
Logging and Audit



  1. Logging and Audit
     CS498IA, Spring 2007

  2. Reading
     • Bishop, Ch. 24
     • Skim only; we will touch on the high-level points

  3. Definitions
     • Logging
       • Recording of information about system events
     • Audit
       • Analysis of logs to check policy compliance

  4. Audit log uses
     • Detect policy violations
       • A form of intrusion detection
     • Trace back policy violations
       • Find the person responsible, the vulnerability, ...
     • Discourage policy violations
       • E.g. HIPAA
     • Comply with policy
       • E.g. SOX

  5. Audit Challenges
     • Where to collect
       • Reference monitor
       • Applications
       • System implementation

  6. What to collect?
     • What to collect
       • Anything that can be used for the above purposes
       • Everything?
     • How do you detect policy violations?
       • Track objects relevant to the policy
         • E.g. BLP: track object/subject security levels
       • ... but this only catches obvious violations
         • Track object transitions under weak tranquility

  7. How to prevent tampering?
     • Logs need to resist tampering
       • E.g. rootkits will change system logs to erase traces of infection
       • DoS: fill up the log before the attack
     • Tamper-resistance techniques
       • Append-only files (can be defeated with a kernel compromise)
       • WORM storage
       • Remote logging
       • Evidence of audit log gaps
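The last three techniques on this slide can be combined into one tamper-evident log: each record carries a sequence number and a keyed digest chained to its predecessor, and the most recent digest is shipped to a remote collector so that a truncated tail is also detected. The code below is an added illustration, not part of the lecture; the key, record layout and sample events are constructed for the demo.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In a real deployment the verifier's copy lives on the
# remote log host, so a root compromise of the logged machine cannot re-sign.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64

def _mac(seq: int, prev: str, event: str) -> str:
    """Keyed digest binding a record to its sequence number and predecessor."""
    return hmac.new(LOG_KEY, f"{seq}|{prev}|{event}".encode(), hashlib.sha256).hexdigest()

def append_event(log: List[Dict], event: str) -> Dict:
    """Append a record that commits to every record before it."""
    seq = log[-1]["seq"] + 1 if log else 0
    prev = log[-1]["mac"] if log else GENESIS
    rec = {"seq": seq, "prev": prev, "event": event, "mac": _mac(seq, prev, event)}
    log.append(rec)
    return rec

def verify_log(log: List[Dict], anchor: Optional[str] = None) -> Tuple[bool, str]:
    """Walk the chain and report the first gap, edit or break. `anchor` is the
    last MAC previously shipped to the remote collector; it catches truncation."""
    expected_seq, prev = 0, GENESIS
    for rec in log:
        if rec["seq"] != expected_seq:          # record deleted from the middle
            return False, f"gap: expected seq {expected_seq}, found {rec['seq']}"
        if rec["prev"] != prev:                 # record replaced or reordered
            return False, f"chain broken at seq {rec['seq']}"
        if not hmac.compare_digest(rec["mac"], _mac(rec["seq"], rec["prev"], rec["event"])):
            return False, f"record {rec['seq']} modified"
        expected_seq, prev = expected_seq + 1, rec["mac"]
    if anchor is not None and prev != anchor:   # tail cut off after it was shipped
        return False, "truncated: tail does not reach remote anchor"
    return True, "ok"

def build_demo_log() -> List[Dict]:
    """Constructed sample events, not real system output."""
    log: List[Dict] = []
    for ev in ("login alice", "sudo alice", "logout alice"):
        append_event(log, ev)
    return log

if __name__ == "__main__":
    log = build_demo_log()
    print(verify_log(log))                                 # (True, 'ok')
    print(verify_log(log[:2], anchor=log[-1]["mac"]))      # truncation caught
```

Without the remote anchor, deleting the newest records leaves a perfectly valid shorter chain, which is why the slide lists remote logging alongside gap evidence rather than as an alternative to it.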

  8. Privacy Issues
     • Audit logs contain sensitive material
       • Personal information
       • Business secrets
       • Security-relevant information
     • Log anonymization
       • Remove sensitive information from logs
       • Translate data into pseudonyms
       • Possibly share anonymized logs
       • http://flaim.ncsa.uiuc.edu/

  9. Key Points
     • Logging and auditing are a key part of security solutions
     • Audit systems must be designed to:
       • Correspond with security policies / requirements
       • Resist tampering
     • Logs contain sensitive information
