Auditing

Purpose of Auditing

Auditing is the third component of the Authentication Authorization Accounting (AAA) framework. Authentication verifies a user's identity, authorization determines what resources and actions they are permitted to access, auditing tracks and logs the activities that take place.

The key purposes are:

• Accountability: Tracking user actions to maintain accountability and Nonrepudiation.
• Compliance: Providing documented evidence of activities to meet regulatory or organizational security requirements.
• Incident Response: Enabling the investigation of security incidents or policy violations by reviewing audit logs.
• Monitoring: Detecting suspicious or malicious activities that may indicate an ongoing attack or data breach.

What to Audit

It's important to strike a balance when defining audit policies. Auditing too little can leave critical activities unmonitored, while auditing too much can result in a massive log file that is difficult to manage and analyze.

A typical audit policy setting includes:

• Successful and failed user logon/logoff events.
• Access to sensitive files or folders.
• Changes to user accounts or security policies
• Privileged user actions (running programs with elevated privileges)
• System startup/shutdown and other critical system events

Implementing Audit Policies

In a Windows environment, audit policies can be configured at the local machine level and the domain level (via Group Policy):

• Local Audit Policies: Configured using the Local Security Policy editor (secpol.msc).
• Domain Audit Policies: Centrally managed and applied to all systems within an Active Directory domain.

As with Password Policies, centrally managed domain-level audit policies are more consistent and easier to manage when compared to individual local policies.

Reviewing Audit Logs

Results of auditing are captured in event logs, which can be viewed using the Windows Event Viewer. The Security log will contain the most relevant audit events, such as logon/logoff, privileged actions, and access to sensitive resources. Whereas the Event logs provide information like the user account, timestamp, and description of the event to allow administrators to investigate and respond to suspicious activities.