While the Rainbow series does have a lot of "what to" information on audits and logging, the more appropriate standard for today is Common Criteria, or CC. I don't mean this to be another argument on what is best. Just follow me for a minute or two.

The US Federal Government is starting to get conscious about computer security, of which logging/auditing is a big part. The US Government uses NIST and NSA to provide guidance for what to do in this area. NIST and NSA have created/selected the CC standard to define methods and evaluations to determine if a product is good or not. In fact the Common Criteria standards have replaced the Rainbow series of standards. CC uses protection profiles to scope out a set of like systems to provide standardized evaluations. One of these protection profiles is called CSPP-OS, or commercial-off-the-shelf operating system protection profile. A draft is at http://csrc.nist.gov/cc/pp/cspp-os04.pdf. This draft specifies certain auditing requirements that need to take place for an approved OS.

The requirements are very abstract, but I think that the logging/auditing requirements in Tina's document should also be rather abstract. I believe that this protection profile's requirements should be the basis for any logging requirements document. I also believe that any requirements that aren't in the current draft but are important should be heavily lobbied into the NIST document.

The reason is simple. If the US Government mandates the use of certified systems, then OS manufacturers who want to sell to the US Government will be required to meet the CSPP-OS. This means Microsoft, Sun, HP, IBM, etc. will most likely implement this logging/auditing. So what we have to do is help define it, then require it (get the requirements into the protection profiles), then help implement it by defining RFCs that the vendors will use. Also, this approach will initially avoid those "other" discussions.
My .02 Euro
Ron Ogle
Rennes, France

Tina Bird wrote:
> I'm starting the draft of the logging requirements document based on the
> wonderful discussion we've been having -- carefully avoiding discussions
> of message formats, transport mechanisms, or timestamps, at least for the
> first draft ;-)
>
> Here's a pointer to the references people have suggested:
>
> The Rainbow Series is online in PostScript and PDF at
> http://www.radium.ncsc.mil/tpep/library/rainbow/
> Look for "A Guide to Understanding Audit in Trusted Systems" especially if
> you're suffering from insomnia. Gak. The things I read in my spare
> time...

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Sun Sep 01 2002 - 10:06:09 PDT