UNIT 4: Auditing Features of Operating Systems, Applications, and Logs

Rajasthan Polytechnic (BTER) March 13, 2025

 

UNIT 4: Auditing Features of Operating Systems, Applications, and Logs

4.1. Understanding Audit Features of OS and Applications

Audit features in an operating system (OS) and applications help monitor and track activities and changes within the system. These features are crucial for security, compliance, and troubleshooting purposes. They allow system administrators to detect suspicious behavior, unauthorized access, or malicious activities by recording relevant events.

Key audit features include:

  • User authentication: Tracks when users log in or out of the system.
  • File access: Monitors access to files, including read, write, or delete operations.
  • System changes: Logs any changes made to system settings, configurations, or permissions.
  • Application usage: Records when applications are installed, launched, or modified.
  • Security events: Tracks potential security threats like failed login attempts, privilege escalations, or unauthorized access.

These audit logs are essential for:

  • Investigating security incidents.
  • Ensuring compliance with security standards.
  • Troubleshooting and identifying system issues.

4.2. Enabling and Examining Server Logs

Server logs contain records of events and activities occurring on a server. These logs are essential for system administrators to monitor the health and performance of the server, detect issues, and ensure security.

Key types of server logs:

  • Access logs: Record information about incoming requests to the server (e.g., web requests, FTP requests).
  • Error logs: Capture errors that occur on the server, including crashes, failed services, and misconfigurations.
  • Security logs: Track potential security events like failed login attempts, unauthorized access, and system vulnerabilities.
  • Performance logs: Provide insights into server performance, including resource utilization, CPU load, memory usage, and network traffic.

How to enable server logs:

  • On many systems, server logs are automatically enabled, but administrators may need to configure specific logging settings.
  • Common tools to examine server logs include:
    • Linux/Unix: /var/log/
    • Windows: Event Viewer
    • Web servers: Apache or Nginx logs

Why server logs are important:

  • Troubleshooting: Helps identify server issues and resolve performance problems.
  • Security auditing: Detects any unauthorized access attempts or attacks on the server.
  • System monitoring: Provides insights into server resource utilization and workload distribution.

4.3. User Activity Logs

User activity logs record every action taken by a user on a system or application. These logs can be used to track user behavior, monitor suspicious activity, or investigate incidents.

Types of user activities logged:

  • Login/logout times: When a user logs into or out of the system.
  • Command execution: Which commands or programs a user executes, especially in command-line systems.
  • File access and modifications: Monitoring files accessed, modified, or deleted by the user.
  • Privilege escalation: Tracks any attempts to gain higher system privileges.
  • Failed login attempts: Logs when a user tries to log in with incorrect credentials.

Why user activity logs are important:

  • Security monitoring: Detects unusual or unauthorized behavior by users, such as login attempts from unknown locations.
  • Incident investigation: Provides a timeline of actions for identifying the root cause of security incidents.
  • Compliance: Ensures that organizations comply with security policies and regulations.

4.4. Browser History Analysis

Browser history analysis involves examining the data stored by web browsers, including websites visited, search queries, and other browsing activities. This analysis can be useful in investigating a user's internet usage patterns, identifying suspicious activities, or recovering lost data.

What is stored in browser history:

  • URLs: Websites visited by the user.
  • Timestamps: Dates and times when the websites were visited.
  • Cookies and cache: Data stored by websites to improve user experience, including session information.
  • Search queries: Terms or phrases entered into search engines.
  • Downloads: Files downloaded from websites.

Why browser history analysis is important:

  • Forensics: Can provide evidence in investigations of illegal activities or inappropriate browsing.
  • User behavior: Analyzing browsing history helps understand user behavior and interactions with online content.
  • Security incidents: Identifying if the user visited phishing sites, downloaded malware, or interacted with suspicious web pages.

4.5. Proxy Server Logs

A proxy server acts as an intermediary between a client and a destination server, allowing for logging and monitoring of requests. Proxy server logs capture details about client requests, including websites accessed and other related activities.

Key details in proxy server logs:

  • IP addresses: The IP address of the client making the request.
  • Requested URLs: The specific URLs or websites accessed.
  • Request methods: Whether the request was a GET, POST, or other HTTP methods.
  • Response status codes: Indicates whether the request was successful or failed (e.g., HTTP 404 for not found).
  • Timestamp: The exact date and time of the request.

Why proxy server logs are important:

  • Security: Helps detect and block malicious or unauthorized web traffic.
  • Monitoring: Allows network administrators to track internet usage and ensure compliance with organizational policies.
  • Performance optimization: Can be used to analyze traffic patterns and improve network efficiency.

4.6. Antivirus Logs

Antivirus logs record the activities and actions taken by antivirus software, including scans, detections, and any threats encountered. These logs are important for identifying malware or other security issues in a system.

What is captured in antivirus logs:

  • Malware detections: Logs showing any detected viruses, Trojans, or other malicious software.
  • Scan results: Information about scheduled or on-demand antivirus scans, including any threats found and actions taken.
  • Quarantined files: Details about files that were isolated by the antivirus for further inspection.
  • Updates: Logs showing when antivirus definitions were updated.

Why antivirus logs are important:

  • Malware detection: Identifies potential security threats on the system.
  • Incident response: Provides information for further analysis and remediation of detected threats.
  • System health: Ensures that antivirus software is actively protecting the system and remains up-to-date.

4.7. Email Logs

Email logs capture information about the sending, receiving, and processing of emails on an email server. These logs can be used to investigate email-related issues, detect phishing or spam, or trace the source of suspicious email traffic.

What is recorded in email logs:

  • Sender and recipient addresses: The email addresses of the sender and recipient.
  • Timestamp: The exact time the email was sent or received.
  • Subject line: The subject of the email (often truncated for privacy).
  • Delivery status: Indicates whether the email was successfully delivered, delayed, or failed.
  • IP addresses: The IP addresses of the senders, which can help track the origin of the email.

Why email logs are important:

  • Phishing detection: Helps identify phishing or malicious emails sent from compromised accounts or IPs.
  • Spam filtering: Provides insights into email traffic patterns, which can help with spam detection and filtering.
  • Investigations: Useful for forensic investigations, particularly when tracing the source of cyberattacks or data breaches that involve email communication.
Rajasthan Polytechnic (BTER)

Posted by Rajasthan Polytechnic (BTER)

Hi! I’m Garima Kanwar, founder of Rajasthan Polytechnic (BTER). This platform provides notes, PDFs, and video lectures for all Polytechnic branches (ME, CS, EE) and semesters to make learning easy .I ensure exam-focused, updated, and simple-to-understand content, along with academic updates and career guidance.

Post a Comment

0 Comments