SYSTEM AUDIT TRAIL AND LOGS

System logging is one of the basic security features incorporated in both hardware and software. Logs “allow administrators to review a record of all system activity. The ongoing record of system activity shows general trends in system usage and also violations of your system use policy.” Menehune’s Pages (2013). The National Institute of Standards and Technology (NIST) (2013) claims that “Audit trails maintain a record of system activity both by system and application processes and by user activity of systems and applications. In conjunction with appropriate tools and procedures, audit trails can assist in detecting security violations, performance problems, and flaws in applications.” NIST (2013). NIST (2013) further expounds that “An audit trail is a series of records of computer events, about an operating system, an application, or user activities. A computer system may have several audit trails, each devoted to a particular type of activity. Auditing is a review and analysis of management, operational, and technical controls. Audit trails may be used as either a support for regular system operations or a kind of insurance policy or as both of these. As insurance, audit trails are maintained but are not used unless needed, such as after a system outage. As a support for operations, audit trails are used to help system administrators ensure that the system or resources have not been harmed by hackers, insiders, or technical problems.”

So for a record to qualify as an audit trail or log, according to NIST (2013), it must include “sufficient information to establish what events occurred and who (or what) caused them. In general, an event record should specify when the event occurred, the user ID associated with the event, the program or command used to initiate the event, and the result. Date and time can help determine if the user was a masquerader or the actual person specified.” NIST (2013).
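As an added illustration of that minimum (this is example code written for this page, not part of the NIST bulletin or of any logging product), the block below defines a record carrying the four things NIST names, writes it out as one JSON object per line, and checks stored lines against that minimum. The field names, the JSON-lines layout and the sample records are this example’s own assumptions.

```python
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# The four things NIST says every event record must establish; the field
# names are this example's own choice (assumption), not a NIST schema.
REQUIRED_FIELDS = ("timestamp", "user_id", "program", "result")


@dataclass(frozen=True)
class AuditRecord:
    timestamp: str          # when: ISO 8601 with an explicit UTC offset
    user_id: str            # who (or what) caused the event
    program: str            # the program or command that initiated it
    event: str              # what happened
    result: str             # how it ended, e.g. "success" or "denied"
    details: dict = field(default_factory=dict)  # optional context


def make_record(user_id, program, event, result, details=None, now=None):
    """Build a record, stamping it with the current UTC time unless given."""
    when = now or datetime.now(timezone.utc)
    if when.tzinfo is None:
        raise ValueError("audit timestamps must carry a UTC offset")
    return AuditRecord(when.isoformat(timespec="seconds"), user_id,
                       program, event, result, dict(details or {}))


def to_json_line(rec):
    """One JSON object per line: easy to append, ship and search."""
    return json.dumps(asdict(rec), sort_keys=True)


def validate(line):
    """Return the list of reasons a stored line fails NIST's minimum.

    An empty list means the record is usable as audit evidence."""
    problems = []
    try:
        obj = json.loads(line)
    except ValueError:
        return ["not valid JSON"]
    for name in REQUIRED_FIELDS:
        if not obj.get(name):
            problems.append(f"missing {name}")
    ts = obj.get("timestamp")
    if ts:
        try:
            parsed = datetime.fromisoformat(ts)
            if parsed.tzinfo is None:
                # Without an offset, "when" cannot be compared across hosts,
                # which is exactly what a masquerade check depends on.
                problems.append("timestamp lacks UTC offset")
        except ValueError:
            problems.append("timestamp not ISO 8601")
    return problems


# Constructed sample records (not real system output).
GOOD_LINE = to_json_line(make_record(
    "alice", "/usr/bin/passwd", "password_change", "success",
    now=datetime(2013, 9, 6, 10, 15, tzinfo=timezone.utc)))
BAD_LINE = json.dumps({"timestamp": "2013-09-06 10:15:00",
                       "program": "login", "result": "failure"})

if __name__ == "__main__":
    print(GOOD_LINE, validate(GOOD_LINE))
    print(BAD_LINE, validate(BAD_LINE))
```

Running the block prints the good line with an empty problem list and the bad line with two problems: it has no user ID, so nobody can be held accountable for it, and its timestamp has no offset, so it cannot be placed reliably in time.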

“Flexibility is a critical feature of audit trails. Ideally (from a security point of view), a system administrator would have the ability to monitor all system and user activity, but could choose to log only certain functions at the system level, and within certain applications. The decision of how much to log and how much to review should be a function of application/data sensitivity and should be decided by each functional manager/application owner with guidance from the system administrator and the computer security manager/officer, weighing the costs and benefits of the logging. Audit logging can have privacy implications; users should be aware of applicable privacy laws, regulations, and policies that may apply in such situations.” NIST (2013).

Lastly, “Audit trail data requires protection, since the data should be available for use when needed and is not useful if it is not accurate. Also, the best planned and implemented audit trail is of limited value without timely review of the logged data. Audit trails may be reviewed periodically, as needed (often triggered by occurrence of a security event), automatically in real-time, or in some combination of these. System managers and administrators, with guidance from computer security personnel, should determine how long audit trail data will be maintained — either on the system or in archive files.” NIST (2013).

3. Types of log records

a) Event-oriented log
“Event-based logs usually contain records describing system events, application events, or user events.” NIST (2013). “System audit records are generally used to monitor and fine-tune system performance. Application audit trails may be used to discern flaws in applications, or violations of security policy committed within an application. User audit records are generally used to hold individuals accountable for their actions. An analysis of user audit records may expose a variety of security violations, which might range from simple browsing to attempts to plant Trojan horses or gain unauthorized privileges. The system itself enforces certain aspects of policy (particularly system-specific policy) such as access to files and access to the system itself. Monitoring the alteration of systems configuration files that implement the policy is important. If special accesses (e.g., security administrator access) have to be used to alter configuration files, the system should generate audit records whenever these accesses are used.” NIST (2013).

b) A record of every keystroke
Also called keystroke monitoring. “Keystroke monitoring is the process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails. Examples of keystroke monitoring would include viewing characters as they are typed by users, reading users’ electronic mail, and viewing other recorded information typed by users.” NIST (2013). Keystroke monitoring is conducted either because “routine system maintenance may record user keystrokes” NIST (2013), or as “an effort to protect systems and data from intruders who access the systems without authority or in excess of their assigned authority. Monitoring keystrokes typed by intruders can help administrators assess and repair damage caused by intruders.” NIST (2013).

4. Benefits of System Audit Trail and Logs
“Audit trails can provide a means to help accomplish several security-related objectives, including individual accountability, reconstruction of events (actions that happen on a computer system), intrusion detection, and problem analysis.

a) Individual Accountability
Audit trails are a technical mechanism that helps managers maintain individual accountability. By advising users that they are personally accountable for their actions, which are tracked by an audit trail that logs user activities, managers can help promote proper user behaviour. Users are less likely to attempt to circumvent security policy if they know that their actions will be recorded in an audit log.
Audit trails work in concert with logical access controls, which restrict use of system resources. Granting users access to particular resources usually means that they need that access to accomplish their job. Authorized access, of course, can be misused, which is where audit trail analysis is useful. While users cannot be prevented from using resources to which they have legitimate access authorization, audit trail analysis is used to examine their actions.

b) Reconstruction of Events
Audit trails can also be used to reconstruct events after a problem has occurred. Damage can be more easily assessed by reviewing audit trails of system activity to pinpoint how, when, and why normal operations ceased. Audit trail analysis can often distinguish between operator-induced errors (during which the system may have performed exactly as instructed) or system-created errors (e.g., arising from a poorly tested piece of replacement code). If, for example, a system fails or the integrity of a file (either program or data) is questioned, an analysis of the audit trail can reconstruct the series of steps taken by the system, the users, and the application. Knowledge of the conditions that existed at the time of, for example, a system crash, can be useful in avoiding future outages. Additionally, if a technical problem occurs (e.g., the corruption of a data file) audit trails can aid in the recovery process (e.g., by using the record of changes made to reconstruct the file).

c) Intrusion Detection
Intrusion detection refers to the process of identifying attempts to penetrate a system and gain unauthorized access. If audit trails have been designed and implemented to record appropriate information, they can assist in intrusion detection. Although normally thought of as a real-time effort, intrusions can be detected in real time, by examining audit records as they are created (or through the use of other kinds of warning flags/notices).

Real-time intrusion detection is primarily aimed at outsiders attempting to gain unauthorized access to the system. It may also be used to detect changes in the system’s performance indicative of, for example, a virus or worm attack (forms of malicious code). There may be difficulties in implementing real-time auditing, including unacceptable system performance.” NIST (2013).

5. Key issues for effective System Audit Trail and Logs management

a) Protecting Audit Trail Data
“Access to on-line audit logs should be strictly controlled. Computer security managers and system administrators or managers should have access for review purposes; however, security and/or administration personnel who maintain logical access functions may have no need for access to audit logs.
It is particularly important to ensure the integrity of audit trail data against modification. One way to do this is to use digital signatures. Another way is to use write-once devices. The audit trail files need to be protected since, for example, intruders may try to “cover their tracks” by modifying audit trail records. Audit trail records should be protected by strong access controls to help prevent unauthorized access.
The confidentiality of audit trail information may also be protected, for example, if the audit trail is recording information about users that may be disclosure-sensitive such as transaction data containing personal information (e.g., “before” and “after” records of modification to income tax data). Strong access controls and encryption can be particularly effective in preserving confidentiality.
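The integrity protection described above can be made concrete with a small tamper-evident log. The block below is an added example written for this page, not NIST’s or any product’s code; in place of the digital signatures the text names it uses an HMAC chain (a keyed hash, so verifiers must hold the same secret), where each record’s tag covers the previous tag as well as the record, so any edit, deletion or reordering breaks the chain from that point on. The key, record layout and sample records are this example’s own constructions.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key (assumption). In practice the key lives with the log
# collector or in an HSM, never on the host whose activity is being recorded,
# so a compromised host cannot re-tag what it alters.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "genesis"


def _tag(key, prev_tag, record):
    """MAC over the previous tag and this record: this is what links the chain."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append_record(log, key, record):
    """Append a record to the chain and return its tag (the new head)."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    entry = {"seq": len(log), "record": record, "tag": _tag(key, prev_tag, record)}
    log.append(entry)
    return entry["tag"]


def verify_chain(log, key, expected_head=None):
    """Return (ok, first_bad_seq).

    Detects modified, reordered and deleted entries. Given expected_head (the
    last tag saved off-host) it also detects truncation, which a chain on its
    own cannot see because a shortened chain is still internally consistent."""
    prev_tag = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, i                      # gap or reordering
        if not hmac.compare_digest(_tag(key, prev_tag, entry["record"]), entry["tag"]):
            return False, i                      # record or tag altered
        prev_tag = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev_tag, expected_head):
        return False, len(log)                   # tail removed or never written
    return True, None


def build_sample_log():
    """Three constructed records (not real system output)."""
    log = []
    for rec in [
        {"ts": "2013-09-06T10:15:00+00:00", "user": "alice", "program": "login", "result": "success"},
        {"ts": "2013-09-06T10:16:00+00:00", "user": "alice", "program": "sudo", "result": "denied"},
        {"ts": "2013-09-06T10:17:00+00:00", "user": "alice", "program": "logout", "result": "success"},
    ]:
        append_record(log, DEMO_KEY, rec)
    return log


def tamper_checks():
    """Run the verifier against an intact log and three damaged copies."""
    log = build_sample_log()
    head = log[-1]["tag"]                        # stored off-host in practice
    results = {"intact": verify_chain(log, DEMO_KEY, head)}

    edited = copy.deepcopy(log)
    edited[1]["record"]["result"] = "success"    # a denial is "covered up"
    results["edited"] = verify_chain(edited, DEMO_KEY, head)

    deleted = copy.deepcopy(log)
    del deleted[1]                               # the denial disappears
    results["deleted"] = verify_chain(deleted, DEMO_KEY, head)

    truncated = copy.deepcopy(log)[:2]           # tail chopped off
    results["truncated"] = verify_chain(truncated, DEMO_KEY, head)
    return results


if __name__ == "__main__":
    for name, (ok, first_bad) in tamper_checks().items():
        print(f"{name:10s} ok={ok} first_bad={first_bad}")
```

Only the intact copy verifies; each damaged copy fails at the first entry the damage touched. The truncation case is the one to remember: a chain alone cannot tell that its tail is missing, so the latest tag has to be recorded somewhere the logging host cannot change, which is the same reasoning behind the write-once devices the text mentions.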
b) Review of Audit Trails
Audit trails can be used to review what occurred after an event, for periodic reviews, and for real-time analysis. Reviewers should know what to look for to be effective in spotting unusual activity. They need to understand what normal activity looks like.
c) Periodic Review of Audit Trail Data
Application owners, data owners, system administrators, data processing function managers, and computer security managers should determine how much review of audit trail records is necessary, based on the importance of identifying unauthorized activities. This determination should have a direct correlation to the frequency of periodic reviews of audit trail data.
d) Real-Time Audit Analysis
Traditionally, audit trails are analysed in a batch mode at regular intervals (e.g., daily). Audit records are archived during that interval for later analysis. Audit analysis tools can also be used in a real-time, or near real-time fashion. Such intrusion detection tools are based on audit reduction, attack signature, and variance techniques.” NIST (2013).
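The three techniques named in the last sentence (audit reduction, attack signatures and variance) can all be shown on one small set of records. The block below is an added example written for this page, not NIST’s or any tool’s code, and it runs over constructed sample records and a constructed per-user baseline; the routine-event allowlist, the failed-login threshold and window, and the three-standard-deviation rule are this example’s own assumptions, chosen to be easy to read rather than tuned for any real system.

```python
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records for one morning (not real system output):
# (timestamp, user, program, result)
SAMPLE_LOG = [
    ("2013-09-06T08:00:00", "alice", "login",  "success"),
    ("2013-09-06T08:01:00", "alice", "cron",   "success"),
    ("2013-09-06T08:02:00", "bob",   "login",  "failure"),
    ("2013-09-06T08:02:20", "bob",   "login",  "failure"),
    ("2013-09-06T08:02:40", "bob",   "login",  "failure"),
    ("2013-09-06T08:03:00", "bob",   "login",  "failure"),
    ("2013-09-06T08:03:10", "bob",   "login",  "failure"),
    ("2013-09-06T08:10:00", "carol", "login",  "success"),
    ("2013-09-06T08:11:00", "carol", "editor", "success"),
]

# Constructed baseline: events per user on each of the previous five days.
BASELINE = {"alice": [2, 3, 2, 3, 2], "bob": [1, 1, 2, 1, 1], "carol": [3, 4, 3, 4, 3]}

# Events a reviewer never needs to see; the allowlist is this example's choice.
ROUTINE = frozenset({("cron", "success")})


def reduce_audit(records, routine=ROUTINE):
    """Audit reduction: drop routine events so reviewers see only the rest."""
    return [r for r in records if (r[2], r[3]) not in routine]


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=2)):
    """Attack signature: `threshold` failed logins by one user within `window`."""
    flagged = set()
    recent = defaultdict(list)                      # user -> recent failure times
    for ts, user, program, result in records:
        if program != "login" or result != "failure":
            continue
        now = datetime.fromisoformat(ts)
        recent[user] = [t for t in recent[user] if now - t <= window] + [now]
        if len(recent[user]) >= threshold:
            flagged.add(user)
    return flagged


def today_counts(records):
    """Events per user in the interval being analysed."""
    return Counter(user for _, user, _, _ in records)


def variance_outliers(baseline, today, factor=3.0):
    """Variance technique: flag users whose activity departs from their norm.

    A user with no baseline is reported too, since "normal" is unknown for them."""
    out = {}
    for user, count in today.items():
        history = baseline.get(user, [])
        if len(history) < 2:
            out[user] = "no baseline"
            continue
        mean = statistics.mean(history)
        spread = max(statistics.stdev(history), 1.0)   # floor avoids flagging noise
        if count > mean + factor * spread:
            out[user] = f"{count} events vs usual {mean:.1f}"
    return out


def analyse(records=SAMPLE_LOG, baseline=BASELINE):
    """One pass a near-real-time analyser would make over the interval."""
    reduced = reduce_audit(records)
    return {
        "reviewed": len(reduced),
        "dropped": len(records) - len(reduced),
        "signature_hits": failed_login_bursts(reduced),
        "variance_hits": variance_outliers(baseline, today_counts(records)),
    }


if __name__ == "__main__":
    for name, value in analyse().items():
        print(name, value)
```

On the sample data, reduction removes the one cron event, the signature rule flags bob for five failed logins inside two minutes, and the variance rule flags bob again because five events in a morning is far above his usual one or two. The two rules are deliberately independent: a signature catches a pattern you already know, whereas the variance check only says that someone’s activity does not look like their past, which is why the text stresses that reviewers must first know what normal looks like.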
REFERENCES
[1] Menehune’s Pages (2013). Chapter 6. Administering the System Audit Trail. Retrieved September 6, 2013, from http://menehune.opt.wfu.edu/Kokua/SGI/007-2862-005/sgi_html/ch06.html
[2] The National Institute of Standards and Technology (NIST) (2013). Audit Trails. Retrieved September 6, 2013, from http://csrc.nist.gov/publications/nistbul/itl97-03.txt
