Re: [logs] Auditing vs. logging

From: Bennett Todd (betat_private)
Date: Wed Jul 30 2003 - 14:34:40 PDT

    2003-07-30T16:48:57 Tina Bird:
    > Anyone want to take a stab at definitions of auditing and logging, and
    > most in particular, how they differ?
    
    Err --- they're only loosely related. Logging is one component of
    the sort of control systems that audits cover.
    
    Auditing is analysis of process controls --- the sort of controls
    that are designed to prevent people from doing naughty things.
    
    Auditing consists of two parts: first, there's the analysis to
    determine that the control systems specified by policy are a
    reasonable match for the organization's needs. In the case of
    mature, stable fields, like e.g. financial analysis and accounting,
    this might be a rubber-stamp, where the real gamesmanship happens in
    the lobbying organizations trying to manipulate standards
    organizations. In immature, rapidly-changing fields like computer
    security, where a phrase like "best practice" is only used by lying
    vermin, this preliminary phase of analysis, does policy meet needs,
    is often the most important.
    
    The second phase of auditing analysis consists of confirming that
    the implementation of controls matches the intent stated by policy.
    When one of the controls is a logging system, then part of the audit
    may include validating the operation of that logging and confirming
    that the logs are being appropriately archived and/or reported on.
    
    Logging (etymology tracing back to the ship's logbook, the record of
    routine, in turn named after the log, a wedge of wood on the end of
    a knotted twine, used to measure ship speed through the water)
    consists of creation and maintenance of regular records of
    activities. It has importance in control systems (as in, the meat of
    audits) and computer security (a specific domain of control systems)
    because guaranteeing that violations of policy are impossible is
    often impractically expensive; logging can help arrange for a weaker
    guarantee, that violations cannot be committed indetectably, and
    that weaker guarantee is sometimes a better value for expense.
    
    > References also greatly appreciated [...]
    
    That I can't help with, sorry.
    
    -Bennett
    
    
    

    _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis


