|
|
ANALYZE/AUDIT generates a report from the log file so thatyou become familiar with normal activity on your system and caneasily spot atypical activity. It summarizes events for you andplots where activity is occurring on the cluster. The utility alsohelps you analyze atypical activity because it is capable of selectinga subset of information from an audit report and of providing fullerinformation for your analysis. While the analysis of a single auditlog file might not be significant, audit records can, over time,reveal a pattern of activity that indicates security violations.
Recommended Procedure
This section describeshow to analyze audit log files on your system. Although the wayyou use ANALYZE/AUDIT depends upon the security needs at your site,there are a number of common steps that you should follow, regardlessof the extent to which you use the utility. Before you can recognizepotential security problems, you need to become familiar with thenormal operation of your system. Then you can develop a procedurefor generating and reviewing audit reports on a periodic basis.Whenever your regular analysis of audit log files leads you to suspecta security problem, you should perform a detailed investigation ofselected security events.
As a security administrator, you should be able to answerthe following questions before analyzing an audit log file:
By knowing the answers to these questions, you can eliminatefalse alarms, which otherwise may cause you to wrongly suspect asecurity problem.
Step 2: Periodically Analyze the Audit Report
The most common type of report to generate is a brief, dailylisting of events. You can create a command procedure that runsin a batch job every evening before midnight to generate a reportof the day's security event messages. (You can use the same procedureto create a new version of the audit log [see Maintaining the File].)
The following example shows the ANALYZE/AUDIT command lineto generate this report:
$
ANALYZE/AUDIT/SINCE=TODAY/OUTPUT=31DEC2000.AUDIT -
[1]
_$
SYS$MANAGER:SECURITY.AUDIT$JOURNAL
$
MAIL/SUBJECT="Security Events" 31DEC2000.AUDIT SYSTEM
[2]
Depending on the number of security events that you are auditingon your system, it can be impractical to review every audit recordwritten to the audit log file. In this case, you can select a specificset of records from the log file, such as all audit records relatedto changes in the authorization database and break-in attempts, orall events occurring outside normal business hours.
Analyze any subprocess-related audits with the knowledge thata pipe subprocess (created by the DCL PIPE command) can generatethe audits. The PIPE command can create a large number of subprocessesto execute a single PIPE command. This can mean a potential increasein auditing events that are related to subprocess activities (forexample, process creation, process deletion, login, logfailure,and logout).
It is important that you review audit reports as soon as possible.The sooner you inspect the reports, the sooner you become awareof any possible breach of security on the system and can determinethe extent of the problem. You can make the inspection of the previousday's audit report a regular part of your morning routine, or youcan create a program that reviews the report and notifies you throughthe Mail utility (MAIL) when suspicious events appear.
Step 3: Scrutinize Suspicious Activity
If, during your review, you find any security events thatappear suspicious or out of place, like login attempts outside normalbusiness hours, then use the Audit Analysis utility to perform amore detailed inspection of the security audit log file. A fullreport can help you determine which security events logged to theaudit log file warrant a more thorough investigation.
The following command generates a full report of selectedsecurity audit records:
The audit report for December 31, 2000 contains informationon all intrusion attempts and all modifications to the system userauthorization file (SYSUAF.DAT) and the rights database (RIGHTSLIST.DAT).$
ANALYZE/AUDIT/FULL/SINCE=TODAY/OUTPUT=31DEC2000.AUDIT -
_$
/EVENT_TYPE=(BREAKIN,RIGHTSDB,SYSUAF)
$
MAIL/SUBJECT="Security Events" 31DEC2000.AUDIT SYSTEM
Invokingthe Audit Analysis Utility
The Audit Analysis utility is the tool you use to producea meaningful report from a binary log file. This section and thesections that follow describe how to use the utility, but referto the HP OpenVMS System Management Utilities ReferenceManual for complete documentation of the utility's commandsand qualifiers.
To invoke the Audit Analysis utility, use the following DCLcommand:ANALYZE/AUDIT file-name
For the file-name parameter, substitutethe name of the file from which audit reports are to be generated.The default name of the security audit log file is SECURITY.AUDIT$JOURNAL.You must specify the directory: SYS$MANAGER.
Providing Report Specifications
With the Audit Analysis utility, you are able to extract allor some of the security event messages from a single audit log andproduce reports with various levels of detail.
The audit report reflects events from the set of event classesa site has enabled (see Reporting Security-Relevant Events). You can tailor the report so only a subset of eventsare extracted. The selection criteria can be based on time, on eventclass, or on field of data within the event message. (See the documentationof the /SELECT qualifier in the HP OpenVMS System ManagementUtilities Reference Manual.) Qualifiers for the Audit Analysis Utility summarizes the qualifiers that determine the contentof the report.
