Chapter 10. Managing the Audit Trails

Raspberry. There’s only one man who would dare give me the raspberry: Lone Star!

—Dark Helmet Spaceballs

The word audit usually makes people a little nervous; even when they have nothing to hide. An audit, in the world of accountants, is to examine an individual or organization’s financial records formally. The goal of an audit is either to validate that people or organizations have followed the letter of the law, or uncover their horrible misdeeds. The success of an audit must be based upon records of transactions. Without these records, performing an audit requires far more detective work or is rendered impossible.

In the computing world, audits can be formal or informal interrupt-driven processes performed by system administrators to answer questions. A question like “Why haven’t we received the mail our client sent?” sends administrators scurrying through mail logs. A more difficult question to answer might be, “Why didn’t that dynamic web page load right?” because web server access logs, error logs, and database query logs may need to be consulted to build a complete picture of what transpired. In a security context, an incident response team conducts an audit to try to uncover any transgressions and perform root cause analysis. All these questions and mysteries can be solved . . . as long as you have a record of the transactions, or logs.

A part of our job as system administrators is to keep an eye on the systems we have built and that ...

Get Mastering FreeBSD and OpenBSD Security now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.