Re: auditing
> > At a minimum, "auditable" means that an implementation MUST
> > provide a mechanism which securely records the fact that the
>                                      ^^^^^^^
> Dan Harkins suggests replacing "records" with "reports",
> which would permit network-based reporting to be substituted
> for local storage if appropriate in some implementation.
I don't have a problem with this change to my amendment..
Note that as worded, a single counter per event (or perhaps a
(counter,timestamp) pair) could conceivably be considered a minimal,
but compliant, implementation of "auditing". I don't think this is an
extreme burden, but it may be too minimalistic for some..
> I have also heard a private suggestion that maybe some of the
> auditing material might be moved into the "Security Considerations"
> section. That wouldn't bother me, though I will observe that verbiage
> anywhere in the RFC is equally binding on implementations.
Hmm. I think that a statement that a given exceptional condition is
an "auditable event" should be right next to the definition of the
exceptional condition. There could be a (redundant) complete list of
auditable events in an appendix or in the security considerations
section..
- Bill