What are the purposes for leaving an audit trail?

David Geer
I understand that penetration testers should leave audit trails. I am confused as to the purpose. I have heard that it is so the organization can see what changed in their applications and websites to make them exploitable. Is this correct? Could you please explain with a little bit of detail?
Dave Baldwin, Fixer of Problems
Most Valuable Expert 2014

Commented:
An "audit trail" in the general sense lets you see what has happened.  Required for banking and financial transactions as well.  If you don't have a record of what happened, you really don't have any information.  This is basic to any kind of quality control.  If you didn't 'write it down', it didn't really happen in the sense that you have no information that you can use to fix anything.
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I agree with the above and the term is common in business (ledger) as well as banking and financial.

In a firewall setup at the edge of your business, the log is an audit trail and should be enabled (all the logs on the device).

You can turn auditing ON at your server to see who logged in and did what. Default for this and firewall logs is OFF so make sure you have them turned on and your server has enough disk space to log a month of entries.
Distinguished Expert 2017

Commented:
Penetration testers maintain a record to provide information for the developers and engineers to fix this issue.
An audit, as was pointed out, is, depending on the industry, a required record tracking activity on and in the system and environment.

An audit deals with detecting a modification by a user who should not have been able to make that change.
Distinguished Expert 2018
Commented:
Well, there are two reasons in the context that you're explaining to have an audit trail:
1) If for some reason the penetration test modified anything (intentional or not), then you're going to want to have visibility into that.
2) There should also be audit records to be sure that any actions that take place were authorized. Also helps you with investigations for unauthorized events.
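
The two reasons in the answer above can be checked by reconciling the tester's own audit trail against the audit log on the target. This is an added example, not part of the original thread; the log fields, IP addresses, host names, account names and scope values are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (assumed formats, not from the thread).
TESTER_TRAIL = [  # what the tester recorded doing
    {"time": "2024-03-04T10:15:02", "src": "203.0.113.10", "target": "web01", "action": "created test account pt_user1"},
    {"time": "2024-03-04T10:42:30", "src": "203.0.113.10", "target": "web01", "action": "wrote marker file /tmp/pt_marker.txt"},
]
SERVER_LOG = [  # what the target's own auditing recorded
    {"time": "2024-03-04T10:15:03", "src": "203.0.113.10", "host": "web01", "event": "account created: pt_user1"},
    {"time": "2024-03-04T10:42:31", "src": "203.0.113.10", "host": "web01", "event": "file written: /tmp/pt_marker.txt"},
    {"time": "2024-03-04T11:05:47", "src": "198.51.100.77", "host": "web01", "event": "account created: svc_backup2"},
    {"time": "2024-03-04T13:30:00", "src": "203.0.113.10", "host": "db01", "event": "login: admin"},
]
# Hypothetical rules of engagement: allowed sources, targets and time window.
SCOPE = {"sources": {"203.0.113.10"}, "targets": {"web01"},
         "start": "2024-03-04T09:00:00", "end": "2024-03-04T12:00:00"}

def ts(s):
    return datetime.fromisoformat(s)

def in_scope(event, scope):
    return (event["src"] in scope["sources"]
            and event["host"] in scope["targets"]
            and ts(scope["start"]) <= ts(event["time"]) <= ts(scope["end"]))

def has_trail_entry(event, trail, tolerance=timedelta(seconds=5)):
    # Match on source, host and time only; clocks may differ by a few seconds.
    return any(e["src"] == event["src"] and e["target"] == event["host"]
               and abs(ts(e["time"]) - ts(event["time"])) <= tolerance
               for e in trail)

def classify(event, trail, scope):
    if event["src"] not in scope["sources"]:
        return "not-pentest"          # not the test: investigate as a real event
    if in_scope(event, scope) and has_trail_entry(event, trail):
        return "pentest-recorded"     # authorized and documented: revert after the test
    return "pentest-unexplained"      # tester source, but out of scope or undocumented

def reconcile(server_log, trail, scope):
    return [(e["time"], e["event"], classify(e, trail, scope)) for e in server_log]

if __name__ == "__main__":
    for row in reconcile(SERVER_LOG, TESTER_TRAIL, SCOPE):
        print(*row, sep=" | ")
```

Without the tester's trail, the first two events could not be told apart from the third, which is the practical cost of a test that leaves no record.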
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
I thought there were other good answers besides only the last answer given.
