Re: MUST vs. SHOULD audit
ho@earth.hpc.org (Hilarie Orman) writes:
>> I'd thought the group would have interest in whether or not receipt of
>> an invalid SA identifier (or any similar event) is significant enough
>> to require logging. I'd thought the reason in favor would be that
>> anything that seemed to indicate an attempt to explore the valid
>> security states of the host would probably indicate an attack attempt,
>> and it would be critically important to notify the administrator, if
>> at all possible. And I'd thought the argument against would be that
>> the built-in safeguards are strong enough to render such attempts
>> feeble and useless.
I think this issue explains why people are against making auditing a
must. Some sites will want to know about every conceivable event.
Some sites will run high-profile services which will get probed so
often that logging such probes would be a waste of cheap disk space.
Having the protocol spec flag certain events as candidates for
auditing seems like a fine idea. However, stating what should or must
be logged seems like it would be more appropriate in a Best Current
Practices (BCP) document, rather than a protocol RFC. You could even
have more than one, from the billion-dollar paranoid financial
industry logging BCP to the toaster oven logging BCP.
Marc
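One way to put this split into code, as an added example that is not part of the thread or of any IPsec implementation: the protocol side only flags an event the spec marks as a candidate for auditing, while a site-configurable policy decides whether to record it and caps repeat entries per source per time window, so a heavily probed host gets one summary line instead of an entry per probe. The event names, class names and policy knobs are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical event labels for the kinds of events the thread mentions.
INVALID_SA_ID = "invalid_sa_id"
AUTH_FAILURE = "auth_failure"


@dataclass
class AuditPolicy:
    """Site policy (the BCP side): which flagged events to record, and how
    many per (event, source) per window before the rest are folded into a
    single summary line instead of filling the log."""
    enabled: dict = field(default_factory=dict)  # event name -> bool
    burst_limit: int = 3                         # detailed entries per window
    window: float = 60.0                         # seconds


class Auditor:
    """The protocol side calls flag(); everything else is policy."""

    def __init__(self, policy: AuditPolicy):
        self.policy = policy
        self.records = []  # stand-in for the real log sink
        # (event, src) -> [window_start, count_in_window]
        self._seen = defaultdict(lambda: [0.0, 0])

    def _summarize(self, event, src, state):
        extra = state[1] - self.policy.burst_limit
        if extra > 0:
            self.records.append(f"{event} from {src}: {extra} further events suppressed")

    def flag(self, event: str, src: str, now: float, detail: str = "") -> bool:
        """Called wherever the spec marks an event as a candidate for auditing.
        Returns True when a detailed record was written."""
        if not self.policy.enabled.get(event, False):
            return False  # this site chose not to audit the event
        state = self._seen[(event, src)]
        if now - state[0] >= self.policy.window:
            self._summarize(event, src, state)  # close the previous window
            state[0], state[1] = now, 0
        state[1] += 1
        if state[1] <= self.policy.burst_limit:
            self.records.append(f"{event} from {src}: {detail}")
            return True
        return False  # over budget for this window: counted, not logged

    def flush(self) -> None:
        """Emit pending summaries (on a timer or at shutdown) so suppressed
        events in a window that never rolled over are not lost."""
        for (event, src), state in self._seen.items():
            self._summarize(event, src, state)
            state[1] = min(state[1], self.policy.burst_limit)
```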