Logging and Audit
CS498IA, Spring 2007

Reading
• Bishop, Ch. 24
  − Skim only; we will touch on the high-level points

Definitions
• Logging
  − Recording information about system events
• Audit
  − Analysis of logs to check policy compliance

Audit log uses
• Detect policy violations
  − A form of intrusion detection
• Trace back policy violations
  − Find the person responsible, the vulnerability exploited, ...
• Discourage policy violations
  − E.g. HIPAA
• Comply with policy
  − E.g. SOX

Audit Challenges
• Where to collect
  − Reference monitor
  − Applications
  − System implementation

What to collect?
• What to collect
  − Anything that can be used for the above purposes
  − Everything?
• How do you detect policy violations?
  − Track the objects relevant to the policy
    • E.g. BLP: track object/subject security levels
  − ... but this only catches obvious violations
  − Track object transitions (relabeling) under weak tranquility

How to prevent tampering?
• Logs need to resist tampering
  − E.g. rootkits change system logs to erase traces of the infection
  − DoS: fill up the log before the attack so the attack itself is never recorded
• Tamper-resistance techniques
  − Append-only files (defeated by a kernel compromise)
  − WORM storage
  − Remote logging
  − Evidence of audit log gaps, so that deletion or truncation is detectable

Privacy Issues
• Audit logs contain sensitive material
  − Personal information
  − Business secrets
  − Security-relevant information
• Log anonymization
  − Remove sensitive information from logs
  − Translate data into pseudonyms
  − Possibly share anonymized logs
  − http://flaim.ncsa.uiuc.edu/

Key Points
• Logging and auditing are a key part of security solutions
• Audit systems must be designed to:
  − Correspond with security policies / requirements
  − Resist tampering
• Logs contain sensitive
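The "What to collect?" slide says that detecting policy violations means tracking the objects the policy cares about, with BLP security levels as the example, and that object relabeling under weak tranquility also has to be tracked. The following is an added example (not from the lecture or from Bishop) of that audit check run over constructed records. The key=value record format, the four-level lattice and the sample records are assumptions made for the example.

```python
"""Check constructed audit records against a Bell-LaPadula (BLP) policy.

Added example, not from the lecture. The record format (key=value
fields), the level names and the sample records are all assumptions."""

# Ordering of security levels, lowest to highest (assumed lattice)
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "topsecret": 3}

# Constructed sample log: one record per line, slvl = subject level,
# olvl = object level as reported by the logging component
SAMPLE_LOG = """\
ts=1 subj=alice slvl=secret op=read obj=plan olvl=secret
ts=2 subj=bob slvl=confidential op=read obj=plan olvl=secret
ts=3 subj=alice slvl=secret op=write obj=memo olvl=confidential
ts=4 subj=carol slvl=topsecret op=write obj=plan olvl=secret
ts=5 subj=alice slvl=secret op=relabel obj=memo olvl=secret
ts=6 subj=alice slvl=secret op=write obj=memo olvl=secret
ts=7 subj=dave slvl=confidential op=read obj=memo olvl=confidential
"""


def parse(line):
    """Split 'k=v k=v ...' into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def audit(log_text):
    """Return a list of (ts, subject, kind, object) policy violations.

    Two BLP properties are checked: no read-up (simple security) and
    no write-down (*-property). Object levels are tracked across the
    log so that a relabel (weak tranquility) changes how later accesses
    are judged; a record whose reported object level disagrees with the
    tracked level is flagged as an unlogged relabel."""
    violations = []
    tracked = {}  # object -> level the audit trail says it currently has
    for line in log_text.splitlines():
        rec = parse(line)
        obj, op = rec["obj"], rec["op"]
        s_lvl, rec_lvl = LEVELS[rec["slvl"]], LEVELS[rec["olvl"]]
        if op == "relabel":
            tracked[obj] = rec_lvl
            continue
        o_lvl = tracked.setdefault(obj, rec_lvl)
        if o_lvl != rec_lvl:
            violations.append((rec["ts"], rec["subj"], "unlogged-relabel", obj))
        if op == "read" and s_lvl < o_lvl:
            violations.append((rec["ts"], rec["subj"], "read-up", obj))
        elif op == "write" and s_lvl > o_lvl:
            violations.append((rec["ts"], rec["subj"], "write-down", obj))
    return violations


if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(v)
```

Record 7 shows the slide's caveat: the logging component reports memo as confidential, but the trail itself recorded a relabel to secret at record 5, so the auditor judges the read against the tracked level and flags both the unlogged relabel and the resulting read-up. Anything the policy does not model (covert channels, a subject acting through a proxy) is still invisible to this check.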
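The "How to prevent tampering?" slide lists remote logging and evidence of audit log gaps among the tamper-resistance techniques. As an added example of how gap evidence is produced (this is not from the lecture or from Bishop), the block below keeps a hash chain over the entries and evolves the MAC key forward after every entry, in the style of forward-secure audit logging, so that a host compromised after the fact holds only the current key. Key names, message strings and the checkpoint scheme are assumptions made for the example.

```python
"""Tamper-evident, forward-secure audit log (added example, not from
the lecture). Each entry carries an HMAC over its sequence number, the
previous entry's MAC and the message; the MAC key is hashed forward
after every entry and the old key discarded. The verifier holds only
the initial key K0 (kept off the logged host, e.g. with the remote log
collector); an attacker who compromises the host later holds only the
current key and cannot rewrite or remove earlier entries undetected."""

import hashlib
import hmac

GENESIS = b"\x00" * 32  # prev_mac for the first entry


def entry_mac(key, seq, prev_mac, message):
    data = seq.to_bytes(8, "big") + prev_mac + message.encode()
    return hmac.new(key, data, hashlib.sha256).digest()


def next_key(key):
    return hashlib.sha256(key).digest()  # one-way: the old key is unrecoverable


class ForwardSecureLog:
    def __init__(self, initial_key):
        self.key = initial_key
        self.prev_mac = GENESIS
        self.entries = []

    def append(self, message):
        seq = len(self.entries)
        mac = entry_mac(self.key, seq, self.prev_mac, message)
        self.entries.append({"seq": seq, "msg": message, "mac": mac.hex()})
        self.prev_mac = mac
        self.key = next_key(self.key)  # the key that signed this entry is gone


def verify(initial_key, entries, expected_count=None):
    """Return (ok, problem). expected_count is a checkpoint the verifier
    recorded out of band (e.g. the entry count reported at the last sync);
    without it, silent truncation of the tail cannot be detected."""
    key, prev_mac = initial_key, GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"gap: expected seq {i}, found {e['seq']}"
        mac = entry_mac(key, i, prev_mac, e["msg"])
        if not hmac.compare_digest(mac, bytes.fromhex(e["mac"])):
            return False, f"entry {i} modified or chain broken"
        prev_mac, key = mac, next_key(key)
    if expected_count is not None and len(entries) < expected_count:
        return False, f"truncated: {len(entries)} of {expected_count} entries"
    return True, "ok"


def demo(initial_key=b"K0-held-by-collector"):
    """Build a log, then apply the edits a rootkit would attempt."""
    log = ForwardSecureLog(initial_key)
    for msg in ("login alice", "sudo alice", "rm /var/log/auth.log", "logout alice"):
        log.append(msg)
    intact = log.entries
    modified = [dict(e) for e in intact]
    modified[2]["msg"] = "cat /var/log/auth.log"             # rewrite the incriminating entry
    deleted = [intact[0], intact[1], intact[3]]               # drop it, keep the original seq
    renumbered = [intact[0], intact[1], dict(intact[3], seq=2)]  # drop it and renumber
    truncated = intact[:2]                                    # chop the tail
    return {
        "intact": verify(initial_key, intact, 4),
        "modified": verify(initial_key, modified, 4),
        "deleted": verify(initial_key, deleted, 4),
        "renumbered": verify(initial_key, renumbered, 4),
        "truncated": verify(initial_key, truncated, 4),
        "truncated_no_checkpoint": verify(initial_key, truncated),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

Modification, deletion and renumbering all break the chain, but the last case in demo() is the caveat: a log cut off at the end verifies cleanly unless the verifier has a checkpoint (entry count or latest MAC) from outside the host, which is exactly what remote logging provides. An attacker holding the current key can still append entries after the compromise; the scheme makes history immutable, not the future.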
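The "Privacy Issues" slide describes log anonymization as translating data into pseudonyms so that logs can be shared. As an added example (not the FLAIM tool the slide links to, and not from the lecture), the block below pseudonymizes IP addresses and user names with a keyed HMAC so that the same value always gets the same pseudonym, correlation across lines survives, and only the key holder can reverse the mapping. The log line format and the sample lines are constructed for the example.

```python
"""Keyed pseudonymization of audit records (added example, not the
FLAIM tool referenced on the slide). IP addresses and user names are
replaced with HMAC-derived pseudonyms: the same value always maps to
the same pseudonym, so the anonymized log still supports correlation,
while only the key holder can reverse the mapping. A plain hash would
not do: the IPv4 space and typical user-name lists are small enough to
enumerate and match against unkeyed hashes."""

import hashlib
import hmac
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER = re.compile(r"\buser=(\S+)")

# Constructed sample lines in a syslog-like style (assumed format)
SAMPLE_LINES = [
    "sshd[812]: Accepted password for user=alice from 10.0.0.5 port 51022",
    "sshd[812]: Failed password for user=root from 203.0.113.9 port 40011",
    "sshd[813]: Accepted password for user=alice from 10.0.0.5 port 51030",
]


class Pseudonymizer:
    def __init__(self, key):
        self.key = key
        self.table = {}  # pseudonym -> original; stays with the log owner

    def pseudonym(self, kind, value):
        """Deterministic keyed pseudonym; 'kind' keeps IP and user spaces apart."""
        tag = hmac.new(self.key, f"{kind}:{value}".encode(),
                       hashlib.sha256).hexdigest()[:12]
        p = f"{kind}-{tag}"
        self.table[p] = value
        return p

    def anonymize(self, line):
        line = IPV4.sub(lambda m: self.pseudonym("ip", m.group(0)), line)
        return USER.sub(lambda m: "user=" + self.pseudonym("user", m.group(1)), line)

    def reidentify(self, pseudonym):
        """Reverse lookup, available only to whoever holds the table."""
        return self.table.get(pseudonym)


if __name__ == "__main__":
    p = Pseudonymizer(b"site-secret")
    for line in SAMPLE_LINES:
        print(p.anonymize(line))
```

Pseudonyms hide identities, not behaviour: frequency, timing and the structure of the log are unchanged, so a shared log can still leak that one host accounted for most failed logins. Fields that are not covered by a pattern (free-text messages, paths) pass through untouched, which is the usual way sensitive data escapes an anonymizer.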