Computer Security:

Principles and Practice

Fourth Edition

By: William Stallings and Lawrie Brown

Chapter 18
Security Auditing
 Table 18.1
Security Audit Terminology
(RFC 4949)
 Event Definition
• Must define the set of events that are subject to
audit

Common criteria suggests:

• Introduction of objects
• Deletion of objects
• Distribution or revocation of access rights or capabilities
• Changes to subject or object security attributes
• Policy checks performed by the security software
• Use of access rights to bypass a policy check
• Use of identification and authentication functions
• Security-related actions taken by an operator/user
• Import/export of data from/to removable media
 Event Detection
• Appropriate hooks must be available in the application and
system software to enable event detection
• Monitoring software needs to be added to the system and to
appropriate places to capture relevant activity
• An event recording function is needed, which includes the
need to provide for a secure storage resistant to tampering or
deletion
• Event and audit trail analysis software, tools, and interfaces
may be used to analyze collected data as well as for
investigating data trends and anomalies
• There is an additional requirement for the security of the
auditing function
• Auditing system should have a minimal effect on functionality
 Implementation Guidelines
Audit tests that could
Agree on audit affect system availability All access should be
requirements with should be run outside monitored and logged to
appropriate management business hours produce a reference trail

Requirements for special

Scope of technical audit
or additional processing
tests should be agreed
should be identified and
and controlled
agreed

Audit tests should be Access other than read-

limited to read-only only should only be
access to software and allowed for isolated
data copies of system files
 What to Collect
• Events related to the use of the auditing software
• Events related to the security mechanisms on the system
• Events that are collected for use by the various security
detection and prevention mechanisms
• Events related to system management and operation
• Operating system access
• Application access for selected applications
• Remote access
 Table
18.2

Auditable
Items
Suggested
in X.816
 Table 18.3
Monitoring Areas Suggested in ISO 27002
Physical Access Audit Trails
• Generated by equipment that controls physical
access
• Card-key systems, alarm systems
• Sent to central host for analysis and storage
• Data of interest:
• Date/time/location/user of access attempt
• Both valid and invalid access attempts
• Attempts to add/modify/delete physical access privileges
• May send violation messages to personnel
Protecting Audit Trail Data
Read/write file on Write-once/read-
host many device
• Easy, least resource • More secure but less
intensive, instant convenient
access • Need steady supply of
• Vulnerable to attack by recordable media
intruder • Access may be delayed
and not available
immediately

Write-only device Must protect both

• Provides paper trail integrity and
• Impractical for capturing
detailed audit data on
confidentiality
large or networked • Encryption, digital
systems signatures, access
• Useful when a controls
permanent, immediately
available log is required
 Implementing Logging
• Foundation of security auditing facility is the initial
capture of the audit data
• Software must include hooks (capture points) that
trigger data collection and storage as preselected events
occur
• Dependent on the nature of the software
• Varies depending on operating system and applications
involved
 Windows Event Log
• Event is an entity that describes some
interesting occurrence
• Contains:
• A numeric identification code
• A set of attributes
• Optional user-supplied data
• Three types of event logs:
• System: system related apps and drivers
• Application: user-level apps
• Security: Windows LSA
 Table 18.4

Windows
Event
Schema
Elements

(Table can be found on page 560 in

textbook.)
Windows Event Categories
Account logon
events

Account
Privilege use
management

Policy Directory
changes service access

Object access Logon events

 UNIX Syslog
• UNIX's general-purpose logging
mechanism
• Found on all UNIX / Linux variants

Elements:

syslog() logger /etc/syslog.conf syslogd

API referenced by
Command used to Configuration file
several standard Daemon to
add single-line used to control the
system utilities and receive/route log
entries to the system logging and routing
available to events
log of system log events
application programs
 Syslog Service
Basic service provides:

A means of capturing
relevant events
Extra add-on features may
include:
A storage facility

A protocol for Robust Log Event

Alternative
Log file Database Rate
transmitting syslog message
filtering analysis response encryption storage limiting
messages from other formats
machines to a central
machine that acts as a
syslog server
 Syslog Protocol
• A transport allowing hosts to send IP event notification
messages to syslog servers
• Provides a very general message format
• Allowing processes and applications to use suitable conventions for their
logged events
• Common version of the syslog protocol was originally
developed on the University of California Berkeley
Software Distribution (BSD) UNIX/TCP/IP system
implementations
• Messages in the BSD syslog format consist of:
• PRI - facilities/severity code
• Header – timestamp and hostname/IP address
• Msg - program name and content
 Table 18.5

