9.6 Securing the Log Files and the Auditing Process

You need to secure the log files so that events aren’t tampered with or deleted. To secure the log files:

  1. In the logevent.cfg file, verify that LogSigned=Always is set.

    This setting guarantees that the logged data is signed and chained, so Novell Audit’s Verification process can validate that the events were not tampered with and that none of the events have been deleted.

  2. Create separate user accounts for the Secure Logging Server and auditors.

    The Secure Logging Server account should have write rights to the database. The auditor accounts should have only read rights to the database.
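
Why signing and chaining (step 1) lets verification catch both altered and deleted events, shown as an added example that is not Novell Audit code and does not reproduce its actual signature format: each record's HMAC-SHA256 covers the previous record's signature. The key, the record layout, the function names and the sample events are all constructed for illustration.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # assumed fixed start value for the chain


def sign_event(key, prev_sig, seq, msg):
    """HMAC over the previous signature, the sequence number and the event text."""
    data = prev_sig + seq.to_bytes(8, "big") + msg.encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).digest()


def append_event(log, key, msg):
    """Append a record whose signature is chained to the record before it."""
    prev_sig = log[-1]["sig"] if log else GENESIS
    seq = len(log)
    log.append({"seq": seq, "msg": msg, "sig": sign_event(key, prev_sig, seq, msg)})


def verify_log(log, key, expected_tail=None):
    """Walk the chain; return (ok, reason). expected_tail is the last
    signature kept outside the log, needed to notice records cut off the end."""
    prev_sig = GENESIS
    for pos, rec in enumerate(log):
        if rec["seq"] != pos:
            return False, f"record missing or reordered at position {pos}"
        expected = sign_event(key, prev_sig, rec["seq"], rec["msg"])
        if not hmac.compare_digest(expected, rec["sig"]):
            return False, f"signature mismatch at seq {pos}"
        prev_sig = rec["sig"]
    if expected_tail is not None and not hmac.compare_digest(prev_sig, expected_tail):
        return False, "log truncated or tail replaced"
    return True, "chain intact"


def build_sample_log(key):
    """Constructed sample events, not real Novell Audit output."""
    log = []
    for msg in ("login user=admin", "rights change user=jdoe",
                "file delete path=/data/q3.xls", "logout user=admin"):
        append_event(log, key, msg)
    return log


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed key for the demonstration
    log = build_sample_log(key)
    print(verify_log(log, key))
    log[1]["msg"] = "rights change user=nobody"  # edit one event in place
    print(verify_log(log, key))
```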

You also need to secure the auditing process so that it cannot be disabled. You need to secure all server consoles and prevent access from anonymous sources. Each Novell Audit server platform requires different steps to secure the auditing process, which are discussed below.

NetWare

To secure the auditing process on NetWare, use screensaver passwords and restrict knowledge of the screensaver password to only trusted individuals. Do not grant console access to more people than is necessary.

Windows

To secure the auditing process on Windows, use either the Local Security Policy or Group Policies to restrict access to the Windows server consoles and Control Panel. Only allow trusted individuals to access the Novell eDirectory Services Applet within the Control Panel.

Linux and Solaris

To secure the auditing process on Linux and Solaris, do not share the root password. Restrict knowledge of the root password to only trusted individuals.