Deck 18: Security Auditing

Means are needed to generate and record a security audit trail and to
review and analyze the audit trail to discover and investigate attacks and security compromises.

Although important,security auditing is not a key element in computer
security.

Audit trails are different from audit logs.

Protection of the audit trail involves both integrity and confidentiality.

Event and audit trail analysis software,tools,and interfaces may be
used to analyze collected data as well as for investigating data trends and anomalies.

The foundation of a security auditing facility is the initial capture of
the audit data.

Thresholding is a form of baseline analysis.

The audit analyzer prepares human-readable security reports.

The basic audit objective is to establish accountability for system
entities that initiate or participate in security-relevant events and actions.

Applications,especially applications with a certain level of privilege,
present security problems that may not be captured by system-level or user-level auditing data.

All UNIX implementations will have the same variants of the syslog
facility.

The first order of business in security audit trail design is the selection
of data items to capture.

According to ISO 27002,the person(s)carrying out the audit should be
independent of the activities audited.

The security administrator must define the set of events that are
subject to audit.

Windows is equipped with three types of event logs: system event log,security event log,and ________ event log.

The audit _______ are a permanent store of security-related events on a system.

A _______ is an independent review and examination of a system's records and activities.

A _________is a chronological record of system activities that is sufficient to enable the reconstruction and examination of the sequence of environments and activities surrounding or leading to an operation,procedure,or event in a security-relevant transaction from inception to final results.

______ is UNIX's general-purpose logging mechanism found on all UNIX variants and Linux.

RFC 2196 (Site Security Handbook)lists three alternatives for storing audit records: read/write file on a host,write-once/read-many device,and ______.

________ audit trail traces the activity of individual users over time and can be used to hold a user accountable for his or her actions.

Monitoring areas suggested in ISO 27002 include: authorized access,all privileged operations,unauthorized access attempts,changes to (or attempts to change)system security settings and controls,and __________.

_________ is a form of auditing that focuses on the security of an organization's IS assets.

The ________ is an application or user who examines the audit trail and the audit archives for historical trends,for computer forensic purposes,and for other analysis.

SIEM software has two general configuration approaches: agentless and ______.

______ is the process of defining normal versus unusual events and patterns.

Messages in the BSD syslog format consist of three parts: PRI,Header,and ___.

The ______ repository contains the auditing code to be inserted into an application.

______ is detection of events within a given set of parameters,such as within a given time period or outside a given time period.