This section is from the book "Computer Security Threat Monitoring And Surveillance", by James P. Anderson.
The principal SMF records of use in performing the kind of auditing discussed in the preceding sections are record types 4, 5, 6, 10, 14, 15, 17, 18, 20, 25, 26, 34, 35, 40, 62, 63, 64, 67, 68, 69, 80 and 81. Ordinarily, these record types would be the records making up the details of a particular job or use of a computer. In producing the audit flow, selection parameters such as user names can be used to extract all audit trail data associated with a given user name; this provides input to the audit record sort step, which collects together in one place all record types associated with a particular job or use of a computer. The output of sorted job records is used as input to a job summary or session summary record builder. It is the summary record builder program that would provide the essential information from which the audit history records would be created and maintained.
When dealing with SMF, one is overwhelmed with data, a good deal of it not necessarily useful for security audit purposes. A basic audit history record is shown in Figure 10. This record is the one used in the model program. The individual data items are self-explanatory for the most part. The items indicated in square brackets are additional information available from SMF records that was not available in the accounting data in the model system.
Where the record shows sessions, one could substitute the notion of jobs; aside from that, the history records characterize a particular use of the computer system in which the model was being developed.
Data Item | Comments |
USERID [JOBID] | |
File/data set list | List of data sets referred to in this job (session). |
[Number of reads/writes to each data set] | |
Total number of runs (sessions) to date | |
Frequency count of logons (job run times) to date | Counted by quarter of day; other distributions are possible. |
Date of last update | Used to determine when to purge audit history record. |
Total number of updates | |
Total to date of: CPU time, I/O operations, Connect time (job turnaround time), Characters transmitted to terminal | Used to compute mean values: <parameter>/total sessions |
Maximum/minimum to date of: CPU time, I/O operations, Connect time, Characters transmitted | Establishes observed range of values. |
Sum of the squares of each: CPU time, I/O operations, Connect time, Characters transmitted | Used to (re)compute standard deviation. |
Standard deviation of each: CPU time, I/O operations, Connect time, Characters transmitted | Computed from: sqrt( (sum of squares of x / total sessions) - (mean of x)^2 ) |
Mean + 2.58 (standard deviation) of each: CPU time, I/O operations, Connect time, Characters transmitted | Upper bound of distribution. |
Mean - 2.58 (standard deviation) of each: CPU time, I/O operations, Connect time, Characters transmitted | Lower bound of distribution. |
Figure 10. Basic Audit History Record.
Inclusion of the actual standard deviation values and the mean plus or minus 2.58 times the standard deviation of each of the major parameters was to simplify the computation and to make the program run a little faster. It is certainly feasible to compute this data each time it is required; however, with the large number of records, the computation time becomes excessive, and the value of storing it in the record itself becomes a little more apparent.
The accounting data available in the model system does not show the number of read and write operations to each data set that is referred to in the file/data set list. If this data were available, the totals, the standard deviations, and the sum of squares information could be augmented by this data to provide a finer grain of detail in the audit history record. It would then be possible to make an exception report for any of those items that exceeded the bounds around the mean for each file rather than treating them in aggregate as shown in this particular format.
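The following is an added example, not code from the report or its model program, of how a summary record builder could maintain the Figure 10 audit history record and apply the mean plus or minus 2.58 standard deviation bounds as an exception test. It keeps the running totals, sums of squares, maxima/minima, logon counts by quarter of day, and (as the last paragraph suggests) per-data-set read/write counts, and recomputes the standard deviation from the stored sums. The session summaries, the user id "JPA", the field names, and the MIN_SESSIONS threshold before exceptions are reported are all constructed assumptions; the report itself does not specify them.

```python
import math
from dataclasses import dataclass, field

# The four parameters tracked in Figure 10.
PARAMS = ("cpu_time", "io_ops", "connect_time", "chars_to_terminal")
Z = 2.58           # multiplier used in the report: mean +/- 2.58 * standard deviation
MIN_SESSIONS = 5   # assumption: report no exceptions until this much history exists


@dataclass
class AuditHistory:
    """One audit history record per user, holding the running values of Figure 10."""
    userid: str
    sessions: int = 0
    updates: int = 0
    last_update: str = ""
    datasets: dict = field(default_factory=dict)                    # name -> {"reads", "writes"}
    logons_by_quarter: list = field(default_factory=lambda: [0, 0, 0, 0])
    total: dict = field(default_factory=lambda: {p: 0.0 for p in PARAMS})
    sum_sq: dict = field(default_factory=lambda: {p: 0.0 for p in PARAMS})
    maximum: dict = field(default_factory=lambda: {p: float("-inf") for p in PARAMS})
    minimum: dict = field(default_factory=lambda: {p: float("inf") for p in PARAMS})

    def mean(self, p):
        return self.total[p] / self.sessions

    def std_dev(self, p):
        # sqrt(sum of squares / total sessions - mean^2), as in the Figure 10 comment column
        var = self.sum_sq[p] / self.sessions - self.mean(p) ** 2
        return math.sqrt(max(var, 0.0))   # rounding can push a zero variance slightly negative

    def bounds(self, p):
        m, s = self.mean(p), self.std_dev(p)
        return (m - Z * s, m + Z * s)

    def exceptions(self, session):
        """Parameters of a new session that fall outside the stored bounds."""
        if self.sessions < MIN_SESSIONS:
            return []
        out = []
        for p in PARAMS:
            lo, hi = self.bounds(p)
            if not lo <= session[p] <= hi:
                out.append((p, session[p], lo, hi))
        return out

    def update(self, session):
        """Fold one session summary into the record (the 'update' counted in Figure 10)."""
        self.sessions += 1
        self.updates += 1
        self.last_update = session["date"]
        self.logons_by_quarter[session["start_hour"] // 6] += 1   # quarter of day
        for p in PARAMS:
            v = float(session[p])
            self.total[p] += v
            self.sum_sq[p] += v * v
            self.maximum[p] = max(self.maximum[p], v)
            self.minimum[p] = min(self.minimum[p], v)
        for name, reads, writes in session["datasets"]:
            d = self.datasets.setdefault(name, {"reads": 0, "writes": 0})
            d["reads"] += reads
            d["writes"] += writes


def process(histories, session):
    """Check a session against its user's history, then record it."""
    h = histories.setdefault(session["userid"], AuditHistory(session["userid"]))
    found = h.exceptions(session)
    h.update(session)
    return found


# Constructed session summaries (not real SMF data): six ordinary daytime sessions
# for one user, then one at night with far more I/O and terminal output.
SESSIONS = [
    {"userid": "JPA", "date": f"1980-02-{i + 1:02d}", "start_hour": 9 + i % 3,
     "cpu_time": 12 + i, "io_ops": 400 + 20 * i, "connect_time": 30 + i,
     "chars_to_terminal": 8000 + 100 * i,
     "datasets": [("PAYROLL.MASTER", 50, 2), ("SYS1.PROCLIB", 5, 0)]}
    for i in range(6)
] + [
    {"userid": "JPA", "date": "1980-02-07", "start_hour": 23, "cpu_time": 14,
     "io_ops": 9000, "connect_time": 33, "chars_to_terminal": 120000,
     "datasets": [("PAYROLL.MASTER", 4000, 0)]},
]


def run(sessions=SESSIONS):
    """Return the audit histories and, per session date, the exception list."""
    histories = {}
    report = {s["date"]: process(histories, s) for s in sessions}
    return histories, report


if __name__ == "__main__":
    hist, rep = run()
    for date, found in rep.items():
        for p, v, lo, hi in found:
            print(f"{date} JPA {p}={v} outside [{lo:.1f}, {hi:.1f}]")
```

With the constructed data the sixth session is within bounds on every parameter, while the seventh is flagged on I/O operations and characters transmitted only; CPU and connect time stay inside their ranges, which is the per-parameter granularity the report is after. Storing the sums of squares rather than the raw values is what makes the standard deviation recomputable in constant time per update.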