Chapter 6. Auditing
This chapter includes contributions from Jack Naglieri and Ken Westin
To gain visibility into what’s happening across an environment, it’s important to collect and aggregate audit logs from every system, a process known as auditing. If a user credential is a key that unlocks the door to the house, an audit log is a record of when the door was unlocked, by whom, and why. Audit logs can also track which rooms the person goes to and what they do in each room. Maybe they are opening the safe and grabbing some money or a passport. Maybe they can’t even get into the next room and are trying to smash down the door! With real-time visibility, we can tell whether the house is empty, or who’s inside. This visibility is necessary for an access control system to uphold the strong confidentiality, integrity, and availability that are essential components of data stewardship and compliance. In the physical world, we do this with security staff and entry journals supplemented with cameras; in the digital world, we do it with audit logging technology.
Audit logs, session recordings, and other tools keep an exhaustive chronological record of activity within a computing environment for security, debugging, or system administration. With audit logging, you can investigate effects on a system by examining a timeline of events such as running out of memory or disk space, opening network connections, installing applications, or creating users. Audit logs exist everywhere, ...