Distributed security auditing subsystem for an operating system

US 5,032,979 A
Filed: 06/22/1990
Issued: 07/16/1991
Est. Priority Date: 06/22/1990
Status: Expired due to Fees

First Claim

Patent Images

1. A distributed, security auditing subsystem for performing on-line auditing of events in each of a plurality of client processors in a system and performing on-line compression of an audit trail of said events in a server processor in the system, comprising:

a first security audit daemon in a first client processor in said system for monitoring the occurrence of a defined set of events effecting data security of said first client processor and preparing first security audit records in response to the occurrence therein of said events;

a distributed services means in said first client processor, for performing a remote mount of a security audit directory in a server processor in said system containing first temporary bin files associated with said first client processor;

said first audit daemon in said first client processor writing said first audit records to said first temporary bin files in said remotely mounted security audit directory in said server processor;

said first audit daemon in said first client processor further including a data compression means for operating on records in said first temporary bin files in said server processor containing said first audit records, to compress selected records therein and write the compressed records with a first type identifier to a permanent audit trail file in said remotely mounted security audit directory in said server processor;

a second security audit daemon in a second client processor in said system for monitoring the occurrence of a defined set of events effecting data security of said second client processor and preparing second security audit records in response to the occurrence therein of said events;

a distributed services means in said second client processor, for performing a remote mount of said security audit directory in said server processor containing second temporary bin files associated with said second client processor;

said second audit daemon in said second client processor writing said second audit records to said second temporary bin files in said remotely mounted security audit directory in said server processor; and

said second audit daemon in said second client processor further including a data compression means for operating on records in said second temporary bin files in said server processor containing said second audit records, to compress selected records therein and write the compressed records with a second type identifier to said permanent audit trail file in said remotely mounted security audit directory in said server processor.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The distributed auditing subsystem invention runs in a UNIX-like operating system environment with a hierarchical file system. The invention provides an audit trail of accesses to the objects it protects and maintains and protects that audit trail from modification or unauthorized access or destruction. The audit data generated by the invention is protected so that read access to it is limited to those who are authorized for audit data. The invention enables the recording of events which are relevant to the maintenance of the security of the system, such as the use of identification and authentication mechanisms, the introduction of objects into a user'"'"'s address space, the deletion of such objects, actions taken by computer operators and system administrators and/or system security officers, and other security relevant events. The invention generates an audit record for each recorded event which includes the date and time of the event, the user, the type of event, and the success or failure of the event. The invention performs an on-line compression of the audit trail log file using a UNIX-type daemon process. The audi daemon process has a restartable feature that enables it to recover after node failures.

553 Citations

10 Claims

1. A distributed, security auditing subsystem for performing on-line auditing of events in each of a plurality of client processors in a system and performing on-line compression of an audit trail of said events in a server processor in the system, comprising:
- a first security audit daemon in a first client processor in said system for monitoring the occurrence of a defined set of events effecting data security of said first client processor and preparing first security audit records in response to the occurrence therein of said events;
  
  a distributed services means in said first client processor, for performing a remote mount of a security audit directory in a server processor in said system containing first temporary bin files associated with said first client processor;
  
  said first audit daemon in said first client processor writing said first audit records to said first temporary bin files in said remotely mounted security audit directory in said server processor;
  
  said first audit daemon in said first client processor further including a data compression means for operating on records in said first temporary bin files in said server processor containing said first audit records, to compress selected records therein and write the compressed records with a first type identifier to a permanent audit trail file in said remotely mounted security audit directory in said server processor;
  
  a second security audit daemon in a second client processor in said system for monitoring the occurrence of a defined set of events effecting data security of said second client processor and preparing second security audit records in response to the occurrence therein of said events;
  
  a distributed services means in said second client processor, for performing a remote mount of said security audit directory in said server processor containing second temporary bin files associated with said second client processor;
  
  said second audit daemon in said second client processor writing said second audit records to said second temporary bin files in said remotely mounted security audit directory in said server processor; and
  
  said second audit daemon in said second client processor further including a data compression means for operating on records in said second temporary bin files in said server processor containing said second audit records, to compress selected records therein and write the compressed records with a second type identifier to said permanent audit trail file in said remotely mounted security audit directory in said server processor.

