An Audit Trail

Upload: gaby-mbugua

Post on 05-Apr-2018

7/31/2019 An Audit Trail

Gabriel Mbugua

Development of audit trail standards for audit format and content that support security goals and that gain wide acceptance is an important step in overcoming incompatibility issues.

    Format Standards

A standard format with wide acceptance would help overcome the incompatibility and interoperability issues faced by the developers of audit data analysis systems. It would also allow the exchange of audit data from audit sources on different systems and facilitate collaborative analysis of data in a networked environment.

    1. Bishop's Standard Audit Trail Format

Bishop [Bis95] states that a standard format must be both extensible and portable to meet the needs of heterogeneous systems and to allow transport across various systems and network protocols. Bishop defines a standard log record format that is both portable and extensible. Each log record consists of fields separated by a field separator ('#') and delimited by start and stop symbols ('S' and 'E'). The number of fields is not fixed, to meet the need for extensibility. All values are ASCII strings, which avoids the issues of byte ordering and floating-point format. This format, however, does not attempt to standardize the fields of an audit trail record.

    2. Normalized Audit Data Format (NADF)

The Normalized Audit Data Format (NADF) [Mou93, Mou97] was defined by the developers of the ASAX misuse detection system to provide a degree of operating system independence. A NADF audit trail is a sequential file of NADF records. Any audit trail can be converted to the NADF format. During conversion, the audit records of the native audit trail are abstracted into a sequence of audit data values. Each audit data value is stored in a separate NADF record consisting of three fields:

Identifier : the type of the audit data value.

Length : the length of the audit data value.

Value : the audit data value.
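To make the two record layouts above concrete, here is an added example (not code from the page, from Bishop's work or from the ASAX project) that parses and builds Bishop-style records and converts one into a sequence of NADF records. The exact Bishop layout ('S', '#'-separated fields, 'E'), the NADF identifier and length widths, the sample record and its identifier numbers are assumptions, since the page fixes none of them.

```python
import struct

# Bishop-style layout assumed here (the page names the symbols, not the exact
# layout): 'S', a '#', the '#'-separated ASCII fields, a '#', then 'E'.
START, STOP, SEP = "S", "E", "#"
# NADF header widths assumed here (the page names the three fields, not their
# sizes): 2-byte Identifier and 4-byte Length, both big-endian unsigned.
NADF_HEADER = struct.Struct(">HI")
# Constructed sample: one login record and NADF identifiers for its four fields.
SAMPLE_RECORD = "S#1999-03-01T10:15:00#login#alice#success#E"
SAMPLE_IDS = (1, 2, 3, 4)

def parse_bishop_record(record):
    """Split one Bishop-style record into its list of ASCII fields."""
    if not record.isascii():
        raise ValueError("Bishop format carries ASCII strings only")
    if not (record.startswith(START + SEP) and record.endswith(SEP + STOP)):
        raise ValueError("record lacks the S/E start and stop delimiters")
    body = record[len(START) + len(SEP):-(len(SEP) + len(STOP))]
    return body.split(SEP) if body else []

def format_bishop_record(fields):
    """Build a Bishop-style record; the field count is not fixed."""
    for field in fields:
        if not field.isascii() or SEP in field:
            raise ValueError("fields must be ASCII and must not contain '#'")
    return START + SEP + SEP.join(fields) + SEP + STOP

def encode_nadf(values):
    """Serialize (identifier, value-bytes) pairs as consecutive NADF records."""
    out = bytearray()
    for ident, value in values:
        out += NADF_HEADER.pack(ident, len(value)) + value
    return bytes(out)

def decode_nadf(data):
    """Walk a NADF file back into (identifier, value) pairs; reject truncation."""
    values, pos = [], 0
    while pos < len(data):
        if len(data) - pos < NADF_HEADER.size:
            raise ValueError("truncated NADF header at offset %d" % pos)
        ident, length = NADF_HEADER.unpack_from(data, pos)
        pos += NADF_HEADER.size
        if len(data) - pos < length:
            raise ValueError("truncated NADF value at offset %d" % pos)
        values.append((ident, data[pos:pos + length]))
        pos += length
    return values

def bishop_to_nadf(record, identifiers):
    """Abstract a native (here Bishop-style) record into one NADF record per field."""
    fields = parse_bishop_record(record)
    if len(fields) != len(identifiers):
        raise ValueError("field count does not match the identifier map")
    return encode_nadf([(ident, f.encode("ascii"))
                        for ident, f in zip(identifiers, fields)])
```

Because NADF carries an explicit length per value, a file cut off mid-record is detected rather than silently yielding a short value.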

    3. svr4++ Common Audit Trail Interchange Format for UNIX

This is a standard meant specifically for Unix systems. The attributes entered in an audit record are time, event type, process identifier, result, user and group information, session identifier, labeling information for the process, information about the object, and miscellaneous data. The attributes are all in ASCII. This standard approaches portability but lacks the features for extensibility.

    Content Standards


The content of the audit trails also needs to be standardized. This would help in analyzing audit data from different audit sources and improve interoperability in a networked environment. Some of the proposed standards are:

1. DoD Trusted Computer System Evaluation Criteria

This is a standard created by the National Computer Security Center against which a computing system can be evaluated for security assurance. There are four classes of criteria, namely A, B, C, and D, with systems meeting the criteria of the highest division (A) providing the best level of security assurance. There are a number of subdivisions in classes B and C. Classes C2 through A1 require the ability to audit security-relevant activities on the system. This standard specifies what events are to be audited and what each event should contain.

For example, in a C2 system, events that must be audited include use of identification and authentication mechanisms, introduction and deletion of objects, administrative actions, and other security-relevant events. Moreover, each audited event should contain the following information: date and time of the event, user identifier, type of event, success or failure of the event, origin of request for identification/authentication events, and name of object for object introduction/deletion events.

    2. Security Criteria for Distributed Systems

This is a standard created by the Institute for Defense Analyses in 1995 for distributed systems. This standard specifies various types of events to be audited. The events are grouped into six categories:

1. Access Control and Administrative Policy Events

2. Data Confidentiality and Integrity Policy Events

3. Non-Discretionary Policy Events

4. Availability Policy Events

5. Cryptographic Policy Events

6. Default and Dependent Events

The standard specifies the information to be recorded in each event to be: date and time, subject attribute information, identity of the host generating the audit record, event class and event identifier within the class, and event outcome (success or failure).
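An added example, not from the page or from either standard's own text, that checks audit records against the per-event information the C2 criteria above require and against the field list of the Security Criteria for Distributed Systems. The field names, event-type names and sample records are constructed assumptions; the page names the information to record but not how it is labelled.

```python
# Field names are constructed for this example; the page lists the information
# a C2 system must record but not the names under which it is stored.
C2_COMMON_FIELDS = {"date_time", "user_id", "event_type", "outcome"}
# Event-specific fields the page calls out: origin for identification and
# authentication events, object name for object introduction/deletion events.
C2_EVENT_FIELDS = {
    "identification": {"origin"},
    "authentication": {"origin"},
    "object_introduction": {"object_name"},
    "object_deletion": {"object_name"},
    "administrative": set(),
    "other_security_relevant": set(),
}
# Information the Security Criteria for Distributed Systems requires instead.
DISTRIBUTED_FIELDS = {"date_time", "subject_attributes", "host_id",
                      "event_class", "event_id", "outcome"}

def missing_c2_fields(record):
    """Return the fields a C2-style audit record lacks (empty set = compliant)."""
    missing = {f for f in C2_COMMON_FIELDS if not record.get(f)}
    event = record.get("event_type")
    if event not in C2_EVENT_FIELDS:
        missing.add("event_type")      # absent or unknown event type
        return missing
    if record.get("outcome") not in ("success", "failure"):
        missing.add("outcome")         # outcome must say success or failure
    missing |= {f for f in C2_EVENT_FIELDS[event] if not record.get(f)}
    return missing

def missing_distributed_fields(record):
    """Same check against the Security Criteria for Distributed Systems list."""
    return {f for f in DISTRIBUTED_FIELDS if not record.get(f)}

def audit_stream_gaps(records, checker=missing_c2_fields):
    """Run a checker over a record stream; list (index, missing) for bad ones."""
    gaps = []
    for i, record in enumerate(records):
        missing = checker(record)
        if missing:
            gaps.append((i, sorted(missing)))
    return gaps

# Constructed sample stream: the second record is an authentication event that
# omits the request origin, the third has no outcome at all.
SAMPLE_RECORDS = [
    {"date_time": "1999-03-01T10:15:00", "user_id": "alice",
     "event_type": "object_introduction", "outcome": "success",
     "object_name": "/tmp/report.txt"},
    {"date_time": "1999-03-01T10:16:00", "user_id": "bob",
     "event_type": "authentication", "outcome": "failure"},
    {"date_time": "1999-03-01T10:17:00", "user_id": "root",
     "event_type": "administrative"},
]
```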

    Distributed Auditing

Distributed auditing allows the audit data to be collected in different systems in the network. This is necessary to provide security in a networked environment because the correlation of user activities taking place at different hosts in the same network might reveal malicious behavior while the same behavior might seem legitimate at the single-host level. [SM91] discusses many issues that affect auditing in a distributed environment. These include collection and storage, protection, integration, and analysis.

In [BEF+91], a Distributed Auditing System (DAS) architecture for the distribution and collection of audit data in a distributed environment is presented. It addresses the issues of migrating audit data from a collection point to an analysis point, and of managing audit functions from a remote location.

    Audit Trail Analysis

The audit trails need to be analyzed to determine vulnerabilities, establish accountability, assess damage, and recover the system. Manual analysis of audit trails, though cumbersome, is often resorted to because of the difficulty of constructing queries that extract complex information from the audit logs. There are many tools that help in browsing the audit trails. The major obstacle in developing effective audit analysis tools is the copious amount of data that logging mechanisms generate.

    ComputerWatch Audit Trail Analysis Tool

    Automated Audit Analysis

A lot of work has been done in the area of automated audit analysis, mainly for intrusion detection purposes. These tools use the audit data as input and are based on three approaches, namely:

Statistical

Automated statistical systems such as SRI's IDES [Denn87, Javi91] and Haystack Laboratory's Haystack [Sma88] focus primarily on defining the characteristics of a normal user or group, which generally involves a period of training; they then employ statistical measures to determine whether a current user's characteristics match his previously observed behavior. This approach is also called "Anomaly Detection."

    Rule-based expert systems

Automated expert systems such as portions of IDES [Lunt89, Garv91], DIDS [Snap91a], Wisdom & Sense (W&S) [Vacc89], and signature analysis [Snap91b] pursue a different approach. Instead of detecting anomalies, these systems attempt "misuse detection" by using a priori rules that are indicative to a human expert of an intrusion.

    Machine learning

Application of machine learning to the intrusion detection problem is a relatively new approach. Machine learning attempts to monitor and learn the normal activities of users. By knowing past events, inductive learning algorithms try to predict later events.

    Distributed Audit Analysis

Distributed audit analysis is needed for network security because, as said before, the correlation of users' actions taking place at different hosts could reveal malicious behavior while the same actions may seem legitimate at the single-host level. This has the following benefits over a centralized audit trail analysis:

1. It drastically reduces the network traffic when compared to centralized analysis, where all audit data are sent to a central host for analysis.

2. It also balances the CPU time over several machines, as the analysis is done on several machines instead of overloading the central host as in centralized audit analysis.

[MCZH95] discusses in detail the architecture for distributed audit trail analysis and its benefits over single audit trail analysis.
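To show the two benefits in working code, here is an added example (not from [MCZH95] or from the page) in which each host reduces its own audit trail to a compact per-user summary, only the summaries travel to the analysis point, and the correlator alarms on a pattern that no single host alarms on. The record layout, the thresholds and the sample data are constructed assumptions.

```python
from collections import Counter, defaultdict
import json

# Constructed per-host audit streams: repeated failed logins by one user that
# stay below the local alarm level on every host. Field names are assumptions.
FAIL = {"user": "mallory", "event": "login", "outcome": "failure"}
HOST_AUDITS = {
    "hostA": [FAIL] * 2 + [{"user": "alice", "event": "login", "outcome": "success"}],
    "hostB": [FAIL] * 2,
    "hostC": [FAIL] * 2 + [{"user": "bob", "event": "login", "outcome": "failure"}],
}
LOCAL_THRESHOLD = 3    # a host alone alarms at this many failures per user
GLOBAL_THRESHOLD = 5   # the correlator alarms on the network-wide total

def local_analysis(records):
    """Runs on each host: reduce its raw audit trail to per-user failure counts.
    Returns (local alarms, the compact summary that is forwarded)."""
    failures = Counter(r["user"] for r in records
                       if r["event"] == "login" and r["outcome"] == "failure")
    alarms = sorted(u for u, n in failures.items() if n >= LOCAL_THRESHOLD)
    return alarms, dict(failures)

def correlate(summaries):
    """Runs at the analysis point: merge the host summaries and alarm on users
    whose total across hosts crosses a threshold no single host reached."""
    total, hosts = Counter(), defaultdict(set)
    for host, failures in summaries.items():
        for user, n in failures.items():
            total[user] += n
            hosts[user].add(host)
    return {u: (total[u], sorted(hosts[u]))
            for u in total if total[u] >= GLOBAL_THRESHOLD}

def distributed_run(host_audits):
    """Whole pipeline. Also returns the size of the raw trails versus the
    summaries: the raw size is what centralized analysis would have shipped."""
    summaries, local_alarms = {}, {}
    for host, records in host_audits.items():
        alarms, summary = local_analysis(records)
        summaries[host] = summary
        if alarms:
            local_alarms[host] = alarms
    raw_bytes = sum(len(json.dumps(r)) for recs in host_audits.values() for r in recs)
    summary_bytes = sum(len(json.dumps(s)) for s in summaries.values())
    return {"local_alarms": local_alarms, "network_alarms": correlate(summaries),
            "raw_bytes": raw_bytes, "summary_bytes": summary_bytes}
```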

    Research Issues

The various issues in audit trails that are being looked into by the research community are listed below:

Audit Content

This area of research aims at determining the format and content of the audit data that is needed for detecting computer intrusions and misuse. The Audit Trails Format Group at CERIAS, Purdue is pursuing this research issue.

    Audit Analysis


This area of research deals with issues like automated analysis, distributed analysis, and more efficient and effective ways of audit analysis for intrusion detection. Most of the research groups working on intrusion detection are involved in this.

    Audit Compression

This area of research aims to develop techniques and, ultimately, tools to efficiently reduce audit data, both in the sense of economizing storage space and in the sense of abstracting higher-level, more useful information for security administrators. The Audit Trail Reduction Group at CERIAS, Purdue is pursuing this research issue.

    Audit Tamperproofing

This area of research aims at securing the audit logs from tampering. [SK99] deals with the issue of securing audit logs to support computer forensics. The other papers related to this issue are [SK98] and [SK99(2)].

    Commercial OS Audit Trail Formats

The audit trail formats in commercial operating systems like those listed below can be obtained from operating system administration and reference manuals. They are well summarized in [KP97]. The main features are listed below:

    Solaris

The Solaris operating system from Sun Microsystems includes a security extension called the Basic Security Module or BSM. This BSM provides enhanced security auditing that is designed to achieve the C2 level in the Trusted Computer System Evaluation Criteria [Nat85].

    HP-UX

The HP-UX trusted operating system [Hew95, Hew96] from Hewlett Packard provides auditing capability. The auditing system records occurrences of access by subjects to objects for detection of attempts to bypass protection mechanisms or to misuse privileges. Audit records are generated both by the system and by self-auditing applications.

    OpenVMS VAX

The OpenVMS VAX operating system [Dig96a, Dig96b] from Digital Equipment Corporation provides an auditing system that supports monitoring of security-relevant activities. It can record


computer from other individual computers across the network. In addition, your computer becomes part of this network as well, enabling other individuals on the Internet to begin downloading music from your computer. You are then responsible for downloading and distributing copyrighted material illegally.

For more information see Wikipedia's article on File Sharing.

    Why is file sharing illegal?

Not all file sharing is illegal. For instance, the sharing of non-copyrighted material or material with permission of the creator is legal. However, the majority of P2P file sharing involves sharing copyrighted or restricted material such as music, which is illegal.

A copyright grants the creator/owner of the material exclusive rights to the material and its distribution. By distributing this material without permission, the person distributing the material is violating copyright law and is subject to penalties under the law.

For more information see Wikipedia's article on File Sharing and the Law and Wikipedia's article on Copyright.

    Can I install file sharing peer-to-peer (P2P) software to play music or videos only?

Yes, you can, but why would you? Both Mac and Windows computers come with media players installed (QuickTime, Windows Media Player).

In addition, most P2P software turns file sharing on by default as soon as the software is installed. This means that others may access materials on your computer without your knowledge, whether you have given permission or not. Downloading copyrighted music or movie files without permission is illegal. It is also illegal to share even purchased music or movie files with others, whether you know you have done so or not.

If you install P2P software to play music or video only, be sure to turn the file sharing options off. If you legally own and are playing copyrighted materials, but are sharing them inadvertently, you are still liable for violating copyright law.

    How do I turn off P2P file sharing?

Indiana University maintains an article entitled Disabling Peer-to-Peer File Sharing. This article lists the more common P2P file sharing programs along with instructions on how to turn off the file sharing functions in these programs. We also recommend checking the manufacturer's web site for instructions.

    What harm can P2P software do to my computer?

    Several commercial P2P file sharing programs install adware and/or spyware on your computer.


In addition to serving up unwanted advertisements, these programs may gather personal data from your computer to send back to the parent company, alter your computer settings, and may interfere with your computer's performance.

For more information visit the Help Desk's Spyware - FAQ article or see Wikipedia's article on Spyware.

    What is the RIAA?

RIAA stands for the Recording Industry Association of America. RIAA is the trade group that represents the US recording industry.