UNIX syslog
Facilities and
Severity Levels

(Table can be found on

Page 564-565 in the textbook.)
Logging at Application Level
• Privileged applications present security issues
• May not be captured by system/user-level audit data

• Constitute a large percentage of reported vulnerabilities

• Vulnerabilities exploited:
• Lack of dynamic checks on input data

• Errors in application logic

• May be necessary to capture behavior of application

beyond its access to system services and file systems
• Two approaches to collecting audit data:
• Interposable libraries
 Interposable Libraries
• Statically linked libraries
• A separate copy of the linked library
function is loaded into the program’s
• Allows the generation of audit virtual memory
data without needing to • Statically linked shared libraries
recompile either the system • Referenced shared object is
libraries or the application incorporated into the target executable
at link time by the link loader
• Audit data can be generated
• Each object is assigned a fixed virtual
without changing the system’s address
shared libraries or needing access • Link loader connects external
to the source code for the referenced objects by assigning their
executable virtual addresses when the executable
is created
• Exploits the use of dynamic • Dynamically linked shared
libraries in UNIX libraries
• The linking to shared library routines is
deferred until load time
• If changes are made to the library prior
to load time any program that
references the library is unaffected
Dynamic Binary Rewriting
• Can be used with both statically and dynamically linked
programs
• Postcompilation technique that directly changes the binary
code of executables
• Change is made at load time and modifies only the memory image of a
program
• Does not require recompilation of the application binary

• Implemented on Linux using two modules:

• Loadable kernel module
• Monitoring daemon

• Loadable modules
• Can be automatically loaded and unloaded on demand
 Audit Trail Analysis
• Analysis programs and procedures vary widely
• Must understand context of log entries
• Relevant information may reside in other entries in the
same logs, other logs, and nonlog sources

• Audit file formats contain mix of plain text and

codes
• Must decipher manually/automatically

• Ideally regularly review entries to gain

understanding of baseline
Types of Audit Trail Analysis

Audit trails can be

Possibilities include:
used in multiple ways
• Audit trail review after an event
• This depends in part • Triggered by event to diagnose
on when done cause and remediate
• Focuses on the audit trail entries
that are relevant to the specific event
• Periodic review of audit trail data
• Review bulk data to identify
problems and behavior
• Real-time audit analysis
• Part of an intrusion detection
function
 Audit Review
• Audit review capability provides administrator with
information from selected audit records
• Actions of one or more users
• Actions on a specific object or resource
• All or a specified set of audited exceptions
• Actions on a specific system/security attribute

• May be filtered by time/source/frequency

• Used to provide system activity baseline
• Level of security related activity
Approaches to Data Analysis
Basic alerting
• Indicate interesting type of event has occurred

Baselining
• Define normal versus unusual events/patterns
• Compare with new data to detect changes
• Thresholding is the identification of data that exceed a particular baseline
value

Windowing
• Detection of events within a given set of parameters

Correlation
• Seeks relationships among events
 SIEM Systems
• Software is a centralized logging software package
similar to, but much more complex than, syslog
• Provide a centralized, uniform audit trail storage facility
and a suite of audit data analysis programs
• There are two general configuration approaches:
• Agentless
• SIEM server receives data from the individual log generating hosts without
needing to have any special software installed on those hosts
• Agent-based
• An agent program is installed on the log generating host to perform event
filtering and aggregation and log normalization for a particular type of log,
and then transmit the normalized log data to a SIEM server, usually on a
real-time or near-real-time basis for analysis and storage
SIEM Software
SIEM software is able to recognize a variety of log formats, including
those from a variety of OSs, security software, application servers, and
even physical security control devices such as badge readers

Software normalizes these various log entries so that the same format is
used for the same data item in all entries

Software can delete fields in log entries that are not needed for the
security function and log entries that are not relevant

SIEM server analyzes the combined data from the multiple log sources,
correlates events among the log entries, identifies and prioritizes
significant events, and initiates responses to events if desired
 Summary
• Security auditing • Implementing the
architecture logging function
• Security audit and alarms model • Logging at the system level
• Security auditing functions • Logging at the application
• Requirements level
• Implementation guidelines • Interposable libraries
• Dynamic binary rewriting
• Security audit trail
• What to collect • Audit trail analysis
• Protecting audit trail data • Preparation
• Timing
• Security information and • Audit review
event management • Approaches to data analysis
• SIEM systems