an audit trail
TRANSCRIPT
-
7/31/2019 An Audit Trail
1/9
-
7/31/2019 An Audit Trail
2/9
Gabriel Mbugua 2
Development of audit trail standards for audit format and content that support security goals and
that gain wide acceptance is an important step in overcoming incompatibility issues.
Format Standards
A standard format with wide acceptance would help overcome incompatibility andinteroperability issues faced by the developers of audit data analysis systems. It would also allow
the exchange of audit data from audit sources on different systems and facilitate collaborativeanalysis of data in a networked environment.
1. Bishop's Standard Audit Trail Format
Bishop [Bis95] states that a standard format must be both extensible and portable to meet the
needs of different heterogeneous systems and transportability across various systems and
network protocols. Bishop defines a standard log record format that is both portable andextensible. Each log record consists of fields separated by a field separator ('#') and delimited by
start and stop symbols ('S' and 'E'). The number of fields is not fixed to meet the need forextensibility. All values are ASCII strings. This avoids the issues of byte ordering and floatingpoint format. This format however does not attempt to standardize the fields of an audit trail
record.
2. Normalized Audit Data Format (NADF)
The Normalized Audit Data Format (NADF) [Mou93,Mou97] was defined by the developers of
theASAXmisuse detection system to provide a degree of operating system independence. A
NADF audit trail is a sequential file of NADF records. Any audit trail can be converted to the
NADF format. During conversion, the audit records of the native audit trail are abstracted into a
sequence of audit data values. Each audit data value is stored in a separate NADF recordconsisting of three fields:
Identifier : the type of the audit data value.
Length : the length of the audit data value.
Value : the audit data value.
3. svr4++ Common Audit Trail Interchange Format for UNIX
This is a standard meant specifically for the Unix systems. The attributes entered in a audit
record are time, event type, process identifier, result, user and group information, session
identifier, labeling information for the process, information about the object and miscellaneousdata. The attributes are all in ASCII. This standard approaches portability but lacks the features
for extensibility.
Content Standards
http://seclab.cs.ucdavis.edu/~bishop/scriv/Bish95.pshttp://seclab.cs.ucdavis.edu/~bishop/scriv/Bish95.pshttp://seclab.cs.ucdavis.edu/~bishop/scriv/Bish95.psftp://ftp.info.fundp.ac.be/pub/users/amo/papers/design.ps.Zftp://ftp.info.fundp.ac.be/pub/users/amo/papers/design.ps.Zftp://ftp.info.fundp.ac.be/pub/users/amo/papers/design.ps.Zftp://ftp.info.fundp.ac.be/pub/users/amo/thesis.ps.Zftp://ftp.info.fundp.ac.be/pub/users/amo/thesis.ps.Zftp://ftp.info.fundp.ac.be/pub/users/amo/thesis.ps.Zftp://ftp.info.fundp.ac.be/pub/users/amo/papers/esorics92.ps.Zftp://ftp.info.fundp.ac.be/pub/users/amo/papers/esorics92.ps.Zftp://ftp.info.fundp.ac.be/pub/users/amo/papers/esorics92.ps.Zftp://ftp.info.fundp.ac.be/pub/users/amo/papers/esorics92.ps.Zftp://ftp.info.fundp.ac.be/pub/users/amo/thesis.ps.Zftp://ftp.info.fundp.ac.be/pub/users/amo/papers/design.ps.Zhttp://seclab.cs.ucdavis.edu/~bishop/scriv/Bish95.ps -
7/31/2019 An Audit Trail
3/9
Gabriel Mbugua 3
The content of the audit trails also needs to be standardized. This would help analyzing audit
data from different audit sources and improve interoperability in a networked environment.Some of the proposed standards are :
1.DoD Trusted Computer System Evaluation Criteria
This is a standard created by the National Computer Security Center against which a computing
system can be evaluated for security assurance. There are four classes of criteria namely A, B, C,and D, with systems meeting the criteria of the highest division (A) providing the best level of
security assurance. There are a number of subdivisions in classes B and C. Classes C2 through
A1 require the ability to audit security relevant activities on the system. This standard specifieswhat events are to be audited and what each event should contain.
For example, in a C2 system, events that must be audited include use of identification andauthentication mechanisms, introduction and deletion of objects, administrative actions, and
other security relevant events. Moreover, each audited event should contain the following
information : date and time of the event,user identifier, type of event, success or failure of theevent, origin of request for identification/authentication events and name of object for object
introduction/deletion events.
