An audit trail

Introduction
An audit trail is a series of records of computer events, about an operating system, an application, or user activities. It is generated by an auditing system that monitors system activity. Audit trails have many uses in the realm of computer security : Individual Accountability : An individual's actions are tracked in an audit trail allowing users to be personally accountable for their actions. This deters the users from circumventing security policies. Even if they do, they can be held accountable. Reconstructing Events : Audit trails can also be used to reconstruct events after a problem has occurred. The amount of damage that occurred with an incident can be assessed by reviewing audit trails of system activity to pinpoint how, when, and why the incident occurred. Problem Monitoring : Audit trails may also be used as on-line tools to help monitor problems as they occur. Such real time monitoring helps in detection of problems like disk failures, over utilization of system resources or network outages. Intrusion Detection : Intrusion detection refers to the process of identifying attempts to penetrate a system and gain unauthorized access. Audit trails can help in intrusion detection if they record appropriate events. Determining what events to audit so that audit trails can be used in an effective manner to aid intrusion detection is one of the present research issues being looked into by the research community.

Model of Auditing System

A simple model of an auditing system consists of two parts : Audit Data Collector : This is responsible for collecting the audit data Audit Data Analyzer : This is responsible for analyzing the audit data transferred to it by the Audit Data Collector Often a file is used to transfer the audit data from the collector to the analyzer. This leads to problems when the audit data is collected from different systems. This is due to the lack of a standard interface for audit trails. Developing standards for the format and content of audit trails is an ongoing research effort.

Audit Trail Standards

Gabriel Mbugua

Development of audit trail standards for audit format and content that support security goals and that gain wide acceptance is an important step in overcoming incompatibility issues.

Format Standards
A standard format with wide acceptance would help overcome incompatibility and interoperability issues faced by the developers of audit data analysis systems. It would also allow the exchange of audit data from audit sources on different systems and facilitate collaborative analysis of data in a networked environment. 1. Bishop's Standard Audit Trail Format Bishop [Bis95] states that a standard format must be both extensible and portable to meet the needs of different heterogeneous systems and transportability across various systems and network protocols. Bishop defines a standard log record format that is both portable and extensible. Each log record consists of fields separated by a field separator ('#') and delimited by start and stop symbols ('S' and 'E'). The number of fields is not fixed to meet the need for extensibility. All values are ASCII strings. This avoids the issues of byte ordering and floating point format. This format however does not attempt to standardize the fields of an audit trail record. 2. Normalized Audit Data Format (NADF) The Normalized Audit Data Format (NADF) [Mou93, Mou97] was defined by the developers of the ASAX misuse detection system to provide a degree of operating system independence. A NADF audit trail is a sequential file of NADF records. Any audit trail can be converted to the NADF format. During conversion, the audit records of the native audit trail are abstracted into a sequence of audit data values. Each audit data value is stored in a separate NADF record consisting of three fields: Identifier : the type of the audit data value. Length : the length of the audit data value. Value : the audit data value. 3. svr4++ Common Audit Trail Interchange Format for UNIX This is a standard meant specifically for the Unix systems. The attributes entered in a audit record are time, event type, process identifier, result, user and group information, session identifier, labeling information for the process, information about the object and miscellaneous data. The attributes are all in ASCII. This standard approaches portability but lacks the features for extensibility.

Content Standards
Gabriel Mbugua

The content of the audit trails also needs to be standardized. This would help analyzing audit data from different audit sources and improve interoperability in a networked environment. Some of the proposed standards are : 1. DoD Trusted Computer System Evaluation Criteria This is a standard created by the National Computer Security Center against which a computing system can be evaluated for security assurance. There are four classes of criteria namely A, B, C, and D, with systems meeting the criteria of the highest division (A) providing the best level of security assurance. There are a number of subdivisions in classes B and C. Classes C2 through A1 require the ability to audit security relevant activities on the system. This standard specifies what events are to be audited and what each event should contain. For example, in a C2 system, events that must be audited include use of identification and authentication mechanisms, introduction and deletion of objects, administrative actions, and other security relevant events. Moreover, each audited event should contain the following information : date and time of the event,user identifier, type of event, success or failure of the event, origin of request for identification/authentication events and name of object for object introduction/deletion events. 2. Security Criteria for Distributed Systems This is a standard created by the Institute for Defense Analyses in 1995 for distributed systems. This standard specifies various types of events to be audited. The events are grouped into six categories: 1. Access Control and Administrative Policy Events 2. Data Confidentiality and Integrity Policy Events 3. Non-Discretionary Policy Events 4. Availability Policy Events 5. Cryptographic Policy Events 6. Default and Dependent Events The standard specifies the information to be recorded in each event to be: date and time, subject attribute information, identity of host generating the audit record, event class and event identifier within the class, and event outcome (success or failure).

