
Re: MUST vs. SHOULD audit



ho@earth.hpc.org (Hilarie Orman) writes:

>> I'd thought the group would have interest in whether or not receipt of
>> an invalid SA identifier (or any similar event) is significant enough
>> to require logging.  I'd thought the reason in favor would be that
>> anything that seemed to indicate an attempt to explore the valid
>> security states of the host would probably indicate an attack attempt,
>> and it would be critically important to notify the administrator, if
>> at all possible.  And I'd thought the argument against would be that
>> the built-in safeguards are strong enough to render such attempts
>> feeble and useless.

I think this issue explains why people are against making auditing a
must.  Some sites will want to know about every conceivable event.
Some sites will run high-profile services which will get probed so
often that logging such probes would be a waste of cheap disk space.

Having the protocol spec flag certain events as candidates for
auditing seems like a fine idea.  However, stating what should or must
be logged seems like it would be more appropriate in a Best Current
Practices (BCP) document, rather than a protocol RFC.  You could even
have more than one, from the billion-dollar paranoid financial
industry logging BCP to the toaster oven logging BCP.

		Marc
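The split the message proposes (the protocol layer flags an event such as receipt of an invalid SA identifier as an audit candidate; the site decides whether, and how much of it, to write to disk) can be sketched as a small policy layer. This is an added example, not code from the original message or from any IPsec implementation; the `AuditPolicy`, `Auditor`, event kinds and the two site profiles are hypothetical names, and the inbound events are constructed. It goes slightly beyond the message by adding a per-peer rate limit with a summary line, so a heavily probed host neither floods its log nor loses the fact that probing continued.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditPolicy:
    """Site-level decision about protocol-flagged auditable events (hypothetical)."""
    log_events: frozenset          # event kinds this site wants in its log
    max_per_window: int            # per (event, peer) cap before entries are suppressed
    window_seconds: float          # length of the rate-limit window


# Two constructed site profiles spanning the range the message describes.
PARANOID_SITE = AuditPolicy(frozenset({"INVALID_SPI", "AUTH_FAIL", "REPLAY"}), 1_000_000, 60.0)
BUSY_SERVER = AuditPolicy(frozenset({"INVALID_SPI", "AUTH_FAIL"}), 3, 60.0)


class Auditor:
    """Receives events the protocol layer flagged as audit candidates and
    applies the site policy: drop, log, or count-and-summarise."""

    def __init__(self, policy):
        self.policy = policy
        self.log = []                              # what actually reaches disk
        self._window_start = {}                    # (kind, peer) -> window start time
        self._logged = defaultdict(int)            # entries written in current window
        self._suppressed = defaultdict(int)        # entries dropped in current window

    def event(self, t, kind, peer, detail):
        """Return True if the event was written to the log."""
        if kind not in self.policy.log_events:
            return False                           # site does not care about this kind
        key = (kind, peer)
        start = self._window_start.get(key)
        if start is None or t - start >= self.policy.window_seconds:
            # New window: emit one summary line for anything dropped in the last one,
            # so the administrator still sees that probing continued.
            if self._suppressed[key]:
                self.log.append(f"t={t} {kind} peer={peer} "
                                f"suppressed={self._suppressed[key]} in previous window")
            self._window_start[key] = t
            self._logged[key] = 0
            self._suppressed[key] = 0
        if self._logged[key] >= self.policy.max_per_window:
            self._suppressed[key] += 1
            return False
        self._logged[key] += 1
        self.log.append(f"t={t} {kind} peer={peer} {detail}")
        return True


# Constructed inbound events: one peer cycling through SPIs, one replayed packet
# from another peer, then one more bad SPI after the 60 s window has rolled over.
SAMPLE_EVENTS = [
    (0.0,  "INVALID_SPI", "192.0.2.10", "spi=0x00000000"),
    (1.0,  "INVALID_SPI", "192.0.2.10", "spi=0x00000001"),
    (2.0,  "INVALID_SPI", "192.0.2.10", "spi=0x00000002"),
    (3.0,  "INVALID_SPI", "192.0.2.10", "spi=0x00000003"),
    (4.0,  "INVALID_SPI", "192.0.2.10", "spi=0x00000004"),
    (5.0,  "REPLAY",      "192.0.2.20", "seq=17"),
    (6.0,  "INVALID_SPI", "192.0.2.10", "spi=0x00000005"),
    (70.0, "INVALID_SPI", "192.0.2.10", "spi=0x00000006"),
]


def run(policy, events=SAMPLE_EVENTS):
    """Feed the constructed events through one site policy; return the log lines."""
    auditor = Auditor(policy)
    for t, kind, peer, detail in events:
        auditor.event(t, kind, peer, detail)
    return auditor.log


if __name__ == "__main__":
    for name, policy in (("paranoid", PARANOID_SITE), ("busy-server", BUSY_SERVER)):
        print(f"--- {name} ---")
        for line in run(policy):
            print(line)
```

With the same eight events, the paranoid profile writes all eight lines, while the busy-server profile writes the first three bad SPIs, silently counts the next three, ignores the replay entirely, and on the first event of the next window writes one summary line ("suppressed=3") before resuming normal logging.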