2. Security Criteria for Distributed Systems
This is a standard created by the Institute for Defense Analyses in 1995 for distributed systems.This standard specifies various types of events to be audited. The events are grouped into six
categories:
1. Access Control and Administrative Policy Events
2. Data Confidentiality and Integrity Policy Events3. Non-Discretionary Policy Events4. Availability Policy Events
5. Cryptographic Policy Events
6. Default and Dependent Events
The standard specifies the information to be recorded in each event to be: date and time, subject
attribute information, identity of host generating the audit record, event class and event identifierwithin the class, and event outcome (success or failure).
Distributed Auditing
Distributed Auditing allows the audit data to be collected in different systems in the network.This is necessary to provide security in a networked environment because the correlation of user
activities taking place at different hosts in the same network might reveal a malicious behavior
http://tecnet0.jcte.jcs.mil:9000/htdocs/teinfo/directives/soft/ds5200.281.htmlhttp://tecnet0.jcte.jcs.mil:9000/htdocs/teinfo/directives/soft/ds5200.281.htmlhttp://tecnet0.jcte.jcs.mil:9000/htdocs/teinfo/directives/soft/ds5200.281.htmlhttp://tecnet0.jcte.jcs.mil:9000/htdocs/teinfo/directives/soft/ds5200.281.html -
7/31/2019 An Audit Trail
4/9
Gabriel Mbugua 4
while the same behavior might seem legitimate at a single host level. [SM91] discusses a lot of
issues that affect auditing in a distributed environment. These include collection and storage,protection, integration and analysis.
In [BEF+91], a Distributed Auditing System (DAS) architecture for the distribution and
collection of audit data in a distributed environment is presented. It addresses issues of migratingaudit data from a collection point to an analysis point, and management of audit functions from
a remote location.
Audit Trail Analysis
The audit trails need to be analyzed to determine vulnerabilities, establish accountability, assessdamage and recover the system. Manual analysis of audit trails though cumbersome is often
resorted to because of the difficulty to construct queries to extract complex information from theaudit logs. There are many tools that help in browsing the audits. The major obstacle indeveloping effective audit analysis tools is the copious amounts of data that logging mechanisms
generate.
ComputerWatch Audit Trail Analysis Tool
Automated Audit Analysis
There has been a lot of work done in the area of automated audit analysis, mainly for intrusiondetection purposes. These tools use the audit data as input. These tools are based on threeapproaches namely :
Statistical
Automated statistical systems such as SRIs IDES [Denn87, Javi91] and Haystack Laboratory'sHaystack [Sma88] focus primarily on defining characteristics of a normal user or group, which
generally involves a period of training; then they employ statistical measures to determine if a
current users characteristics match his previously observed behavior. This approach is also called
"Anomaly Detection."
Rule-based expert systems
Automated expert systems such as portions of IDES [Lunt89, Garv91], DIDS [Snap91a],
Wisdom & Sense (W&S)[Vacc89], and signature analysis [Snap91b] pursue a different
http://www.att.com/press/0293/930202.fsa.htmlhttp://www.att.com/press/0293/930202.fsa.htmlhttp://www.att.com/press/0293/930202.fsa.html -
7/31/2019 An Audit Trail
5/9
Gabriel Mbugua 5
approach. Instead of detecting anomalies, these systems attempt "misuse detection" by using a
priori rules that are indicative to a human expert of an intrusion.
Machine learning
Application of machine learning to intrusion detection problem is a relatively new approach.Machine learning attempts to monitor and learn the normal activities of users. By knowing past
events, inductive learning algorithms try to predict later events.
Distributed Audit Analysis
Distributed Audit Analysis is needed for network security because as said before, the
correlation of users actions taking place at different hosts could reveal a malicious behaviorwhile the same actions may seem legitimate at a single host level. This has the following benefits
over a centralized audit trail analysis :
1. It drastically reduces the network traffic when compared to the centralized analysis where all
audit data are sent to a central host for analysis.2. It also achieves a balance of the CPU time over several machines as the analysis is being done
on several machines instead of overloading the central host as in centralized audit analysis.
[MCZH95] discusses in detail about the architecture for distributed audit trail analysis and its
benefits over single audit trail analysis.
Research Issues
The various issues in audit trails that are being looked into by the research community are listed
below :
Audit Content
This area of research aims at determining the format and content of the audit data that is needed
for detecting computer intrusions and misuse. TheAudit Trails Format GroupatCERIAS,
Purdueis pursuing this research issue.
