System Auditing

Read the section on access control assurance in this article to learn about system auditing. Auditing a system is important to verify that security policies are being followed. When reading, learn what auditing is and what should be audited on a system. Why can information be tracked through system auditing? How should audit and log data be protected to ensure confidentiality and integrity?

Access Control Assurance

Basic Concepts

Accountability is the method of tracking and logging the subject's actions on the objects.

Auditing is an activity in which the users'/subjects' actions on the objects are monitored in order to verify that the sensitivity policies are enforced. It can also be used as an investigation tool.

Advantages of Auditing

  • Track unauthorized activities performed by individuals.
  • Detect intrusion.
  • Reconstruct events and system conditions.
  • Provide legal resource material and produce problem reports.

Note: A security professional should be able to assess an environment and its security goals, know what actions should be audited, and know what is to be done with that information after it is captured – without wasting too much disk space, CPU power, and staff time.

What to Audit?
  • System-level events
    • System performance
    • Logon attempts (successful and unsuccessful)
    • Logon ID
    • Date and time of each logon attempt
    • Lockouts of users and terminals
    • Use of administration utilities
    • Devices used
    • Functions performed
    • Requests to alter configuration files
  • Application-level events
    • Error messages
    • Files opened and closed
    • Modifications of files
    • Security violations within application
  • User-level events
    • Identification and authentication attempts
    • Files, services, and resources used
    • Commands initiated
    • Security violations

Review of Audit Information
  • Audit trails can be reviewed manually or through automated means.
  • Types of audit reviews
    • Event oriented: done as and when an event occurs.
    • Periodic: done periodically to assess the health of the system.
    • Real time: done with the help of automated tools as and when the audit information gets created.
  • Audit trail analysis tools: These tools help by reducing/filtering out the audit log information that is not necessary and providing only the information necessary for auditing.
  • Types of audit trail analysis tools
    • Audit reduction tools: these tools reduce the amount of information within an audit log, discarding information about mundane tasks and recording the system performance, security, and user functionality information that is necessary for auditing.
    • Variance-detection tools: these tools monitor computer and resource usage trends and detect variations and unusual activities, e.g., an employee logging into the machine during odd hours.
    • Attack signature detection tools: these tools parse the audit logs against predefined patterns in a database. If a log entry matches any pattern or signature in the database, it indicates that an attack has taken place or is in progress.
    • Keystroke monitoring.

Protecting Audit Data and Log Information
  • Audit logs should be protected by implementing strict access control.
  • The integrity of the data should be ensured with the use of digital signatures, message digest tools, and strong access control.
  • The confidentiality can be protected with encryption and access controls, and the logs can be stored on CD-ROMs to prevent loss or modification of the data. The modification of logs is often called scrubbing.
  • Unauthorized access attempts to audit logs should be captured and reported.
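
The integrity point above can be made concrete with a keyed message digest chained across log records. The following is an added example, not code from the original article; the function names, the sample records, and the demo key are assumptions made for illustration. It assumes the key and the final tag are held outside the audited system (for instance on write-once media).

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # fixed starting value for the chain (assumption)


def _tag(key, prev, record):
    # Keyed digest over the previous tag plus this record, so every tag
    # depends on all earlier records as well as its own.
    return hmac.new(key, prev + record.encode("utf-8"), hashlib.sha256).digest()


def seal(records, key):
    """Return a list of (record, tag) pairs forming a tamper-evident chain."""
    sealed, prev = [], GENESIS
    for record in records:
        prev = _tag(key, prev, record)
        sealed.append((record, prev))
    return sealed


def verify(sealed, key, head):
    """Return None if the log is intact, else the index where it first fails.

    `head` is the tag of the last record, stored separately from the log.
    A result equal to len(sealed) means records were cut from the end.
    """
    prev = GENESIS
    for i, (record, tag) in enumerate(sealed):
        if not hmac.compare_digest(_tag(key, prev, record), tag):
            return i  # record edited, or an earlier record removed
        prev = tag
    return None if hmac.compare_digest(prev, head) else len(sealed)


# Constructed sample audit records and demo key (not real data).
SAMPLE = [
    "2020-11-21T01:02:03 logon user=alice result=success",
    "2020-11-21T01:05:10 logon user=bob result=failure",
    "2020-11-21T01:05:40 lockout user=bob terminal=tty3",
    "2020-11-21T01:09:00 config-change user=alice file=/etc/example.conf",
]
KEY = b"demo-key-held-off-host"

if __name__ == "__main__":
    log = seal(SAMPLE, KEY)
    head = log[-1][1]
    print("intact:", verify(log, KEY, head))
    scrubbed = log[:1] + log[2:]  # failed logon removed from the middle
    print("scrubbed at index:", verify(scrubbed, KEY, head))
```

Because each tag covers the previous one, editing or removing any record invalidates every tag after it, and the separately stored head exposes truncation of the newest records.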

Creative Commons License This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

Last modified: Saturday, November 21, 2020, 1:55 AM