FITS OM: Software/data events

An audit log records an entry whenever users perform certain specified actions. For example, modifying a file or attempting to access a user account can trigger an audit entry. The audit entry shows the action performed, the associated user account, and the date and time of the action. One can audit both successful and failed attempts at actions.

Regular analysis of log files enables the security administrator to track and maintain an adequate level of security on each computer as part of a risk management programme. Analysis draws on highly specific information about all security-related aspects of the system. It enables the security administrator to tune the security levels and, most importantly, to detect any security flaws in the system.

For good security audit settings, you could record the following:

  • Logon and logoff activity, including network and remote connections
  • File and object access, including access to files and directories, and print jobs sent
  • File and object creation or deletion
  • Access to user privileges, except those related to logon and logoff activities
  • User and group management, including creation, deletion, renaming and other changes to user accounts and passwords
  • System administrator functions such as system restarts, shutdowns and security functions of the system.

It is important to audit both the success and failure of the items listed above. Often, failure logs are much more informative than success logs, since failure is more likely to indicate an error. For example, a user successfully logging on to the system would be considered normal. However, a user unsuccessfully trying to log on to the system several times may indicate that someone is trying to break into the system using another person's user ID.
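The check described above can be run over an exported log. The following is an added example, not part of the original Becta guidance: the comma-separated log format, the account names, and the threshold of five failures within ten minutes are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit entries: time, account, action, outcome.
SAMPLE_LOG = """\
2008-03-03 08:58:10,jsmith,logon,success
2008-03-03 09:01:02,apatel,logon,failure
2008-03-03 09:01:09,apatel,logon,failure
2008-03-03 09:01:15,apatel,logon,failure
2008-03-03 09:01:21,apatel,logon,failure
2008-03-03 09:01:30,apatel,logon,failure
2008-03-03 09:02:00,jsmith,file_delete,failure
2008-03-03 10:15:00,mbrown,logon,failure
2008-03-03 13:40:00,mbrown,logon,failure
2008-03-03 13:40:20,mbrown,logon,success
"""

def parse_entries(text):
    """Yield (timestamp, account, action, outcome) from comma-separated lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, account, action, outcome = [f.strip() for f in line.split(",")]
        yield datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), account, action, outcome

def repeated_logon_failures(text, threshold=5, window=timedelta(minutes=10)):
    """Return {account: time of the failure that reached the threshold}.

    A successful logon clears the account's failure history, so an
    occasional mistyped password followed by a success is not reported.
    """
    recent = defaultdict(deque)   # account -> failure times inside the window
    flagged = {}
    for when, account, action, outcome in sorted(parse_entries(text)):
        if action != "logon":
            continue                      # only logon events are counted here
        if outcome == "success":
            recent[account].clear()
            continue
        times = recent[account]
        times.append(when)
        while when - times[0] > window:   # drop failures older than the window
            times.popleft()
        if len(times) >= threshold and account not in flagged:
            flagged[account] = when
    return flagged

if __name__ == "__main__":
    for account, when in repeated_logon_failures(SAMPLE_LOG).items():
        print(f"{when}  repeated failed logons for account {account}")
```

Tune the threshold and window to the school's own logon patterns, so that a pupil mistyping a password once or twice is not reported.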

Planning is an important step in the auditing process. You should be selective about the objects you audit. Auditing creates system overhead, and auditing too many objects makes security logs large and difficult to manage. Be selective, record your selections, create a plan and test it.

You should also establish an auditing policy that defines the types of event to be audited for a specific user or group of users. Here again you have to consider the balance between security and performance. Depending on the speed of your server and other network components, auditing all the events in the list above can have a significant impact on the performance of the school network. It may also create a lot of 'noise' in the event logs, with mundane file activity hiding other problems. You may find it worth buying a third-party utility for searching through an event log, as the tools supplied with the operating system are usually fairly basic.

© Becta 2008