Exam 18: Security Auditing

Data representing behavior that does not trigger an alarm cannot serve as input to intrusion detection analysis.

Data items to capture for a security audit trail include:

The audit analyzer prepares human-readable security reports.

The foundation of a security auditing facility is the initial capture of the audit data.

Applications,especially applications with a certain level of privilege, present security problems that may not be captured by system-level or user-level auditing data.

The basic audit objective is to establish accountability for system entities that initiate or participate in security-relevant events and actions.

Although important,security auditing is not a key element in computer security.

_________ identifies the level of auditing,enumerates the types of auditable events,and identifies the minimum set of audit-related information provided.

According to ISO 27002,the person(s)carrying out the audit should be independent of the activities audited.

Windows allows the system user to enable auditing in _______ different categories.

Means are needed to generate and record a security audit trail and to review and analyze the audit trail to discover and investigate attacks and security compromises.

______ is UNIX's general-purpose logging mechanism found on all UNIX variants and Linux.

Messages in the BSD syslog format consist of three parts: PRI,Header,and ___.

A _________is a chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation,procedure,or event in a security-relevant transaction from inception to final results.

Thresholding is a form of baseline analysis.

With _________ the linking to shared library routines is deferred until load time so that if changes are made any program that references the library is unaffected.

The security administrator must define the set of events that are subject to audit.

All UNIX implementations will have the same variants of the syslog facility.

System conditions requiring immediate attention is a(n)_______ severity.

Monitoring areas suggested in ISO 27002 include: authorized access,all privileged operations,unauthorized access attempts,changes to (or attempts to change)system security settings and controls,and __________.