The ability to access the audit trace files is restricted to members of the LogRhythmGlobalAdmin role as configured in earlier steps.
The audit trace files typically reside on an NTFS file system at a location determined by the LogRhythm_Audit configuration. Because the trace files reside on a file system in order to restrict access to them, proper discretionary access controls must be implemented at the file system level. In general, permissions need to be granted to these trace files for read access and/or maintenance and will vary from environment to environment.
The file system folder that the LogRhythm audit traces are written to (the trace folder) must be locked down with appropriate discretionary access controls to prevent access, modification, or deletion at the file system level. To implement minimal permissions on the folder perform the following steps:
- Remove all permissions on the folder with the exception of a single user (or group of users) that requires administrative access (e.g. system or security administrators) to the folder so that permissions can be managed.
- Identify the service account that SQL Server is running under on the LogRhythm server
- On LogRhythm appliances, SQL Server runs under the local SYSTEM account. The account SQL Server is running under can be found by examining the SQL Server service configuration in the Microsoft services.msc management console.
- Ensure the trace folder has the following permissions set for the SQL Server service account:
- Traverse folder/execute file
- List folder/read data
- Read attributes
- Read extended attributes
- Create files/write data
- Read permissions
- Grant additional permissions as required for trace file management.
- Grant access to the trace folder for users who will need access to manage (copy, move, etc.) the trace files present in the trace folder. These may be the same individuals cited in 1 above.
- Ensure that the trace file folder permissions are propagated to the contained trace files (i.e. ensure that the Apply to setting is set for “This folder, subfolders and files” when permissions are granted on the trace folder.)
With these discretionary access controls in place, the only methods for trace file access are via the LogRhythm_Audit_Select stored procedure, its underlying SQL Server fn_trace_gettable function, and those users called out in steps 1 and 3 above. To ensure separation of duties, the users who manage the LogRhythm audit trace files could be different from LogRhythm administrators and users.