
Configuration and Log Analysis

Configuration analysis involves the verification of machine and device configurations, including customization settings, installed options, etc. In configuration analysis, you examine the current state of the system, looking for ways to make it more secure. In effect, a configuration auditor follows a highly detailed checklist, comparing each element on the list with the object being audited, and noting where discrepancies exist.

Logging is the process of recording interesting system and network events. It can be used strictly for informational purposes, for accounting chargebacks, or for system/network performance and load analysis. For example, you can log accesses to web documents on any web server, user login attempts, accesses to certain files in Windows 2000, system startup/shutdown, security policy changes, user account administration, or uses of the UNIX “su” command.

Where are these logs? On UNIX systems, many programs write logging information into the system’s syslog (which may be present on that system, or may be on another system on the network).

On Windows systems, many programs write logging information into the Event Log (more properly, into the System, Security or Application event logs). Other programs, such as web servers, typically maintain their own logs created with special formats that can be read by tools specifically designed to easily “mine” the logs for information.

Classic Auditing

One type of auditing involves creating logs where you:

· Establish a baseline of “normal” activity.

· Monitor against the baseline for abnormal results.

What and where should you monitor? You cannot monitor everything in a typical environment (such as the completion of every print job), because you would be flooded with data. The chairman of IBM has in his office the motto: “Think”. As a general recommendation: monitor the obvious. The less obvious things to monitor are those outside any firewall: create a baseline of “normal” activity outside the firewall and monitor it, so you have an idea of what an attack looks like before someone gets in. For example, you may not want to log successful accesses of a certain data file, but you might want to know about unsuccessful accesses, because those are likely to indicate someone trying to read data they’re not authorized to see.

A key point about logging as an audit tool is made very well in Real World Linux Security [115] by Bob Toxen. If you can avoid it, never store a log where an attacker can get to it – and especially never store it where an attacker can modify it and erase his tracks, invalidating the usefulness of the log. In the UNIX/Linux world, it’s useful to direct log entries to a syslog on another machine.
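The baseline-then-monitor approach above, applied to the “su” failures mentioned earlier, as an added example that is not from the book: the log lines are constructed syslog-style samples, a baseline is taken from a quiet week, and the audit hour is compared against it.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not from the book): a quiet week used as
# the "normal" baseline, then one day to audit against it.
BASELINE_LOGS = """\
Nov 10 09:12:01 host1 su: FAILED SU (to root) alice on /dev/pts/0
Nov 11 10:30:44 host1 su: FAILED SU (to root) bob on /dev/pts/1
Nov 12 14:05:19 host1 su: FAILED SU (to root) alice on /dev/pts/0
Nov 13 16:41:07 host1 su: FAILED SU (to root) carol on /dev/pts/2
Nov 14 08:55:31 host1 su: FAILED SU (to root) bob on /dev/pts/1
""".splitlines()

AUDIT_LOGS = """\
Nov 15 02:00:03 host1 su: FAILED SU (to root) mallory on /dev/pts/3
Nov 15 02:00:09 host1 su: FAILED SU (to root) mallory on /dev/pts/3
Nov 15 02:00:14 host1 su: FAILED SU (to root) mallory on /dev/pts/3
Nov 15 02:00:21 host1 su: FAILED SU (to root) mallory on /dev/pts/3
Nov 15 09:15:40 host1 su: FAILED SU (to root) alice on /dev/pts/0
""".splitlines()

# "Mon DD HH:MM:SS host su: FAILED SU (to target) user ..." (syslog layout;
# single-digit days carry two spaces, which " +" absorbs)
FAILED_SU = re.compile(r"^(\w{3} +\d+) \S+ \S+ su: FAILED SU \(to (\S+)\) (\S+)")

def failed_su_per_day(lines):
    """Count failed su attempts per (user, day); other lines are ignored."""
    counts = Counter()
    for line in lines:
        m = FAILED_SU.match(line)
        if m:
            day, _target, user = m.groups()
            counts[(user, day)] += 1
    return counts

def baseline_threshold(lines, margin=2):
    """Baseline: the most failures any one user made on one day, plus a margin."""
    counts = failed_su_per_day(lines)
    return (max(counts.values()) if counts else 0) + margin

def find_abnormal(lines, threshold):
    """Return (user, day, count) for every user/day that exceeds the baseline."""
    per_day = failed_su_per_day(lines)
    return sorted((u, d, n) for (u, d), n in per_day.items() if n > threshold)
```

Only the failures are examined, exactly as the text suggests for data-file accesses; a run of them from one account in the small hours stands out against a baseline of one or two stray typos per day.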

Geekily Speaking: Reading

If you can tolerate the sub-optimal font sometimes used in the book, Auditing and Security [116] by Musaji provides a lot of raw data on configuration items to check in Windows NT and UNIX, as well as the AS/400. It claims to be the first book on IT security written specifically for auditors and has a companion web site. If you’re creating the nitty-gritty details of an audit policy for one of these platforms, it really looks like $85 well spent to get this book – and Windows 2000 auditors will find information of interest in the NT section as well, even though it was not written with Windows 2000 in mind. A more generalized book on auditing is Network Auditing [117] by Smith, also with checklists.

An interesting treatment of auditing a Windows 2000 system/network, complete with information on how to set up “Auditor” accounts (nicely demonstrating the security concept of “separation of duties”) and a list of useful Microsoft tools that assist in auditing, can be found in the Windows 2000 Security Handbook [118] by Philip Cox.

Pros and cons of different types of auditing procedures are described in The Process of Network Security [119] by Thomas Wadlow.


115. Toxen, Bob. Real World Linux Security. Prentice-Hall, November 2000.

116. Musaji, Yusufali F. Auditing and Security. John Wiley, February 2001.

117. Smith, Gordon E. Network Auditing. John Wiley, April 1999.

118. Cox, Philip, and Tom Sheldon. Windows 2000 Security Handbook. Osborne, November 2000.

119. Wadlow, Thomas. The Process of Network Security. Addison-Wesley, February 2000.

CertiGuide for Security+ ( on
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.