Audit Trails Introduction

Audit Trails
An audit trail is a series of records of computer events, about an operating system, an
application, or user activities. It is generated by an auditing system that monitors system
activity. Audit trails have many uses in the realm of computer security :
Individual Accountability : An individual's actions are tracked in an audit trail allowing
users to be personally accountable for their actions. This deters the users from
circumventing security policies. Even if they do, they can be held accountable.
Reconstructing Events : Audit trails can also be used to reconstruct events after a
problem has occurred. The amount of damage that occurred with an incident can be
assessed by reviewing audit trails of system activity to pinpoint how, when, and why the
incident occurred.
Problem Monitoring : Audit trails may also be used as on-line tools to help
monitor problems as they occur. Such real-time monitoring helps in the detection of
problems like disk failures, over-utilization of system resources, or network outages.
Intrusion Detection : Intrusion detection refers to the process of identifying
attempts to penetrate a system and gain unauthorized access. Audit trails can help in
intrusion detection if they record appropriate events. Determining which events to audit so
that audit trails can be used effectively to aid intrusion detection is one of the
issues currently being looked into by the research community.
Model of Auditing System
A simple model of an auditing system consists of two parts :
Audit Data Collector : This is responsible for collecting the audit data.
Audit Data Analyzer : This is responsible for analyzing the audit data transferred to it
by the Audit Data Collector.
Often a file is used to transfer the audit data from the collector to the analyzer. This leads
to problems when the audit data is collected from different systems. This is due to the
lack of a standard interface for audit trails. Developing standards for the format and
content of audit trails is an ongoing research effort.
Audit Trail Standards
Development of audit trail standards for audit format and content that support security
goals and gain wide acceptance is an important step in overcoming incompatibility.
Format Standards
A standard format with wide acceptance would help overcome incompatibility and
interoperability issues faced by the developers of audit data analysis systems. It would
also allow the exchange of audit data from audit sources on different systems and
facilitate collaborative analysis of data in a networked environment.
Some of the proposed standards for the format of audit trails are :
1. Bishop's Standard Audit Trail Format
Bishop [Bis95] states that a standard format must be both extensible and portable to meet
the needs of heterogeneous systems and to allow transport across various systems
and network protocols. Bishop defines a standard log record format that is both portable
and extensible. Each log record consists of fields separated by a field separator ('#') and
delimited by start and stop symbols ('S' and 'E'). The number of fields is not fixed, to meet
the need for extensibility. All values are ASCII strings, which avoids the issues of byte
ordering and floating point format. This format, however, does not attempt to standardize
the fields of an audit trail record.
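As an added illustration of the record layout just described (this is example code, not Bishop's own implementation), the encoder and parser below handle variable-length ASCII records wrapped in 'S' and 'E' with '#' as the field separator. The escaping rule (a backslash before '#', 'S', 'E' or '\' inside a field) and the exact layout (no separator directly after 'S' or before 'E') are assumptions of this example; the parser rejects truncated records rather than silently returning a shortened last record.

```python
# Encoder and parser for a Bishop-style log record: ASCII fields separated
# by '#', the whole record wrapped by a start symbol 'S' and a stop symbol 'E'.
# Escaping (backslash before '#', 'S', 'E' or '\' inside a field) and the
# exact layout are assumptions of this example, not Bishop's own rules.
START, STOP, SEP, ESC = "S", "E", "#", "\\"
SPECIAL = {START, STOP, SEP, ESC}


def encode_record(fields):
    """Serialize a variable-length list of ASCII fields into one record."""
    parts = []
    for field in fields:
        if not field.isascii():
            raise ValueError("fields must be ASCII strings")
        parts.append("".join(ESC + c if c in SPECIAL else c for c in field))
    return START + SEP.join(parts) + STOP


def parse_records(stream):
    """Parse a concatenation of records back into lists of fields.
    Raises ValueError on a truncated record or junk between records."""
    records, fields, cur, i = [], None, [], 0
    while i < len(stream):
        c = stream[i]
        if fields is None:                        # between records
            if c != START:
                raise ValueError(f"expected start symbol at offset {i}")
            fields = []
        elif c == ESC:                            # escaped special character
            i += 1
            if i == len(stream):
                raise ValueError("dangling escape at end of stream")
            cur.append(stream[i])
        elif c == SEP:                            # end of one field
            fields.append("".join(cur))
            cur = []
        elif c == STOP:                           # end of the record
            records.append(fields + ["".join(cur)])
            fields, cur = None, []
        else:
            cur.append(c)
        i += 1
    if fields is not None:
        raise ValueError("truncated record: no stop symbol")
    return records


def is_well_formed(stream):
    """True if every record in the stream parses cleanly."""
    try:
        parse_records(stream)
        return True
    except ValueError:
        return False
```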
2. Normalized Audit Data Format (NADF)
The Normalized Audit Data Format (NADF) [Mou93, Mou97] was defined by the
developers of the ASAX misuse detection system to provide a degree of operating system
independence. A NADF audit trail is a sequential file of NADF records. Any audit trail
can be converted to the NADF format. During conversion, the audit records of the native
audit trail are abstracted into a sequence of audit data values. Each audit data value is
stored in a separate NADF record consisting of three fields:
Identifier : the type of the audit data value.
Length : the length of the audit data value.
Value : the audit data value.
3. svr4++ Common Audit Trail Interchange Format for UNIX
This is a standard meant specifically for Unix systems. The attributes entered in an
audit record are time, event type, process identifier, result, user and group information,
session identifier, labeling information for the process, information about the object, and
miscellaneous data. The attributes are all in ASCII. This standard addresses portability
but lacks features for extensibility.
Content Standards
The content of the audit trails also needs to be standardized. This would help in analyzing
audit data from different audit sources and improve interoperability in a networked
environment. Some of the proposed standards are :
1. DoD Trusted Computer System Evaluation Criteria
This is a standard created by the National Computer Security Center against which a
computing system can be evaluated for security assurance. There are four divisions of
criteria, namely A, B, C, and D, with systems meeting the criteria of the highest division
(A) providing the best level of security assurance. Divisions B and C are further divided
into classes. Classes C2 through A1 require the ability to audit security-relevant
activities on the system. This standard specifies which events are to be audited and what
each event record should contain.
For example, in a C2 system, events that must be audited include use of identification
and authentication mechanisms, introduction and deletion of objects, administrative
actions, and other security-relevant events. Moreover, each audited event should contain
the following information : date and time of the event, user identifier, type of event,
success or failure of the event, origin of the request for identification/authentication events,
and name of the object for object introduction/deletion events.
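The C2 content requirements above can be turned into a mechanical check on collected records. The code below is an added example (not part of the standard or of any tool on this page); the field names ("time", "uid", "origin", ...) and event-type names are assumptions of the example, since TCSEC names the information to be recorded, not its encoding. It flags records missing a required field, records whose outcome is not a success/failure value, and mandated event categories that never appear in the log at all.

```python
# Checks audit records against the C2 content requirements listed above.
# Field names ("time", "uid", ...) and event-type names are assumptions of
# this example; TCSEC names the information, not its encoding.
IA_EVENTS = {"login", "su"}                          # identification/authentication
OBJECT_EVENTS = {"object_create", "object_delete"}   # object introduction/deletion
ADMIN_EVENTS = {"admin"}                             # administrative actions
BASE_FIELDS = ("time", "uid", "event", "outcome")    # required in every record
CATEGORIES = {"identification/authentication": IA_EVENTS,
              "object introduction/deletion": OBJECT_EVENTS,
              "administrative action": ADMIN_EVENTS}


def record_defects(record):
    """Names of required fields missing or invalid in one record; origin and
    object are required only for the event types C2 ties them to."""
    defects = [f for f in BASE_FIELDS if not record.get(f)]
    if record.get("outcome") and record["outcome"] not in ("success", "failure"):
        defects.append("outcome")                    # present but not success/failure
    event = record.get("event")
    if event in IA_EVENTS and not record.get("origin"):
        defects.append("origin")
    if event in OBJECT_EVENTS and not record.get("object"):
        defects.append("object")
    return defects


def audit_coverage(records):
    """Map each deficient record's index to its defects, and list the C2 event
    categories that never appear at all (a gap in what is being audited)."""
    bad = {i: d for i, r in enumerate(records) if (d := record_defects(r))}
    seen = {r.get("event") for r in records}
    unseen = [name for name, events in CATEGORIES.items() if not seen & events]
    return bad, unseen


SAMPLE = [  # constructed sample records, not real audit data
    {"time": "1999-03-01T10:00:00Z", "uid": "alice", "event": "login",
     "outcome": "success", "origin": "tty01"},
    {"time": "1999-03-01T10:01:12Z", "uid": "alice", "event": "object_create",
     "outcome": "success"},                          # no object name
    {"time": "1999-03-01T10:02:30Z", "uid": "bob", "event": "login",
     "outcome": "denied", "origin": "host7"},        # not success/failure
]

if __name__ == "__main__":
    print(audit_coverage(SAMPLE))
```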
2. Security Criteria for Distributed Systems
This is a standard created by the Institute for Defense Analyses in 1995 for distributed
systems. This standard specifies various types of events to be audited. The events are
grouped into six categories:
1. Access Control and Administrative Policy Events
2. Data Confidentiality and Integrity Policy Events
3. Non-Discretionary Policy Events
4. Availability Policy Events
5. Cryptographic Policy Events
6. Default and Dependent Events
The standard specifies the information to be recorded in each event to be: date and time,
subject attribute information, identity of host generating the audit record, event class and
event identifier within the class, and event outcome (success or failure).
Distributed Auditing
Distributed auditing allows audit data to be collected from different systems in the
network. This is necessary to provide security in a networked environment because the
correlation of user activities taking place at different hosts in the same network might
reveal malicious behavior, while the same behavior might seem legitimate at the level of a single
host. [SM91] discusses many issues that affect auditing in a distributed
environment, including collection and storage, protection, integration, and analysis.
In [BEF+91], a Distributed Auditing System (DAS) architecture for the distribution and
collection of audit data in a distributed environment is presented. It addresses issues of
migrating audit data from a collection point to an analysis point, and management of
audit functions from a remote location.
Audit Trail Analysis
The audit trails need to be analyzed to determine vulnerabilities, establish accountability,
assess damage, and recover the system. Manual analysis of audit trails, though
cumbersome, is often resorted to because of the difficulty of constructing queries to extract
complex information from the audit logs. There are many tools that help in browsing the
audits. The major obstacle in developing effective audit analysis tools is the copious
amount of data that logging mechanisms generate.
ComputerWatch Audit Trail Analysis Tool
Automated Audit Analysis
Much work has been done in the area of automated audit analysis, mainly for
intrusion detection purposes. These tools take the audit data as input and are
based on three approaches, namely :
Statistical anomaly detection
Automated statistical systems such as SRI's IDES [Denn87, Javi91] and Haystack
Laboratory's Haystack [Sma88] focus primarily on defining the characteristics of a normal
user or group, which generally involves a period of training; then they employ statistical
measures to determine whether a current user's characteristics match his previously observed
behavior. This approach is also called "Anomaly Detection."
Rule-based expert systems
Automated expert systems such as portions of IDES [Lunt89, Garv91], DIDS [Snap91a],
Wisdom & Sense (W&S)[Vacc89], and signature analysis [Snap91b] pursue a different
approach. Instead of detecting anomalies, these systems attempt "misuse detection" by
using a priori rules that are indicative to a human expert of an intrusion.
Machine learning
Application of machine learning to the intrusion detection problem is a relatively new
approach. Machine learning attempts to monitor and learn the normal activities of users.
From past events, inductive learning algorithms try to predict later events.
Distributed Audit Analysis
Distributed audit analysis is needed for network security because, as noted above, the
correlation of users' actions taking place at different hosts could reveal malicious
behavior while the same actions may seem legitimate at the level of a single host. It has the
following benefits over centralized audit trail analysis :
1. It drastically reduces network traffic when compared to centralized analysis,
where all audit data are sent to a central host for analysis.
2. It also balances CPU time over several machines, as the analysis is
done on several machines instead of overloading the central host as in centralized
audit analysis.
[MCZH95] discusses in detail the architecture for distributed audit trail analysis
and its benefits over single-host audit trail analysis.
Research Issues
The issues in audit trails currently being investigated by the research community
are listed below :
Audit Content
This area of research aims at determining the format and content of the audit data that is
needed for detecting computer intrusions and misuse. The Audit Trails Format Group at
CERIAS, Purdue is pursuing this research issue.
Audit Analysis
This area of research deals with issues such as automated analysis, distributed analysis,
and more efficient and effective ways of analyzing audit data for intrusion detection. Most of the
research groups working on intrusion detection are involved in this.
Audit Compression
This area of research aims to develop techniques and, ultimately, tools to efficiently
reduce audit data, both in the sense of economizing storage space and in the sense of
abstracting higher-level, more useful information for security administrators. The Audit
Trail Reduction Group at CERIAS, Purdue is pursuing this research issue.
Audit Tamperproofing
This area of research aims at securing the audit logs from tampering. [SK99] deals with
the issue of securing audit logs to support computer forensics. The other papers related to
this issue are [SK98] and [SK99(2)].
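A tamper-evident log of the kind this research area targets, as an added illustration (not code from the page or from the cited papers): each entry's tag is an HMAC over the previous tag and the message, and the MAC key is evolved and the old key discarded after every append, so a later compromise of the logging host yields no key that can forge or rewrite earlier entries. The construction and the sample entries are this example's own assumptions; it is not the scheme of [SK98]/[SK99].

```python
import hashlib
import hmac

# Tamper-evident log: HMAC chain plus forward-secure key evolution. This
# construction and the sample entries are this example's own assumptions.
ZERO = b"\x00" * 32


def _next_key(key):
    """One-way key evolution: holding key i does not reveal key i-1."""
    return hashlib.sha256(b"evolve" + key).digest()


def _tag(key, prev, message):
    return hmac.new(key, prev + message, hashlib.sha256).digest()


class ChainedLog:
    def __init__(self, initial_key):
        self._key, self._prev = initial_key, ZERO   # only the current key is kept
        self.entries = []                            # (message, tag) pairs

    def append(self, message):
        tag = _tag(self._key, self._prev, message)
        self.entries.append((message, tag))
        self._prev, self._key = tag, _next_key(self._key)  # old key discarded
        return tag


def verify(entries, initial_key):
    """Recompute the chain from the trusted initial key. Returns the index of
    the first entry that fails, or None. Caveat: dropping entries from the END
    still verifies; the verifier must also know the expected count or final tag."""
    key, prev = initial_key, ZERO
    for i, (message, tag) in enumerate(entries):
        if not hmac.compare_digest(_tag(key, prev, message), tag):
            return i
        prev, key = tag, _next_key(key)
    return None


def demo():
    """Constructed entries: an intact log, then a modified entry, a deleted
    entry, and a truncated log, each verified against the same initial key."""
    k0 = hashlib.sha256(b"constructed demo key").digest()
    log = ChainedLog(k0)
    for m in (b"login alice success", b"open /etc/shadow failure", b"logout alice"):
        log.append(m)
    e = log.entries
    modified = [e[0], (b"open /etc/shadow success", e[1][1]), e[2]]
    return {"intact": verify(e, k0), "modified": verify(modified, k0),
            "deleted": verify([e[0], e[2]], k0), "truncated": verify(e[:2], k0)}
```

The "truncated" case verifying cleanly is the point of the caveat in `verify`: a chain alone proves nothing about entries removed from the tail, so the verifier needs an independently stored count or the last tag.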
Commercial OS Audit Trail Formats
The audit trail formats in commercial operating systems like those listed below can be
obtained from operating system administration and reference manuals. They are well
summarized in [KP97]. The main features are listed below :
The Solaris operating system from Sun Microsystems includes a security extension called
the Basic Security Module or BSM. BSM provides enhanced security auditing that
is designed to achieve the C2 level of the Trusted Computer System Evaluation Criteria.
The HP-UX trusted operating system [Hew95, Hew96] from Hewlett Packard provides
auditing capability. The auditing system records occurrences of access by subjects to
objects for detection of attempts to bypass protection mechanisms or to misuse privileges.
Audit records are generated both by the system as well as by self-auditing applications.
The OpenVMS VAX operating system [Dig96a, Dig96b] from Digital Equipment
Corporation provides an auditing system that supports monitoring of security-relevant
activities. It can record both successful and unsuccessful security-relevant activity and
allows applications to contribute security-relevant event information to the audit log.
Windows NT
The Windows NT operating system [Mic95b, Mic95a] from Microsoft Corporation
includes mechanisms for recording significant events related to both the operating system
and the applications. Windows NT is designed for C2-level security of the Trusted
Computer System Evaluation Criteria [Nat85]. Each application is allowed to define and
log its own auditable events.