
Re: auditing



I have to agree with those who think that audit support should be a
SHOULD, not a MUST, for the same reasons they cited; it's not a protocol
issue, it should be a host issue, there may be some host environments
where logging isn't possible, etc.

I have two other thoughts.  What happens if the administrator decides
not turn off auditing those types of events, or the other end of the
SNMP trap receiver to which the Cisco router has been forwarding the events
is just ignoring all of the packets and sending the logs to /dev/null?
Does the way the administrator configures a product make that product
non-conformant with the RFC?

Also, why is it so critical that we log packets with non-existent
security associations?  Is the security of IPSEC fundamentally
compromised if system administrators don't review the logs daily looking
for these events?  I understand the desirability of influencing vendors
to provide auditing capability for these sorts of events, but we're in
pretty bad shape if the security of a protocol depends on someone poring
over the audit logs!

							- Ted


