Security Audit
Security auditing is the formal review of system users.
This process is conducted to determine the effectiveness of existing security controls, watch for system misuse or abuse by users, verify compliance with current security policies, validate that documented procedures are followed, and detect anomalies or intrusions. Effective auditing requires that the correct data be recorded and that it undergoes periodic review.
In order to provide individual user accountability, the computing system must be able to correctly identify and authenticate each user.
This is the distinguishing factor between system log data and user audit data. Log data, captured by for example, is typically generated by system processes and daemons that report significant events or information. It does not correspond to specific user actions, nor is it directly traceable to a specific user. Audit data generated by the system corresponds directly to recorded actions taken by identifiable and authenticated users, associated under a unique audit identifier (audit ID). Additionally, all processes associated with a user must inherit the audit ID.
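The following Python example is added here and is not part of the original page. It runs over constructed audit records, with assumed field names (`pid`, `ppid`, `audit_id`, `euid`, `event`), to check that each process inherited its parent's audit ID and to attribute events to the authenticated user even after the effective user changes.

```python
from collections import defaultdict

# Constructed sample records, not taken from any real system. Assumed fields:
# audit_id is fixed at authentication; euid is the effective user at event time.
RECORDS = [
    {"pid": 100, "ppid": 1,   "audit_id": 1001, "euid": 1001, "event": "login"},
    {"pid": 101, "ppid": 100, "audit_id": 1001, "euid": 1001, "event": "exec /bin/sh"},
    {"pid": 102, "ppid": 101, "audit_id": 1001, "euid": 0,    "event": "exec /usr/bin/su"},
    {"pid": 103, "ppid": 102, "audit_id": 1001, "euid": 0,    "event": "open /etc/shadow"},
    {"pid": 200, "ppid": 1,   "audit_id": 1002, "euid": 1002, "event": "login"},
    # Deliberately inconsistent: child carries a different audit ID than its parent.
    {"pid": 201, "ppid": 200, "audit_id": 1001, "euid": 1002, "event": "exec /bin/ls"},
]

def check_inheritance(records):
    """Return pids whose audit ID differs from the audit ID of their parent."""
    by_pid = {r["pid"]: r for r in records}
    broken = []
    for r in records:
        parent = by_pid.get(r["ppid"])  # parent outside the trail: nothing to compare
        if parent is not None and parent["audit_id"] != r["audit_id"]:
            broken.append(r["pid"])
    return broken

def actions_by_user(records):
    """Group events by audit ID so they stay attributed to the authenticated user."""
    grouped = defaultdict(list)
    for r in records:
        grouped[r["audit_id"]].append(r["event"])
    return dict(grouped)

def identity_changes(records):
    """Events performed under an effective UID that differs from the audit ID."""
    return [(r["audit_id"], r["euid"], r["event"])
            for r in records if r["euid"] != r["audit_id"]]

if __name__ == "__main__":
    print("inheritance violations (pids):", check_inheritance(RECORDS))
    for audit_id, events in actions_by_user(RECORDS).items():
        print(f"audit ID {audit_id}: {events}")
    for audit_id, euid, event in identity_changes(RECORDS):
        print(f"audit ID {audit_id} acted as euid {euid}: {event}")
```

The events run as `euid` 0 still appear under audit ID 1001, which is the accountability property the audit ID provides; the record for pid 201 is reported because its audit ID does not match its parent's.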
Once the audit data is recorded, it must be reviewed on a regular basis in order to maintain effective operational security. Administrators who review the audit data must watch for events that may signify intrusions, or misuse or abuse of the system and user privileges.
Some examples include: