A computer security audit is a manual or systematic measurable technical assessment of a system or application. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems. Automated assessments, or CAAT's, include system generated audit reports or using software to monitor and report changes to files and settings on a system. Systems can include personal computers, servers, mainframes, network routers, switches.
During the last few decades systematic audit record generation (also called audit event reporting) can only be described as ad hoc. Ironically, in the early days of mainframe and mini-computing with large scale, single-vendor, custom software systems from companies such as IBM and Hewlett Packard, auditing was considered a mission-critical function. Over the last thirty years, commercial off-the-shelf (COTS) software applications and components, and micro computers have gradually replaced custom software and hardware as more cost-effective business management solutions.…
During this transition, the critical nature of audit event reporting gradually transformed into low priority customer requirements. Software consumers, having little else to fall back on, have simply accepted the lesser standards as normal. The consumer licenses of existing COTS software disclaim all liability for security, performance and data integrity issues.
Using traditional logging methods, applications and components submit free-form text messages to system logging facilities such as the Unix Syslog process, or the Microsoft Windows System, Security or Application event logs. Java applications often fall back to the standard Java logging facility, log4j. These text messages usually contain information only assumed to be security-relevant by the application developer, who is often not a computer- or network-security expert.