13.11. Following Best Practices for Audit Logging
Problem
You want to record activity and/or errors in your program for later review.
Solution
On Unix systems, syslog is the system audit logging facility. Windows also has its own built-in facility for audit logging that differs significantly from syslog on Unix.
Warning
The syslog() function is susceptible to a format string attack if used improperly. See Recipe 3.2 for more information.
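As an added illustration of the warning above (this code is not from the recipe; the function names audit_sanitize and audit_log are my own), the wrapper below never lets untrusted text reach syslog() as a format string, and additionally neutralises control characters so a caller cannot forge extra log lines:

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <syslog.h>

/* Copy untrusted text into dst, replacing control characters (newline,
 * carriage return, escape, ...) with '?'. A newline in logged data would
 * otherwise let an attacker fabricate a fake log line. Always NUL-terminates,
 * truncating to dstlen-1 bytes. Returns the number of bytes replaced. */
size_t audit_sanitize(char *dst, size_t dstlen, const char *src) {
    size_t i, replaced = 0;
    if (dstlen == 0)
        return 0;
    for (i = 0; i + 1 < dstlen && src[i] != '\0'; i++) {
        unsigned char c = (unsigned char)src[i];
        if (iscntrl(c)) {
            dst[i] = '?';
            replaced++;
        } else {
            dst[i] = (char)c;
        }
    }
    dst[i] = '\0';
    return replaced;
}

/* The pattern the recipe warns against (not compiled here): the untrusted
 * text becomes the format string, so "%n" and friends are interpreted.
 *     syslog(LOG_WARNING, untrusted);
 *
 * Safe form: the format string is a constant and the data is an argument,
 * so "%s%n" in the data is logged literally, never interpreted. */
void audit_log(int priority, const char *event, const char *untrusted) {
    char clean[512];
    audit_sanitize(clean, sizeof clean, untrusted);
    syslog(priority, "%s: %s", event, clean);
}

int main(void) {
    /* Constructed sample: a login name chosen to smuggle a format directive
     * and a forged second line into the log. */
    const char *hostile_user = "bob%s%n\nFAILED LOGIN for root";
    openlog("auditdemo", LOG_PID, LOG_AUTHPRIV);
    audit_log(LOG_WARNING, "login failure", hostile_user);
    closelog();
    return 0;
}
```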
Discussion
We cannot overstate the importance of audit logging for security and, more importantly, for forensics. Unfortunately, most existing logging infrastructures severely lack any kind of security. It is generally trivial for attackers to cover their tracks by modifying or deleting any logs that would betray their presence or indicate how they managed to infiltrate your system. A number of things can be done to raise the bar, making it much more difficult for the would-be attacker to invalidate your logs. (We acknowledge, however, that no solution is perfect.)
Network logging
One such possibility involves logging to a network server that is dedicated to storing the logs of other machines on the network. The Unix syslog utility provides a simple interface for configuring logging to a network server instead of writing the log files on the local system, but the system administrator must do the configuration. Configuration cannot be done programmatically by individual programs using the service to make log entries.
If the server that is responsible ...