Computer Security Threat Monitoring and Surveillance

S.l Relevant SMF Records
5. Adapting to SMF Data
The principal SMF records of use in performing the kind of auditing
discussed in the preceding sections are record types 4, 5, 6, 10, 14,
15, 17, 18, 20, 25, 26, 34, 35, 40, 62, 63, 64, 67, 68, 69, SO and Sl.
Ordinarily, these record types would be the records making up the
details of a particular job or use of a computer. In producing the
audit flow, selection parameters such as user names can be used to
extract all audit trail data with that user name associated with
it to provide input to the audit record sort step which collects
together in one place all record types associated with a particular
job or use of a computer. The output of sorted job records is
used as input-to a job summary or session summary record builder.
It is the summary record builder program that would provide the
essential information from which the audit history records would
be created and maintained.
When dealing with SMF, one is overwhelmed with data, a good deal
of:.it..not necessarily useful for sec.urity audit purposes. A basic
audit history record is shown in Figure 10. This record is the one
used in the model program. The individual data items are self-explana­
tory for the most part. The items indicated in square brackets
are additional information available from SMF records that was not
available in the accounting data in the model system.
Where the record shows sessions, one could substitute the notion
of jobs; aside from that, the history records characterize a particular
use of the computer system in which the model was being developedo