Auditing




Auditing is a way of tracking predefined events of a user or group of users on a particular computer system. Most modern-day operating systems offer a built-in auditing tool or utility for tracking certain events. Windows 2000, for example, gives administrators the ability to audit, log, and track the following events:

  • Account log-on

  • Account management

  • Directory service access

  • Log-on events

  • Object access

  • Policy change

  • Privilege use

  • Process tracking

  • System events

Auditing too many events, or events that are unnecessary, on a workstation or server can drastically hamper the system’s performance. To minimize the risk to a system without auditing everything, Microsoft offers several recommendations for the important events that should be audited.

Enabling auditing of failed user log-ons and log-offs helps identify the threat posed by password-guessing programs or similar attacks. To avoid the misuse of user privileges, you should enable auditing for security policy changes and certain system events, such as system shutdown and restart. After auditing has been enabled in Windows NT or Windows 2000, the results of the audited events can be viewed in the Windows Event Viewer.
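To make the failed-log-on recommendation concrete, here is an added example (not from the exam guide) of the kind of review an administrator would perform on the security log. The sample records are constructed for this example and follow an assumed one-line-per-event layout; the event IDs used are the Windows NT/2000 security-log IDs for successful log-on (528), log-on failure (529) and log-off (538). The detector flags any account whose failures exceed a threshold inside a sliding time window, which is the pattern a password-guessing program leaves behind.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows NT/2000 security-log entries.
# Assumed layout for this example: "<ISO timestamp> <event id> <account> <workstation>"
SAMPLE_LOG = """\
2003-03-01T08:00:01 528 alice WS01
2003-03-01T08:00:05 529 bob WS07
2003-03-01T08:00:06 529 bob WS07
2003-03-01T08:00:07 529 bob WS07
2003-03-01T08:00:08 529 bob WS07
2003-03-01T08:00:09 529 bob WS07
2003-03-01T08:00:15 529 carol WS02
2003-03-01T08:01:00 528 carol WS02
2003-03-01T08:15:00 529 bob WS07
2003-03-01T08:30:00 538 alice WS01
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)$")
LOGON_FAILURE = 529  # NT/2000 "Logon Failure" event ID


def parse_events(text):
    """Parse the assumed one-line format into (timestamp, event_id, account, host) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort the review
        ts, eid, account, host = m.groups()
        events.append((datetime.fromisoformat(ts), int(eid), account, host))
    return events


def find_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Return {account: (count, first_ts, last_ts)} for every account that
    accumulates `threshold` or more log-on failures within any `window`."""
    recent = defaultdict(deque)  # per-account timestamps of failures still inside the window
    alerts = {}
    for ts, eid, account, _host in sorted(events):
        if eid != LOGON_FAILURE:
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and account not in alerts:
            alerts[account] = (len(q), q[0], ts)
    return alerts


if __name__ == "__main__":
    for account, (count, first, last) in find_failed_logon_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"{account}: {count} failed log-ons between {first} and {last}")
```

In the constructed data only `bob` trips the detector; `carol` has a single failure followed by a success, which is normal user behaviour and should not raise an alert. Tune the threshold and window to the site's lockout policy so that the review surfaces real guessing attempts rather than typos.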

As mentioned earlier in this chapter, different operating systems offer various ways to enable, track, and view the results of auditing. If you are responsible for protecting the welfare of your networked environment, you should have a good working knowledge of the auditing tools available within the operating systems you are running.

Auditing tools such as those used in Windows 2000 and UNIX can track system and user events as well as abnormalities. These tools are considered a detective control. These tools produce log files that should be reviewed continuously. In UNIX, a network administrator should audit and log the following operating system conditions and events:

  • The UNIX kernel

  • Lib files

  • Bin files

  • Use of Setgid

  • Use of Setuid

  • Changes made to the /etc/passwd and .rhosts files
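The last three items in the UNIX list (setuid, setgid, and changes to /etc/passwd) lend themselves to a periodic check. The following is an added example, not part of the exam guide, that scans a directory tree for files carrying the setuid or setgid bit and compares a file against a previously recorded SHA-256 baseline. To run offline it builds a constructed tree in a temporary directory with a fake passwd file; the file names and the appended line are made up for the demonstration.

```python
import hashlib
import os
import stat
import tempfile


def find_setid_files(root):
    """Walk `root` and return the sorted paths of regular files with setuid or setgid set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append(path)
    return sorted(hits)


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_baseline(path, baseline_hex):
    """Return True if the file's current SHA-256 matches the recorded baseline."""
    return sha256_of(path) == baseline_hex


def demo():
    """Constructed scenario: one setuid file, one setgid file, one ordinary file,
    and a fake passwd file that is altered after its baseline was recorded."""
    with tempfile.TemporaryDirectory() as root:
        bindir = os.path.join(root, "bin")
        etcdir = os.path.join(root, "etc")
        os.makedirs(bindir)
        os.makedirs(etcdir)
        suid = os.path.join(bindir, "su_like")     # constructed name
        sgid = os.path.join(bindir, "wall_like")   # constructed name
        plain = os.path.join(bindir, "ls_like")    # constructed name
        for p in (suid, sgid, plain):
            with open(p, "w") as f:
                f.write("#!/bin/sh\n")
        os.chmod(suid, 0o4755)   # setuid
        os.chmod(sgid, 0o2755)   # setgid
        os.chmod(plain, 0o755)   # neither bit set

        passwd = os.path.join(etcdir, "passwd")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        baseline = sha256_of(passwd)  # what an administrator would record at install time
        with open(passwd, "a") as f:
            f.write("extra:x:0:0::/:/bin/sh\n")  # constructed change: a second UID-0 entry

        setid = [os.path.relpath(p, root) for p in find_setid_files(root)]
        return setid, check_baseline(passwd, baseline)


if __name__ == "__main__":
    setid, passwd_ok = demo()
    print("setuid/setgid files:", setid)
    print("passwd matches baseline:", passwd_ok)
```

In practice the baseline hashes are stored off the audited host (or at least on read-only media), since a baseline that an intruder can rewrite is no baseline at all; the same applies to the audit logs themselves, as the retention guidance below notes.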

As a general rule, audit logs should be kept for at least a year. This retention period can vary depending on your company’s needs and policies. You should also remember for the exam that log files should be encrypted if they are ever transmitted over a network. They should always be kept secure to avoid deletion, modification, or destruction.






The Security+ Exam Guide. TestTaker's Guide Series
Security + Exam Guide (Charles River Media Networking/Security)
ISBN: 1584502517
Year: 2003
Pages: 136