Computer security audit
A computer security audit is a manual or systematic, measurable technical assessment of a system or application. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems. Automated assessments, performed with computer-assisted audit techniques (CAATs), include system-generated audit reports and the use of software to monitor and report changes to files and settings on a system. Systems can include personal computers, servers, mainframes, network routers and switches. Applications can include web services, Microsoft Project Central and Oracle Database (examples only).
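As an added example (not from the original article), the following Python script shows the kind of automated check a CAAT performs when it monitors and reports changes to files and settings: it records a baseline of file contents and permission bits under a directory, then reports files that were added, removed or modified. The directory tree, file names and the simulated tampering are all constructed inside `demo()` for illustration and are not taken from any real system.

```python
import hashlib
import os
import stat
import tempfile

# Added example, not code from the original article: a minimal file-integrity
# baseline/compare routine. Everything under demo() is constructed sample data.


def _digest(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_baseline(root):
    """Map each regular file under root (path relative to root) to (sha256, mode bits)."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices: hash only regular files
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (_digest(full), stat.S_IMODE(st.st_mode))
    return baseline


def compare_baselines(old, new):
    """Report added, removed and modified paths; a permission change counts as modified."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed tree, take a baseline, simulate drift, and report it."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "sshd_config"), "w") as f:
            f.write("PermitRootLogin no\n")
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        os.chmod(os.path.join(etc, "passwd"), 0o644)
        before = take_baseline(root)

        # Simulated drift: a config setting weakened, a permission loosened,
        # and a new file dropped into the tree.
        with open(os.path.join(etc, "sshd_config"), "w") as f:
            f.write("PermitRootLogin yes\n")
        os.chmod(os.path.join(etc, "passwd"), 0o666)
        with open(os.path.join(etc, "cron.d"), "w") as f:
            f.write("* * * * * root /tmp/x\n")
        after = take_baseline(root)
        return compare_baselines(before, after)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be stored somewhere the audited host cannot rewrite (a separate system or a signed file), since an attacker who can alter the monitored files can usually also alter a baseline kept beside them.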

Audit Event Reporting

During the last few decades, systematic audit record generation (also called audit event reporting) can only be described as ad hoc. Ironically, in the early days of mainframe and minicomputing, with large-scale, single-vendor, custom software systems from companies such as IBM and Hewlett-Packard, auditing was considered a mission-critical function. Over the last thirty years, commercial off-the-shelf (COTS) software applications and components, and microcomputers, have gradually replaced custom software and hardware as more cost-effective business management solutions.…

During this transition, audit event reporting, once critical, gradually became a low-priority customer requirement. Software consumers, having little else to fall back on, have simply accepted the lesser standard as normal. The consumer licenses of existing COTS software disclaim all liability for security, performance and data integrity issues.

Traditional Logging

Using traditional logging methods, applications and components submit free-form text messages to system logging facilities such as the Unix syslog process, or the Microsoft Windows System, Security or Application event logs. Java applications often fall back to a general-purpose logging library such as Apache log4j. These text messages usually contain information only assumed to be security-relevant by the application developer, who is often not a computer- or network-security expert.

The fundamental problem with such free-form event records is that each application developer individually determines what information should be included in an audit event record, and the overall format in which that record should be presented to the audit log. This variance in formatting among thousands of instrumented applications makes the job of parsing audit event records by analysis tools (such as the Novell Sentinel product, for example) difficult and error-prone. Such domain- and application-specific parsing code included in analysis tools is also difficult to maintain, as changes to event formats inevitably work their way into newer versions of the applications over time.
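The following Python example, added here and not part of the original article, shows the problem concretely. It normalizes free-form log lines into a common event shape using one hand-written regular expression per application and message wording, then counts failed logins per source address. The sample lines are constructed (BSD syslog lines in the style sshd writes, and log4j PatternLayout-style lines); the `AuthFilter` application and its two message wordings are hypothetical. The last line, written by a newer version of the same application, matches no pattern and silently drops out of the count.

```python
import re
from collections import Counter

# Added example; not code from the original article. The lines below are
# constructed, and the "AuthFilter" application and its wording are hypothetical.
SAMPLE_LINES = [
    # BSD syslog lines in the style written by OpenSSH's sshd
    "Mar  3 10:15:02 web01 sshd[2104]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Mar  3 10:15:09 web01 sshd[2104]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2",
    # log4j PatternLayout-style line from an in-house web application (v1 wording)
    "2024-03-03 10:16:44,120 WARN  [AuthFilter] login failed user=bob ip=203.0.113.5",
    # the same application after an upgrade quietly changed the wording (v2)
    "2024-03-03 10:17:01,004 WARN  [AuthFilter] authentication failure for user 'bob' (203.0.113.5)",
]

# One pattern per application and per message wording: the maintenance burden
# the text describes lives in this table and grows with every release.
SSHD_AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<verdict>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)
AUTHFILTER_V1 = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+\s+\[AuthFilter\] "
    r"login (?P<verdict>failed|succeeded) user=(?P<user>\S+) ip=(?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line):
    """Return a normalized authentication event, or None if no pattern matches."""
    m = SSHD_AUTH.match(line)
    if m:
        return {
            "source": "sshd", "host": m["host"], "time": m["ts"],
            "event": "authentication",
            "outcome": "success" if m["verdict"] == "Accepted" else "failure",
            "user": m["user"], "src_ip": m["ip"], "method": m["method"],
        }
    m = AUTHFILTER_V1.match(line)
    if m:
        return {
            "source": "AuthFilter", "host": None, "time": m["ts"],
            "event": "authentication",
            "outcome": "success" if m["verdict"] == "succeeded" else "failure",
            "user": m["user"], "src_ip": m["ip"], "method": "password",
        }
    return None


def normalize(lines):
    """Split input into parsed events and lines that no pattern recognized."""
    events, unparsed = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)  # must be surfaced, or the gap goes unnoticed
        else:
            events.append(ev)
    return events, unparsed


def failed_logins_by_ip(events):
    """Count failed authentications per source address."""
    return Counter(e["src_ip"] for e in events if e["outcome"] == "failure")


if __name__ == "__main__":
    evs, bad = normalize(SAMPLE_LINES)
    print(failed_logins_by_ip(evs))  # the v2 line is missing from this count
    for line in bad:
        print("UNPARSED:", line)
```

The practical check this suggests for any log-parsing pipeline is to track the unparsed-line rate per source and alert when it rises after a deployment, since a format change in an upstream application looks, from the analysis side, exactly like the attacks stopping.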

Modern Auditing Services

Most contemporary enterprise operating systems, including Microsoft Windows, Solaris, Mac OS X and FreeBSD (via the TrustedBSD Project), support audit event logging due to requirements in the Common Criteria (and, more historically, the Orange Book). Both FreeBSD and Mac OS X make use of the open source OpenBSM library and command suite to generate and process audit records.

The importance of audit event logging has increased with recent (post-2000) US and worldwide legislation mandating corporate and enterprise auditing requirements. Open source projects such as OpenXDAS, a Bandit project identity component, have begun to take their place in software security reviews as not only an improvement but a requirement. OpenXDAS is based on the Open Group Distributed Auditing Service (XDAS) specification, and has begun to show prominence in the security community as a more structured alternative to free-form text audit logging. The XDAS specification defines a well-considered event format for security-related events, an event taxonomy with event types that cover most security-related event scenarios, and a standardized API for event submission and management.
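As an added example (not from the article, and not the XDAS specification or the OpenXDAS API itself), the following Python sketch shows what a structured audit service buys the consumer: a small hypothetical schema with a fixed field set and a closed event taxonomy, validated at submission time, stored as JSON lines and queried by field rather than by pattern matching on message text. The event names, field names, sample records and the `payroll-api` service are this example's own assumptions.

```python
import json
import time

# Added example, not part of the article and not the XDAS/OpenXDAS API: a
# hypothetical structured audit record with a fixed field set and a closed
# event taxonomy, validated before it ever reaches the log.

EVENT_TAXONOMY = {
    "account.login", "account.logout", "account.create", "account.delete",
    "authz.check", "data.read", "data.write", "config.change",
}
OUTCOMES = {"success", "failure", "denied"}
REQUIRED_FIELDS = ("time", "event", "outcome", "initiator", "target", "source")


class AuditValidationError(ValueError):
    """Raised when a record does not conform to the schema."""


def make_event(event, outcome, initiator, target, source, details=None, when=None):
    """Build one record; anything outside the taxonomy is rejected at the source."""
    if event not in EVENT_TAXONOMY:
        raise AuditValidationError(f"unknown event type {event!r}")
    if outcome not in OUTCOMES:
        raise AuditValidationError(f"unknown outcome {outcome!r}")
    for name, val in (("initiator", initiator), ("target", target), ("source", source)):
        if not isinstance(val, dict) or "id" not in val:
            raise AuditValidationError(f"{name} must be a dict carrying an 'id'")
    return {
        "time": time.time() if when is None else when,
        "event": event,
        "outcome": outcome,
        "initiator": initiator,   # who acted (user or service), with address if known
        "target": target,         # what was acted on (account, file, resource)
        "source": source,         # the component that observed the event
        "details": details or {},
    }


class AuditLog:
    """Append-only JSON-lines sink; in memory here, a file or socket in practice."""

    def __init__(self):
        self.lines = []

    def submit(self, rec):
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            raise AuditValidationError(f"missing fields: {missing}")
        # Canonical serialization: stable key order, nothing free-form to parse later.
        self.lines.append(json.dumps(rec, sort_keys=True, separators=(",", ":")))

    def query(self, event=None, outcome=None):
        """Filter on schema fields, not on substrings of a message."""
        out = []
        for line in self.lines:
            rec = json.loads(line)
            if event is not None and rec["event"] != event:
                continue
            if outcome is not None and rec["outcome"] != outcome:
                continue
            out.append(rec)
        return out


def demo_log():
    """Constructed sample: two failed logins, one success, one configuration change."""
    log = AuditLog()
    svc = {"id": "payroll-api", "host": "app02"}
    bob = {"id": "bob", "ip": "203.0.113.5"}
    alice = {"id": "alice", "ip": "198.51.100.7"}
    log.submit(make_event("account.login", "failure", bob, {"id": "payroll-api"}, svc,
                          {"reason": "bad_password"}, when=1709460000.0))
    log.submit(make_event("account.login", "failure", bob, {"id": "payroll-api"}, svc,
                          {"reason": "bad_password"}, when=1709460005.0))
    log.submit(make_event("account.login", "success", alice, {"id": "payroll-api"}, svc,
                          when=1709460010.0))
    log.submit(make_event("config.change", "success", alice,
                          {"id": "/etc/payroll/limits.conf"}, svc,
                          {"key": "max_transfer", "old": 1000, "new": 50000},
                          when=1709460020.0))
    return log


def failed_logins_by_initiator(log):
    """Answered by field comparison alone; no regular expression per application."""
    counts = {}
    for rec in log.query(event="account.login", outcome="failure"):
        who = rec["initiator"]["id"]
        counts[who] = counts.get(who, 0) + 1
    return counts


if __name__ == "__main__":
    log = demo_log()
    print(failed_logins_by_initiator(log))
    for rec in log.query(event="config.change"):
        print(rec["initiator"]["id"], "changed", rec["target"]["id"], rec["details"])
```

The point of rejecting an unknown event type at `make_event` rather than at analysis time is that the developer who instruments the application finds out immediately, while the record still has a taxonomy entry to be mapped to; with free-form text that mismatch surfaces only when an analyst notices an event is missing.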

Performing an Audit

Generally, computer security audits are performed by:
  1. Federal or state regulators - certified accountants, CISAs; federal OTS, OCC, DOJ, etc.
  2. Corporate internal auditors - certified accountants, CISAs.
  3. Corporate security staff - security managers, CISSPs, CISMs.
  4. IT staff - subject matter experts, oversight support.

See also

  • Computer insecurity
  • Computer security
  • Defensive computing
  • Information security
  • IT Baseline Protection Catalogs
  • Penetration test
  • Security breach
  • Ethical hack

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 