Information System Audit Configuration

Ensuring that meaningful security related information is gathered through the logging process can be challenging.  There must be an understanding of the information that can paint an accurate picture of what is happening on the information system.  The purpose of the information system may dictate what information should be gathered.  In a Microsoft environment, these items can be configured using the Advanced Auditing options within the Group Policy.  These settings are found under Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies.  There are a number of audit policy settings that are configurable from this menu.

So what would be some useful events to audit on user workstations?  There are several options under each of the items in the System Audit Policies.  To track potential malicious behavior by an insider, it may be of value to audit the success and failure of process termination under detailed tracking.  Another valuable setting is to audit the success and failure of registry changes under the Object Access menu.  Also, monitoring the use of a privileged access token.  If there is repeated attempts to elevate privileges unsuccessfully it could demonstrate that there is someone attempting to gain unauthorized privilege escalation.  These are just a few of the audit settings I like to watch.  I have an example of the audit.csv file that can be imported into the group policy at https://github.com/cyberstrikes/audit-settings.git, so feel free to clone and use as a baseline.

Given the typical mixture of architectures and operating systems, centralizing the data for monitoring is a necessity but can be challenging.  Implementing a security event and incident management (SEIM) provides the ablity to bring in the log data from different sources and effectively parse and categorize information.  Not everyone has a huge budget so one service that I have found that is helpful is Graylog at www.graylog.org. They offer an open source alternative to the popular SEIM, Splunk.  Graylog offers several different options for downloading their product as either virtual machine images or packages for specific Linux distributions.  The maintenance may be a little more challenging initially, but could be a valuable option for a small to medium business with a limited budget.

In conclusion, auditing and logging is an important part of securing the infrastructure of your organization.  Ensuring that the correct information is being collected and correlating it to determine security related events or incidents takes time and tuning.  The use of a SEIM provides a centralized means of log collection and correlation to ease the burden and challenge of security event and incident discovery and mitigation.

Spread the word. Share this post!

Leave Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.