How to prevent admins to access logs from their own activity?

Clash Royale CLAN TAG#URR8PPP

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;

up vote
4
down vote

favorite

The idea would be to prevent an attacker who has stolen a root/admin account or escalated to clear its own activities or even read the traces of what he is doing. Let's assume we are under Linux, we log with auditd, and we can use MAC with SELinux. But I am interested also for answers under Windows.

One solution would be to forbid all root accounts to access the logs. Logs are managed only by authorized processes on specific servers from logrotate, syslog, and all SIEM stuff. So only the SOC can read and analyse the admins'logs. Only a purge process can delete old logs. Can one confirm this is doable?

Is it possible to have something more flexible where admins with their own root priviledges could read the logs of other root accounts ?

access-control logging administration

share|improve this question

asked 2 hours ago

lalebarde

167117

add a comment | 

up vote
4
down vote

favorite

The idea would be to prevent an attacker who has stolen a root/admin account or escalated to clear its own activities or even read the traces of what he is doing. Let's assume we are under Linux, we log with auditd, and we can use MAC with SELinux. But I am interested also for answers under Windows.

One solution would be to forbid all root accounts to access the logs. Logs are managed only by authorized processes on specific servers from logrotate, syslog, and all SIEM stuff. So only the SOC can read and analyse the admins'logs. Only a purge process can delete old logs. Can one confirm this is doable?

Is it possible to have something more flexible where admins with their own root priviledges could read the logs of other root accounts ?

access-control logging administration

share|improve this question

asked 2 hours ago

lalebarde

167117

add a comment | 

up vote
4
down vote

favorite

up vote
4
down vote

favorite

The idea would be to prevent an attacker who has stolen a root/admin account or escalated to clear its own activities or even read the traces of what he is doing. Let's assume we are under Linux, we log with auditd, and we can use MAC with SELinux. But I am interested also for answers under Windows.

One solution would be to forbid all root accounts to access the logs. Logs are managed only by authorized processes on specific servers from logrotate, syslog, and all SIEM stuff. So only the SOC can read and analyse the admins'logs. Only a purge process can delete old logs. Can one confirm this is doable?

Is it possible to have something more flexible where admins with their own root priviledges could read the logs of other root accounts ?

access-control logging administration

share|improve this question

asked 2 hours ago

lalebarde

167117

The idea would be to prevent an attacker who has stolen a root/admin account or escalated to clear its own activities or even read the traces of what he is doing. Let's assume we are under Linux, we log with auditd, and we can use MAC with SELinux. But I am interested also for answers under Windows.

One solution would be to forbid all root accounts to access the logs. Logs are managed only by authorized processes on specific servers from logrotate, syslog, and all SIEM stuff. So only the SOC can read and analyse the admins'logs. Only a purge process can delete old logs. Can one confirm this is doable?

Is it possible to have something more flexible where admins with their own root priviledges could read the logs of other root accounts ?

access-control logging administration

access-control logging administration

share|improve this question

asked 2 hours ago

lalebarde

167117

share|improve this question

asked 2 hours ago

lalebarde

167117

share|improve this question

share|improve this question

asked 2 hours ago

lalebarde

167117

asked 2 hours ago

lalebarde

167117

asked 2 hours ago

lalebarde

167117

167117

add a comment | 

add a comment | 

2 Answers
2

active

oldest

votes

up vote
5
down vote

The accepted solution to this is to not store the logs locally, but on a log server. Once the logs are there, you can restrict or limit access as you see fit.

Syslog servers, SIEMs, log aggregators, ELK stacks etc. There are numerous options for you to explore.

share|improve this answer

answered 2 hours ago

schroeder♦

64.9k25138175

add a comment | 

up vote
3
down vote

Any logs on a compromised host are suspect. You need a centralized logging platform, either a central syslog server/ splunk / logrhythm / whatever. Keep a different set of administrators and accounts. That's the whole idea.

