Chapter 24: Auditing
Dr. Wayne Summers
Department of Computer Science
Columbus State University

2 Anatomy of an Auditing System
Logging – recording of events / statistics to provide info about system use / performance.
–Mechanism for analyzing system (security, rebuilding)
–Review patterns of resource usage
Auditing – analysis of log records to present info about the system in clear / understandable manner.
Logger – creates log files (records information)
Analyzer – analyzes log files
Notifier – informs analyst of the results of the audit

3 Designing an Auditing System
Implementation Considerations
–What information is logged?
Syntactic Issues
–What data should be placed in log file?
–How should it be expressed?
Log Sanitization
–Delete confidential information before making logs available
–Delete before / after information is logged?
Application and System Logging

4 A Posteriori Design
Auditing to Detect Violations of a Known Policy
–State-Based Auditing: uses state-based logging to record information about the system’s state and determine if state is unauthorized
–Transition-Based Auditing: uses transition-based logging to record information about an action on a system to determine if the result will place the system in an authorized state
Auditing to Detect Known Violations of a Policy – check for certain behaviours

5 Auditing Mechanisms
Secure Systems
–Auditing mechanisms integrated with the system design and implementation
Nonsecure Systems
–Typically an add-on system

6 Audit Browsing
Text-based
Hypertext display
Relational database browsing
Replay – presents events of interest in temporal order
Graphing
Slicing – presents minimum set of log events that affect a given object
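
Slicing, as listed on the Audit Browsing slide, sketched as an added example (not code from the slides): a backward pass over a constructed log keeps only the events that can have affected one object. The Event record format, the sample log and the REPLACING set of whole-object actions are assumptions made for the illustration.

```python
from collections import namedtuple

# Constructed record format (assumption): every log event lists the objects
# it read and the objects it wrote.
Event = namedtuple("Event", "seq subject action reads writes")

# Assumption: these actions replace the whole object, so nothing written to
# it earlier can still influence it; any other write is treated as partial.
REPLACING = {"create", "overwrite", "copy"}

# Constructed sample log, in temporal order.
LOG = [
    Event(1, "alice", "create", (), ("notes.txt",)),
    Event(2, "bob", "create", (), ("tmp.dat",)),
    Event(3, "alice", "copy", ("notes.txt",), ("draft.txt",)),
    Event(4, "bob", "append", ("tmp.dat",), ("scratch.log",)),
    Event(5, "carol", "copy", ("draft.txt",), ("report.txt",)),
    Event(6, "bob", "read", ("report.txt",), ()),
    Event(7, "alice", "overwrite", (), ("notes.txt",)),
]


def slice_log(log, target):
    """Return, in temporal order, the events that can have affected target."""
    relevant = {target}            # objects whose earlier contents still matter
    kept = []
    # Walk the log newest-first so an object only becomes relevant for
    # events that happened before the event that read it.
    for ev in sorted(log, key=lambda e: e.seq, reverse=True):
        hit = relevant & set(ev.writes)
        if not hit:
            continue               # wrote nothing the slice depends on
        kept.append(ev)
        if ev.action in REPLACING:
            relevant -= hit        # older contents of these objects are gone
        relevant |= set(ev.reads)  # data may have flowed in from what it read
    return kept[::-1]


if __name__ == "__main__":
    for name in ("report.txt", "notes.txt", "scratch.log"):
        events = slice_log(LOG, name)
        print(name, [(e.seq, e.subject, e.action) for e in events])
```

Event 7 is left out of the slice for report.txt because it overwrote notes.txt only after that file had been copied, and it is the whole slice for notes.txt because an overwrite discards everything written earlier.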