Auditing different Operating Systems

There are a number of settings that require configuration to enable the correct level of logging and auditing.  This, of course, varies by the operating system that is doing the logging.  Linux uses syslog, which stores its logs in a basic text file format.  This allows for easy reading without any need for special interfaces.  The configuration of the syslog server is also done through a text file, the syslog.conf file, which is most commonly located in the /etc directory.  Through the syslog.conf file, an administrator can set numerous flags and direct syslog to write its output to different files or hosts.  This type of control is valuable to a system administrator who wants to forward all messages of a certain type to a central location without having to pull along a lot of extra data.  Given that a majority of computer users operate on the Windows operating system, we will move on and discuss more of the specifics of how to effectively log on a Windows client machine.
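As an added example (not part of the original post), the following Python script interprets the classic syslog.conf selector syntax so you can see, before touching a live server, which files or hosts a given message would be routed to. The configuration text is constructed here for illustration; it assumes the traditional `facility.priority action` form rather than rsyslog's extended syntax, and `loghost.example.internal` is a placeholder host name.

```python
"""Resolve syslog.conf selectors to the actions a message would be routed to.

Added example (not from the original post): a small interpreter for the
classic syslog.conf selector syntax.  A priority in a selector means "that
level and anything more severe", "=level" means exactly that level, "none"
excludes a facility, and later selectors on the same line override earlier
ones for the same facility.
"""
from typing import List, Tuple

# Classic syslog priority ordering, least to most severe.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
PRIO_RANK = {name: rank for rank, name in enumerate(PRIORITIES)}

# Constructed syslog.conf content (assumption: traditional selector/action
# syntax; loghost.example.internal is a placeholder central log host).
SAMPLE_CONF = """
# Everything of info severity or higher, except auth and mail, to messages
*.info;auth.none;mail.none        /var/log/messages
# All authentication messages to a local file and to a central log host
auth,authpriv.*                   /var/log/secure
auth,authpriv.*                   @loghost.example.internal
# Kernel messages at exactly crit severity to the console
kern.=crit                        /dev/console
# Anything emergency-level goes to every logged-in user
*.emerg                           *
"""

Rule = Tuple[List[Tuple[str, str]], str]


def parse_conf(text: str) -> List[Rule]:
    """Return (selectors, action) per line; each selector is (facility, priority spec)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        selector_part, action = line.rsplit(None, 1)  # action is the last field
        selectors: List[Tuple[str, str]] = []
        for sel in selector_part.split(";"):
            facilities, prio = sel.split(".", 1)
            for fac in facilities.split(","):  # "auth,authpriv.*" lists two facilities
                selectors.append((fac.strip(), prio.strip()))
        rules.append((selectors, action))
    return rules


def selector_matches(prio_spec: str, msg_prio: str) -> bool:
    """Apply one priority spec to a message priority."""
    if prio_spec == "none":
        return False
    if prio_spec == "*":
        return True
    if prio_spec.startswith("="):
        return PRIO_RANK[msg_prio] == PRIO_RANK[prio_spec[1:]]
    # Default: this priority and everything more severe.
    return PRIO_RANK[msg_prio] >= PRIO_RANK[prio_spec]


def route(rules: List[Rule], facility: str, priority: str) -> List[str]:
    """List every action (file, @remote host, or '*' for all users) that receives a message."""
    actions = []
    for selectors, action in rules:
        decision = False
        for fac, prio_spec in selectors:
            if fac in ("*", facility):
                # Later selectors on the same line override earlier ones; this is
                # how "*.info;auth.none" sends everything except auth to a file.
                decision = selector_matches(prio_spec, priority)
        if decision:
            actions.append(action)
    return actions


RULES = parse_conf(SAMPLE_CONF)

if __name__ == "__main__":
    for fac, prio in [("auth", "info"), ("kern", "crit"), ("cron", "debug"), ("mail", "emerg")]:
        print(f"{fac}.{prio:<6} -> {route(RULES, fac, prio)}")
```

Running it shows that an `auth.info` message never reaches /var/log/messages but does go to both /var/log/secure and the remote host, which is exactly the "forward only what you need" behaviour described above.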

Windows, unlike Linux, uses a different format for the logs created during system operation.  Microsoft uses what are known as .evtx files, which are essentially an XML format.  Windows event logging can be configured a couple of different ways.  The most common in an enterprise environment is that the C:\Windows\System32\GroupPolicy\Machine\microsoft\windows nt\Audit\Audit.csv file contains the definition of the organization's audit policy.  This file specifies which types of events, user actions, and so on trigger writing an event into an .evtx file.  To view an .evtx file, the Event Viewer is used.  Within the Event Viewer, there are multiple event logs that can be accessed.  If the system administrator wishes to check security-related events, they can select the Security log on the left.  They can then filter on specific types of events based on EventID.  For instance, to look at logon-related events, the EventID would be 4624.  It is important to remember what you are looking for as well.  Depending on the auditing configuration, reviewing a successful task execution can be of equal importance to reviewing a failed one.  Using the example of EventID 4624, an auditor may find that an individual logged in successfully as a user but later failed in attempts to gain elevated privileges.  If such activity were observed repeatedly for the same user, it may indicate a potential security violation by that individual.
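The pattern just described, a successful EventID 4624 logon followed by repeated audit failures for the same account, can be checked programmatically once the events are exported from Event Viewer's XML view. The following Python script is an added example, not code from the original post: the event records are constructed inline in the shape Event Viewer shows in its XML view, the audit-failure event used (EventID 4673, "A privileged service was called") is an assumption standing in for whatever your audit policy emits on failed privilege use, and the account names are made up.

```python
"""Flag users whose successful logon is followed by repeated audit failures.

Added example (not from the original post).  Constructed Windows Security
events in Event Viewer's XML-view shape are parsed with the standard library,
then the pattern described in the text (EventID 4624 success, later failures
for the same account) is detected.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Keyword bits Windows sets on Security-log audit records.
AUDIT_SUCCESS_BIT = 0x0020000000000000
AUDIT_FAILURE_BIT = 0x0010000000000000
LOGON_EVENT_ID = 4624  # from the text: successful account logon


def make_event(event_id: int, keywords: int, when: str, data: Dict[str, str]) -> str:
    """Build one constructed <Event> XML string in Event Viewer's XML-view shape."""
    data_xml = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        f"<EventID>{event_id}</EventID>"
        f"<Keywords>0x{keywords:016x}</Keywords>"
        f'<TimeCreated SystemTime="{when}"/>'
        f"</System><EventData>{data_xml}</EventData></Event>"
    )


# Constructed sample records.  EventID 4673 is assumed here as the failure
# event of interest; substitute the ID your audit policy actually produces.
SUCCESS = 0x8020000000000000  # as rendered in the XML view (includes the classic bit)
FAILURE = 0x8010000000000000
SAMPLE_EVENTS = [
    make_event(4624, SUCCESS, "2024-01-15T08:00:00Z", {"TargetUserName": "jdoe", "LogonType": "2"}),
    make_event(4673, FAILURE, "2024-01-15T08:05:00Z", {"SubjectUserName": "jdoe", "PrivilegeList": "SeDebugPrivilege"}),
    make_event(4673, FAILURE, "2024-01-15T08:06:00Z", {"SubjectUserName": "jdoe", "PrivilegeList": "SeDebugPrivilege"}),
    make_event(4673, FAILURE, "2024-01-15T08:07:00Z", {"SubjectUserName": "jdoe", "PrivilegeList": "SeTcbPrivilege"}),
    make_event(4624, SUCCESS, "2024-01-15T08:10:00Z", {"TargetUserName": "asmith", "LogonType": "2"}),
    make_event(4673, FAILURE, "2024-01-15T08:11:00Z", {"SubjectUserName": "asmith", "PrivilegeList": "SeDebugPrivilege"}),
]


def parse_event(xml_text: str) -> dict:
    """Extract the fields the detection needs from one event's XML."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    when = system.find("e:TimeCreated", NS).get("SystemTime").replace("Z", "+00:00")
    return {
        "id": int(system.findtext("e:EventID", namespaces=NS)),
        "keywords": int(system.findtext("e:Keywords", namespaces=NS), 16),
        "time": datetime.fromisoformat(when),
        # 4624 names the account in TargetUserName; most other events use SubjectUserName.
        "user": data.get("TargetUserName") or data.get("SubjectUserName"),
        "data": data,
    }


def flag_failed_escalation(events: List[dict], min_failures: int = 2) -> Dict[str, int]:
    """Return {user: failure count} for accounts that logged on successfully
    (4624) and afterwards produced at least min_failures audit-failure events."""
    logged_on = set()
    failures: Dict[str, int] = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] == LOGON_EVENT_ID and ev["keywords"] & AUDIT_SUCCESS_BIT:
            logged_on.add(ev["user"])
        elif ev["keywords"] & AUDIT_FAILURE_BIT and ev["user"] in logged_on:
            failures[ev["user"]] += 1
    return {user: n for user, n in failures.items() if n >= min_failures}


if __name__ == "__main__":
    parsed = [parse_event(x) for x in SAMPLE_EVENTS]
    print(flag_failed_escalation(parsed))  # jdoe is flagged, asmith is not
```

The threshold is the tunable part: one failed privilege check after a logon is routine noise, whereas several in a row for the same account is the repeated pattern the text says is worth an auditor's attention.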

Both Linux and Windows offer a robust solution for auditing the activities that occur on a computer system.  Each is highly configurable and provides a means for system auditors to quickly parse out the data they are looking for.  To read more about specific settings and other configuration items, see the advanced blog.
