Logging and Audit CS498IA Spring 2007
Reading
• Bishop, Ch. 24
• Skim only, we will touch on high-level points
Definitions
• Logging
  • Recording of information about system events
• Audit
  • Analysis of logs to check policy compliance
Audit log uses
• Detect policy violations
  • A form of intrusion detection
• Trace back policy violations
  • Find person responsible, vulnerability, ...
• Discourage policy violations
  • E.g. HIPAA
• Comply with policy
  • E.g. SOX
Audit Challenges
• Where to collect
  • Reference monitor
  • Applications
  • System implementation
What to collect?
• What to collect
  • Anything that can be used for the purposes above
  • Everything?
• How do you detect policy violations?
  • Track objects relevant to policy
    • E.g. BLP: track object/subject security level
  • ... but this only catches obvious violations
  • Track object transitions with weak tranquility
How to prevent tampering?
• Logs need to resist tampering
  • E.g. rootkits will change system logs to erase infection traces
  • DoS: fill up log before attack
• Tamper-resistance techniques
  • Append-only files (can be defeated with kernel compromise)
  • WORM storage
  • Remote logging
  • Evidence of audit log gap
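As an added illustration of the tamper-resistance and "evidence of a log gap" points on this slide (example code written for this page, not from Bishop or the course), the verifier below keys each record to its predecessor with an HMAC so that an edited, removed or reordered record, and a truncated tail, can be detected. It assumes the key and the most recent tag live off the logged host (e.g. on the remote log collector the slide mentions); the key and events are constructed sample values.

```python
import hashlib
import hmac
import json

# Constructed demo key; in practice held only by the verifier / remote collector.
SECRET_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64  # tag that the first record chains back to


def _tag(prev_tag: str, seq: int, event: dict) -> str:
    body = json.dumps({"seq": seq, "event": event}, sort_keys=True)
    return hmac.new(SECRET_KEY, (prev_tag + body).encode(), hashlib.sha256).hexdigest()


def build_log(events):
    """Append each event as a record whose tag commits to the previous tag."""
    log, prev = [], GENESIS
    for seq, ev in enumerate(events):
        rec = {"seq": seq, "event": ev, "prev": prev, "tag": _tag(prev, seq, ev)}
        log.append(rec)
        prev = rec["tag"]
    return log


def verify_log(log, expected_last_tag=None):
    """Return (ok, problems). Detects modified records, gaps (missing or
    reordered sequence numbers) and, if the verifier remembers the last tag
    it saw, a truncated tail. Without that remembered tag a clean truncation
    of the most recent records is NOT detectable from the log alone."""
    problems = []
    prev, expected_seq = GENESIS, 0
    for rec in log:
        if rec["seq"] != expected_seq:
            problems.append(f"gap before seq {rec['seq']}: expected seq {expected_seq}")
        if rec["prev"] != prev:
            problems.append(f"seq {rec['seq']}: prev tag does not match preceding record")
        if not hmac.compare_digest(_tag(rec["prev"], rec["seq"], rec["event"]), rec["tag"]):
            problems.append(f"seq {rec['seq']}: tag mismatch (record modified)")
        prev, expected_seq = rec["tag"], rec["seq"] + 1
    if expected_last_tag is not None and prev != expected_last_tag:
        problems.append("tail truncated: last tag differs from the one the verifier recorded")
    return (not problems), problems


if __name__ == "__main__":
    # Constructed sample events.
    log = build_log([{"user": "alice", "op": "login"}, {"user": "bob", "op": "read", "obj": "/payroll"}])
    print(verify_log(log))
```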
Privacy Issues
• Audit logs contain sensitive material
  • Personal information
  • Business secrets
  • Security-relevant information
• Log anonymization
  • Remove sensitive information from logs
  • Translate data into pseudonyms
  • Possibly share anonymized logs
  • http://flaim.ncsa.uiuc.edu/
Key Points
• Logging and auditing are a key part of security solutions
• Audit systems must be designed to:
  • Correspond with security policies / requirements
  • Resist tampering
• Logs contain sensitive information