<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <link rel="stylesheet" href="/style.css" type="text/css" /> <script type="text/javascript" src="/jquery.min.js"></script> <title>CERN Computer Security Information</title> <script type="text/javascript"> $(document).ready(function(){ // Menu highlight var path = location.pathname.split("/"); if ( path ) { $('#main_menu a[href*="' + path[1] + '"][class!="noselect"]').addClass('selected'); // path[3] = /security/<xxxxx>/ $('#sidebar ul.sidemenu li[class!="noselect"]:has(a[href$="' + path.reverse()[0] + '"])').addClass('selected'); } // Add icon to external links $('a[id!=logo-img]').filter(function() { return this.hostname && this.hostname !== location.hostname;   }).after(' <img src="/images/external_link.png" alt="external link" title="external link"/>'); }); </script> </head> <body> <div id="wrap"> <div id="top-bg"></div> <!--header --> <div id="header"> <div id="logo-text"> <a id="logo-img" href="https://home.cern/"><img src="/images/CERNLogo2.png" width="59" height="59" style="margin: 10px" alt="CERN Logo"/></a><div id="logo-text-big"><a href="/home/en/index.shtml" title="">CERN Computer Security</a></div> </div> <div id="header-logo"><a href="/services/en/emergency.shtml"><img width=335 src="/images/emergency.png" alt="Computer Emergencies"/></a></div> </div> <!--header ends--> <div id="header-photo"></div> <!-- navigation starts--> <div id="nav"> <ul id="main_menu"> <li><a class="noselect" href="/home/fr/index.shtml"><img src="/images/fr.png" alt="FR"/></a></li> <li><a href="/home/en/index.shtml">Home</a></li> <li><a href="/rules/en/index.shtml">Computing Rules</a></li> <li><a href="/recommendations/en/index.shtml">Recommendations</a></li> <li><a href="/training/en/index.shtml">Training</a></li> <li><a href="/services/en/index.shtml">Services</a></li> <li><a class="secured" href="/reports/en/index.shtml">Reports &amp; Presentations</a></li> </ul> </div> <!-- navigation ends--> <div id="content-wrap"> <div id="main"> <h2>Central Security Logging</h2> <p>In order to comply with the <a href="https://edms.cern.ch/file/428037/3/Traceability-Logging-v2.0.pdf">Grid Security Traceability and Logging Policy</a>, CERN is required to store all system logs from Grid nodes in a central facility. The Security Team in collaboration with the CERN/IT groups managing the CERN Computer Centre has extended this facility to also store logs from a wide variety of other Computer Centre servers and services. These logs are stored for one year and purged afterwards. Access is restricted to the CERN Computer Security Team only.</p> <p>With these logs at hand, the Security Team performs automatic analyses looking for different threats and unusual behaviors such as:</p> <ul> <li>Bruteforce log-in attempts and log-in successess;</li> <li>Log-in patterns, i.e. the so-called <a href="/services/en/receipts.shtml">"SSH Receipts"</a> notification;</li> <li>Unusual or dangerous system calls and commands;</li> <li>Priviledge escalation attempts;</li> <li>Connections from IP addresses involved in past incidents.</li> </ul> <p>Furthermore, these logs provide an essential basis for conducting forensics in order to understand security events. Depending on the nature of the alert and its severity, the user and the responsible of the affected server will be notified about security events discovered by our automatic log analyses.</p> <p>All software developers are strongly encouraged to use <tt>syslog</tt> (or state-of-the-art libraries capable of communicating with it) for handling logs in their applications.</p> <h4>Want to join?</h4> <p>CERN service providers interested in having their logs integrated with this service are encouraged to contact the <a href="mailto:Computer.Security@cern.ch">Security Team</a>. Below we describe several ways of configuring your server to send system logs to the CSL. Note that, due to confidentiality reasons, direct access to CSL is restricted to the Computer Security Team. However, you may collect your logs on your own, and relay a copy of them to us.</p> </div>  <!-- sidebar menu starts --> <div id="sidebar"> <ul class="sidemenu"> <li><a href="/home/en/privacy_statement.shtml">Privacy Statement</a></li> </ul> <h3>Computer Security Incident Response</h3> <ul class="sidemenu"> <li><a href="/services/en/emergency.shtml">Emergencies</a> <li><a href="/services/en/sems.shtml">Self-mitigation portal</a></li> </ul> <h3>Consulting, Pentesting & Reviews</h3> <ul class="sidemenu"> <li><a href="/services/en/reviews.shtml">...on request</a> <li><a href="/services/en/whitehats.shtml">CERN WhiteHat Challenge</a> </ul> <h3>Host-Based Intrusion Detection</h3> <ul class="sidemenu"> <li><a href="/services/en/csl.shtml">Central security logging</a></li> <li><a href="/services/en/password_dumps.shtml">Password Dump Notifications</a></li> <li><a href="/services/en/receipts.shtml">Remote Login Notifications</a></li> </ul> <h3>Traffic Control & Monitoring</h3> <ul class="sidemenu"> <li><a href="/services/en/dns.shtml">DNS analysis</a></li> <li><a href="/services/en/ids.shtml">Network-based intrusion detection</a></li> <li><a href="/services/en/firewall.shtml">The CERN outer perimeter firewall</a></li> <li><a href="/services/en/dnim.shtml">Statistical traffic analysis</a></li> <li><a href="/services/en/spam.shtml">SPAM filtering</a></li> </ul> <h3>Vulnerability Scans</h3> <ul class="sidemenu"> <li><a href="/services/en/device_scans.shtml">Device scans</a></li> <li><a href="/services/en/network_scans.shtml">Network scans</a></li> <li><a href="/services/en/passwords.shtml">Password cracking</a></li> <li><a href="/services/en/web_scans.shtml">Web application scans</a></li> </ul> </div> <!-- sidebar menu ends --> <!-- content-wrap ends--> </div> <!-- footer starts --> <div id="footer-wrap"> <div id="footer-bottom"> &copy; Copyright 2024<strong> <a href="https://cern.ch/security">CERN Computer Security Office</a></strong> <table> <tr> <td id="footer-info-left"> e-mail: <a href="mailto:Computer.Security@cern.ch">Computer.Security@cern.ch</a><br/> Please use the following PGP key to encrypt your messages:<br/> ID: 0x954CE234B4C6ED84<br/> <a href="https://keys.openpgp.org/vks/v1/by-fingerprint/429D60460EBE8006B04CDF02954CE234B4C6ED84">429D 6046 0EBE 8006 B04C DF02 954C E234 B4C6 ED84</a> </td> <td id="footer-info-right"> Phone: +41 22 767 0500<br/> Please listen to the recorded instructions. </td> </tr> </table> </div> </div> <!-- footer ends--> </div> <!-- wrap ends here --> <!--img height=30px src="/home/en/CERNfooter_800.png"--> </body> </html>