Security Audit Methods

Audit refers to automated mechanisms that record computer system activity in a protected, machine-maintained log called the audit log. Accountability is the property that allows the actions of any subject (user, process or other logical entity) to be traced unambiguously to that subject.
The audit mechanism depends on data supplied by the identification/authentication mechanism, since only that mechanism produces the data that ties recorded activity to a specific subject of the system. The audit mechanism, in turn, supplies the data used to analyze the security of the computer system, including the identification of the events that caused the system to enter an insecure state.

The audit mechanism is intended to:

  1. make visible:
     – attempts to access individual objects;
     – the activity of processes and users;
     – the use of the system's protection mechanisms;
  2. detect attempts by authorized users and by intruders to circumvent the protection mechanisms;
  3. identify the use of privileges beyond what a user actually needs;
  4. act as a deterrent, by informing would-be violators that all their actions are recorded;
  5. give authorized users assurance that every attempt to bypass the protection system will be recorded.

Those who interact with the audit mechanism fall into two categories: auditors and ordinary users of the computer system.
Auditors configure the audit mechanism by selecting the system events that must be recorded, and they analyze the recorded events. The audit mechanism itself must be protected from unauthorized modification; in particular, access to its configuration must be controlled so that only system auditors can change it.
The audit mechanism should record all system activity that could plausibly be connected with a deliberate attack. Such activity is often described as "security-critical".

Operations that must be audited include:

  • use of the identification/authentication mechanisms by a user;
  • access by subjects to objects;
  • use of the computer system's administration mechanisms;
  • actions of the administrator or other privileged users;
  • printing of documents;
  • other events that affect the security of the system.

Auditing events that are not security-relevant produces large volumes of audit data and makes analysis harder. Selecting the events to record is not a trivial task and requires an understanding of how security breaches actually unfold.
The audit mechanism should not have a harmful or undesirable effect on the normal functioning of the computing system; otherwise system administrators will be tempted to disable auditing in order to get their work done. Ideally, users of the computer system should not notice the audit subsystem at all, but some impact of event logging on system performance is inevitable.
There are two main methods for selecting audit events: pre-selection and post-selection.
With pre-selection, the auditor chooses in advance which events are audited. Events not selected by the auditor are never recorded. The advantage of this approach is better performance than post-selection. The disadvantage is that it requires a prior judgement about which events will matter, and a wrong judgement degrades the quality of later analysis: an event that was not selected cannot be recovered afterwards.
With post-selection, every event is logged. The auditor then selects, from all the recorded events, the ones on which the security analysis is carried out. The advantage of this approach is a complete picture of what happened in the system. The disadvantages are the performance cost compared with pre-selection and the large volume of audit data that must be stored and searched.
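To make the trade-off concrete, here is an added example (not from the original article) that feeds one constructed event stream through both selection strategies and then asks a question the auditor did not anticipate when configuring pre-selection. The event types, user names, the constructed event list and the `failed_logons_before_success` analysis are assumptions of the example.

```python
"""Pre-selection vs post-selection of audit events (constructed data)."""
from collections import Counter

# Constructed event stream: what the kernel or an application would hand to
# the audit subsystem. Event types mirror the article's list of auditable
# operations; users and timestamps are made up for the example.
EVENTS = [
    {"ts": 1, "user": "alice", "type": "logon", "result": "success", "source": "tty1"},
    {"ts": 2, "user": "alice", "type": "object_access", "result": "success", "object": "/etc/passwd"},
    {"ts": 3, "user": "bob", "type": "logon", "result": "failure", "source": "tty2"},
    {"ts": 4, "user": "bob", "type": "logon", "result": "failure", "source": "tty2"},
    {"ts": 5, "user": "bob", "type": "logon", "result": "success", "source": "tty2"},
    {"ts": 6, "user": "bob", "type": "privilege_use", "result": "success", "privilege": "backup"},
    {"ts": 7, "user": "bob", "type": "object_access", "result": "success", "object": "/etc/shadow"},
    {"ts": 8, "user": "carol", "type": "print", "result": "success", "object": "payroll.pdf"},
    {"ts": 9, "user": "root", "type": "policy_change", "result": "success", "description": "audit policy changed"},
]


class PreSelectingAuditor:
    """Auditor decides at configuration time which event types are recorded.
    Everything else is discarded at the source and cannot be recovered."""

    def __init__(self, selected_types):
        self.selected = set(selected_types)
        self.log = []

    def record(self, event):
        if event["type"] in self.selected:
            self.log.append(event)


class PostSelectingAuditor:
    """Every event is recorded; selection happens at analysis time."""

    def __init__(self):
        self.log = []

    def record(self, event):
        self.log.append(event)

    def select(self, predicate):
        return [e for e in self.log if predicate(e)]


def failed_logons_before_success(log):
    """Analysis question asked after the fact: which users had failed logons
    followed by a success? (the 'attempt to circumvent protection' pattern)"""
    failures = Counter()
    suspicious = set()
    for e in sorted(log, key=lambda e: e["ts"]):
        if e["type"] != "logon":
            continue
        if e["result"] == "failure":
            failures[e["user"]] += 1
        elif failures[e["user"]] > 0:
            suspicious.add(e["user"])
    return suspicious


def run_both():
    # Pre-selection: the auditor anticipated object access and privilege use
    # only; logon events were judged uninteresting at configuration time.
    pre = PreSelectingAuditor({"object_access", "privilege_use"})
    post = PostSelectingAuditor()
    for e in EVENTS:
        pre.record(e)
        post.record(e)
    return {
        "pre_records": len(pre.log),
        "post_records": len(post.log),
        # The logon question cannot be answered from the pre-selected log.
        "pre_suspicious": failed_logons_before_success(pre.log),
        "post_suspicious": failed_logons_before_success(
            post.select(lambda e: e["type"] == "logon")),
    }


if __name__ == "__main__":
    print(run_both())
```

The pre-selected log holds a third of the records, which is the performance win, but the question about bob's failed-then-successful logons is unanswerable from it; the post-selected log answers it at the cost of storing everything.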
Audit data written to the log should be structured as well-defined units of information called audit records. This uniformity greatly simplifies the development of tools that interpret audit data.

Audit records typically include:

  • the date and time of the event;
  • the user ID;
  • the type of event;
  • the result of the event (success or failure).

For an object-access event, the name of the object accessed is also recorded.
For identification/authentication events, the source of the event (for example, the terminal from which the system was accessed) is usually recorded as well.
For an event that changes the security policy of the system, a description of the change must be logged.

In addition, the following requirements can be placed on the audit subsystem.

  • Data compression. Because a large volume of data is usually recorded, it is advisable to archive audit data when storing it. The data is unarchived when the auditor accesses the log.
  • Several audit logs. One log may reflect the activity of ordinary users, another that of operators, and a third that of administrators. Separating the audit data streams in this way simplifies analysis. So that a plausible sequence of events can be reconstructed across logs, each audit record must carry a timestamp.
  • Presentation of audit data in a form convenient for the auditor. The audit engine may write data in a binary representation, so a viewer is needed that presents the records in a readable form.
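The record layout described above, the per-role logs, the archiving, the viewer and the earlier requirement that the audit mechanism be protected from modification can be shown together. The following is an added example, not code from the article: it defines an audit record with the common fields plus the event-specific ones, routes records to user/operator/administrator logs, lets only an auditor change what is recorded (and logs a refused attempt), archives each log with gzip, and provides a viewer that decompresses and checks the log before presenting it. The hash chaining used to detect edits, the role names, the constructed records and the `view`/`demo` helpers are assumptions of the example; the article only requires that the mechanism be protected from modification and that records carry a timestamp.

```python
"""Audit records, per-role logs, hash chaining, compression and a viewer
(constructed example)."""
import gzip
import hashlib
import json
import time
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class AuditRecord:
    # Fields every record carries: date/time, user ID, event type, result.
    timestamp: float
    user_id: str
    event_type: str
    result: str
    # Event-specific fields: object name for access events, source for
    # identification/authentication events, description for policy changes.
    object_name: Optional[str] = None
    source: Optional[str] = None
    description: Optional[str] = None
    # Role of the acting subject; used to route the record to the right log.
    role: str = "user"

    def validate(self):
        if self.event_type == "object_access" and not self.object_name:
            raise ValueError("object_access record requires object_name")
        if self.event_type == "authentication" and not self.source:
            raise ValueError("authentication record requires source")
        if self.event_type == "policy_change" and not self.description:
            raise ValueError("policy_change record requires description")


class ChainedLog:
    """Append-only log in which each entry carries the SHA-256 of the previous
    entry plus its own body, so editing or deleting a stored record breaks
    verification. (Hash chaining is an assumption of this example.)"""

    def __init__(self):
        self.entries = []
        self.prev_hash = "0" * 64

    def append(self, record):
        record.validate()
        body = json.dumps(asdict(record), sort_keys=True)
        digest = hashlib.sha256((self.prev_hash + body).encode()).hexdigest()
        self.entries.append({"prev": self.prev_hash, "record": body, "hash": digest})
        self.prev_hash = digest

    def to_bytes(self):
        """Archived (gzip) representation of the whole log."""
        return gzip.compress("\n".join(json.dumps(e) for e in self.entries).encode())


class AuditSubsystem:
    """Separate logs for user, operator and administrator activity; only a
    subject holding the auditor role may change which events are recorded."""

    def __init__(self):
        self.logs = {r: ChainedLog() for r in ("user", "operator", "administrator")}
        self.enabled_types = {"authentication", "object_access", "policy_change", "privilege_use"}

    def configure(self, actor, actor_role, enabled_types):
        if actor_role != "auditor":
            # The refused attempt is itself security-relevant, so record it.
            self.record(AuditRecord(time.time(), actor, "policy_change", "failure",
                                    description="unauthorized audit reconfiguration",
                                    role="user"))
            raise PermissionError("only auditors may change the audit configuration")
        self.enabled_types = set(enabled_types)
        self.record(AuditRecord(time.time(), actor, "policy_change", "success",
                                description=f"enabled types set to {sorted(enabled_types)}",
                                role="administrator"))

    def record(self, rec):
        if rec.event_type in self.enabled_types:
            self.logs[rec.role].append(rec)


def view(archived: bytes):
    """Viewer: decompress, verify the chain, return records oldest first."""
    prev = "0" * 64
    out = []
    for line in gzip.decompress(archived).decode().splitlines():
        entry = json.loads(line)
        expected = hashlib.sha256((prev + entry["record"]).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            raise ValueError("audit log tampered with or truncated")
        out.append(json.loads(entry["record"]))
        prev = entry["hash"]
    return out


def demo():
    sub = AuditSubsystem()
    sub.record(AuditRecord(1.0, "alice", "authentication", "success", source="tty1"))
    sub.record(AuditRecord(2.0, "alice", "object_access", "success", object_name="/srv/payroll.db"))
    try:
        sub.configure("alice", "user", {"authentication"})   # refused and logged
    except PermissionError:
        pass
    sub.configure("audrey", "auditor", {"authentication", "object_access", "policy_change"})
    archived = sub.logs["user"].to_bytes()
    records = view(archived)
    # Simulate an attacker rewriting a stored user ID inside the archive.
    raw = gzip.decompress(archived).decode().replace('\\"alice\\"', '\\"mallory\\"')
    try:
        view(gzip.compress(raw.encode()))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return records, tamper_detected
```

`demo()` returns the three records from the user log (alice's logon, her file access, and her refused attempt to reconfigure auditing) together with a flag showing that the viewer rejects the archive once a stored record has been altered.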

The Windows operating system has three classic event logs:

  •  the System log, which stores events that Microsoft has classified as critical to the functioning of the system (system failures, component failures, and so on);
  •  the Application log, to which user applications add their own events;
  •  the Security log, which contains records of security-related events (logons, file access, and so on); by default this log can be read only by administrators.

Windows defines the following main categories of audit events:

  •  Privilege use – exercise of user rights and privileges;
  •  System – system events (startup, shutdown, changes to the security state of the system);
  •  Object access – access to objects (files, registry keys and other securable objects that carry a SACL);
  •  Process tracking – process creation and termination;
  •  Logon – logon and logoff events on the machine where the session takes place;
  •  Account logon – validation of account credentials (for example, by a domain controller);
  •  Policy change – changes to the audit or security policy;
  •  Account management – creation, modification and deletion of accounts and groups.

Microsoft provides Event Viewer for viewing the events in these logs. The system administrator determines how the system responds when the security log is full: halt the system (the "shut down system immediately if unable to log security audits" policy, also known as CrashOnAuditFail), stop recording new events, or overwrite the oldest records.
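The three responses to a full security log have different failure modes, which the following added model (written for this page; neither the article's nor the Windows implementation) makes visible: under overwriting an attacker who can generate events can flood the log and evict earlier evidence, under stop-logging later events are silently lost while the system keeps running, and under halting the system fails closed at the cost of availability. The policy names, the capacity and the `exercise` helper are assumptions of the example.

```python
"""Responses to a full security log: a constructed model of the three
policies (overwrite oldest, stop auditing, halt the system)."""
from collections import deque

OVERWRITE_OLDEST = "overwrite"   # overwrite events as needed
STOP_AUDITING = "stop"           # do not overwrite: new events are dropped
HALT_SYSTEM = "halt"             # fail closed: refuse to run without audit


class AuditLogFull(Exception):
    """Raised under HALT_SYSTEM; stands in for the system halt."""


class BoundedSecurityLog:
    def __init__(self, capacity, policy):
        self.capacity = capacity
        self.policy = policy
        self.entries = deque()
        self.dropped = 0   # events lost under STOP_AUDITING

    def append(self, event):
        if len(self.entries) < self.capacity:
            self.entries.append(event)
            return "stored"
        if self.policy == OVERWRITE_OLDEST:
            self.entries.popleft()          # earliest evidence is evicted
            self.entries.append(event)
            return "overwrote_oldest"
        if self.policy == STOP_AUDITING:
            self.dropped += 1               # event is lost, system continues
            return "dropped"
        raise AuditLogFull(f"security log full; halting before {event!r} goes unrecorded")


def exercise(policy, capacity=3, n_events=5):
    """Push n_events through a log of the given capacity and report what
    happened to each, what survived, and how many were silently lost."""
    log = BoundedSecurityLog(capacity, policy)
    outcomes = []
    for i in range(n_events):
        try:
            outcomes.append(log.append(f"event{i}"))
        except AuditLogFull:
            outcomes.append("halted")
            break
    return outcomes, list(log.entries), log.dropped


if __name__ == "__main__":
    for policy in (OVERWRITE_OLDEST, STOP_AUDITING, HALT_SYSTEM):
        print(policy, exercise(policy))
```

With capacity 3 and five events, overwriting keeps only events 2 to 4, stop-logging keeps events 0 to 2 and reports two lost events, and halting keeps events 0 to 2 and refuses to continue; which of these is acceptable depends on whether losing evidence or losing availability is the greater risk for the system in question.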
The audit mechanism works as follows.

Each securable object is associated with a system access control list (SACL), whose entries are of two types: the system audit ACE and the system audit-object ACE. These entries determine which operations performed on the object by specific users or groups are subject to audit, and whether successful operations, failed operations, or both are recorded. The resulting audit data is written to the Security log. A system audit-object ACE additionally carries an object-type identifier (a GUID) that names the type of object or sub-object (such as a property set or property) the entry applies to, and an optional inherited-object-type identifier that controls which types of child objects inherit the entry.

Audit events can be generated by the object manager based on the results of access checks. They can also be generated directly through application programming interfaces available to user-mode applications; kernel-mode code has the same ability.
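As an added example (a Python model written for this page, not Windows code), the following shows how an object manager can derive audit records from a system ACL after an access check: each audit ACE names a trustee, an access mask and whether successful or failed access is audited, and the object-type variant additionally carries an object type. The DACL dictionary, the access-mask values, the object and principal names and the one-record-per-check simplification are assumptions of the model.

```python
"""Model of SACL-driven audit generation by an object manager (constructed
simplification of Windows SYSTEM_AUDIT_ACE / SYSTEM_AUDIT_OBJECT_ACE
semantics, not the real kernel code)."""
from dataclasses import dataclass
from typing import Optional

# Illustrative access-mask bits (assumed for the model).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
# ACE flags with the same meaning as the Windows header constants:
# which outcomes of an access check this audit ACE applies to.
SUCCESSFUL_ACCESS_ACE_FLAG = 0x40
FAILED_ACCESS_ACE_FLAG = 0x80


@dataclass
class AuditAce:
    trustee: str          # user or group the ACE applies to
    access_mask: int      # operations whose attempts trigger an audit
    flags: int            # SUCCESSFUL_ and/or FAILED_ACCESS_ACE_FLAG
    # Set only on the audit-object variant: the (sub)object type this ACE
    # covers, and optionally the type of child objects that inherit it.
    object_type: Optional[str] = None
    inherited_object_type: Optional[str] = None


@dataclass
class SecuredObject:
    name: str
    obj_type: str
    dacl: dict   # trustee -> granted access mask (drives the access check)
    sacl: list   # AuditAce entries (drive audit generation)


def access_check(obj, subject, groups, desired):
    """True if the DACL grants every bit of `desired` to subject or groups."""
    granted = 0
    for trustee in [subject, *groups]:
        granted |= obj.dacl.get(trustee, 0)
    return (desired & ~granted) == 0


def sacl_applies(ace, subject, groups, desired, succeeded, obj):
    if ace.trustee not in (subject, *groups, "Everyone"):
        return False
    if ace.access_mask & desired == 0:
        return False
    if ace.object_type is not None and ace.object_type != obj.obj_type:
        return False
    wanted = SUCCESSFUL_ACCESS_ACE_FLAG if succeeded else FAILED_ACCESS_ACE_FLAG
    return bool(ace.flags & wanted)


def object_manager_open(obj, subject, groups, desired, security_log):
    """Perform the access check, then emit an audit record if the SACL says so."""
    succeeded = access_check(obj, subject, groups, desired)
    for ace in obj.sacl:
        if sacl_applies(ace, subject, groups, desired, succeeded, obj):
            security_log.append({
                "event": "object_access",
                "object": obj.name,
                "subject": subject,
                "access": desired,
                "result": "success" if succeeded else "failure",
            })
            break   # simplification: one audit record per access check
    return succeeded


def demo():
    log = []
    payroll = SecuredObject(
        name="payroll.db", obj_type="file",
        dacl={"Finance": READ, "Administrators": READ | WRITE | DELETE},
        sacl=[
            # Audit every failed access attempt by anyone.
            AuditAce("Everyone", READ | WRITE | DELETE, FAILED_ACCESS_ACE_FLAG),
            # Audit successful writes/deletes by administrators (privileged use).
            AuditAce("Administrators", WRITE | DELETE, SUCCESSFUL_ACCESS_ACE_FLAG),
        ],
    )
    results = [
        object_manager_open(payroll, "alice", ["Finance"], READ, log),          # granted, not audited
        object_manager_open(payroll, "alice", ["Finance"], WRITE, log),         # denied, audited
        object_manager_open(payroll, "bob", ["Administrators"], DELETE, log),   # granted, audited
    ]
    return results, log
```

Of the three opens in `demo()`, only alice's denied write and bob's successful delete produce audit records: the routine read by an authorized user is exactly the kind of non-security event the article warns against logging.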

161 thoughts on “Security Audit Methods”

  1. Hi there. I discovered your web site by means of Google whilst looking for a similar matter, your site got here up. It looks good. I have bookmarked it in my google bookmarks to come back then. Alfy Ches Florin

  2. Can I recently say that's a relief to locate someone who in fact knows what they're preaching about on-line. You actually realize how to bring a challenge to light making it critical. More people should check out this and see why side of the story. I can't believe you're no more well-known simply because you definitely possess the gift. Kimberly Florian Dekow

  3. After looking into a handful of the articles on your web site, I truly appreciate your way of writing a blog. I bookmarked it to my bookmark website list and will be checking back soon. Take a look at my web site as well and let me know your opinion. Farrah Burnard Lilithe

  4. I feel anything in moderation is okay and as you say, right videos and apps should be given to children. Well written post! Tabbie Bertram Uund

  5. Way cool! Some extremely valid points! I appreciate you penning this write-up and also the rest of the website is extremely good. Brier Richmound Hax Gennie Lindsay Archibaldo

  6. Magnificent beat ! I wish to apprentice even as you amend your web site, how could i subscribe for a blog web site?
    The account helped me a applicable deal.
    I were a little bit familiar of this your broadcast offered shiny clear concept

  7. I blog often and I really appreciate your information.
    The article has truly peaked my interest. I’m going to book mark your website and keep checking for new information about once per week.
    I opted in for your Feed too.

    Look into my homepage … CBD for sale

  8. You could definitely see your expertise in the article
    you write. The arena hopes for more passionate writers such as
    you who aren’t afraid to mention how they believe. At all times follow
    your heart.

  9. Hi, I do believe this is a great blog. I stumbled upon it 😉 I will revisit once again since i have book-marked
    it. Money and freedom is the greatest way to change, may you be rich and
    continue to guide other people.

  10. Greetings from Idaho! I’m bored to tears at work so I decided
    to browse your website on my iphone during lunch break.

    I enjoy the knowledge you provide here and can’t wait to take a
    look when I get home. I’m amazed at how fast your blog loaded on my phone ..

    I’m not even using WIFI, just 3G .. Anyways, wonderful blog!

  11. I’ve learn a few good stuff here. Definitely price bookmarking for revisiting.

    I surprise how a lot effort you put to create any such magnificent informative website.

  12. It’s perfect time to make some plans for the future and it
    is time to be happy. I’ve read this post and if I could
    I wish to suggest you few interesting things or advice.
    Maybe you could write next articles referring to this article.
    I wish to read even more things about it!

    my blog post :: CBD gummies for sale

  13. I will right away clutch your rss as I can not in finding
    your email subscription link or newsletter service.
    Do you’ve any? Kindly permit me realize so that I could subscribe.

  14. You really make it seem really easy along with your presentation but I in finding
    this topic to be really something which I think I might never understand.
    It sort of feels too complex and very vast for me.
    I’m taking a look forward for your subsequent
    post, I’ll attempt to get the hold of it!

  15. Hi just wanted to give you a quick heads up and let you know a few
    of the images aren’t loading correctly. I’m not sure why but I think
    its a linking issue. I’ve tried it in two different web browsers and both
    show the same results.

  16. I’ve been exploring for a little for any high quality articles
    or blog posts in this sort of house . Exploring in Yahoo I ultimately stumbled
    upon this web site. Studying this info So i am
    happy to convey that I’ve an incredibly good uncanny feeling I discovered just what I needed.
    I so much undoubtedly will make sure to don't put out of
    your mind this website and give it a glance on a constant basis.

  17. When I originally commented I clicked the “Notify me when new comments are added” checkbox and now each time a comment is added I get three emails with the same comment.
    Is there any way you can remove me from that service?
    Bless you!

  18. Having read this I believed it was really enlightening.
    I appreciate you spending some time and energy to put this
    short article together. I once again find myself
    personally spending a lot of time both reading and commenting.
    But so what, it was still worth it!

  19. Good day! I know this is kinda off topic however I’d figured I’d ask.
    Would you be interested in trading links or maybe guest authoring a blog article or vice-versa?
    My website goes over a lot of the same topics as yours and I think
    we could greatly benefit from each other. If you might be interested feel free to send me an e-mail.

    I look forward to hearing from you! Excellent blog by the way!

    Stop by my web page – CBD gummies for sleep

  20. Does your site have a contact page? I’m having problems locating
    it but, I’d like to shoot you an e-mail. I’ve got some suggestions
    for your blog you might be interested in hearing. Either way, great
    blog and I look forward to seeing it grow over time.

    Feel free to surf to my webpage: best delta 8 thc

  21. I have been surfing online more than three hours lately, yet I never found any
    attention-grabbing article like yours. It is lovely worth sufficient
    for me. Personally, if all webmasters and bloggers
    made just right content material as you probably did, the internet can be much more useful than ever

  22. It’s the best time to make some plans for the longer term and it’s time to be happy.

    I have read this submit and if I could I wish to recommend you few fascinating things or tips.
    Maybe you could write next articles regarding this article.
    I wish to read even more issues about it!

  23. My programmer is trying to persuade me to move to .net from PHP.
    I have always disliked the idea because of the costs.
    But he’s trying none the less. I’ve been using Movable-type on a variety
    of websites for about a year and am worried about switching to another platform.
    I have heard fantastic things about

    Is there a way I can import all my wordpress posts into it?
    Any help would be really appreciated!

  24. Thanks for your handy post. As time passes, I have come to be able to understand that the symptoms of mesothelioma are caused by your build up of fluid between your lining of the lung and the upper body cavity. The ailment may start in the chest area and get distributed to other areas of the body. Other symptoms of pleural mesothelioma include losing weight, severe respiration trouble, temperature, difficulty taking in food, and irritation of the neck and face areas. It really should be noted that some people having the disease never experience virtually any serious signs and symptoms at all.
