Security monitoring and auditing


Transcript of Security monitoring and auditing

Page 1: Security monitoring and auditing

Security Monitoring and Auditing System

- Implementation considerations

K.Balamurugan, M.Tech-CSE, 1st year, Network Security

Page 2: Security monitoring and auditing

Auditing

- Auditing is used to determine security violations.
- Logging: recording system events and actions.
- Auditing: analysis of these records.
- Violations of security policies will be detected.
- Problems: 1. which information to log; 2. which information to audit.

Page 3: Security monitoring and auditing

Auditing system components

- Solution: decide what to log and what to audit based on the security policies.
- An auditing system consists of 3 components:
  1. Logger: collects the data
  2. Analyzer: analyses the data
  3. Notifier: reports the results
- Log viewing tool: if information is recorded

Page 4: Security monitoring and auditing

Case Study: Microsoft Windows NT

- MS Windows NT has three different sets of logs:
  1. System event log: system crashes, component failures, etc.
  2. Application event log: application-oriented logs.
  3. Security event log: logging in and out, overuse of system resources, and access to system files.
- Event Viewer: displays each event as a header (the fixed fields) plus a free-text description.

Page 5: Security monitoring and auditing

Case Study: Microsoft Windows NT

- The security log typically has the following fields:
- Date and time, source, user, computer, event ID, type, etc.
- Description: for example, a successful execution of Internet Explorer by Administrator is also logged.
- The analyser component takes the log as input and analyses it.
- Notifier: describes the problem to the user.
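As an added example (not code from the slides), the three components of page 3 applied to records shaped like the security-log fields listed above: a logger that parses and selects records according to policy, an analyzer that applies two policy rules (repeated failed logons, and a non-administrator opening a protected system file), and a notifier that describes each finding. Event IDs 528, 529, 560 and 592 are the NT 4.0 security-log IDs for successful logon, failed logon, object open and new process; the log lines, thresholds, protected paths and administrator set are constructed for this example.

```python
"""Logger -> Analyzer -> Notifier over Windows NT-style security log records.

Added example, not from the slides. The log lines and the audit policy
(threshold, window, protected paths, administrator set) are constructed.
Event IDs 528/529/560/592 are the NT 4.0 security-log IDs for successful
logon, failed logon, object open and new process created.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SUCCESS_LOGON, FAILED_LOGON, OBJECT_OPEN, NEW_PROCESS = 528, 529, 560, 592

# Audit policy (constructed): what the analyzer treats as a violation.
FAILED_LOGON_THRESHOLD = 3                   # failures per user ...
FAILED_LOGON_WINDOW = timedelta(minutes=1)   # ... within this window
PROTECTED_PREFIXES = ("C:\\WINNT\\system32\\config\\",)
ADMINISTRATORS = {"Administrator"}


@dataclass(frozen=True)
class Event:
    """One record with the fields the slide lists for the NT security log."""
    when: datetime
    source: str
    user: str
    computer: str
    event_id: int
    kind: str          # Event Viewer "type": Success Audit / Failure Audit
    description: str


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


# Constructed sample records: date/time|source|user|computer|event id|type|description
RAW_LOG = """\
1999-03-01 09:00:01|Security|alice|WKS1|528|Success Audit|Successful Logon
1999-03-01 09:00:05|Security|Administrator|WKS1|592|Success Audit|New Process Created: IEXPLORE.EXE
1999-03-01 09:01:10|Security|bob|WKS1|529|Failure Audit|Logon Failure: bad password
1999-03-01 09:01:12|Security|bob|WKS1|529|Failure Audit|Logon Failure: bad password
1999-03-01 09:01:15|Security|bob|WKS1|529|Failure Audit|Logon Failure: bad password
1999-03-01 09:01:17|Security|bob|WKS1|529|Failure Audit|Logon Failure: bad password
1999-03-01 09:05:00|Security|alice|WKS1|560|Success Audit|Object Open: C:\\WINNT\\system32\\config\\SAM
1999-03-01 09:06:00|Security|alice|WKS1|560|Success Audit|Object Open: C:\\docs\\report.txt
"""


def parse_log(text: str) -> list[Event]:
    """Logger, step 1: turn raw records into structured events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, source, user, computer, event_id, kind, desc = line.split("|", 6)
        events.append(Event(datetime.fromisoformat(when), source, user, computer,
                            int(event_id), kind, desc))
    return events


def select_for_audit(events: list[Event]) -> list[Event]:
    """Logger, step 2: the policy decides which records are kept for analysis
    (every failure audit, plus object opens and process creations)."""
    return [e for e in events
            if e.kind == "Failure Audit" or e.event_id in (OBJECT_OPEN, NEW_PROCESS)]


def analyze(events: list[Event]) -> list[Finding]:
    """Analyzer: apply the policy rules to the kept records."""
    findings: list[Finding] = []

    # Rule 1: at least THRESHOLD failed logons for one user inside WINDOW.
    failures: dict[str, list[datetime]] = defaultdict(list)
    for e in events:
        if e.event_id == FAILED_LOGON:
            failures[e.user].append(e.when)
    for user, times in failures.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= FAILED_LOGON_WINDOW:
                j += 1
            if j - i >= FAILED_LOGON_THRESHOLD:
                findings.append(Finding("repeated-failed-logon", user,
                                        f"{j - i} failed logons within {FAILED_LOGON_WINDOW}"))
                break   # one finding per user is enough

    # Rule 2: a non-administrator opened a protected system file.
    for e in events:
        if e.event_id == OBJECT_OPEN and e.user not in ADMINISTRATORS:
            path = e.description.split(": ", 1)[-1]
            if path.startswith(PROTECTED_PREFIXES):
                findings.append(Finding("system-file-access", e.user,
                                        f"opened {path} on {e.computer}"))
    return findings


def notify(findings: list[Finding]) -> list[str]:
    """Notifier: describe each problem to the user."""
    return [f"[{f.rule}] user={f.user}: {f.detail}" for f in findings]


def run_pipeline(raw: str) -> list[str]:
    return notify(analyze(select_for_audit(parse_log(raw))))


if __name__ == "__main__":
    for message in run_pipeline(RAW_LOG):
        print(message)
```

Running it reports bob's burst of failed logons and alice's access to the SAM file, while Administrator's Internet Explorer launch is recorded by the logger but raises nothing, which is the point of page 2: the policy decides both what is logged and what is audited.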

Page 6: Security monitoring and auditing

Implementation Considerations

- Designing an auditing system involves some implementation considerations.
- Analysing the specific rules and axioms of a security model reveals the specific requirements for logging enough information to detect violations of that model.
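A worked illustration of that last point, added here and not taken from the slides: the slides name no particular model, so this takes the Bell-LaPadula rules (no read up, no write down) as the example model and derives from them which fields every audit record must carry before the analyzer can judge it. Records that were logged without the security levels come back as undecidable, which is exactly the "not enough information logged" failure the slide warns about. The level ordering, subjects, objects and records are constructed.

```python
"""Deriving logging requirements from a model's rules.

Added example, not from the slides. The slides do not name a model; the
Bell-LaPadula rules are used here as the example. To check them, an audit
record must carry the subject, the object, both security levels, the action
and the outcome the system chose; a record missing any of these cannot be judged.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed linear ordering of security levels.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

# Fields the two Bell-LaPadula rules refer to; each must appear in every record.
REQUIRED_FIELDS = ("subject", "action", "obj", "outcome", "subject_level", "object_level")


@dataclass(frozen=True)
class AuditRecord:
    subject: str
    action: str                           # "read" or "write"
    obj: str
    outcome: str                          # "granted" or "denied": what the system did
    subject_level: Optional[str] = None   # missing -> record is too thin to check
    object_level: Optional[str] = None


def allowed_by_model(action: str, subject_level: str, object_level: str) -> bool:
    """The model's rules, as the analyzer re-evaluates them after the fact."""
    ls, lo = LEVELS[subject_level], LEVELS[object_level]
    if action == "read":
        return ls >= lo      # simple security property: no read up
    if action == "write":
        return ls <= lo      # *-property: no write down
    raise ValueError(f"unknown action {action!r}")


def check(record: AuditRecord) -> str:
    """Classify one record as 'ok', 'violation' or 'undecidable'.

    A violation is an access the system granted although the model forbids
    it. A denied access is not a violation (the attempt is still worth
    logging). If the levels were never logged, the analyzer cannot decide."""
    if any(getattr(record, f) is None for f in REQUIRED_FIELDS):
        return "undecidable"
    if record.outcome == "granted" and not allowed_by_model(
            record.action, record.subject_level, record.object_level):
        return "violation"
    return "ok"


def audit(records: list[AuditRecord]) -> dict[str, list[AuditRecord]]:
    """Analyzer over a whole log: group records by verdict."""
    verdicts: dict[str, list[AuditRecord]] = defaultdict(list)
    for r in records:
        verdicts[check(r)].append(r)
    return dict(verdicts)


# Constructed sample log.
SAMPLE_LOG = [
    AuditRecord("alice", "read", "plan.txt", "granted", "secret", "confidential"),
    AuditRecord("bob", "read", "budget.xls", "granted", "confidential", "secret"),        # read up
    AuditRecord("carol", "write", "notes.txt", "granted", "top-secret", "confidential"),  # write down
    AuditRecord("dave", "read", "budget.xls", "denied", "unclassified", "secret"),
    AuditRecord("erin", "read", "memo.txt", "granted"),   # levels never logged
]

if __name__ == "__main__":
    for verdict, recs in audit(SAMPLE_LOG).items():
        print(verdict, [r.subject for r in recs])
```

The undecidable verdict on the last record is the design lesson: the logger must record the subject and object levels at the time of the access, because the analyzer cannot reconstruct them later and the model's rules cannot be checked without them.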