Expect the unexpected: The importance of audit logging
Planning and policies are essential to good security, but it’s also important to expect the unexpected whenever humans and computers mix. Having a log of user activities can help you deal with those unforeseen circumstances.
In our previous posts in this series, we talked about verifying people’s identities with authentication, and then using authorization and access control to enforce access policies. In this post we’ll talk about audit logging, and how it can help you track and identify security violations, performance problems, and flaws in applications.
What is audit logging?
If you’ve been an administrator for any length of time, you know that users can be remarkably creative about doing things you would not expect. If you don’t know what you don’t know about what’s happening in your network, it could lead to a lot of sleepless nights. But this does not have to be accepted as inevitable; audit logging can give you that view into what’s going on, so that you can try to retrace the user’s steps if something strange happens.
Audit logging records attempted or complete actions. Those records should include when, where and by whom the action was taken (naturally, the ‘whom’ is provided by authentication). Logging user actions can help you improve security in a variety of ways. For example, it can help you reconstruct events, detect intrusions, and analyze problems such as poor performance or unexpected system behavior. It can also help promote good behavior and a sense of accountability among your users, if they know that their actions can be reviewed.
These records can be taken at the operating system level, or at the application or service level. Having logs at various levels can give you granularity that can be particularly helpful if you’re having issues in certain areas, such as misuse of email or internet browser.
Naturally, for all of this logged activity to be truly useful, someone needs to view the logs periodically. It they just pile up forever without anyone sifting through them regularly, they’re just another way to fill up disk space. You can set alarms to be triggered upon certain actions taking place or thresholds being met, which can prompt you to view the records. This need not be done manually; you can employ parsing-scripts or software applications designed to make this task simpler.
The National Institute of Standards and Technology has a fantastic paper that goes into great detail about how and why you should use audit logging. It includes a very compelling summary of scenarios in which it could be useful:
“Audit trail analysis can often distinguish between operator-induced errors (during which the system may have performed exactly as instructed) or system-created errors (e.g. arising from a poorly tested piece of replacement code). If, for example, a system fails or the integrity of a file (either program or data) is questioned, an analysis of the audit trail can reconstruct the series of steps taken by the system, the users, and the application.
“Knowledge of the conditions that existed at the time of, for example, a system crash, can be useful in avoiding future outages. Additionally, if a technical problem occurs (e.g. the corruption of a data file) audit trails can aid in the recovery process (e.g. by using the record of changes made to reconstruct the file).”
There are a variety of articles and documents available about how to parse logs with various scripts, and for particular applications. This article, while it is written specifically about parsing Windows security logs, is also an excellent introduction to log file parsing.
When implemented thoughtfully, audit logging can be a very effective way to make sure your access policies are living – and continuously updated – documents that reflect the reality of the way your users interact in your environment. By using the four “A”s of account management in combination, they can help you see and understand what’s going on in your environment, so that you can keep it safer.