[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: auditing
Bill Sommerfeld [sommerfeld@apollo.hp.com] writes:
> > At a minimum, "auditable" means that an implementation
MUST
> > provide a mechanism which securely records the fact that
the
> ^^^^^^^
> Dan Harkins suggests replacing "records" with "reports",
> which would permit network-based reporting to be
substituted
* for local storage if appropriate in some implementation.
I would second this suggestion. I am concerned with the word "securely"
in the above, however. For example, neither of the popular suggestions
I've heard for auditing (syslog, RADIUS) qualify as being particularly
secure in my mind. I would be much more comfortable if we eithe a)
removed or b) more closely defined the word "securely". Must the audit
messages (if sent on the net) be tamper-proof? Encrypted?
I don't have a problem with this change to my amendment..
Note that as worded, a single counter per event (or perhaps a
(counter,timestamp) pair) could conceivably be considered a
minimal,
but compliant, implementation of "auditing". I don't think this
is an
extreme burden, but it may be too minimalistic for some..
> I have also heard a private suggestion that maybe some of
the
> auditing material might be moved into the "Security
Considerations"
> section. That wouldn't bother me, though I will observe that
verbage
> anywhere in the RFC is equally binding on implementations.
Hmm. I think that a statement that a given exceptional
condition is
an "auditable event" should be right next to the defintion of
the
exceptional condition. There could be a (redundant) complete
list of
auditable events in an appendix or in the security
considerations
section..
- Bill