Database Security and Authorization: Audit Trails

To overcome the disadvantages of the notion of roles, audit trails can be maintained.

An audit trail is a time-stamped record of significant activities on a system. Recorded events can include user logins and logouts, as well as the commands issued by the user to the system while logged in. Audit trails help in detecting security violations, performance problems, and flaws in applications.

Audit trails keep a record of data accesses, i.e., logging file creation, reading, updating and deleting for each user. Uses of system resources may also be logged, such as printing of files or copying data from one storage location to another. Unsuccessful access attempts may also be tracked.

An audit trail keeps track of who did what, to what, and when they did it, as well as who tried to do something but was unsuccessful.

A computer system may have several audit trails, each devoted to a particular type of activity.

Audit trails may be used as a support for regular system operations, as a kind of insurance policy, or as both. As insurance, audit trails are maintained but are not used unless needed, such as after a system outage. As a support for operations, audit trails are used to help system administrators ensure that the system or resources have not been harmed by hackers, insiders, or technical problems.

Uses of Audit Trails: Audit trails are a fundamental part of computer security, particularly useful for tracing unauthorized users and uses. They can also be used to assist with information recovery in the event of a system failure.

1. Advantages of Audit Trails

Audit trails help to address many security-related issues such as individual accountability, reconstruction of events, intrusion detection, and problem analysis.

  1. Individual Accountability: Audit trails are a technical mechanism that helps managers maintain individual accountability. By advising users that they are personally accountable for their actions, which are tracked by an audit trail that logs user activities, managers can help promote proper user behavior. Users are less likely to attempt to evade security policy if they know that their actions will be recorded in an audit log.
  2. Reconstruction of Events: Audit trails can also be used to reconstruct events after a problem has occurred. Damage can be more easily assessed by reviewing audit trails of system activity to pinpoint how, when, and why normal operations ceased. Audit trail analysis can often distinguish between operator-induced errors and system-created errors.
  3. Intrusion Detection: Intrusion detection refers to the process of identifying attempts to penetrate a system and gain unauthorized access. If audit trails have been designed and implemented to record appropriate information, they can assist in intrusion detection. Intrusions can be detected in real time, by examining audit records as they are created, or after the fact.
  4. Problem Analysis: Audit trails may also be used as on-line tools to help identify problems other than intrusions as they occur. This is often referred to as real-time auditing or monitoring. If a system or application is deemed to be critical to an organization's business or mission, real-time auditing may be implemented to monitor the status of these processes.

2. Audit Trails and Logs

A system can maintain several different audit trails concurrently. There are typically two kinds of audit records:

  • An event-oriented log. An audit trail should include sufficient information to establish what events occurred and who or what caused them. In general, an event record should specify when the event occurred, the user ID associated with the event, the program or command used to initiate the event, and the result. Date and time can help determine if the user was a masquerader or the actual person specified. Event-based logs usually contain records describing system events, application events, or user events.
  • Keystroke Monitoring. It is also called a record of every keystroke. Keystroke monitoring is the process used to view or record both the keystrokes entered by a computer user and the computer's response during an interactive session. Keystroke monitoring is usually considered a special case of audit trails. Examples of keystroke monitoring would include viewing characters as they are typed by users, reading users' electronic mail, and viewing other recorded information typed by users.

Keystroke monitoring is conducted in an effort to protect systems and data from intruders who access the systems without authority or in excess of their assigned authority. Monitoring keystrokes typed by intruders can help administrators assess and repair damage caused by intruders.

3. Review of Audit Trails

Audit trails can be used to review what occurred after an event, for periodic reviews, and for real-time analysis. Reviewers should know what to look for to be effective in spotting unusual activity. They need to understand what normal activity looks like. Audit trail review can be easier if the audit trail function can be queried by user ID, terminal ID, application name, date and time, or some other set of parameters to run reports of selected information. There are many types of reviews. Some of them are as follows:

  • Audit Trail Review after an Event. Following a known system or application software problem, a known violation of existing requirements by a user, or some unexplained system or user problem, the appropriate system-level or application-level administrator should review the audit trails. Review by the application/data owner would normally involve a separate report, based upon audit trail data, to determine if their resources are being misused.
  • Periodic Review of Audit Trail Data. The persons associated with the security of data, such as system administrators, function managers, and computer security managers, should determine how much review of audit trail records is necessary, based on the importance of identifying unauthorized activities. This determination should have a direct correlation to the frequency of periodic reviews of audit trail data.
  • Real-Time Audit Analysis. Traditionally, audit trails are analyzed in batch mode at regular intervals, e.g., daily. Audit records are archived during that interval for later analysis. Audit analysis tools can also be used.
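The following added example (not from the textbook) illustrates both the event-oriented record described in section 2 (when, user ID, program or command, result) and the queryable review function of section 3 (selection by user ID, terminal ID, application name, and date and time). The append-only `AuditTrail` class, its `repeated_failures` helper for a periodic review of unsuccessful access attempts, and the sample records are all constructed here for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# One event-oriented audit record: the fields the text says a record should carry,
# plus terminal ID and application name, which the text lists as review parameters.
@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user_id: str
    terminal_id: str
    application: str
    command: str
    result: str          # "success" or "failure"

class AuditTrail:
    """Append-only audit trail (illustrative design, not a product API)."""
    def __init__(self):
        self._events = []

    def record(self, event):
        self._events.append(event)      # earlier records are never changed or removed

    def query(self, user_id=None, terminal_id=None, application=None, start=None, end=None):
        """Select records by the parameters a reviewer would use to run a report."""
        return [e for e in self._events
                if (user_id is None or e.user_id == user_id)
                and (terminal_id is None or e.terminal_id == terminal_id)
                and (application is None or e.application == application)
                and (start is None or e.when >= start)
                and (end is None or e.when <= end)]

    def repeated_failures(self, threshold, window_minutes):
        """Periodic-review helper: users with >= threshold failures inside a sliding window."""
        window, flagged, recent = timedelta(minutes=window_minutes), set(), {}
        for e in sorted(self._events, key=lambda e: e.when):
            if e.result != "failure":
                continue
            times = recent.setdefault(e.user_id, [])
            times.append(e.when)
            while times and e.when - times[0] > window:   # expire failures outside the window
                times.pop(0)
            if len(times) >= threshold:
                flagged.add(e.user_id)
        return flagged

# Constructed sample records, one minute apart, starting at T0.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE = AuditTrail()
for i, row in enumerate([("alice", "tty1", "payroll", "login", "success"),
                         ("alice", "tty1", "payroll", "SELECT salary", "success"),
                         ("bob", "tty2", "payroll", "login", "failure"),
                         ("bob", "tty2", "payroll", "login", "failure"),
                         ("bob", "tty2", "payroll", "login", "failure"),
                         ("bob", "tty2", "payroll", "login", "success"),
                         ("carol", "tty3", "inventory", "DELETE item", "failure")]):
    SAMPLE.record(AuditEvent(T0 + timedelta(minutes=i), *row))
```

A reviewer doing the "after an event" review would call `query` with the affected user or application and time range; the periodic review would run `repeated_failures` over the whole interval.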

Source: Gupta, Satinder Bal and Mittal, Aditya (2017), Introduction to Basic Database Management System, 2nd Edition, University Science Press.