Distributed Auditing
Distributed Auditing allows the audit data to be collected in different systems in the network. This is necessary to provide security in a networked environment because the correlation of user activities taking place at different hosts in the same network might reveal a malicious behavior
Gabriel Mbugua

while the same behavior might seem legitimate at a single host level. [SM91] discusses a lot of issues that affect auditing in a distributed environment. These include collection and storage, protection, integration and analysis. In [BEF+91], a Distributed Auditing System (DAS) architecture for the distribution and collection of audit data in a distributed environment is presented. It addresses issues of migrating audit data from a collection point to an analysis point, and management of audit functions from a remote location.

Audit Trail Analysis

The audit trails need to be analyzed to determine vulnerabilities, establish accountability, assess damage and recover the system. Manual analysis of audit trails though cumbersome is often resorted to because of the difficulty to construct queries to extract complex information from the audit logs. There are many tools that help in browsing the audits. The major obstacle in developing effective audit analysis tools is the copious amounts of data that logging mechanisms generate. ComputerWatch Audit Trail Analysis Tool

Automated Audit Analysis

There has been a lot of work done in the area of automated audit analysis, mainly for intrusion detection purposes. These tools use the audit data as input. These tools are based on three approaches namely : Statistical Automated statistical systems such as SRIs IDES [Denn87, Javi91] and Haystack Laboratory's Haystack [Sma88] focus primarily on defining characteristics of a normal user or group, which generally involves a period of training; then they employ statistical measures to determine if a current users characteristics match his previously observed behavior. This approach is also called "Anomaly Detection." Rule-based expert systems Automated expert systems such as portions of IDES [Lunt89, Garv91], DIDS [Snap91a], Wisdom & Sense (W&S)[Vacc89], and signature analysis [Snap91b] pursue a different

Gabriel Mbugua

approach. Instead of detecting anomalies, these systems attempt "misuse detection" by using a priori rules that are indicative to a human expert of an intrusion. Machine learning Application of machine learning to intrusion detection problem is a relatively new approach. Machine learning attempts to monitor and learn the normal activities of users. By knowing past events, inductive learning algorithms try to predict later events.

Distributed Audit Analysis

Distributed Audit Analysis is needed for network security because as said before, the correlation of users actions taking place at different hosts could reveal a malicious behavior while the same actions may seem legitimate at a single host level. This has the following benefits over a centralized audit trail analysis : 1. It drastically reduces the network traffic when compared to the centralized analysis where all audit data are sent to a central host for analysis. 2. It also achieves a balance of the CPU time over several machines as the analysis is being done on several machines instead of overloading the central host as in centralized audit analysis. [MCZH95] discusses in detail about the architecture for distributed audit trail analysis and its benefits over single audit trail analysis.

Research Issues
The various issues in audit trails that are being looked into by the research community are listed below :

Audit Content
This area of research aims at determining the format and content of the audit data that is needed for detecting computer intrusions and misuse. The Audit Trails Format Group at CERIAS, Purdue is pursuing this research issue.

Audit Analysis

Gabriel Mbugua

This area of research deals with issues like automated analysis, distributed analysis, more efficient and effective ways of audit analysis for intrusion detection. Most of the research groups working on intrusion detection are involved in this.

Audit Compression
This area of research aims to develop techniques and, ultimately, tools to efficiently reduce audit data, both in the sense of economizing storage space and in the sense of abstracting higher-level, more useful information for security administrators. The Audit Trail Reduction Group at CERIAS, Purdue is pursuing this research issue.

Audit Tamperproofing
This area of research aims at securing the audit logs from tampering. [SK99] deals with the issue of securing audit logs to support computer forensics. The other papers related to this issue are [SK98] and [SK99(2)] .

Commercial OS Audit Trail Formats

The audit trail formats in commercial operating systems like those listed below can be obtained from operating system administration and reference manuals. They are well summarized in [KP97]. The main features are listed below :

Solaris
The Solaris operating system from Sun Microsystems includes a security extension called the Basic Security Module or BSM. This BSM provides enhanced security auditing that is designed to achieve the C2 level in the Trusted Computer System Evaluation Criteria [Nat85].

