Auditing, or monitoring, is the process through which a subject's actions are tracked and recorded so that the subject can be held accountable for them once authenticated on a system. Auditing also helps detect unauthorized or abnormal activity on a system. It includes capturing and preserving the activities and events of subjects and the objects they act on, as well as recording the events of core system functions that maintain the operating environment and the security mechanisms.
At a minimum, each audit log entry should capture the following fields:
- User ID
- Username
- Timestamp
- Event type (such as debug, access, security)
- Event details
- Source identifier (such as IP address)
The audit trails created by logging system events can be used to assess the health and performance of a system. After a system failure, the root cause can be traced through the event logs, and log files also provide the trail for reconstructing the history of an event or backtracking an intrusion. Most operating systems, applications, and services have some native or default auditing function that provides at least a bare minimum of events.
Common attacks on auditing include the following:
- Log tampering: Unauthorized modification or deletion of audit log entries, typically to hide an attacker's activity. Forwarding logs to a separate host, using write-once storage, and protecting entries with signatures or hash chains do not prevent tampering on the source host, but they make it detectable.
- Unauthorized access to logs: An attacker reads the logs to extract sensitive information. Logs routinely contain usernames, IP addresses, and internal hostnames, and often secrets that leaked into event details, so read access should be restricted and secrets should never be written into log entries.
- Denial of service through audit logs: An attacker sends a large number of garbage requests purely to fill the logs and then the disk, resulting in a denial of service. The impact is worse when the system is configured to halt or stop serving requests once it can no longer log; a separate log partition, log rotation, and per-source rate limiting bound the damage.
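The following is an added example, not code from the original text, showing one way to implement both points above in a small append-only audit log: each entry carries the minimum fields listed earlier, every entry is protected by an HMAC that also covers the previous entry's MAC (a hash chain, so editing, deleting or reordering an entry is detectable), and a per-source rate cap stops one noisy source from filling the log. The JSON-lines layout, the field names, the key `hypothetical-collector-key` and the sample events are all assumptions made for the example.

```python
"""Append-only audit log with HMAC hash chaining and a per-source rate cap.

Added example, not from the original text. Assumes a JSON-lines layout,
HMAC-SHA256 for chaining, and a hypothetical key held by the log collector.
The sample events in demo() are constructed for illustration.
"""
import hashlib
import hmac
import json
from collections import defaultdict
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor for the first entry's "prev" link


def _canonical(entry: dict) -> bytes:
    # Deterministic serialization so the MAC covers exactly the stored fields.
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: list, key: bytes, *, user_id, username, event_type,
                 details, source_ip, timestamp=None) -> dict:
    """Append one entry with the minimum fields plus a MAC that also covers
    the previous entry's MAC, so edits, deletions or reordering break the chain."""
    prev = log[-1]["mac"] if log else GENESIS
    entry = {
        "user_id": user_id,
        "username": username,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "event_type": event_type,
        "details": details,
        "source_ip": source_ip,
        "prev": prev,
    }
    entry["mac"] = hmac.new(key, _canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry


def verify_chain(log: list, key: bytes):
    """Return (True, None) if the chain is intact, else (False, index) of the
    first entry whose link or MAC does not verify."""
    prev = GENESIS
    for i, stored in enumerate(log):
        body = {k: v for k, v in stored.items() if k != "mac"}
        if body.get("prev") != prev:
            return False, i  # a deleted or reordered predecessor
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, stored.get("mac", "")):
            return False, i  # an edited field
        prev = stored["mac"]
    return True, None


class SourceRateCap:
    """Accept at most `limit` entries per source per window; excess entries
    are counted rather than stored, so one source cannot fill the disk."""

    def __init__(self, limit: int, window_seconds: int):
        self.limit = limit
        self.window = window_seconds
        self.accepted = defaultdict(int)  # (source_ip, window_id) -> stored
        self.dropped = defaultdict(int)   # (source_ip, window_id) -> suppressed

    def allow(self, source_ip: str, ts: datetime) -> bool:
        key = (source_ip, int(ts.timestamp()) // self.window)
        if self.accepted[key] < self.limit:
            self.accepted[key] += 1
            return True
        self.dropped[key] += 1
        return False


def demo(key: bytes = b"hypothetical-collector-key") -> dict:
    """Constructed scenario: one legitimate login, then a burst of failed
    logins from a single source, followed by a tampering attempt."""
    log, cap = [], SourceRateCap(limit=3, window_seconds=60)
    ts = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    events = [("u1", "alice", "access", "login ok", "10.0.0.5")]
    events += [("u9", "mallory", "access", "login failed", "203.0.113.7")] * 5
    for uid, name, etype, det, ip in events:
        if cap.allow(ip, ts):
            append_event(log, key, user_id=uid, username=name, event_type=etype,
                         details=det, source_ip=ip, timestamp=ts.isoformat())
    intact, _ = verify_chain(log, key)
    # Log tampering: the attacker rewrites a failed login as a success.
    log[2]["details"] = "login ok"
    return {
        "stored": len(log),
        "suppressed": sum(cap.dropped.values()),
        "intact_before_edit": intact,
        "after_edit": verify_chain(log, key),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add: the chain only makes tampering detectable, not impossible, and an attacker who obtains the MAC key on the same host can rebuild the chain, so the key (or a signing step) belongs with a separate collector rather than the audited system; and suppressed entries should still be summarized (the `dropped` counts here) so that a flood is itself recorded as an event rather than silently lost.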