S 2.64 Checking the Log Files

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Person-in-charge of the various IT applications, Auditor

Keeping records of security-relevant events is only effective as a safeguard if the recorded data is evaluated by an Auditor at regular intervals. If it is not possible either by technical or personnel means to implement the role of an independent Auditor of log files, they can also be evaluated by the Administrator. If this is the case, it should be noted that it is difficult to monitor the Administrator's activities. The result of the evaluation should therefore be passed to the IT Security Officer, the person responsible for IT or another, specifically named person.

Regular checks followed by deletion of the logged data also ensure that the volume of log files does not grow to an inordinate size. Depending on the type of logged data, it may be appropriate to archive it to external data media.

As log files usually contain person-related data, steps must be taken to ensure that this data is only used for the purposes of monitoring adherence to data protection requirements, data backup or ensuring that operations are being carried out in the proper manner (cf. §14. Para 4 of the Federal Data Protection Act (BDSG) and S 2.110 Data Privacy Guidelines for Logging Procedures). The scope of logging and the criteria used in evaluating log files should be documented and agreed within the organisation.

There may be either statutory minimum periods for which logged data has to be kept or alternatively there may be statutory upper limits on the length of time for which logged data can be retained. Thus, it might be the case that deletion was required in order to comply with data protection legislation (see also S 2.110 Data Privacy Guidelines for Logging Procedures on this point).

On the other hand, for certain types of logged data there may be statutory minimum periods for which the data must be kept, e.g. where it provides information about business processes. These legal stipulations must be adhered to in every case. Prior to deleting any logged data it is therefore necessary to check carefully whether there are any such legal requirements which have to be complied with and, if so, what retention periods result from these. The legal department should be involved here.

The following evaluation criteria are intended as examples to assist detection of any security weaknesses, manipulation attempts or other irregularities:

• Are the log-on and log-off times outside of normal working times (suggesting a tampering attempt)?

• Is the number of incorrect log-on attempts increasing (suggesting an attempt to guess a password)?

• Is the number of unauthorised attempts at access increasing (suggesting tampering attempts)?

• Are there any particularly long periods of time when no protocol data were recorded (suggesting the records could have been deleted)?

• Is too much information recorded (long log files make it more difficult to detect irregularities)?

• Are there any particularly long periods of time when the user has not changed (suggesting that logging-off is not being consistently carried out when a user finishes working)?

• Are there any unusually long periods during which a connection with a public network has been maintained (see T 4.25 Still Active Connections)?

• Have unusually high network loads or an interruption in network operations been detected in individual network segments or throughout the network? (suggesting that there have been attempts to obstruct or impair network services or that the network has been inappropriately designed or configured)?

When evaluating the log files, particular attention should be paid to all accesses which have been carried out using an Administrator ID.

If extensive log files are to be evaluated on a regular basis, it is sensible to use an evaluation tool. This tool should allow evaluation criteria to be selected and highlight especially critical entries (e.g. repeated failed attempts at log-on).

The guidelines stated above also apply to the gathering of auditing data, because in principle, this involves the logging of security-critical events.

Additional controls:

• Who analyses the log files? Is the two-person rule applied?

• Can the activities of the Administrator be monitored to a sufficient extent?

• Is the IT Security Management Team notified of irregularities?