
logging content



Next question.  Logging content.  I've talked to/emailed some people
at the BOF and afterwards.  It looks like the question of "what to
log" is large enough that entire groups are (ICSA firewall consortium)
and may be (possible IETF work, not yet chartered) looking at it.

This is another case (syslog and netconf being two other prime examples)
where this document just wants other work to be done so that it can
be cited as "this is what we want."

Given that that work is not yet started, much less citable, and the
fact that content of logging is an important operational security
issue, what do you think of the current requirement (below)?

In its current form, it is not a testable, yes/no,
hand-it-to-the-coder kind of requirement (that's what I'm hoping comes
out of the yet-to-be-started IETF work), but more of general guidance.
Would changing this to a SHOULD help?

---George

-------------------------------cut here-----------------------------
2.11.1 Ability to Log All Events That Affect System Integrity

   Requirement. The logging facility MUST be capable of logging any
      event that affects system integrity.

   Justification. Having the device log all events that might impact
      system integrity promotes accountability and enables
      audit-ability.

   Examples.

      The list of items that must be logged includes, but is not limited
      to, the following events:

      *  Filter matches, described in Section 2.10.1

      *  Authentication failures (e.g., bad login attempts)

      *  Authentication successes (e.g., user logins)

      *  Authorization changes (e.g., User privilege level changes)

      *  Configuration changes (e.g., command accounting)

      *  Device status changes (interface up/down, etc.)

   Warnings. None.
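The message above asks whether the 2.11.1 requirement can be made testable. One way an operator or implementer can at least test coverage of the six example event classes is to classify a sample of the device's own log output and report which classes never appear. The script below is an added illustration, not part of the draft or of George's message: the syslog-style lines are constructed, and the class names and the regular expressions are assumptions about a hypothetical device's wording, which a real check would replace with the vendor's actual message IDs or formats.

```python
"""Coverage check for the 2.11.1 example event classes against a device log sample.

Added example, not part of the draft or the mailing-list message. The
syslog-style lines below are constructed for illustration; the message
formats and the class names are assumptions, not any vendor's format.
"""
import re
from collections import Counter

# The six event classes the draft's 2.11.1 example list names as
# "must be logged". Order and wording follow the excerpt.
REQUIRED_CLASSES = (
    "filter_match",
    "auth_failure",
    "auth_success",
    "authz_change",
    "config_change",
    "status_change",
)

# Regexes over the free-text part of a log line. The patterns are
# assumptions about a hypothetical device's wording; a real deployment
# would replace them with the vendor's actual message IDs or formats.
CLASSIFIERS = (
    ("filter_match", re.compile(r"\bACL\b.*\b(denied|permitted)\b", re.I)),
    ("auth_failure", re.compile(r"\blogin (failed|failure)\b|authentication failed", re.I)),
    ("auth_success", re.compile(r"\blogin (succeeded|success)\b|\blogged in\b", re.I)),
    ("authz_change", re.compile(r"\bprivilege level\b|\bauthorization\b.*\bchanged\b", re.I)),
    ("config_change", re.compile(r"\bconfig(uration)?\b.*\b(changed|commit|committed|saved)\b|\bCMD:", re.I)),
    ("status_change", re.compile(r"\b(interface|link)\b.*\b(up|down)\b", re.I)),
)

# RFC 3164-style prefix "<PRI>Mon dd hh:mm:ss host proc: msg"; only the host
# is split off, and the remaining message text is what gets classified.
LINE_RE = re.compile(r"^<\d+>\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s+(.*)$")


def classify(line):
    """Return the event class for one log line, or None if it matches no class."""
    m = LINE_RE.match(line)
    text = m.group(2) if m else line
    for name, pattern in CLASSIFIERS:
        if pattern.search(text):
            return name
    return None


def coverage(lines):
    """Count lines per required class and list classes with no evidence.

    Returns (counts, missing): counts maps class -> number of lines seen,
    missing is the tuple of required classes that never appeared.
    """
    counts = Counter()
    for line in lines:
        cls = classify(line)
        if cls:
            counts[cls] += 1
    missing = tuple(c for c in REQUIRED_CLASSES if counts[c] == 0)
    return dict(counts), missing


# Constructed sample: a short capture in which the device never reports an
# authorization (privilege level) change, so the check should flag "authz_change".
SAMPLE_LOG = """\
<190>Mar  3 10:14:02 rtr1 acl: ACL 101 denied tcp 192.0.2.7(4455) -> 198.51.100.2(23)
<189>Mar  3 10:14:05 rtr1 login: login failed for user admin from 192.0.2.7
<189>Mar  3 10:14:09 rtr1 login: login succeeded for user ops from 192.0.2.10
<189>Mar  3 10:15:00 rtr1 cfg: configuration committed by ops (CMD: set interface ge-0/0/1 disable)
<188>Mar  3 10:15:01 rtr1 ifmgr: interface ge-0/0/1 changed state to down
<190>Mar  3 10:15:30 rtr1 ntp: clock synchronised to 192.0.2.1
""".splitlines()

if __name__ == "__main__":
    counts, missing = coverage(SAMPLE_LOG)
    for cls in REQUIRED_CLASSES:
        print(f"{cls:14s} {counts.get(cls, 0)}")
    print("missing:", ", ".join(missing) or "none")
```

Run as-is, the sample reports one line in each class except authz_change, which is listed as missing. The point is the shape of the check rather than the patterns: once a vendor's message IDs are substituted for the regexes, "every required class appears at least once in a log captured while each event type is deliberately triggered" is a yes/no test, which is closer to the hand-it-to-the-coder form the message is asking for.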