HP-UX
The HP-UX trusted operating system [Hew95, Hew96] from Hewlett Packard provides auditing capability. The auditing system records occurrences of access by subjects to objects for detection of attempts to bypass protection mechanisms or to misuse privileges. Audit records are generated both by the system as well as by self-auditing applications.

OpenVMS VAX
The OpenVMS VAX operating system [Dig96a, Dig96b] from Digital Equipment Corporation provides an auditing system that supports monitoring of security relevant activities. It can record
Gabriel Mbugua

both successful and unsuccessful security relevant activity and allows applications to contribute security relevant event information to audit log.

Windows NT
The Windows NT operating system [Mic95b, Mic95a] from Microsoft Corporation includes mechanisms for recording significant events related to both the operating system and the applications. Windows NT is designed for C2-level security of the Trusted Computer System Evaluation Criteria [Nat85]. Each application is allowed to define and log its own auditable events.

Understanding File Sharing

This document provides answers to commonly asked questions about file sharing. The questions typically come from members of the university community accused of illegal file sharing by the RIAA. It is for informational purposes only. Please note that peer-to-peer (P2P) file sharing applications are not supported by the DoIT Help Desk.

What is file sharing? Why is file sharing illegal? Can I install file sharing peer-to-peer (P2P) software to play music or video only? How do I turn off file sharing? What harm can P2P software do to my computer? What is the RIAA? Where can I get more information?

What is file sharing?

In general, file sharing is the practice of making files available for other individuals to download. It can be as simple as sharing a file for general consumption via My WebSpace or enabling file sharing on your computers operating system so that you can access your home computer files at work. The most common and controversial method of file sharing, however, is the use of peer-to-peer (P2P) software. This includes software such as Limewire, Morpheus and BitTorrent. A more complete list of P2P file sharing software can be found here. P2P software packages are installed by the computer owner and appear somewhat innocuous in their behavior; you install them and then use these programs to download "free" music, videos, etc. However, this "free" music is generally copyrighted material that is downloaded to your
Gabriel Mbugua

computer from other individual computers across the network. In addition, your computer becomes part of this network as well, enabling other individuals on the Internet to begin downloading music from your computer. You are then responsible for downloading and distributing copyrighted material illegally. For more information see Wikipedia's article on File Sharing.
Why is file sharing illegal?

Not all file sharing is illegal. For instance, the sharing of non-copyrighted material or material with permission of the creator is legal. However, the majority of P2P file sharing involves sharing copyrighted or restricted material such as music, which is illegal. A copyright grants the creator/owner of the material exclusive rights to the material and its distribution. By distributing this material without permission, the person distributing the material is violating copyright law and is subject to penalties under the law. For more information see Wikipedia's article on File Sharing and the Law and Wikipedia's article on Copyright.
Can I install file sharing peer-to-peer (P2P) software to play music or videos only?

Yes, you can, but why would you? Both Mac and Windows computers come with media players installed (QuickTime, Windows Media Player). In addition, most P2P software turns file sharing on by default as soon as the software is installed. This means that others may access materials on your computer without your knowledge, whether you have given permission or not. Downloading copyrighted music or movie files without permission is illegal. It is also illegal to share even purchased music or movie files with others, whether you know you have done so or not. If you install P2P software to play music or video only, be sure to turn the file sharing options off. If you legally own and are playing copyrighted materials, but are sharing them inadvertently, you are still liable for violating copyright law.
How do I turn off P2P file sharing?

Indiana University maintains an article entitled Disabling Peer-to-Peer File Sharing. This article lists the more common P2P file sharing programs along with instructions on how to turn off the file sharing functions in these programs. We also recommend checking the manufacturer's web site for instructions.
What harm can P2P software do to my computer?

Several commercial P2P file sharing programs install adware and/or spyware on your computer.
Gabriel Mbugua

In addition to serving up unwanted advertisements, these programs may gather personal data from your computer to send back to the parent company, alter your computer settings, and may interfere with your computer performance. For more information visit the Help Desk's Spyware - FAQ article or see Wikipedia's article on Spyware.
What is the RIAA?

RIAA stands for the Recording Industry Association of America. RIAA is the trade group that represents the US recording industry.

Gabriel Mbugua