2. The distributed auditing subsystem of claim 13, wherein said permanent audit trail file further comprises:
- a plurality of data frames organized with a header portion, a compressed bin portion, and a trailing portion;
  
  said header portion including the number of bytes in the compressed bin associated therewith and the identity of a client node which was the source of the audit information in said bin;
  
  said trailing portion including the number of bytes in said associated compressed bin and the identity of said client node; and
  
  said byte count in said header portion and said byte count in said trailing portion enabling said permanent audit trail file to be searched in either the forward or reverse direction.

3. A method for distributed, security auditing of events occurring in each of a plurality of client processors in a system and the compression of auditing information generated thereby in a server processor in the system, comprising the steps of:
- monitoring the occurrence of a defined set of events effecting data security of a first client processor in said system, with a first security audit daemon running in said first client processor;
  
  performing a remote mounting with said first client processor, of a security audit directory in a server processor in said system, containing first temporary bin files associated with said first client processor;
  
  writing first audit records with said first audit daemon in response to said events occurring in said first client processor, to said first temporary bin files in said remotely mounted security audit directory in said server processor;
  
  selectively compressing with said first audit daemon in said first client processor records in said first temporary bin files and writing resulting first compressed bins with a first type identifier to a permanent audit trail file in said remotely mounted security audit directory in said server processor;
  
  monitoring the occurrence of a defined set of events effecting data security of a second client processor in said system, with a second security audit daemon running in said second client processor;
  
  performing a remote mounting with said second client processor, of said security audit directory in said server processor in said system, containing second temporary bin files associated with said second client processor;
  
  writing second audit records with said second audit daemon in response to said events occurring in said second client processor, to said second temporary bin files in said remotely mounted security audit directory in said server processor; and
  
  selectively compressing with said second audit daemon in said second client processor records in said second temporary bin files and writing resulting second compressed bins with a second type identifier to said permanent audit trail file in said remotely mounted security audit directory in said server processor.
- View Dependent Claims (4, 5, 6, 7, 8, 9, 10)
- - 4. The method for distributed auditing of claim 3, wherein said first audit daemon in said first client processor is a UNIX-type process operating under a UNIX-type operating system, said first audit daemon performing the steps of:
    - issuing a fork system call to fork a child process for normal operation;
      
      determining the oldest uncompressed bin in said first temporary bin files;
      
      compressing all bins in said first temporary bin file, starting with said oldest uncompressed bin; and
      
      writing said compressed bins to said permanent audit trail file.
  - 5. The method of claim 4 wherein said audit daemon is a user-lever process in said client processor.
  - 6. The method of claim 4 wherein said audit daemon is a kernel level process in said client processor.
  - 7. The method of claim 4 wherein said permanent audit trail file is recorded on a write-once-read-many recording medium.
  - 8. The method of claim 4 wherein said first compressed bins are stored in said permanent audit trail file with a header portion and a trailer portion, said header portion including a byte count of the number of bytes in said associated compressed bin and the identity of said first client processor and said trailer portion including a byte count of the number of bytes in said associated compressed bin and the identity of said first client processor, thereby enabling said permanent audit trail file to be searched in either direction.
  - 9. The method of claim 8 which further comprises the steps of:
    - restarting said first audit daemon upon recovery after a failure of said server processor or said first client processor.
  - 10. The method of claim 3, wherein said defined set of events further comprises the steps of:
    - defining a set of elementary events;
      
      defining an optional list of administrative events, where each administrative event in the list is a set of elementary events or previously defined administrative events or both;
      
      defining a first set of events to be audited for a first set of users; and
      
      defining a second set of events to be audited for a second set of users.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Johri, Abhai, Wei, Tsung T., Steves, Douglas H., Hecht, Matthew S.
Primary Examiner(s)
MacDonald, Allen R.
Assistant Examiner(s)
Ray, Gopal C.

Application Number

US07/542,688
Time in Patent Office

389 Days
Field of Search

364/200 MS File, 364/900 MS File, 380/4, 380/25, 371/11.1
US Class Current

726/25
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/6209   to a single file or object,...

G06F 21/6218   to a system of files or obj...

G06F 21/64   Protecting data integrity, ...

G06F 2211/009   Trust

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2143   Clearing memory, e.g. to pr...

G06F 2221/2145   Inheriting rights or proper...

G06F 2221/2147   Locking files

G06F 2221/2151   Time stamp

Distributed security auditing subsystem for an operating system

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

553 Citations

10 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed security auditing subsystem for an operating system

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

553 Citations

10 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links