
Re: auditing



Hmm.  Let's look at the text which started this thread..

>   If no valid Security Association exists for this session (e.g., the
>   receiver has no key), the receiver MUST discard the packet and the
>   failure MUST be recorded in an audit log.

This is pretty unambiguous, and goes pretty far.  I read it as saying:

a) you must have auditing.
b) you must not be able to turn auditing off.
	("the failure MUST be recorded in an audit log")

Most of the responses I've seen so far in this thread appear to assume
that (b) is not the case.

I'd like to make a modest suggestion:

change the text to:

	... discard the packet.  This failure MUST be auditable.

and add some common text defining what "auditable" means.

	This document defines several events as being "auditable".

	At a minimum, "auditable" means that an implementation MUST
	provide a mechanism which securely records the fact that the
	event occurred one or more times in the recent past.  Other
	relevant information about the event (time, source address,
	destination address, SPI, etc.) SHOULD also be recorded.

	Auditing MUST be enabled by default, but it MUST be possible
	for an administrator to disable auditing.

[This can easily be tweaked if the consensus is that the default
should be to disable auditing unless explicitly requested.]

---

One cautionary note on circular dependencies:
	
We ran into some serious problems with circular dependencies when
auditing was added to DCE security and was secured by DCE security; in
particular, certain facilities within DCE security which were used by
the audit system could also generate audit records.

A number of people have suggested using various forms of networked
auditing (RADIUS, syslog, etc.) to record events noticed by ipsec.

If you're in a position where the communication with the audit server
may be secured using ipsec, you need to be careful, lest you wind up
in a recursive spiral of death when the SA with your audit server goes
bad..

					- Bill
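
Added example, not part of the original message: a sketch of an audit sink that meets the proposed minimum for "auditable" (a per-event count, optional details, enabled by default, administrator may disable) and does not recurse when delivery to a remote audit server itself raises an auditable failure. The class, function and field names are hypothetical, the addresses and SPIs are constructed sample values, and the in-memory list stands in for whatever secure local store an implementation would use.

```python
import time
from collections import Counter

class Auditor:
    """Hypothetical audit sink; all names here are constructed for illustration."""
    def __init__(self, send_remote, enabled=True):
        self.send_remote = send_remote  # callable(record); may raise OSError
        self.enabled = enabled          # on by default; an administrator may disable
        self.counts = Counter()         # minimum: the event occurred N times
        self.local_log = []             # fallback store that needs no network
        self._delivering = False        # re-entrancy guard

    def audit(self, event, **details):
        if not self.enabled:
            return "disabled"
        self.counts[event] += 1
        record = {"event": event, "time": time.time(), **details}
        if self._delivering:
            # Raised while another record was being sent (for example the SA
            # to the audit server failed): keep it local instead of recursing.
            self.local_log.append(record)
            return "local"
        self._delivering = True
        try:
            self.send_remote(record)
            return "remote"
        except OSError:
            self.local_log.append(record)
            return "local"
        finally:
            self._delivering = False

def demo_broken_audit_sa():
    """Constructed case: the audit server is reached over an SA that has gone bad."""
    def send_over_ipsec(record):
        # The IPsec layer audits its own failure, then the send fails.
        auditor.audit("no_valid_sa", dst="192.0.2.10", spi=0x1001)
        raise OSError("no SA for audit server")
    auditor = Auditor(send_over_ipsec)
    result = auditor.audit("no_valid_sa", src="198.51.100.7", spi=0x2002)
    return auditor, result
```

Without the guard, the nested `audit()` call would try to send again over the same failed SA and repeat until the stack is exhausted; with it, both failures are counted and stored locally.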

