effective Date: 

Wednesday, November 30, 2011

Authority: 


Objective: 

This Practice Directive provides guidance on logging and threat management to SF State departments and operational units operating network devices, production servers as well as academic systems and servers.


Statement: 

Purpose and Scope 

This Practice Directive is applicable to all SF State departments and operational units operating network devices, production servers as well as academic systems and servers.  It outlines:

  • the minimum level of monitoring and logging that must be in place for all campus servers
  • the minimum event elements that must be logged
  • a minimum retention period
  • intervals and/or conditions for automated and human involved review and escalation
  • recommended tools and configuration guidelines for implementation
  • basic host and network threat management measures using log management tools (e.g. OSSEC)

Practice Directive

Logging

All critical servers and devices must activate logging of the elements listed below (if available via the application or device) and retain such logs for a minimum of 45 days. Incident investigations, CSU records retention guidelines, subpoenas, departmental guidelines or other directives may dictate longer retention periods.

Log Elements

If available, and storage and processor capacity allows, the following elements should be captured for the system and critical applications running on the system:

  • User/account identification
  • Type of event
  • Date and time
  • Success or failure indication
  • Program or utility used
  • Origination of event (e.g., network address)
  • Protocol
  • Identity or name of affected data, information system or network resource
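As an added illustration (not part of the directive or of any SF State tooling), the following Python script shows how the element list above and the 45-day retention floor can be checked mechanically: it maps constructed sshd-style syslog lines onto the eight required elements, flags records that lack any of them, and lists records older than the retention floor as purge candidates. Field names, the sample log lines and the reference date are all assumptions made for this example.

```python
"""Check log records against the directive's minimum elements and 45-day
retention floor. Added example; field names and sample data are constructed."""
import re
from datetime import datetime, timedelta, timezone

# The directive's minimum log elements, as record keys (names are assumed).
REQUIRED_ELEMENTS = (
    "user",        # user/account identification
    "event_type",  # type of event
    "timestamp",   # date and time
    "outcome",     # success or failure indication
    "program",     # program or utility used
    "origin",      # origination of event (e.g. network address)
    "protocol",    # protocol
    "resource",    # affected data, system or network resource
)
MIN_RETENTION_DAYS = 45

# Constructed reference "now" and log year, so the example runs offline.
NOW = datetime(2011, 12, 20, tzinfo=timezone.utc)
LOG_YEAR = 2011

# Hypothetical sshd syslog lines (constructed; addresses are documentation ranges).
SAMPLE_SSHD_LINES = [
    "Nov 30 12:00:01 host1 sshd[1234]: Failed password for invalid user admin "
    "from 203.0.113.5 port 4444 ssh2",
    "Nov 30 12:05:09 host1 sshd[1240]: Accepted publickey for alice "
    "from 203.0.113.7 port 50022 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<program>\w+)\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<origin>\S+) port \d+ (?P<protocol>\S+)$"
)


def parse_sshd_line(line, year):
    """Map one sshd authentication line onto the required elements, or None."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    # Classic syslog lines carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "user": m["user"],
        "event_type": "authentication",
        "timestamp": ts.replace(tzinfo=timezone.utc),
        "outcome": "failure" if m["outcome"] == "Failed" else "success",
        "program": m["program"],
        "origin": m["origin"],
        "protocol": m["protocol"],
        "resource": m["host"],
    }


def build_sample_records():
    """Two parsed sshd events plus one constructed application record that
    omits origin and protocol and is older than the retention floor."""
    records = [parse_sshd_line(line, LOG_YEAR) for line in SAMPLE_SSHD_LINES]
    records.append({
        "user": "bob",
        "event_type": "file_download",
        "timestamp": datetime(2011, 10, 15, 9, 30, tzinfo=timezone.utc),
        "outcome": "success",
        "program": "webapp",
        "origin": "",       # missing: no network address captured
        "protocol": "",     # missing
        "resource": "/reports/q3.pdf",
    })
    return records


def missing_elements(record):
    """Required elements that are absent or empty in the record."""
    return [e for e in REQUIRED_ELEMENTS if not record.get(e)]


def retention_cutoff(now, days=MIN_RETENTION_DAYS):
    """Records with a timestamp before this instant have passed the floor."""
    return now - timedelta(days=days)


def purge_candidates(records, now, days=MIN_RETENTION_DAYS):
    """Indices of records older than the retention floor. Any longer hold
    (investigation, subpoena, departmental rule) must be applied before purging."""
    cutoff = retention_cutoff(now, days)
    return [i for i, r in enumerate(records) if r["timestamp"] < cutoff]


def audit(records, now):
    """Summarise completeness and retention status for a batch of records."""
    incomplete = {i: missing_elements(r) for i, r in enumerate(records)
                  if missing_elements(r)}
    return {"incomplete": incomplete, "purge_candidates": purge_candidates(records, now)}


if __name__ == "__main__":
    print(audit(build_sample_records(), NOW))
```

The parser covers only the two sshd message shapes in the constructed sample; a real deployment would add a pattern per log source, and the purge list is advisory only, since the directive allows longer retention to override the 45-day floor.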

System administrators may use native log management tools such as Event Viewer on Windows or syslog-based tools.

An automated log monitoring tool such as OSSEC is recommended for automated log alerting and additional host-based intrusion detection and Threat Management capability.  Technical guidance regarding OSSEC's configuration can be found in the OSSEC Technical Implementation Guide.

Review & Escalation

System administrators should periodically review and share relevant data with their department IT staff, and as necessary, their management and the campus ISO when significant malicious or unauthorized activity is detected.  Log data must be made available to the campus ISO upon request. Suspected attacks and malicious or unauthorized activity should be reported to incident@sfsu.edu or campus police as indicated at: Reporting a Security Incident or Vulnerability.

Threat Management

Departments should use the review of log data to assess events that may be indicative of a threat or unauthorized activity.  In addition to automated log monitoring, the recommended tool, OSSEC, provides additional host-based intrusion detection.

References

CSU Records/Information Retention and Disposition Schedules - Executive Order 1031
OSSEC Technical Implementation Guide