Distributed security auditing subsystem for an operating system
Abstract
The distributed auditing subsystem invention runs in a UNIX-like operating system environment with a hierarchical file system. The invention provides an audit trail of accesses to the objects it protects, and it maintains and protects that audit trail against modification, unauthorized access, or destruction. The audit data generated by the invention is protected so that read access to it is limited to those who are authorized for audit data. The invention enables the recording of events which are relevant to maintaining the security of the system, such as the use of identification and authentication mechanisms, the introduction of objects into a user's address space, the deletion of such objects, actions taken by computer operators, system administrators and/or system security officers, and other security-relevant events. The invention generates an audit record for each recorded event which includes the date and time of the event, the user, the type of event, and the success or failure of the event. The invention performs an on-line compression of the audit trail log file using a UNIX-type daemon process. The audit daemon process is restartable, which enables it to recover after node failures.
10 Claims
1. A distributed, security auditing subsystem for performing on-line auditing of events in each of a plurality of client processors in a system and performing on-line compression of an audit trail of said events in a server processor in the system, comprising:
a first security audit daemon in a first client processor in said system for monitoring the occurrence of a defined set of events affecting data security of said first client processor and preparing first security audit records in response to the occurrence therein of said events;
a distributed services means in said first client processor, for performing a remote mount of a security audit directory in a server processor in said system containing first temporary bin files associated with said first client processor;
said first audit daemon in said first client processor writing said first audit records to said first temporary bin files in said remotely mounted security audit directory in said server processor;
said first audit daemon in said first client processor further including a data compression means for operating on records in said first temporary bin files in said server processor containing said first audit records, to compress selected records therein and write the compressed records with a first type identifier to a permanent audit trail file in said remotely mounted security audit directory in said server processor;
a second security audit daemon in a second client processor in said system for monitoring the occurrence of a defined set of events affecting data security of said second client processor and preparing second security audit records in response to the occurrence therein of said events;
a distributed services means in said second client processor, for performing a remote mount of said security audit directory in said server processor containing second temporary bin files associated with said second client processor;
said second audit daemon in said second client processor writing said second audit records to said second temporary bin files in said remotely mounted security audit directory in said server processor; and
said second audit daemon in said second client processor further including a data compression means for operating on records in said second temporary bin files in said server processor containing said second audit records, to compress selected records therein and write the compressed records with a second type identifier to said permanent audit trail file in said remotely mounted security audit directory in said server processor.
2. The distributed auditing subsystem of claim 13, wherein said permanent audit trail file further comprises:
a plurality of data frames organized with a header portion, a compressed bin portion, and a trailing portion;
said header portion including the number of bytes in the compressed bin associated therewith and the identity of a client node which was the source of the audit information in said bin;
said trailing portion including the number of bytes in said associated compressed bin and the identity of said client node; and
said byte count in said header portion and said byte count in said trailing portion enabling said permanent audit trail file to be searched in either the forward or reverse direction.
3. A method for distributed, security auditing of events occurring in each of a plurality of client processors in a system and the compression of auditing information generated thereby in a server processor in the system, comprising the steps of:
monitoring the occurrence of a defined set of events affecting data security of a first client processor in said system, with a first security audit daemon running in said first client processor;
performing a remote mounting with said first client processor, of a security audit directory in a server processor in said system, containing first temporary bin files associated with said first client processor;
writing first audit records with said first audit daemon in response to said events occurring in said first client processor, to said first temporary bin files in said remotely mounted security audit directory in said server processor;
selectively compressing with said first audit daemon in said first client processor records in said first temporary bin files and writing resulting first compressed bins with a first type identifier to a permanent audit trail file in said remotely mounted security audit directory in said server processor;
monitoring the occurrence of a defined set of events affecting data security of a second client processor in said system, with a second security audit daemon running in said second client processor;
performing a remote mounting with said second client processor, of said security audit directory in said server processor in said system, containing second temporary bin files associated with said second client processor;
writing second audit records with said second audit daemon in response to said events occurring in said second client processor, to said second temporary bin files in said remotely mounted security audit directory in said server processor; and
selectively compressing with said second audit daemon in said second client processor records in said second temporary bin files and writing resulting second compressed bins with a second type identifier to said permanent audit trail file in said remotely mounted security audit directory in said server processor.
Dependent claims: 4, 5, 6, 7, 8, 9, 10.
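The audit-trail layout from claims 1 and 2 (compressed bins framed by a header and a trailer that both carry the compressed byte count and the client node identity, so the trail can be walked forward or backward), together with the record fields named in the abstract, as a small Python model. This is an added example, not code from the patent or from any implementation of it. The byte encodings (little-endian uint32 count, 16-byte NUL-padded node id, one-byte type identifier, zlib for the compression, newline-delimited JSON for the records in a bin) and the names `build_frame`, `read_forward` and `read_backward` are assumptions. The forward walk also shows what the duplicated counts buy a defender: a frame cut short, for example when a client node fails mid-write, is detected rather than parsed as garbage, and every complete frame before it stays readable.

```python
import json
import struct
import zlib
from datetime import datetime, timezone

# Assumed byte layout (the claim names the fields, not their encoding):
#   header  = compressed-bin byte count (uint32 LE) + client node id (16 bytes, NUL padded) + type identifier (uint8)
#   body    = the compressed bin
#   trailer = compressed-bin byte count (uint32 LE) + client node id (16 bytes, NUL padded)
HEADER = struct.Struct("<I16sB")
TRAILER = struct.Struct("<I16s")


def make_record(user, event_type, success, when):
    """One audit record with the fields the abstract lists: date/time, user, event type, outcome."""
    return {"time": when.isoformat(), "user": user, "event": event_type, "success": success}


def records_to_bin(records):
    """Temporary bin contents: one JSON record per line (assumed encoding)."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in records).encode()


def bin_to_records(bin_bytes):
    return [json.loads(line) for line in bin_bytes.decode().splitlines()]


def _node_field(node_id):
    node = node_id.encode()
    if len(node) > 16:
        raise ValueError("node id longer than the 16-byte field")
    return node.ljust(16, b"\0")


def build_frame(node_id, type_id, bin_bytes):
    """Compress one bin and wrap it so header and trailer both carry the count and node id."""
    body = zlib.compress(bin_bytes)
    node = _node_field(node_id)
    return HEADER.pack(len(body), node, type_id) + body + TRAILER.pack(len(body), node)


def _decode(node, type_id, body):
    return (node.rstrip(b"\0").decode(), type_id, bin_to_records(zlib.decompress(body)))


def read_forward(trail):
    """Walk the trail from the start. Returns (frames, unread_tail_bytes); a non-zero tail
    means the last frame is incomplete or its trailer disagrees with its header."""
    frames, pos = [], 0
    while pos + HEADER.size <= len(trail):
        count, node, type_id = HEADER.unpack_from(trail, pos)
        body_start = pos + HEADER.size
        end = body_start + count + TRAILER.size
        if end > len(trail):
            break  # frame cut short, e.g. the writing daemon's node failed mid-write
        if TRAILER.unpack_from(trail, body_start + count) != (count, node):
            break  # header and trailer disagree: do not trust this frame or anything after it
        frames.append(_decode(node, type_id, trail[body_start:body_start + count]))
        pos = end
    return frames, len(trail) - pos


def read_backward(trail):
    """Walk the trail from the end, using the trailer's count to locate each header.
    Returns (frames newest-first, offset where the walk stopped; 0 means the whole trail was read)."""
    frames, pos = [], len(trail)
    while pos - TRAILER.size >= 0:
        count, node = TRAILER.unpack_from(trail, pos - TRAILER.size)
        start = pos - TRAILER.size - count - HEADER.size
        if start < 0:
            break
        h_count, h_node, type_id = HEADER.unpack_from(trail, start)
        if (h_count, h_node) != (count, node):
            break
        frames.append(_decode(node, type_id, trail[start + HEADER.size:start + HEADER.size + count]))
        pos = start
    return frames, pos


def build_sample_trail():
    """Constructed sample: two client nodes each flush one bin to the shared permanent trail."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed timestamp
    bin_a = records_to_bin([
        make_record("alice", "login", True, t0),
        make_record("alice", "open_file", False, t0),
    ])
    bin_b = records_to_bin([make_record("root", "setuid", True, t0)])
    # type identifiers 1 and 2 play the role of the claim's first and second type identifier
    return build_frame("client-a", 1, bin_a) + build_frame("client-b", 2, bin_b)


if __name__ == "__main__":
    trail = build_sample_trail()
    print("forward :", [(n, t, len(r)) for n, t, r in read_forward(trail)[0]])
    print("backward:", [(n, t, len(r)) for n, t, r in read_backward(trail)[0]])
    print("truncated trail:", read_forward(trail[:-5]))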