Audit Analysis
ftp://ftp.info.fundp.ac.be/pub/publications/RP/RP-94-007.ps.Zftp://ftp.info.fundp.ac.be/pub/publications/RP/RP-94-007.ps.Zftp://ftp.info.fundp.ac.be/pub/publications/RP/RP-94-007.ps.Zhttp://www.cerias.purdue.edu/coast/projects/audit-trails-format.htmlhttp://www.cerias.purdue.edu/coast/projects/audit-trails-format.htmlhttp://www.cerias.purdue.edu/coast/projects/audit-trails-format.htmlhttp://www.cerias.purdue.edu/http://www.cerias.purdue.edu/http://www.cerias.purdue.edu/http://www.purdue.edu/http://www.purdue.edu/http://www.purdue.edu/http://www.cerias.purdue.edu/http://www.cerias.purdue.edu/coast/projects/audit-trails-format.htmlftp://ftp.info.fundp.ac.be/pub/publications/RP/RP-94-007.ps.Z -
7/31/2019 An Audit Trail
6/9
Gabriel Mbugua 6
This area of research deals with issues like automated analysis, distributed analysis, more
efficient and effective ways of audit analysis for intrusion detection. Most of the research groupsworking on intrusion detection are involved in this.
Audit Compression
This area of research aims to develop techniques and, ultimately, tools to efficiently reduce audit
data, both in the sense of economizing storage space and in the sense of abstracting higher-level,more useful information for security administrators. TheAudit Trail Reduction Groupat
CERIAS,Purdueis pursuing this research issue.
Audit Tamperproofing
This area of research aims at securing the audit logs from tampering. [SK99] deals with the issue
of securing audit logs to support computer forensics. The other papers related to this issue are
[SK98] and [SK99(2)] .
Commercial OS Audit Trail Formats
The audit trail formats in commercial operating systems like those listed below can be obtained
from operating system administration and reference manuals. They are well summarized in[KP97]. The main features are listed below :
Solaris
The Solaris operating system from Sun Microsystems includes a security extension called the
Basic Security Module or BSM. This BSM provides enhancedsecurity auditingthat is designed
to achieve the C2 level in the Trusted Computer System Evaluation Criteria [Nat85].
HP-UX
The HP-UX trusted operating system [Hew95, Hew96] from Hewlett Packard provides auditing
capability. The auditing system records occurrences of access by subjects to objects for detection
of attempts to bypass protection mechanisms or to misuse privileges. Audit records are
generated both by the system as well as by self-auditing applications.
OpenVMS VAX
The OpenVMS VAX operating system [Dig96a, Dig96b] from Digital Equipment Corporation
provides an auditing system that supports monitoring of security relevant activities. It can record
http://www.cerias.purdue.edu/coast/projects/audit-trails-reduce.htmlhttp://www.cerias.purdue.edu/coast/projects/audit-trails-reduce.htmlhttp://www.cerias.purdue.edu/coast/projects/audit-trails-reduce.htmlhttp://www.cerias.purdue.edu/http://www.cerias.purdue.edu/http://www.cerias.purdue.edu/http://www.cerias.purdue.edu/http://www.purdue.edu/http://www.purdue.edu/http://www.purdue.edu/http://www.counterpane.com/audit-logs.htmlhttp://www.counterpane.com/audit-logs.htmlhttp://www.counterpane.com/audit-logs.htmlhttp://www.counterpane.com/secure-logs.htmlhttp://www.counterpane.com/secure-logs.htmlhttp://www.counterpane.com/secure-logs.htmlhttp://www.counterpane.com/auditlog2.htmlhttp://www.counterpane.com/auditlog2.htmlhttp://www.counterpane.com/auditlog2.htmlhttp://www.cerias.purdue.edu/techreports/public/97-15.pshttp://www.cerias.purdue.edu/techreports/public/97-15.pshttp://www.cerias.purdue.edu/techreports/public/97-15.pshttp://docs.sun.com/ab2/coll.47.4/SHIELD/@Ab2PageView/12922?Ab2Lang=C&Ab2Enc=iso-8859-1http://docs.sun.com/ab2/coll.47.4/SHIELD/@Ab2PageView/12922?Ab2Lang=C&Ab2Enc=iso-8859-1http://docs.sun.com/ab2/coll.47.4/SHIELD/@Ab2PageView/12922?Ab2Lang=C&Ab2Enc=iso-8859-1http://docs.sun.com/ab2/coll.47.4/SHIELD/@Ab2PageView/12922?Ab2Lang=C&Ab2Enc=iso-8859-1http://www.cerias.purdue.edu/techreports/public/97-15.pshttp://www.counterpane.com/auditlog2.htmlhttp://www.counterpane.com/secure-logs.htmlhttp://www.counterpane.com/audit-logs.htmlhttp://www.purdue.edu/http://www.cerias.purdue.edu/http://www.cerias.purdue.edu/http://www.cerias.purdue.edu/coast/projects/audit-trails-reduce.html -
7/31/2019 An Audit Trail
7/9
-
7/31/2019 An Audit Trail
8/9
Gabriel Mbugua 8
computer from other individual computers across the network. In addition, your computer
becomes part of this network as well, enabling other individuals on the Internet to begindownloading music from your computer. You are then responsible for downloading and
distributing copyrighted material illegally.