Once you get a platform in place you can delegate the rights to view their actions, either their own or other admins - can be performed. We had rights read specific log sources and hosts delegated out.

share|improve this answer

answered 2 hours ago

Tim Brigham

2,80022033

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f194231%2fhow-to-prevent-admins-to-access-logs-from-their-own-activity%23new-answer', 'question_page');

);

Post as a guest

Name Email

2 Answers
2

active

oldest

votes

2 Answers
2

active

oldest

votes

active

oldest

votes

active

oldest

votes

up vote
5
down vote

The accepted solution to this is to not store the logs locally, but on a log server. Once the logs are there, you can restrict or limit access as you see fit.

Syslog servers, SIEMs, log aggregators, ELK stacks etc. There are numerous options for you to explore.

share|improve this answer

answered 2 hours ago

schroeder♦

64.9k25138175

add a comment | 

up vote
5
down vote

The accepted solution to this is to not store the logs locally, but on a log server. Once the logs are there, you can restrict or limit access as you see fit.

Syslog servers, SIEMs, log aggregators, ELK stacks etc. There are numerous options for you to explore.

share|improve this answer

answered 2 hours ago

schroeder♦

64.9k25138175

add a comment | 

up vote
5
down vote

up vote
5
down vote

The accepted solution to this is to not store the logs locally, but on a log server. Once the logs are there, you can restrict or limit access as you see fit.

Syslog servers, SIEMs, log aggregators, ELK stacks etc. There are numerous options for you to explore.

share|improve this answer

answered 2 hours ago

schroeder♦

64.9k25138175

The accepted solution to this is to not store the logs locally, but on a log server. Once the logs are there, you can restrict or limit access as you see fit.

Syslog servers, SIEMs, log aggregators, ELK stacks etc. There are numerous options for you to explore.

share|improve this answer

answered 2 hours ago

schroeder♦

64.9k25138175

share|improve this answer

share|improve this answer

answered 2 hours ago

schroeder♦

64.9k25138175

answered 2 hours ago

schroeder♦

64.9k25138175

answered 2 hours ago

schroeder♦

64.9k25138175

64.9k25138175

add a comment | 

add a comment | 

up vote
3
down vote

Any logs on a compromised host are suspect. You need a centralized logging platform, either a central syslog server/ splunk / logrhythm / whatever. Keep a different set of administrators and accounts. That's the whole idea.

Once you get a platform in place you can delegate the rights to view their actions, either their own or other admins - can be performed. We had rights read specific log sources and hosts delegated out.

share|improve this answer

answered 2 hours ago

Tim Brigham

2,80022033

add a comment | 

up vote
3
down vote

Any logs on a compromised host are suspect. You need a centralized logging platform, either a central syslog server/ splunk / logrhythm / whatever. Keep a different set of administrators and accounts. That's the whole idea.

Once you get a platform in place you can delegate the rights to view their actions, either their own or other admins - can be performed. We had rights read specific log sources and hosts delegated out.

share|improve this answer

answered 2 hours ago

Tim Brigham

2,80022033

add a comment | 

up vote
3
down vote

up vote
3
down vote

Any logs on a compromised host are suspect. You need a centralized logging platform, either a central syslog server/ splunk / logrhythm / whatever. Keep a different set of administrators and accounts. That's the whole idea.

Once you get a platform in place you can delegate the rights to view their actions, either their own or other admins - can be performed. We had rights read specific log sources and hosts delegated out.

share|improve this answer

answered 2 hours ago

Tim Brigham

2,80022033

Any logs on a compromised host are suspect. You need a centralized logging platform, either a central syslog server/ splunk / logrhythm / whatever. Keep a different set of administrators and accounts. That's the whole idea.

Once you get a platform in place you can delegate the rights to view their actions, either their own or other admins - can be performed. We had rights read specific log sources and hosts delegated out.

share|improve this answer

answered 2 hours ago

Tim Brigham

2,80022033

share|improve this answer

share|improve this answer

answered 2 hours ago

Tim Brigham

2,80022033

answered 2 hours ago

Tim Brigham

2,80022033

answered 2 hours ago

Tim Brigham

2,80022033

2,80022033

add a comment | 

add a comment | 

 

draft saved

draft discarded

 

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f194231%2fhow-to-prevent-admins-to-access-logs-from-their-own-activity%23new-answer', 'question_page');

);

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name Email

Name Email

Name

Email

Name Email

Name

Email