Security Audits
Security Audit
An independent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with security policy and procedures, detect breaches, and recommend changes.
audit review
available to authorized users to assist in audit data review.
Audit Recorder
For each detected event, the event discriminator transmits the information to an audit recorder.
PRI
consists of a code that represents the facility and severity values of the message, described subsequently
Header
contains a timestamp and an indication of the hostname or IP address
MSG
contains two fields: the TAG field is the name of the program and the CONTENT field contains the details of the message
event storage
creation and maintenance of the secure audit trail
Thresholding
data exceeding a baseline value
event definition
define the set of events that are subject to an audit
automatic response
defines reactions taken following detection of events
Security audit trail
The audit recorder creates a formatted record of each event and stores it in the security audit trail
Event discriminator
This is logic embedded into the software of the system that monitors system activity and detects security-related alarms
application event log
events for all user-level applications. This log is not secured and is open to any application.
data generation
identifies the level of auditing, enumerates the type of auditable events, and identifies the minimum set of audit-related information provided
event selection
inclusion or exclusion of events from the auditable set
Audit trail examiner
is an application or user who examines the audit trail and the audit archives for historical trends, for computer forensic purposes, and for other analysis
windowing
looks for data within certain parameters
Anomaly detection
looks for similarity
statically linked shared library
more flexible; the referenced shared object is incorporated into the target executable at link time by the link loader and is assigned a fixed virtual address
Statically linked library
on loading, a separate copy of the linked library is loaded into the specific program's virtual memory
Robust filtering
the original syslog implementation allowed messages to be handled differently based only on their facility and priority
log analysis
originally, syslog servers did not perform any analysis of log data
audit analysis
provided via automated mechanisms to analyze system activity and audit data
Alarm processor
some of the events detected by the event discriminator are defined to be alarm events. For such events, an alarm is issued to an alarm processor. The alarm processor takes some action based on the alarm.
agentless
the SIEM server receives data from log-generating hosts without needing any special software installed on those hosts
Archives
the audit archives are a permanent store of security related events
Audit provider
the audit provider is an application or user interface to the audit trail
security reports
the audit trail examiner prepares human-readable security reports
dynamically linked shared library
linking to shared library routines is deferred until load time.
Audit analyzer
the security audit trail is available to the audit analyzer, which, based on a pattern of activity, may define a new auditable event that is sent to the audit recorder and may generate an alarm.
security event log
the Windows audit log. This has event logs for the exclusive use of the Windows Local Security Authority
Audit archiver
this is a software module that periodically extracts records from the audit trail to create a permanent archive of auditable events
System event log
used by applications running under system service accounts, drivers, or a computer or application that has events that relate to the health of a computer system
Account log on events
user authentication activity from the perspective of the system that validated the attempt
directory service access
user-level access to Active Directory
logger
a UNIX command used to add single-line entries to the system log
Audit trail collector
a module on a centralized system that collects audit trail records from other systems and creates a combined audit trail
account management
administrative activity related to the creation, management, and deletion of accounts
agent-based
an agent program is installed on the log-generating host to perform event filtering
syslog()
an application programming interface referenced by several standard system utilities and available to application programs
Security Audit Trails
A chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities
Audit dispatcher
A module that transmits the audit trail records from its local system to the centralized audit trail collector