Anatomy of an Auditing System

An auditing system consists of three components:
1. Logger
Collect data
2. Analyzer
Analyze the data
3. Notifier
Report the results
Logger
The logging mechanism records the information. The type and quantity of information recorded are determined by the
system or program configuration parameters. The recorded information may be
Binary, in which case a viewing tool is needed to read it.
Textual, as in the previous section.
The information may also be transmitted directly to an analysis mechanism rather than (or in addition to) being written to a log file.
e.g.
Windows NT has three different sets of logs
System Event Log
system crashes
component failures
etc
Application Event Log
applications
Security Event Log (Admins only)
Security-critical events
logging in and out
system resource overuses
access to system files
One design issue for the logger is what to do when the file system holding the log is full. The options are:
disable logging (the system stays up, but later events go unrecorded; an attacker can exploit this by filling the log first)
overwrite old records (logging continues, but the oldest evidence is lost)
shut the system down (no event goes unrecorded, but a full log becomes a denial of service)
Analyzer
An analyzer takes a log file as input and analyzes it. The results of the analysis may lead to changes in the
data being recorded, to the detection of some event or problem, or both.
e.g.
An intrusion detection system detects attacks by analyzing log records for unexpected activity or for
activity that is known to be an attempt to compromise the system. The analysis mechanism of the
intrusion detection system is an example of an audit analysis mechanism.
e.g.
Often an analysis tool is written to extract selected information from the audit logs. The extracted
information is then reviewed by humans to determine whether any suspicious activity or violation of the system
security policy occurred. TECNET example.
Notifier
The analyzer passes the results of the analysis to the notifier. The notifier informs the analyst and other
entities of the results of the audit. The entities may take some action in response to these results.
e.g.
We have talked about systems that freeze an account after 3 consecutive login failures. The
logging mechanism records each login attempt, successful or not. The audit (analysis) mechanism tracks the number of consecutive
failed login attempts per account, resetting the count on a successful login. When this number reaches 3, the audit mechanism invokes the notifier, which
reports the problem to the system administrator and disables the account.
e.g.
talk about TECNET system
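The three components above, logger, analyzer and notifier, wired together for the 3-consecutive-failures case. This is an added example written for this page, not code from the lecture or from any real system. It assumes a constructed, syslog-like text log format (`login user=... result=OK|FAIL src=...`) and an in-memory notifier; a real deployment would read the platform's own log and send the notification out of band. It also shows two details the slides leave implicit: a successful login resets the streak, and an account that has already been reported is not reported again on every further failure. Malformed lines are counted rather than allowed to crash the analyzer.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log (hypothetical format, not a real system's log).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z login user=alice result=FAIL src=10.0.0.5
2024-01-01T10:00:05Z login user=alice result=FAIL src=10.0.0.5
2024-01-01T10:00:09Z login user=alice result=OK src=10.0.0.5
this line is garbage that the parser must survive
2024-01-01T10:01:00Z login user=bob result=FAIL src=10.0.0.7
2024-01-01T10:01:03Z login user=bob result=FAIL src=10.0.0.7
2024-01-01T10:01:06Z login user=bob result=FAIL src=10.0.0.7
2024-01-01T10:01:09Z login user=bob result=FAIL src=10.0.0.7
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)


def parse_record(line):
    """Logger side: turn one textual log line into a record dict, or None if malformed."""
    m = LOGIN_RE.match(line.strip())
    return m.groupdict() if m else None


@dataclass
class Alert:
    user: str
    failures: int
    src: str
    ts: str


@dataclass
class ConsecutiveFailureAnalyzer:
    """Audit analysis mechanism: counts consecutive failed logins per account."""
    threshold: int = 3
    streak: dict = field(default_factory=dict)
    alerted: set = field(default_factory=set)

    def process(self, rec):
        user = rec["user"]
        if user in self.alerted:
            return None  # already handed to the notifier; avoid duplicate reports
        if rec["result"] == "OK":
            self.streak[user] = 0  # a success breaks the consecutive run
            return None
        self.streak[user] = self.streak.get(user, 0) + 1
        if self.streak[user] >= self.threshold:
            self.alerted.add(user)
            return Alert(user, self.streak[user], rec["src"], rec["ts"])
        return None


@dataclass
class AdminNotifier:
    """Notifier: reports to the administrator and disables the account."""
    messages: list = field(default_factory=list)
    disabled: set = field(default_factory=set)

    def notify(self, alert):
        self.disabled.add(alert.user)
        self.messages.append(
            f"{alert.ts} account {alert.user} disabled after "
            f"{alert.failures} consecutive failed logins from {alert.src}"
        )


def audit(log_text, threshold=3):
    """Run logger -> analyzer -> notifier over a text log; return a summary dict."""
    analyzer = ConsecutiveFailureAnalyzer(threshold)
    notifier = AdminNotifier()
    malformed = 0
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            malformed += 1
            continue
        alert = analyzer.process(rec)
        if alert is not None:
            notifier.notify(alert)
    return {
        "disabled": sorted(notifier.disabled),
        "notifications": notifier.messages,
        "malformed": malformed,
    }


if __name__ == "__main__":
    for msg in audit(SAMPLE_LOG)["notifications"]:
        print(msg)
```

Running this on the sample disables `bob` only: alice's two failures are followed by a success, which resets her streak, and bob's fourth failure produces no second notification because the analyzer has already reported him. The malformed line is counted once so an operator can see that part of the log could not be analyzed, which matters because a gap in the log is itself a security-relevant event.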