
In document Privacy in (Pages 59-69)

Figure 9.3: sensible-data platform.

9.3 Implementation

In its current implementation, the sensible-data system is a Django web-based solution which provides its services through REST APIs. The system is hosted on a Rackspace server with backing databases on MongoLab (Database as a Service for MongoDB) that will be replaced in the future by custom instances. User authentication is now managed through the Django authentication system, by which each user has his own account registered and authenticated. In the future, sensible-data will offer authentication through the OpenID open protocol. App authorizations are granted using OAuth 2.0.


Part III

Auditing

Chapter 10

Introduction to Auditing

Loggers record the dynamics of a system, keeping track of the noteworthy past events that changed the system's state. Each (digital) record includes when an event occurred, which entity triggered it, and which resource it involved. Examples of such events are users' activities, program execution status, resource usage, data changes, and so on. Logging systems are useful tools for troubleshooting problems, identifying policy violations, enforcing accountability and, more generally, monitoring interactions with resources.

There are scenarios in which logs must be available for public inspection. In these cases, the number and the identities of the verifiers and the frequency of the verifications strongly affect the design of the logging system. When record reviewing is a fundamental feature, logging becomes auditing.

Logging systems can be adopted as security components to record, in a secure manner, the events in an environment (an "a posteriori" mechanism). The quality and the quantity of the retained data make logs important sources of digital evidence for reconstructing complex events, detecting intrusions, and investigating malicious activities.

For these reasons, they need to be protected from misuses.

Although logs are usually kept behind secured systems and adequately protected, it cannot be guaranteed that those defences will never be compromised. Therefore, it is necessary to strengthen auditing systems to resist security breaches. Unfortunately, once the machine has been taken over by an intruder, there is not much that can be done to prevent him from corrupting the audit trail at his pleasure. On the other hand, it is possible to limit the attacker's ability to corrupt the records generated prior to the machine's compromise (tamper resistance) through the use of Trusted Computing Modules or Write Once Read Many (WORM) storage disks. Without resorting to such expensive and uncommon solutions, it is also possible to build tamper-evident audit trails. These are logs that make it impossible to undetectably alter pre-compromise entries. Integrity verification of audit logs becomes the primary security requirement for secure auditing systems.

Outsourcing logs. Long-term storage of logs can be expensive both in terms of physical resources and integrity revision processes. Therefore, more and more often organizations are delegating the management to the cloud, sending the data to remote hosts before purging the local copies [RBS+12] (Logging as a Service, LaaS). Outsourcing the maintenance of logs can reduce costs, but remote auditability requires further enhancements to integrity and authenticity. When the owner of the hosting machine is not the owner of the secrets within the device, it is essential that audit mechanisms are able to detect attempted fraud. Remote auditing can benefit from replication, a good measure to safeguard data integrity through redundancy, based on the assumption that an attacker will not be able to compromise all the remote hosts. On the other hand, data replication raises confidentiality issues, since all the multiple copies of the audit trails must be secured against unauthorized viewers.

10.1 Definitions

- Auditing system. System that comprises all the components for auditing.

- Auditing, auditing process. In computer technology, auditing is defined as the process of storing and examining digital records regarding the events happening in a well-defined environment constituted by a set of entities. Typical examples are the list of read/write operations occurring on a machine's operating system or the message transactions among different end-points in a network¹. The purpose is to collect enough information to be able to carry out an assessment to identify and quantify the environment's future characteristics.

- Log event, audit event, event. An event is defined as an occurrence observable in the monitored environment. A logged event is the digital representation of the event once appended to the audit trail. The set of log events that have to be stored is defined at system design. The format of the logged event must be concise but rich enough for later analysis.

¹ Historically, auditing is intended as the "examination of data belonging to an entity performed by an (external) independent examiner".

- Audit, audit trail, audit log, log trail, trail. Some form of non-volatile memory, such as a local disk, a database or a remote log storage, that holds the events and can later be verified.

- Auditor, examiner, verifier. The entity which performs the examination of the audit trail.

- Auditing report, report. Result of the auditing examination process.

- Append, write, update, store, logging, registration, recording. Action of appending a new entry at the end of the audit log.

- Verification, integrity check, check, inspection, review. Action of assessing the integrity of the audit trail.


Chapter 11

Auditing Model

This section describes how an auditing system can be modelled. Like all models, it is an abstraction from reality, a representation of how an ideal auditing system should appear.

11.1 Auditing Protocol

Auditing Types. The auditing process can be scheduled according to a predefined time-triggered procedure (time-driven) or performed ad hoc, when a specific event requires the generation and the inspection of the audit trail (event-triggered).

Audit Trail Format. Audit trails can be sequential, when every event is appended to an ever-growing audit trail, or circular, where the maximum length of the audit trail is fixed and, once it is reached, new entries overwrite old ones.

Event Format. Log events are not required to have a specific format, but the format must be defined in a way that a later reader will understand unambiguously.


Design has important consequences for the implementation. In fact, it affects memory consumption (storage) and performance (time) in logging and retrieving. For these reasons, it is crucial to determine the necessary and sufficient format for both the trail and the log entries. Common fields are:

- Timestamp: identifies when the event occurred. This is usually expressed as a date and time of day, with different degrees of accuracy (i.e. the granularity can vary from hours to milliseconds).

- Description: human-readable description of the event, used for later trail inspection.

- Entry type: tag used to classify different events under the same category. Useful during inspection operations for fast retrieval (e.g. administration event, data event, ...).

- Severity level: keyword that defines the severity of the event. Common levels, in increasing order, are: debug, informational, notice, warning, error, critical, alert, emergency.

- Author: the entity that writes into the audit trail.

- Id: unique identifier of the event.

- Other: optional information peculiar to the particular auditing case.

- Security fields: optional fields regarding confidentiality, integrity checks or other security properties.
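The fields listed above and the tamper-evident trail of Chapter 10 can be put together in a small worked example, added here and not part of the thesis or of the sensible-data code: every entry carries the common fields, and its security field is a SHA-256 hash chained to the previous entry, so that editing or deleting a pre-compromise record is detected by the verifier. The field names, the all-zero genesis anchor and the sample events are assumptions of the example.

```python
import hashlib
import json

# Severity keywords in increasing order, as listed in the common fields.
SEVERITIES = ["debug", "informational", "notice", "warning", "error",
              "critical", "alert", "emergency"]
GENESIS = "0" * 64  # assumed anchor for the first entry's chain hash


def chain_digest(prev_hash: str, entry: dict) -> str:
    """SHA-256 over the previous chain hash and the entry's canonical JSON."""
    body = {k: v for k, v in entry.items() if k != "chain_hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canon).encode("utf-8")).hexdigest()


def append_event(trail: list, timestamp: str, description: str,
                 entry_type: str, severity: str, author: str) -> dict:
    """Append one entry; 'chain_hash' is the security field linking it back."""
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    prev_hash = trail[-1]["chain_hash"] if trail else GENESIS
    entry = {"id": len(trail), "timestamp": timestamp, "description": description,
             "entry_type": entry_type, "severity": severity, "author": author}
    entry["chain_hash"] = chain_digest(prev_hash, entry)
    trail.append(entry)
    return entry


def verify_trail(trail: list) -> int:
    """Return the index of the first entry whose chain check fails, or -1."""
    prev_hash = GENESIS
    for i, entry in enumerate(trail):
        if entry["id"] != i or chain_digest(prev_hash, entry) != entry["chain_hash"]:
            return i
        prev_hash = entry["chain_hash"]
    return -1


def demo() -> tuple:
    """Constructed sample trail: intact, with an edited entry, with a deleted entry."""
    trail = []
    append_event(trail, "2013-05-01T10:00:00Z", "user alice logged in",
                 "administration event", "informational", "auth-service")
    append_event(trail, "2013-05-01T10:00:05Z", "dataset 42 read by app X",
                 "data event", "notice", "api-gateway")
    append_event(trail, "2013-05-01T10:01:00Z", "access policy changed",
                 "administration event", "warning", "admin-console")
    edited = [dict(e) for e in trail]
    edited[0]["description"] = "user bob logged in"  # alter a pre-compromise entry
    truncated = trail[:1] + trail[2:]                 # drop the middle entry
    return verify_trail(trail), verify_trail(edited), verify_trail(truncated)
```

Detection only holds if the verifier keeps the latest chain hash independently of the logging host, for instance on the replicated remote hosts discussed above; an intruder who controls the host can otherwise recompute the whole chain, which is exactly the post-compromise limit the chapter describes.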

Roles

- Event generator: the entity/device that creates the event.

- Relay: (optional) a proxy that forwards the events from devices to collectors.

- Event receiver: receives the events.

- Filter: decides whether the log event must be recorded or not, according to the rules specified by the auditing designer.

- Logger: generates the corresponding log file (also called audit trail). It might apply cryptographic operations to protect recorded entries against illegal reading, deletion or modification.
