Development of a Methodology for Customizing Insider Threat Auditing on a Linux Operating System

Author

William T. Bai

Date of Award

3-10-2010

Document Type

Thesis

Degree Name

Master of Science

Department

Department of Electrical and Computer Engineering

First Advisor

Robert F. Mills, PhD

Abstract

Insider threats can pose a great risk to organizations and by their very nature are difficult to protect against. Auditing and system logging are capabilities present in most operating systems and can be used for detecting insider activity. However, current auditing methods are typically applied in a haphazard way, if at all, and are not conducive to contributing to an effective insider threat security policy. This research develops a methodology for designing a customized auditing and logging template for a Linux operating system. An intent-based insider threat risk assessment methodology is presented to create use case scenarios tailored to address an organization’s specific security needs and priorities. These organization specific use cases are verified to be detectable via the Linux auditing and logging subsystems and the results are analyzed to create an effective auditing rule set and logging configuration for the detectable use cases. Results indicate that creating a customized auditing rule set and system logging configuration to detect insider threat activity is possible.

AFIT Designator

AFIT-GCO-ENG-10-01

DTIC Accession Number

ADA518467

Recommended Citation

Bai, William T., "Development of a Methodology for Customizing Insider Threat Auditing on a Linux Operating System" (2010). Theses and Dissertations. 1980.
https://scholar.afit.edu/etd/1980