For more information see Wikipedia's article onFile Sharing.
Why is file sharing illegal?
Not all file sharing is illegal. For instance, the sharing of non-copyrighted material or materialwith permission of the creator is legal. However, the majority of P2P file sharing involves
sharing copyrighted or restricted material such as music, which is illegal.
A copyright grants the creator/owner of the material exclusive rights to the material and its
distribution. By distributing this material without permission, the person distributing the material
is violating copyright law and is subject to penalties under the law.
For more information see Wikipedia's article onFile Sharing and the Lawand Wikipedia's article
onCopyright.
Can I install file sharing peer-to-peer (P2P) software to play music or videos only?
Yes, you can, but why would you? Both Mac and Windows computers come with media players
installed (QuickTime, Windows Media Player).
In addition, most P2P software turns file sharingon by default as soon as the software is
installed. This means that others may access materials on your computer without yourknowledge, whether you have given permission or not. Downloading copyrighted music or
movie files without permission is illegal. It is also illegal to share even purchased music or
movie files with others, whether you know you have done so or not.
If you install P2P software to play music or video only,be sure to turn the file sharing options
off. If you legally own and are playing copyrighted materials, but are sharing them inadvertently,you are still liable for violating copyright law.
How do I turn off P2P file sharing?
Indiana University maintains an article entitledDisabling Peer-to-Peer File Sharing. This articlelists the more common P2P file sharing programs along with instructions on how to turn off thefile sharing functions in these programs. We also recommend checking the manufacturer's web
site for instructions.
What harm can P2P software do to my computer?
Several commercial P2P file sharing programs install adware and/or spyware on your computer.
http://en.wikipedia.org/wiki/File_sharinghttp://en.wikipedia.org/wiki/File_sharinghttp://en.wikipedia.org/wiki/File_sharinghttp://en.wikipedia.org/wiki/File_sharing_and_the_lawhttp://en.wikipedia.org/wiki/File_sharing_and_the_lawhttp://en.wikipedia.org/wiki/File_sharing_and_the_lawhttp://en.wikipedia.org/wiki/Copyrighthttp://en.wikipedia.org/wiki/Copyrighthttp://en.wikipedia.org/wiki/Copyrighthttps://protect.iu.edu/cybersecurity/safeonline/filesharing/disablehttps://protect.iu.edu/cybersecurity/safeonline/filesharing/disablehttps://protect.iu.edu/cybersecurity/safeonline/filesharing/disablehttps://protect.iu.edu/cybersecurity/safeonline/filesharing/disablehttp://en.wikipedia.org/wiki/Copyrighthttp://en.wikipedia.org/wiki/File_sharing_and_the_lawhttp://en.wikipedia.org/wiki/File_sharing -
7/31/2019 An Audit Trail
9/9
Gabriel Mbugua 9
In addition to serving up unwanted advertisements, these programs may gather personal data
from your computer to send back to the parent company, alter your computer settings, and mayinterfere with your computer performance.
For more information visit the Help Desk'sSpyware - FAQarticle or see Wikipedia's article on
Spyware.
What is the RIAA?
RIAA stands for the Recording Industry Association of America. RIAA is the trade group thatrepresents the US recording industry.
http://kb.wisc.edu/helpdesk/page.php?id=1886http://kb.wisc.edu/helpdesk/page.php?id=1886http://kb.wisc.edu/helpdesk/page.php?id=1886http://en.wikipedia.org/wiki/Spywarehttp://en.wikipedia.org/wiki/Spywarehttp://en.wikipedia.org/wiki/Spywarehttp://kb.wisc.edu/helpdesk/page.php?id=1886