An auditing facility records information about actions that may affect the security of a computer system. In particular, an auditing facility records any action by any user that may represent a breach of system security. For each action, the auditing facility records enough information about those actions to verify
In most cases, security breaches are detected by patterns of usage, not by single actions. A single failed login on a terminal, for example, may indicate that a user had trouble typing a password correctly. Several failed logins on a terminal may indicate that a malicious user is trying to guess a password. To detect such patterns, you often need to record many events that are a normal part of daily activity on the system.
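The failed-login pattern described above can be checked mechanically over recorded events. The following is an added example, not part of the original documentation: the record layout (timestamp, terminal, user, event, outcome), the sample records, and the threshold of 4 failures in 5 minutes are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records: timestamp, terminal, user, event, outcome.
SAMPLE_RECORDS = """\
2024-01-10T09:00:05 tty01 alice login failure
2024-01-10T09:00:12 tty01 alice login success
2024-01-10T09:14:40 tty03 root login failure
2024-01-10T09:14:49 tty03 root login failure
2024-01-10T09:14:57 tty03 admin login failure
2024-01-10T09:15:06 tty03 root login failure
2024-01-10T09:15:15 tty03 oper login failure
2024-01-10T11:30:00 tty02 bob login failure
2024-01-10T16:45:00 tty02 bob login failure
"""

def parse(text):
    """Yield (time, terminal, user, event, outcome) from whitespace-separated lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records rather than guessing at fields
        ts, terminal, user, event, outcome = fields
        yield datetime.fromisoformat(ts), terminal, user, event, outcome

def failed_login_bursts(records, threshold=4, window=timedelta(minutes=5)):
    """Return one alert per burst: >= threshold failures on a terminal inside window."""
    recent = defaultdict(deque)   # terminal -> (time, user) of recent failures
    alerting = set()              # terminals whose current burst was already reported
    alerts = []
    for when, terminal, user, event, outcome in sorted(records):
        if event != "login" or outcome != "failure":
            continue
        q = recent[terminal]
        q.append((when, user))
        while when - q[0][0] > window:
            q.popleft()           # drop failures that aged out of the window
        if len(q) < threshold:
            alerting.discard(terminal)   # isolated failures: likely a typing error
        elif terminal not in alerting:
            alerting.add(terminal)
            alerts.append({"terminal": terminal, "start": q[0][0],
                           "failures": len(q), "users": sorted({u for _, u in q})})
    return alerts

if __name__ == "__main__":
    for alert in failed_login_bursts(parse(SAMPLE_RECORDS)):
        print(alert)
```

Only tty03 is reported: the single failure on tty01 and the two widely spaced failures on tty02 never reach the threshold inside one window, which is why every failed login has to be recorded even though most are harmless.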