Chapter 24: Auditing

1
Chapter 24 Auditing

• Dr. Wayne Summers
• Department of Computer Science
• Columbus State University
• Summers_wayne_at_colstate.edu
• http//csc.colstate.edu/summers

2
Anatomy of an Auditing System

• Logging recording of events / statistics to
  provide info about system use / performance.
• Mechanism for analyzing system (security,
  rebuilding)
• Review patterns of resource usage
• Auditing analysis of log records to present
  info about the system in clear / understandable
  manner.
• Logger creates log files (records information)
• Analyzer analyzes log files
• Notifier informs analyst of the results of the
  audit

3
Designing an Auditing System

• Implementation Considerations
• What information is logged?
• Syntactic Issues
• What data should be placed in log file?
• How should it be expressed?
• Log Sanitization
• Delete confidential information before making
  logs available
• Delete before / after information is logged?
• Application and System Logging

4
A Posteriori Design

• Auditing to Detect Violations of a Known Policy
• State-Based Auditing uses state-based logging to
  record information about the systems state and
  determine if state is unauthorized
• Transition-Based Auditing uses transition-based
  logging to record information about an action on
  a system to determine if the result will place
  the system in an authorized state
• Auditing to Detect Known Violations of a Policy
  check for certain behaviours

5
Auditing Mechanisms

• Secure Systems
• Auditing mechanisms integrated with the system
  design and implementation
• Nonsecure Systems
• Typically an add-on system

6
Audit Browsing

• Text-based
• Hypertext display
• Relational database browsing
• Replay presents events of interest in temporal
  order
• Graphing
• Slicing presents minimum set of log events that
  affect a given object