Consider installing a dedicated PC or
other non-Unix machine as a network log host.
Have your users check the last login time each time they log in to
make sure that nobody else is using their accounts.
Consider installing a simple cron task to save
copies of the lastlog file to track logins.
Evaluate whether C2 logging on your system is practical and
appropriate. If so, install it.
Determine if there is an intrusion detection and/or audit reduction
tool available to use with your C2 logs.
Make sure that your utmp file is not
world-writable.
Turn on whatever accounting mechanism you may have that logs command
usage.
Run last on a regular basis to see who has been using
the system.
Review your specialized log files on a regular basis. This review
should include loginlog,
sulog, aculog,
xferlog, and others (if they exist on your
system).
Consider adding an automatic log monitor such as Swatch.
Make sure that your log files are on your daily backups before they
are reset.
If you have syslog, configure it so that all
auth messages are logged to a special file. If
you can, also have these messages logged to a special hardcopy
printer and to another computer on your network.
Be aware that log file entries may be forged and misleading in the
event of a carefully crafted attack.
Keep a paper log on a per-site and per-machine basis.
If you process your logs in an automated fashion, craft your filters
so that they exclude the things you don't want
rather than pass only what you do want. This approach will ensure
that you see all exceptional condition messages.
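The exclusion-versus-inclusion point above, as an added example that is not part of the original checklist: a filter over syslog auth messages that drops only what a site has reviewed as routine, next to the inclusion-style filter that passes only anticipated events. The log lines and the benign-pattern list are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the original checklist: exclusion-style filtering
# of syslog "auth" messages next to the inclusion-style filter it warns against.
# The log lines and the benign-pattern list below are constructed for this example.

SAMPLE_LOG='Mar  3 02:10:01 host CRON[1201]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar  3 02:10:01 host CRON[1201]: pam_unix(cron:session): session closed for user root
Mar  3 02:12:44 host login[1350]: FAILED LOGIN (3) on tty1 FOR alice, Authentication failure
Mar  3 02:15:09 host su: alice to root on /dev/pts/0
Mar  3 02:20:33 host sshd[1402]: Accepted publickey for bob from 10.0.0.5 port 50000
Mar  3 02:21:02 host sshd[1410]: error: unexpected internal state in key exchange'

# Messages this (hypothetical) site has reviewed and decided are routine.
# Anything not matched here is, by construction, an exceptional condition.
KNOWN_BENIGN='pam_unix\(cron:session\): session (opened|closed) for user root
Accepted publickey for bob from 10\.0\.0\.5 port [0-9]+$'

# Exclusion filter: remove only the known-benign lines and show everything else.
# The unanticipated sshd "error:" line is still reported.
filter_exclude() (
    pat=$(mktemp) || exit 1
    printf '%s\n' "$KNOWN_BENIGN" > "$pat"
    printf '%s\n' "$SAMPLE_LOG" | grep -Ev -f "$pat"
    rm -f "$pat"
)

# Inclusion filter: pass only the events someone thought to list in advance.
# The same unanticipated sshd "error:" line is silently dropped.
filter_include() {
    printf '%s\n' "$SAMPLE_LOG" | grep -E -e 'FAILED LOGIN' -e ' su: .* to root'
}

# Number of lines a given filter reports (used to compare the two approaches).
count_reported() {
    "$1" | grep -c ''
}

echo "== exclusion filter (reports $(count_reported filter_exclude) lines) =="
filter_exclude
echo "== inclusion filter (reports $(count_reported filter_include) lines) =="
filter_include
```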