System audit records are generally used to monitor and fine-tune system performance. Application audit trails may be used to discern flaws in applications, or violations of security policy committed within an application. User audits records are generally used to hold individuals accountable for their actions. An analysis of user audit records may expose a variety of security violations, which might range from simple browsing to attempts to plant Trojan horses or gain unauthorized privileges.
The system itself enforces certain aspects of policy (particularly system-specific policy) such as access to files and access to the system itself. Monitoring the alteration of systems configuration files that implement the policy is important. If special accesses (e.g., security administrator access) have to be used to alter configuration files, the system should generate audit records whenever these accesses are used.
Sometimes a finer level of detail than system audit trails is required.
Application audit trails can provide this greater level of recorded detail.
If an application is critical, it can be desirable to record not only who invoked the application, but certain details specific to each use. For example, consider an e-mail application. It may be desirable to record who sent mail, as well as to whom they sent mail and the length of messages.
Another example would be that of a database application. It may be useful to record who accessed what database as well as the individual rows or columns of a table that were read (or changed or deleted), instead of just recording the execution of the database program.
A user audit trail monitors and logs user activity in a system or application by recording events initiated by the user (e.g., access of a file, record or field, use of a modem).
Flexibility is a critical feature of audit trails. Ideally (from a security point of view), a system administrator would have the ability to monitor all system and user activity, but could choose to log only certain functions at the system level, and within certain applications. The decision of how much to log and how much to review should be a function of application/data sensitivity and should be decided by each functional manager/application owner with guidance from the system administrator and the computer security manager/officer, weighing the costs and benefits of the logging. Audit logging can have privacy implications; users should be aware of applicable privacy laws, regulations, and policies that may apply in such situations.
Leave a Reply
You must be logged in to post a comment.