Auditing (Linktionary term)

Site home page
(news and notices)

Get alerts when Linktionary is updated

Book updates and addendums

Get info about the Encyclopedia of Networking and Telecommunicatons, 3rd edition (2001)

Download the electronic version of the Encyclopedia of Networking, 2nd edition (1996). It's free!

Contribute to this site

Electronic licensing info

Auditing

Note: Many topics at this site are reduced versions of the text in "The Encyclopedia of Networking and Telecommunications." Search results will not be as extensive as a search of the book's CD-ROM.

Auditing is the collection and monitoring of events on servers and networks for the purpose of tracking security violations and to keep track of how systems are used. A network auditing system logs details of what users are doing on the network so that malicious or unintended activities can be tracked. When auditing is in place, vast amounts of information may be recorded and even archived for future reference. Some audit systems provide event alarms to warn administrators when certain levels or conditions are met.

Another form of auditing is security auditing, which uses scanners and other tools to detect security problems in servers and networks. Refer to "Security Auditing" for details.

Resource auditing is the most common form of auditing. You use it to track how users are using resources. Disk space usage is most often tracked, and many network operating systems allow administrators to set a disk usage limit. When a user reaches his or her limit, more disk space can be allocated. This may require that the user contact the administrator to request more space, at which time the user and administrator can evaluate disk space requirements and determine why the user has gone over their allocation (maybe they installed games or images from the Web).

In some environments, users are charged for the use of resources like disk space, printers, and so on. Auditing can provide the records need to charge for these resources. The charge may not be monetary, but only serve as a measure that indicates how users are using network resources.

Software metering and licensing is another area that requires auditing. Some operating systems and some software packages include metering functions that help companies track when the number of allowable licensed users for a software package has been exceeded so additional licenses can be purchased.

Network management systems provide centralized management features that help administrators and auditors keep track of systems throughout a network. Refer to "Network Management" for more details.

Auditing System Examples

NetWare 4.x provides a good example of an auditing system. It designates a network user known as the auditor to track events on the network. The events fall into two categories: volume tracking and container tracking. Each auditing category can have a distinct password, so, for example, the auditor who tracks volume events cannot track container events without the container password. However, one auditor can track all events if necessary.

One of the primary users to track with the auditing system is the network administrator, who basically has unlimited rights to the system. An auditor can keep administrators "honest" by passively tracking and monitoring all their activities. Initially, the network administrator creates a special auditor account, usually as directed by higher-level management. The auditor then logs in to the account and immediately changes the password, effectively blocking all access to the account, even by the network administrator.

The auditor can then set up auditing features, view audit logs, and work in designated audit directories. A record is kept for every activity that is designated for tracking. Events that can be tracked are listed here:

Directory creation and deletion

Creating, opening, closing, deleting, renaming, writing, and salvaging files

Modifying directory entries

Queue activities

Server events, such as changing the date and time, downing the server, and mounting or dismounting volumes

User events, such as logon, logoff, connection termination, space restrictions, granting of trustee rights, and disabling of accounts

Directory services events, such as changes in passwords, security, and logon restrictions

Activities of a specific user, such as a supervisor or network administrator

Auditing records can be viewed using special filters to produce reports that show specific activities. Filters can be applied to show specific date and time ranges, specified events, file and directory events, or user events.

The Windows NT auditing system lets you track events that occur on individual servers related to security policies, system events, and application events. Two types of auditing events can be tracked. The first is user account auditing, which tracks security events and logs them in the server's security log. The second is file system auditing, which tracks file system events. For example, to set up auditing in Windows NT, you open the dialog box shown in Figure A-18. Note that you can track the success and/or failure of an event. For example, you might want to always track logon failures.

[Figure 18: See book]

The syslog facility exists in the UNIX operating system to create audit trails. It is necessary to protect the audit records from alteration or destruction. They can, for example, be copied to another system that is accessible only by administrators or an auditor.

Administrators should be on the lookout for a large number of failed logon attempts or logins that take place at odd hours, which usually indicate that an intruder is attempting to access the system.

Section 4.6 in RFC 2196 (Site Security Handbook, September 1997) provides useful information about auditing such as collecting and handling auditing information, and preserving it for investigations and prosecutions. Also see RFC 2903 (Generic AAA Architecture, August 2000).