
Issues Concerning System Auditing

About 25 years ago, when I started working in the information security arena, one of the first issues that caught my attention was a debate over whether system auditing was necessary. Advocates argued that enabling system auditing was essential for security, because without it unauthorized activity was almost impossible to detect. Detractors countered that nobody looked at system audit log data anyway and, worse yet, that enabling system auditing consumed a large amount of system resources as well as disk space.

Twenty-five years later, many things have changed considerably. Whereas 25 years ago intrusion detection systems (IDSs) were in their infancy and intrusion prevention systems (IPSs) were unheard of, today both types of systems are deployed in a significant percentage of information security practices in medium and large businesses and organizations. Additionally, an abundance of network security monitoring tools and utilities now exists. Furthermore, one of the first things intruders typically do to disguise their activity is to disable system auditing and/or erase existing audit logs. Frankly speaking, one of the least trustworthy pieces of evidence from a potentially compromised system is its audit log data. So the issue very much persists—should system auditing be enabled?

The current answer is yes, but the primary reason is substantially different from any reason 25 years ago. Enabling and inspecting system auditing is now required by numerous compliance regulations and standards. The Payment Card Industry Data Security Standard (PCI-DSS) requirement 10, for example, mandates that all access to network resources and cardholder data be monitored. It would be difficult to demonstrate compliance with this requirement if auditing in systems that held cardholder data were not enabled. Similarly, section 10.10.1 in ISO/IEC 27001 requires continuous audit logging.

Additionally, system auditing has become an increasingly necessary part of a defense-in-depth approach to information security. With attacks as sophisticated as they now are, an abundance of clues concerning the nature of any given attack is unlikely to be available, and system audit data may be one of only a few clues there are. These data can also be used in event correlation, enabling analysts to discover patterns of attack activity that would not otherwise be recognizable. Even if attackers have disabled system auditing, the fact that it has been disabled is itself a valuable clue that a security breach has occurred. The real issue concerning system auditing is thus no longer whether it should be enabled, but rather how much auditing needs to be turned on in which particular systems. The general rule is: the more there is to lose, the more auditing needs to be enabled.
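The two points above (a disabled or cleared audit trail is itself evidence, and correlation across events reveals patterns that single entries do not) can be made concrete with a small detection pass over audit records. The following Python script is an added example, not code from the original post; the log format it parses (timestamp, host, event name, key=value fields) and the event names AUDIT_CONFIG, LOG_CLEARED and LOGIN are constructed for illustration and do not correspond to any particular operating system's audit facility. It flags explicit tampering events, silent gaps in an otherwise continuous log, and a burst of failed logins followed by a success for the same user and source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not from any real system). Format, an
# assumption for this example: "<ISO timestamp> <host> <EVENT> key=value ..."
SAMPLE_LOG = """\
2024-03-01T08:00:05 srv1 LOGIN result=failure user=alice src=10.0.0.7
2024-03-01T08:00:09 srv1 LOGIN result=failure user=alice src=10.0.0.7
2024-03-01T08:00:14 srv1 LOGIN result=failure user=alice src=10.0.0.7
2024-03-01T08:00:20 srv1 LOGIN result=success user=alice src=10.0.0.7
2024-03-01T08:01:02 srv1 AUDIT_CONFIG action=disable actor=alice
2024-03-01T09:45:00 srv1 AUDIT_CONFIG action=enable actor=alice
2024-03-01T09:45:10 srv1 LOG_CLEARED actor=alice
2024-03-01T09:46:00 srv1 LOGIN result=success user=bob src=10.0.0.9
"""


def parse(line):
    """Split one record into a dict: ts, host, event plus its key=value fields."""
    ts, host, event, *rest = line.split()
    fields = dict(kv.split("=", 1) for kv in rest)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def parse_log(text):
    return [parse(line) for line in text.splitlines() if line.strip()]


def tamper_indicators(records):
    """Records that themselves say auditing was turned off or the log was erased."""
    return [
        r for r in records
        if r["event"] == "LOG_CLEARED"
        or (r["event"] == "AUDIT_CONFIG" and r.get("action") == "disable")
    ]


def silent_gaps(records, max_gap=timedelta(minutes=30)):
    """Stretches with no audit records at all. On a host that normally logs
    continuously, silence longer than max_gap is a clue even when no
    explicit 'disable' record survived."""
    gaps = []
    for prev, cur in zip(records, records[1:]):
        delta = cur["ts"] - prev["ts"]
        if delta > max_gap:
            gaps.append((prev["ts"], cur["ts"], delta))
    return gaps


def brute_force_then_success(records, window=timedelta(minutes=5), threshold=3):
    """Correlate >= threshold failed logins followed by a success for the
    same (user, source) inside the window; no single record shows this."""
    hits = []
    failures = defaultdict(list)  # (user, src) -> timestamps of failures
    for r in records:
        if r["event"] != "LOGIN":
            continue
        key = (r["user"], r["src"])
        if r["result"] == "failure":
            failures[key].append(r["ts"])
        elif r["result"] == "success":
            recent = [t for t in failures[key] if r["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append({"user": r["user"], "src": r["src"],
                             "failures": len(recent), "at": r["ts"]})
            failures[key].clear()
    return hits


def analyse(text):
    """Run all three checks and return plain-Python findings."""
    records = parse_log(text)
    return {
        "tamper": [(r["ts"].isoformat(), r["event"]) for r in tamper_indicators(records)],
        "gaps": [(a.isoformat(), b.isoformat()) for a, b, _ in silent_gaps(records)],
        "brute_force": brute_force_then_success(records),
    }


if __name__ == "__main__":
    for name, findings in analyse(SAMPLE_LOG).items():
        print(name, findings)
```

On the sample data the script reports two tampering records (the disable and the clear), one silent gap of about 1h44m between the disable and the re-enable, and one correlated brute-force pattern for alice. The gap check is the one that matters most in practice: an attacker who wipes the log removes the explicit records, but cannot easily manufacture the continuous stream of routine events that would hide the hole.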

Despite how critical system auditing is to information security, not everyone in the IT arena has jumped aboard the auditing bandwagon. In particular, some system administrators still oppose enabling and inspecting system auditing on the basis that audit data fill up the hard drive. And, believe it or not, to some degree these individuals have actually pulled the proverbial wool over some auditors’ eyes, something that I find to be incredible because today’s computing systems almost invariably have such huge amounts of disk space. Furthermore, many tools and scripts that purge old audit data are widely available. Auditors would thus be well-advised to quickly dismiss claims that system auditing cannot be enabled because of disk space limitations.

A final question concerns whether system auditing needs to be enabled on workstations. Workstations, after all, generally do not process or hold the kinds of valuable information that servers do. The answer depends on the business and operational needs of each organization. In a very small organization with a paucity of valuable information, it might not make sense to enable auditing on workstations, even though audit data from such systems might contribute to a defense-in-depth approach to monitoring. In a much larger organization in which critical data are likely to be downloaded from servers to workstations, the opposite is likely to be true. I’ll close by saying that if there is any doubt whatsoever, system auditing should be enabled, even on workstations, because the liabilities of not doing so usually far outweigh the cost.
