Author: Neftaly Malatjie

If a system-level audit capability exists, the audit trail should capture, at a minimum, any attempt to log on (successful or unsuccessful), the log-on ID, date and time of each log-on attempt, date and time of each log-off, the devices used, and the function(s) performed once logged on (e.g., the applications that the user tried, successfully or unsuccessfully, to invoke).  System-level logging also typically includes information that is not specifically security-related, such as system operations, cost-accounting charges, and network performance.

System audit records are generally used to monitor and fine-tune system performance.  Application audit trails may be used to discern flaws in applications, or violations of security policy committed within an application.  User audits records are generally used to hold individuals accountable for their actions.  An analysis of user audit records may expose a variety of security violations, which might range from simple browsing to attempts to plant Trojan horses or gain unauthorized privileges.

The system itself enforces certain aspects of policy (particularly system-specific policy) such as access to files and access to the system itself.  Monitoring the alteration of systems configuration files that implement the policy is important.  If special accesses (e.g., security administrator access) have to be used to alter configuration files, the system should generate audit records whenever these accesses are used.

Sometimes a finer level of detail than system audit trails is required.

Application audit trails can provide this greater level of recorded detail.

If an application is critical, it can be desirable to record not only who invoked the application, but certain details specific to each use.  For example, consider an e-mail application.  It may be desirable to record who sent mail, as well as to whom they sent mail and the length of messages.

Another example would be that of a database application.  It may be useful to record who accessed what database as well as the individual rows or columns of a table that were read (or changed or deleted), instead of just recording the execution of the database program.

A user audit trail monitors and logs user activity in a system or application by recording events initiated by the user (e.g., access of a file, record or field, use of a modem).

Flexibility is a critical feature of audit trails.  Ideally (from a security point of view), a system administrator would have the ability to monitor all system and user activity, but could choose to log only certain functions at the system level, and within certain applications.  The decision of how much to log and how much to review should be a function of application/data sensitivity and should be decided by each functional manager/application owner with guidance from the system administrator and the computer security manager/officer, weighing the costs and benefits of the logging.  Audit logging can have privacy implications; users should be aware of applicable privacy laws, regulations, and policies that may apply in such situations.

Keystroke monitoring is the process used to view or record both the keystrokes entered by a computer user and the computer’s response during an interactive session.  Keystroke monitoring is usually considered a special case of audit trails.  Examples of keystroke monitoring would include viewing characters as they are typed by users, reading users’ electronic mail, and viewing other recorded information typed by users.  (See the CSL Bulletin of March 1993, for guidance on the legality of keystroke monitoring.)

Some forms of routine system maintenance may record user keystrokes.  This could constitute keystroke monitoring if the keystrokes are preserved along with the user identification so that an administrator could determine the keystrokes entered by specific users.  Keystroke monitoring is conducted in an effort to protect systems and data from intruders who access the systems without authority or in excess of their assigned authority.  Monitoring keystrokes typed by intruders can help administrators assess and repair damage caused by intruders.

A system can maintain several different audit trails concurrently.  There are typically two kinds of audit records, (1) an event-oriented log and (2) a record of every keystroke, often called keystroke monitoring.

Event-based logs usually contain records describing system events, application events, or user events. 

An audit trail should include sufficient information to establish what events occurred and who (or what) caused them.  In general, an event record should specify when the event occurred, the user ID associated with the event, the program or command used to initiate the event, and the result.

Date and time can help determine if the user was a masquerade or the actual person specified. 

Audit trails may also be used as on-line tools to help identify problems other than intrusions as they occur.  This is often referred to as real-time auditing or monitoring.  If a system or application is deemed to be critical to an organization’s business or mission, real-time auditing may be implemented to monitor the status of these processes (although, as noted above, there can be difficulties with real-time analysis).  An analysis of the audit trails may be able to verify that the system operated normally (i.e., that an error may have resulted from operator error, as opposed to a system-originated error).  Such use of audit trails may be complemented by system performance logs.  For example, a significant increase in the use of system resources (e.g., disk file space or outgoing modem use) could indicate a security problem.