
Re: auditing



> > 	At a minimum, "auditable" means that an implementation MUST
> > 	provide a mechanism which securely records the fact that the
>                                          ^^^^^^^
> 	Dan Harkins suggests replacing "records" with "reports", 
> 	which would permit network-based reporting to be substituted
> 	for local storage if appropriate in some implementation.

I don't have a problem with this change to my amendment..

Note that as worded, a single counter per event (or perhaps a
(counter,timestamp) pair) could conceivably be considered a minimal,
but compliant, implementation of "auditing".  I don't think this is an
extreme burden, but it may be too minimalistic for some..

>   I have also heard a private suggestion that maybe some of the
> auditing material might be moved into the "Security Considerations"
> section.  That wouldn't bother me, though I will observe that verbiage
> anywhere in the RFC is equally binding on implementations.

Hmm.  I think that a statement that a given exceptional condition is
an "auditable event" should be right next to the definition of the
exceptional condition.  There could be a (redundant) complete list of
auditable events in an appendix or in the security considerations
section..

					- Bill

