Information Security - Six: Audit

xiaoxiao, 2021-03-06

Chapter 4 Audit

4.1 Overview of Audit

Auditing is an indispensable part of a modern secure computer system. Building on security measures such as identification, access control, information-flow control and cryptography, it further strengthens the trustworthiness of the system. Security auditing of computer systems (audit-trail technology) and auditing of electronic data processing (EDP) systems are two different concepts. The latter is a method of evaluating computer system security: it investigates the system and its environment, evaluates the continuity and integrity management of the data obtained, and from that evaluates the security of the computer system. Here, auditing means a mechanism that imitates a social supervisory body to monitor, record and control user activity in a computer system. Its goal is to detect and identify malicious attacks and misuse of the system, and, as an effective means of after-the-fact analysis and tracing, to protect system security. It has a deterrent effect on illegal user activity and gives the system a further degree of security assurance.

As early as the 1970s, with the spread of multi-user, time-sharing computer systems, auditing gradually developed as a technology for guaranteeing computer system security. Early systems such as Burroughs' MCP, Honeywell's GCOS, IBM's MVS and ICL's VME 2900 had audit functions. With the wide application of computer technology, traditional audit techniques have continued to develop and strengthen, and modern systems such as VAX/VMS, Unix and Oracle all have audit functions.

As an effective security measure, auditing works at the level of user behaviour, not merely at the level of each isolated user operation. User behaviour here means a series of operations over a period of time together with the logical relationships among them. Many harmful behaviours show no harm in any single operation; the attack and the damage (such as abuse of privilege or inference) appear only at the level of the whole behaviour. In a secure computer system, auditing is usually designed as a relatively independent subsystem. In addition, the system defines a privileged user, the system auditor, who is responsible for managing matters related to system auditing.

4.2 The function of the audit subsystem

To fulfil its purpose, the audit subsystem should provide the following functions with respect to user behaviour.

1. Event collection function

Among the many user activities, not all events are harmful to system security, so the audit subsystem should collect events according to the requirements of the system auditor or the user. This is usually implemented by setting an audit switch for each event: the open or closed state of the switch determines whether the event falls within the collection range, that is, within the scope of supervision.

2. Event filtering

Because events differ, their severity for system security also differs. The audit subsystem should filter the collected events according to the requirements of the system auditor or the user and write the content of the events to be recorded into the audit log. This is usually implemented by setting an audit threshold for the event. The audit threshold is a value on the severity scale of event results: when the result of an event is at least as severe as the audit threshold, the event is considered to satisfy the filtering criterion and must be recorded. Such an event is called an audit event; otherwise it is a non-audit event. An audit event is therefore an event that satisfies both the configured audit switch and the audit threshold.

3. Analysis and Control Function of Events

The audit subsystem must have control functions for events that seriously endanger system security. When the frequency of illegal events exceeds a set value, it can warn the user in time; when the events are extremely severe, the system no longer allows the user to log in, unless the system administrator intervenes and grants login again. This part of the function is usually achieved by setting an alarm threshold and a penalty threshold in the system.

The alarm threshold is defined as the maximum number of illegal events that can be tolerated (such as 10 times) within a certain period of time (such as 1 hour). The penalty threshold is defined as the maximum number of alarm events for a user that the system can tolerate.

4. Log maintenance and query function

Behaviour endangering system security may extend over a long time and often cannot be discovered immediately, and later analysis and investigation also depend on the records. So the information obtained by collection and filtering must not be lost easily; it must be kept for a long time and be available for query at any time. The carrier used to record audit information is called the audit log. On the other hand, even after collection and filtering the volume of audit events is very large, so log maintenance must also re-filter and compress the event data.

5. Audit information security protection

Audit information concerns user behaviour and often contains much confidential information, so the audit subsystem must ensure it cannot be stolen. Users are allowed to query the audit log, but a user must only be able to query the information he is entitled to see. In addition, to provide a reliable basis for later tracing, audit information must be unalterable, which requires the audit subsystem to protect both the confidentiality and the integrity of audit information.

The workflow of the audit subsystem is shown in Figure 4.1.

Figure 4.1 Auditing subsystem workflow chart (diagram not reproduced; its labelled elements are: user, user behaviour, collect, filter, audit incident, analysis, control, control commands, analysis results, log maintenance, log)

4.3 Implementation mechanism of audit subsystem

The audit subsystem should contain the following functional modules:

1. Initialization

To implement collection, filtering, analysis and control accurately, the audit subsystem needs a lot of reference information, which is stored in the form of a data dictionary; to hold the content of audit events it also needs a temporary log table. Establishing the audit-related data dictionary, generating the reference information and creating the temporary log table must be completed by the audit initialization module when the system is installed.

2. Opening and closing the audit function

Before the audit function is opened, user behaviour is not monitored at all. Once it is opened, events occurring in the system are monitored and recorded until it is closed. The user with the right to open the audit function should be the auditor; ordinary users in the system may also be granted the right to open the audit function, but only the auditor has the right to close it. No other user in the system (including the system administrator and the system security officer) has the right to close the audit function. The open or closed state of the audit function is represented by a switch.

3. Settings of switches and thresholds

Events involving system security can be divided into two categories, user-level events and system-level events, corresponding to two types of switch: user-level switches and system-level switches.

User-level events are the most frequent and most common events in the system, for example inserting, deleting, modifying and querying data in a database system. For such events it is more appropriate to use the object as the audit granularity. In a database system, switches can be set for each object for operations such as modifying its structure, granting or revoking authorization, inserting, querying, modifying and deleting. Any user who created an object in the system can make audit settings for it with these switches, and the system auditor can make audit settings for any object in the system. The states of these switches may therefore differ from object to object.

System-level events are far fewer than user-level events, but their impact on the security of the whole system is large; examples are users logging in and out, operations of the system administrator, the system security officer and the system auditor, and the creation of objects such as system resources. For such events it is more appropriate to monitor with the event class as the granularity, each of these five classes corresponding to one switch.

Event results can be classified by their degree of impact on system security, and this classification forms the value range of the audit threshold. For example, event results can be divided into four classes:

(1) Success: the operation completed successfully.

(2) Failure: a general error occurred during the operation, posing only a slight threat to system security, such as a syntax error, a wrong subject or object name, or too many columns defined for a table.

(3) Error: the operation violated the security policy but does not constitute a serious threat to system security, such as creating an object that already exists, deleting a table that is not empty, or entering a wrong password at login.

(4) Illegal: the operation violated the security policy and constitutes a serious threat to system security, such as closing the audit function without system auditor privilege, or attempting a write access that violates the security levels.

Generally, event results are defined as a total order of increasing severity, such as success, failure, error, illegal.

The audit threshold is defined as one of the four results above. When event result ≥ audit threshold, the event is an audit event and must be recorded. For example, if the audit threshold of an event is defined as error, the event is recorded when its result is error or illegal.

The audit threshold, alarm threshold and penalty threshold are only meaningful when the audit switch is open. Of course, even when the audit switch is open, if no alarm and penalty thresholds have been set, default values can be assumed for them.

4. Event collection, filtering, and control

The purpose of event collection and filtering is to determine whether the current event is an audit event, that is, whether the audit subsystem records its information.

For a system-level event, the class number of the event is first read from its table, and the audit threshold for that class is looked up in the corresponding table by class number. If the audit threshold is not empty, the event satisfies the audit switch; it is then checked whether event result ≥ audit threshold holds, and if so the event is an audit event.

For a user-level event, the audit settings of the object involved in the event are first looked up in the system dictionary table. If an audit threshold exists for it, it is then checked whether event result ≥ audit threshold holds, which decides whether the event is an audit event.

An event whose result is illegal should be treated as an audit event regardless of whether the audit switch is open or a threshold has been set.

If, within the time period set by the system, a user's number of illegal events or of alarm events reaches the corresponding threshold (≥), the event is an alarm event or a penalty event respectively. The system maintains an alarm linked list and a penalty linked list for each user, recording the time of every illegal event and every alarm event.

If the current event is determined to be a penalty event, then in addition to recording the corresponding information, the audit subsystem withdraws the user's login right and terminates the running program, so that he can no longer enter the system until the system administrator restores that right.
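The collection, filtering and control steps of items 3 and 4 above, as an added illustration (not code from the chapter): the audit switch and audit threshold decide whether an event is recorded, illegal results are always recorded, and per-user alarm and penalty lists turn repeated illegal events into alarm and penalty events. The class and method names, the dictionary returned by `process`, and the choice to restart the illegal-event count after an alarm fires are assumptions made for this example.

```python
from collections import deque
from dataclasses import dataclass, field
from enum import IntEnum


class Result(IntEnum):
    """Event results in the chapter's total order: success < failure < error < illegal."""
    SUCCESS = 0
    FAILURE = 1
    ERROR = 2
    ILLEGAL = 3


@dataclass
class UserState:
    """Per-user bookkeeping: the chapter's alarm linked list and penalty linked list."""
    illegal_times: deque = field(default_factory=deque)  # times of recent illegal events
    alarm_times: deque = field(default_factory=deque)    # times of recent alarm events
    locked: bool = False                                 # login right withdrawn by a penalty


class AuditSubsystem:
    def __init__(self, alarm_threshold=10, penalty_threshold=3, period=3600):
        self.alarm_threshold = alarm_threshold      # tolerated illegal events per period
        self.penalty_threshold = penalty_threshold  # tolerated alarm events per period
        self.period = period                        # length of the time period in seconds
        self.switches = {}   # (object, operation) -> audit threshold; no entry = switch closed
        self.users = {}      # user name -> UserState
        self.log = []        # temporary log of audit records

    def set_switch(self, obj, op, threshold):
        """Open the audit switch for (obj, op) and set its audit threshold."""
        self.switches[(obj, op)] = Result(threshold)

    def close_switch(self, obj, op):
        self.switches.pop((obj, op), None)

    def _count_in_period(self, times, now):
        """Drop timestamps older than one period and return how many remain."""
        while times and times[0] < now - self.period:
            times.popleft()
        return len(times)

    def process(self, user, obj, op, result, now):
        """Collect, filter and control one event; returns the subsystem's decisions."""
        state = self.users.setdefault(user, UserState())
        if state.locked:   # penalised user: the operation is not allowed at all
            return {"audited": False, "alarm": False, "penalty": False, "rejected": True}
        threshold = self.switches.get((obj, op))
        # An illegal result is always an audit event, whatever the switch and threshold say.
        audited = result == Result.ILLEGAL or (threshold is not None and result >= threshold)
        alarm = penalty = False
        if result == Result.ILLEGAL:
            state.illegal_times.append(now)
            if self._count_in_period(state.illegal_times, now) >= self.alarm_threshold:
                alarm = True
                state.illegal_times.clear()   # assumption: an alarm restarts the illegal count
                state.alarm_times.append(now)
                if self._count_in_period(state.alarm_times, now) >= self.penalty_threshold:
                    penalty = True
                    state.locked = True       # withdraw login right until restore() is called
        if audited:
            self.log.append({"time": now, "subject": user, "object": obj, "operation": op,
                             "result": result.name, "alarm": alarm, "penalty": penalty})
        return {"audited": audited, "alarm": alarm, "penalty": penalty, "rejected": False}

    def restore(self, user):
        """System administrator re-grants the login right after a penalty event."""
        self.users[user].locked = False
        self.users[user].alarm_times.clear()
```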

5. Maintenance of audit logs

The audit log is the carrier that records the audit content. It is divided into two levels: the temporary log and the archive log.

The time of each audit event, its subject, its object, the operation type, the event result and some further content related to system security together constitute the audit content, which is written to the audit log in a fixed format. The audit log should be easy to query.

The temporary log is an area that holds audit information for the recent period, equivalent to a buffer; it can be stored as tables in the database. It can consist of a primary table and several auxiliary tables: the primary table holds the public content of all events together with various flags related to the audit log. The public content of an event includes the subject identifier and object identifier, the operation number, the result class and the time of occurrence. The flags related to the audit log include the name of the related auxiliary table, the record number in that auxiliary table, a record flag, an alarm-event flag and a penalty-event flag. The auxiliary tables hold the content other than the public content, which may vary from event to event (such as the identifier of the subject that granted an authorization).

When the temporary log grows to a certain limit, the system stops work and prompts the system auditor to unload the temporary log and store it in the archive log; only the auditor has the right to archive. Although the events have been collected and filtered, the amount of recorded information is still very large and occupies a lot of space over a long time, so data compression should be used. Moreover, this information is very sensitive and must be encrypted. Since the archive has to be kept for a long time, the key used to encrypt it must also be kept for a long time, and storing the key directly is very unsafe. A dynamic key-generation method can be used instead, in which only the parameters for generating the key are stored. If the data itself is used directly as a parameter, the parameter need not be stored at all, and this way of generating keys can give different segments of the same file different keys, which to some extent further strengthens the security of the log.

6. Querying the audit log

The audit log records audit events in time order, but it should offer a variety of query methods: by object, by user, by event type, or combinations of these. To obtain the complete audit content, when a record is read from the primary table the corresponding secondary information is read from the auxiliary table, and the complete audit information is presented to the user. In general, a user can query the audit content in the temporary log generated by his own settings, while the system auditor can query all temporary logs and archive logs.

7. Security self-maintenance

The audit subsystem should have a security module that performs, to a certain extent, security checks and control of events related to the audit function, to ensure the security of the audit subsystem and the audit log. Its security maintenance is as follows:

(1) At least one ordinary user and the system auditor can execute the command that opens the audit function, but only the system auditor can use the command that closes it.

(2) A user can only set audits on the objects he owns; the system auditor can set audits on all objects in the system. Only the system auditor can set audits on system-level events.

(3) An ordinary user can only view the audit content obtained from his own settings and cannot view audit information obtained from the system auditor's settings. The system auditor can query all audit information.

(4) Maintenance and archiving of the audit log can only be done by the system auditor.

The structure of the audit subsystem and the relationships among its function modules are shown in Figure 4.2.

Figure 4.2 Structure of the audit subsystem (diagram not reproduced; its labelled modules are: total control module, setup module, log maintenance module, collect/filter module, log query module, open/close module, security self-maintenance module, data dictionary, audit log)

4.4 Related questions

4.4.1 Audit granularity

The audit switch determines the collection range of events. According to the needs of the actual system, different kinds of object can be chosen as the audit granularity for the switch settings. For user-level events the following audit granularities can be considered:

(1) Objects (such as files and relations) as the audit granularity

Audit settings are made with the object as the granularity: a set of audit switches is configured for each object to audit all or part of the operations on that object. This approach allows key monitoring of particular objects and is the most common way of setting audits.

(2) The user as the audit granularity

Audit settings are made with the user as the granularity: a set of audit switches is configured for each user to audit all or part of that user's operations. This approach allows key monitoring of particular users, and is very useful in fields such as finance for preventing and discovering untrusted internal subjects.

(3) The (user, object) pair as the audit granularity

Audit settings are made with the (user, object) pair as the granularity: a set of audit switches is configured for each pair, so as to monitor targeted malicious attacks that untrusted users may make on specific objects.

4.4.2 Auditing in multi-level security systems

In a system that implements multi-level security access control, the design of the audit subsystem must follow the multi-level security policy. It therefore differs from auditing in ordinary systems in users' audit rights, in threshold settings, and in logging and querying.

First, although a user who owns an object can open the audit function and set audits on his objects, he cannot audit users whose security level is higher than his own; at the very least, he cannot see those users' operations and their results.

In addition, in a multi-level security system subjects and objects are assigned security levels (security labels), and event filtering sometimes has to be done by security level. To meet this need, the audit threshold can be defined in two parts: a security-level threshold and a severity threshold. The value range of the security-level threshold is the set of security levels of subjects and objects in the system; the value range of the severity threshold is the set of event results, where a result of success is the minimum severity and a result of illegal is the maximum. The audit threshold is therefore given by a pair K = ({C1, C2, ..., Cn}, A), where C1, C2, ..., Cn are security-level thresholds and A is the severity threshold.

In an audit with the object as the granularity, K can be used to audit those events whose subject has security level Ci (i = 1, 2, ..., n) and whose result has severity ≥ A. Because security levels usually form a partial order rather than a total order, allowing several security-level thresholds to be chosen is convenient for the audited object.

In an audit with the user as the granularity, K can be used to audit those events in which the object accessed by the user has security level Ci (i = 1, 2, ..., n) and the result has severity ≥ A.

In an audit with the (user, object) pair as the granularity, the user and the object are already specified, so whether an event is an audit event can be decided from the collected event result alone. The corresponding audit threshold is therefore K = (∅, A): only a severity threshold is needed.

In multi-level security systems, the audit content of an event contains not only the subject and object of the event but usually also their security levels. At the same time, the audit subsystem must assign a security level to each item of audit information, to ensure that a low-level user cannot obtain from the audit log information about high-level users that he should not have. Audit-log queries should also allow the system auditor or a user to query the audit content of events involving users of a specified security level or range of security levels.
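The two-part threshold K = ({C1, ..., Cn}, A) of this section, applied at the three audit granularities, together with security-level labelling of audit records and the query rule that a user sees only records his own level dominates, as an added illustration (not code from the chapter). The lattice of clearance plus categories, the rule that a level is selected when it dominates at least one Ci, the labelling of a record with the join of subject and object levels, and all function names are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    """Event results in the chapter's total order; A in K = ({C1..Cn}, A) is one of these."""
    SUCCESS = 0
    FAILURE = 1
    ERROR = 2
    ILLEGAL = 3


@dataclass(frozen=True)
class Level:
    """A security label: a hierarchical clearance plus a set of categories (constructed lattice)."""
    clearance: int
    categories: frozenset

    def dominates(self, other):
        # Partial order: higher-or-equal clearance AND a superset of categories.
        return self.clearance >= other.clearance and self.categories >= other.categories

    def join(self, other):
        # Least upper bound; used to label an audit record with both subject and object levels.
        return Level(max(self.clearance, other.clearance), self.categories | other.categories)


@dataclass(frozen=True)
class AuditThreshold:
    """K = ({C1, ..., Cn}, A): level thresholds (empty for (user, object) granularity) and A."""
    levels: frozenset
    severity: Severity


def _level_selected(level, thresholds):
    # Assumption: a level is selected when it dominates at least one Ci. Several Ci are allowed
    # precisely because security levels are only partially ordered.
    return any(level.dominates(c) for c in thresholds)


def is_audit_event(k, granularity, subject_level, object_level, result):
    """Decide whether an event is an audit event under threshold K at the given granularity."""
    if result < k.severity:                 # the severity part A applies at every granularity
        return False
    if granularity == "object":             # object granularity: filter on the subject's level
        return _level_selected(subject_level, k.levels)
    if granularity == "user":               # user granularity: filter on the object's level
        return _level_selected(object_level, k.levels)
    if granularity == "user_object":        # K = (empty set, A): user and object already fixed
        return True
    raise ValueError(f"unknown audit granularity: {granularity}")


def label_record(subject_level, object_level, record):
    """Give an audit record its own security level so low-level users cannot read it."""
    return {**record, "level": subject_level.join(object_level)}


def query_visible(records, querier_level):
    """Return only the records whose level the querying user dominates."""
    return [r for r in records if querier_level.dominates(r["level"])]
```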

4.4.3 Conflicts

Regarding the opening of the audit function, the simplest design gives this right only to the system auditor, and no other user can open it. This centralized management model simplifies system management and has good security, but it is inconvenient for users. Giving at least the users who own objects the right to open the audit function is necessary in modern large enterprises and office automation systems. However, the system auditor has the right to close the audit function, which may cause conflicts, especially when a user needs auditing but the system auditor has turned it off. In addition, users can set audits on their own objects while the system auditor can set audits on all objects in the system; if both set audits on the same object with different thresholds, a conflict arises. For these conflicts the audit subsystem must adopt an appropriate priority policy according to the application background: either the system auditor's settings take priority, or a particular audit threshold takes priority.

Auditing consumes a great deal of time and space in a real system, and it is usually impossible to collect and audit all events. Which events must be collected and audited and which can be left out must therefore be weighed carefully.

Exercises 4

4.1 What is the status and role of auditing in computer information system?

4.2 What functions should the audit subsystem have?

4.3 What thresholds need to be set during the audit process? What roles do they play?

4.4 What is an audit log? What role does it play in auditing?

4.5 Why should the behaviour of system administrators and system security officers be audited?

Please cite the original address when reposting: https://www.9cbs.com/read-102246.html
