Audit policy

Develop a policy for auditing based on the amount of security the site requires, the types of users administered, and the costs of auditing. Document the policies, perform periodic reviews, and update the policies as needed. Based on the policy, make the following decisions as part of planning:

Decide which users and events to audit based on the site policy.

Decide whether to audit the selected events for success, for failure, or both. Auditing for failure locates abnormal events; auditing for success monitors system use.

Determine the level of detail and the format of the audit information according to the site policy.

Define roles (who gets to do what)

Security Administrator

Plans what to audit according to the site security policy and goals; implements the policies; and develops an archive strategy, including encryption of the archives.

System Administrator

Plans for disk space (local and remote) and other resources; configures automatic backup, archiving, and log rotation; and, for centralized management, determines the audit server and the network layout of the audited systems.

HP-UX RBAC

Implement roles, such as a reader of audit trails, so that the audit trails are protected from snooping.

Establish standard operational procedures to support and maintain the policies. For example:

Decide whether the audit subsystem must block, suspending system activities so that no audit data is ever lost, or must discard records rather than suspend system activities, when the disk space on the audit file systems is exhausted.

Determine a regular maintenance schedule that automatically backs up audit data and frees space for more audit records.
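The two overflow policies above (block versus discard) and the maintenance schedule that relieves them can be compared on a small model. The following Python is an added example, not code from the HP-UX paper; the file system, the record capacity (counted in records rather than bytes) and the sample records are all constructed for illustration, and the names are hypothetical.

```python
"""Added example: model of the audit-overflow policies 'block' and 'discard',
plus a scheduled maintenance job that archives records and frees space.
Capacities are in records, not bytes; all names are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, List


class AuditSpaceExhausted(Exception):
    """Raised in 'block' mode: the activity that produced the record must wait."""


@dataclass
class AuditFileSystem:
    capacity: int                     # maximum records the audit file system holds
    mode: str                         # "block" or "discard"
    records: List[str] = field(default_factory=list)
    archive: List[str] = field(default_factory=list)
    discarded: int = 0

    def write(self, record: str) -> bool:
        """Append one record; return True if it was stored.
        'block': a full file system suspends the caller (raises).
        'discard': the record is dropped and counted, so the activity that
        generated it continues but the audit trail now has a gap."""
        if len(self.records) >= self.capacity:
            if self.mode == "block":
                raise AuditSpaceExhausted("audit file system full; activity suspended")
            self.discarded += 1
            return False
        self.records.append(record)
        return True

    def maintenance(self) -> int:
        """Scheduled job: back up (archive) the current records and free the space.
        Returns the number of records moved to the archive."""
        moved = len(self.records)
        self.archive.extend(self.records)
        self.records.clear()
        return moved


def generate_records(n: int) -> List[str]:
    # Constructed sample records; the fields are illustrative only.
    return [f"event={i} user=uid{i % 3} action=file_open" for i in range(n)]


def run_policy(mode: str, capacity: int, n_records: int, maintenance_every: int) -> Dict[str, int]:
    """Drive n_records through a file system with the given overflow policy,
    running maintenance every `maintenance_every` records. Returns a summary of
    how many records survived, were discarded, or caused a suspension."""
    fs = AuditFileSystem(capacity=capacity, mode=mode)
    suspended = 0
    for i, rec in enumerate(generate_records(n_records), start=1):
        try:
            fs.write(rec)
        except AuditSpaceExhausted:
            suspended += 1            # the activity waits here in a real system
            fs.maintenance()          # an operator or job frees space, then retry
            fs.write(rec)
        if i % maintenance_every == 0:
            fs.maintenance()
    return {
        "stored": len(fs.records) + len(fs.archive),
        "discarded": fs.discarded,
        "suspensions": suspended,
    }


if __name__ == "__main__":
    for policy in ("block", "discard"):
        print(policy, run_policy(policy, capacity=5, n_records=20, maintenance_every=8))
```

With the same capacity and maintenance interval, the block policy keeps every record at the cost of two suspensions, while the discard policy never suspends but silently loses six records; shortening the maintenance interval relative to the record rate is what reduces both numbers.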

Audit generation and capture

Collecting sufficient data to meet the requirements of regulations and forensic analysis is a significant challenge. For example, the payment card industry standard requires organizations to track and monitor all access to network resources and cardholder data. Data must be collected from many sources, including security systems, operating and storage systems, and applications. Events that must be recorded include the following:

Privileged, administrative or root access.

Enabling and disabling of security systems, and accesses to audit logs.

System and service startup and shutdown.

File accesses and changes to access rights on servers.

Rejected system, application, file, or data access attempts and other failed actions.

Login attempts, and the amount of data sent and received during each session, on remote access and wireless access systems.

Note:

Log sources typically reference an internal clock when placing a time stamp on a log entry. Ensure that the internal clocks of all log sources are synchronized to a trusted, accurate time server.
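A central collector can detect a source whose clock has drifted by comparing each entry's own time stamp with the time the collector received it. The Python below is an added example, not part of the paper: the line format (collector receive time, source host, source time stamp, message), the tolerance, and the sample entries are all constructed for illustration, and the function names are hypothetical.

```python
"""Added example: estimate each log source's clock offset from the collector's
receive time, flag sources outside tolerance, and build a timeline with the
offsets corrected. Line format and sample data are constructed."""
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample: "<collector receive time> <host> <source time stamp> <message>"
# hostB's clock is about five minutes slow; hostC's entry arrived one second late.
SAMPLE_LOG = """\
2024-03-10T10:00:00Z hostA 2024-03-10T10:00:00Z login user=alice result=success
2024-03-10T10:00:02Z hostB 2024-03-10T09:55:01Z login user=alice result=failure
2024-03-10T10:00:05Z hostC 2024-03-10T10:00:04Z su from=alice to=root result=success
2024-03-10T10:00:06Z hostB 2024-03-10T09:55:05Z login user=alice result=success
2024-03-10T10:00:10Z hostA 2024-03-10T10:00:10Z audit op=disable result=success
"""

FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line: str) -> Tuple[datetime, str, datetime, str]:
    received, host, stamped, message = line.split(" ", 3)
    return datetime.strptime(received, FMT), host, datetime.strptime(stamped, FMT), message


def clock_offsets(log_text: str) -> Dict[str, timedelta]:
    """Per source, the median of (source stamp - collector receive time).
    The median tolerates a few delayed deliveries; delivery latency shows up
    as a small negative offset, a wrong clock as a large one of either sign."""
    diffs: Dict[str, List[timedelta]] = {}
    for line in log_text.splitlines():
        received, host, stamped, _ = parse_line(line)
        diffs.setdefault(host, []).append(stamped - received)
    return {host: median(d) for host, d in diffs.items()}


def out_of_tolerance(offsets: Dict[str, timedelta], tolerance: timedelta) -> List[str]:
    """Sources whose estimated offset exceeds the tolerance; these need their
    time synchronization checked before their entries are trusted."""
    return sorted(host for host, off in offsets.items() if abs(off) > tolerance)


def timeline(log_text: str, offsets: Dict[str, timedelta]) -> List[Tuple[datetime, str, str]]:
    """Events ordered by source time corrected with the estimated offset.
    Pass an empty dict to see the misleading order the raw stamps give."""
    events = []
    for line in log_text.splitlines():
        _, host, stamped, message = parse_line(line)
        events.append((stamped - offsets.get(host, timedelta(0)), host, message))
    return sorted(events)


if __name__ == "__main__":
    offsets = clock_offsets(SAMPLE_LOG)
    print("suspect sources:", out_of_tolerance(offsets, timedelta(seconds=30)))
    for when, host, message in timeline(SAMPLE_LOG, offsets):
        print(when.isoformat(), host, message)
```

On the sample data, the raw stamps place hostB's login failure five minutes before anything else happened, while the corrected timeline puts it between hostA's login and the root escalation on hostC, which is the order the collector actually observed. Offsets estimated this way include network latency, so keep the tolerance well above normal delivery delay.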
