AUDIT TRAIL

Audit trails are records of computer events i-e

about operating system, applications and user
activities. A computer system may have
different audit trails according to different
types of activities. These audit trails help
auditor in audit of computer systems of client.
USES OF AUDIT TRAIL
 Audit trails may be used as:

 to support regular system operations

 a kind of insurance policy

 both of these

 to support regular system operations

 Audit trails help system administrators to protect the system
applications
from outsiders, hackers, unauthorized persons inside
organization and technical problems or work as support to solve
problems occur in the regular system operations.
 a kind of insurance policy
 As insurance policy audit trails are maintained but not used
unless needed. It helps
 to review data after occurring any special event.
 BENEFITS AND OBJECTIVES
OF AUDIT TRAIL

Audit trails provides a lot of security related benefits

which includes:

 Individual accountability
 Reconstruction of events
 Intrusion detection
 Problem analysis
 BENEFITS AND OBJECTIVES
OF AUDIT TRAIL
 Individual accountability
Audit trails maintain individual accountability.
Every person is liable for his/her
own actions. Audit trail traced and record all the
activities done by users. This may restrict the usage
of computer resources. Only the authorized person
can access the required resources and this will help to
save resources from misuse.

 Reconstruction of events
Audit trail can also help to reconstruct the events if
any problem occur in the events. Audit trail can easily
access the damages in normal operations and suggest
how, when and why normal operation are damaged
and how it can be recovered. Audit trail helps to
distinguish operator induced error and system
created error
BENEFITS AND OBJECTIVES
OF AUDIT TRAIL

• Intrusion detection
intrusion detection is a process that
helps to identify attempts to penetrate
a system and unauthorized access.
These are of two types
Real time intrusion
After the fact intrusion

• Problem analysis
AUDIT TRAIL AND LOGS

There are two types of audit records:

1. Event oriented logs

2. keystroke monitoring
AUDIT TRAIL AND LOGS

Event oriented logs

An event records should specify when an
event occurred, the user’ ID associated with
the event and the command used to initiate
the event and the result.

Keystroke monitoring
It records the keystroke entered by the
computer user and the computer’ response .
 AUDIT EVENTS
Audit trail may be used in to discern flaws in
application analysis, or violations of security
policy committed within an application.

It monitor and logs user’ activity in a system or

application by recording events initiated by the
users.

User should be aware of applicable laws,

regulations, and policies that may apply in such
situation
 System-Level Audit Trails

The audit trail should capture, at a minimum,

any attempt to log on the log-on ID, date and
time of each log-on attempt, date and time of
each log-off, the devices used, and the functions
performed once logged on.
 APPLICATION-LEVEL
AUDIT TRAILS

Application-level audit trails monitor and log

user activities, including data files opened and
closed, specific actions, such as reading,
editing, and deleting records or fields, and
printing reports..
USER AUDIT TRAILS
User audit trails can usually log:
all commands directly initiated by the
user;
all identification and authentication
attempts;
files and resources accessed.

It is most useful if options and parameters are

also recorded from commands. It is much more
useful to know that a user tried to delete a log file
(e.g., to hide unauthorized actions) than to know
the user merely issued the delete command,
possibly for a personal data file.
IMPLEMENTATION
ISSUES
Audit trail data requires protection, since
the data should be available for use when
needed and is not useful if it is not accurate.

 Protecting Audit Trail

 Data Review of Audit Trails:

Audit Trail Review After an Event

Periodic Review of Audit Trail Data.
Real-Time Audit Analysis.
Tools for audit trail analysis

Cost consideration
 PROTECTING AUDIT
TRAIL
Data Access to on-line audit logs should be
strictly controlled. Computer security managers
and system administrators or managers should
have access for review purposes. Audit trail
records should be protected by strong access
controls to help prevent unauthorized access.

 Use digital signals

 Write once device
 REVIEW OF AUDIT
TRAIL
Audit trails can be used to review what occurred
after an event, for periodic reviews, and for real-
time analysis. Reviewers should know what to
look for to be effective in spotting unusual
activity. They need to understand what normal
activity looks like. Audit trail review can be
easier if the audit trail function can be queried
by user ID, terminal ID, application name, date
and time, or some other set of parameters to
run reports of selected information.
 AUDIT TRAIL REVIEW
AFTER AN EVENT

Review by the application owner would

normally involve a separate report base upon
audit trail data to determine if their resources
are being misused
 PERIODIC REVIEW OF
AUDIT TRAIL

Application owners, data owners, system

administrators, data processing function
managers, and computer security managers
should determine how much review of audit
trail records is necessary, based on the
importance of identifying unauthorized
activities.
 REAL TIME AUDIT
ANALYSIS

audit trails are analyzed in a batch mode

at regular intervals (e.g., daily).
TOOLS FOR AUDIT TRAIL
ANALYSIS
Many types of tools have been developed to help to
reduce the amount of information contained in audit
records. Especially on larger systems, audit trail
software can create very large files, which can be
extremely difficult to analyze manually. Some of the
types of tools include:

 Audit reduction tools

 Trends /variance detection tools
 Attack signature-detection tools
 AUDIT REDUCTION
TOOLS
These are preprocessors designed to reduce
the volume of audit records to facilitate
manual review.
Before a security review, these tools can
remove many audit records known to have
little security significance.
(This alone may cut in half the number of
records in the audit trail.) These tools
generally remove records generated by
specified classes of events.
TRENDS / VARIANCE DETECTION
TOOLS

It look for anomalies in user or system

behavior. It is possible to construct more
sophisticated processors that monitor usage
trends and detect major variations.
For example, if a user typically logs in at 9
a.m., but appears at 4:30 a.m. one morning,
this may indicate a security problem that
may need to be investigated.
ATTACK SIGNATURE-DETECTION
TOOLS

It look for an attack signature, which is

a specific sequence of events indicative
of an unauthorized access attempt.

A simple example would be

repeated failed log-in attempts.
 COST
CONSIDERATIONS
Audit trails involve many costs:

system overhead
human and machine time required to do the
analysis.
cost of investigating anomalous events.