Type | Qualifier | Description |
---|---|---|
Content | /BEFORE | Extracts event messageslogged before the specified time. |
/SINCE | Extracts event messageslogged after the specified of time. | |
/EVENT_TYPE | Extracts event messagesof a specific event class (see Kinds of Security Events the System Can Report ). | |
/SELECT | Extracts event messagesbased on data in the messages. (For example, /SELECT=USERNAME=JSNOOPlists only security event messages generated by user JSNOOP.) | |
/IGNORE | Excludes event messagesfrom the report based on data in the messages. | |
Format | /BRIEF | Produces a report with oneline of information about each record in the audit log file, suchas the type of event, when it occurred, and the terminal from whichit originated (see Brief Audit Report). This is the default. |
/FULL | Provides all possible datafor each record in the audit log file being processed (see One Record from a Full Audit Report). Alarm Messages provides sample alarm messages for each eventclass. | |
/SUMMARY | Lists the total number ofaudit messages for each event class in the log file being analyzed(see Summary of Events in an Audit Log File). It can alsoplot the aggregate events per hour on each node. | |
/BINARY | Produces a binary file soyou can extract records for further analysis using your own datareduction tools. See the HP OpenVMS System ManagementUtilities Reference Manual for a description of theaudit message record format. | |
Destination | /OUTPUT | Specifies the report destination. Bydefault, it goes to SYS$OUTPUT. |
ANALYZE/AUDITproduces audit reports in different formats (see Qualifiers for the Audit Analysis Utility). The utility produces a one-line summaryof each record in the log file by default. Brief, one-line reportsare most useful for routine analysis of a log file. The more detailedfull reports provide the detail necessary for analyzing recordsof a suspicious nature. If you are interested in archiving portionsof a log file, the binary listing lets you store a subset of an auditlog file.
A summary report helps you identify potential security problemsquickly. For each class of security event, a summary report canlist the total number of audit messages extracted from the securityaudit log file being analyzed. A summary report can also displaya plot of auditing activity, based on the system generating the eventmessage, the time when it occurred, and the total number of eventsseen.
Brief Audit Report showsa brief report of all the security audit events logged to the systemsecurity audit log file. In the ANALYZE/AUDIT command that generatesthe report, substitute the name of your audit log file.
One Record from a Full Audit Report shows one recordfrom a full format audit report. In the ANALYZE/AUDIT command that generatesthe report, substitute the name of your audit log file.
Summary of Events in an Audit Log File shows asummary report. In the ANALYZE/AUDIT command that generates thereport, substitute the name of your audit log file.
Using the Audit Analysis Utility Interactively
When you send outputto a terminal, you can analyze an audit log file interactively.At any time during the display of a listing, you can interrupt thereport being displayed by pressing Ctrl/C. This automatically initiatesa full listing and gives you the Command> prompt. In commandmode, you can advance or return to earlier records in the reportand study them in greater detail.
At the Command> prompt, you can enter any of theANALYZE/AUDIT commands listed in the HP OpenVMS SystemManagement Utilities Reference Manual to modify theanalysis criteria, to change position within the audit report, orto toggle between full and brief displays. To return to an auditreport listing, enter the CONTINUE command.
Examining the Report
When a routineanalysis of an audit log file leads you to suspect that the securityof your system has been compromised (through an actual or attemptedintrusion, repeated login failures, or any other suspicious securityevents), you can investigate the source of the security event througha more detailed inspection of the security audit log file.
For example, assume that you see the security events shownin Identifying Suspicious Activity in the Audit Report during a routineinspection of the previous day's audit report.
The security events displayed in the report shown in Identifying Suspicious Activity in the Audit Report indicate that user Kovacslogged in to the system following four unsuccessful login attempts.Shortly after logging in, user Kovacs created a new account in thesystem user authorization file (SYSUAF.DAT).
At this point, you must determine whether this behavior isnormal or abnormal. Is user Kovacs authorized to add new user accountsto the system? If you believe that the security of your system hasbeen compromised, use the following command to generate a more detailedreport from the security audit log file to determine if damage hasbeen done to your system:
The command in this example generates a full report of allsecurity audit events written to the audit log file since user Kovacsfirst attempted to log in to the system. In a full format report,all the data for each record in the audit log file is displayed.Using the full report, you can determine the name of the remoteuser who logged in under the local KOVACS account and the node fromwhich the login was made, as shown in Scrutinizing a Suspicious Record.$
ANALYZE/AUDIT/FULL/SINCE=01-JUN-2003:16:06
The information displayed in Scrutinizing a Suspicious Record indicates that the login failures and subsequentsuccessful login were made by user Follen from the remote node NACHWA.Your next step is to determine whether the security events weregenerated by user Follen or by someone who has broken into the remotenode NACHWA through the FOLLEN account.
|
|