re: audit trail standards

Steve Smaha (Smaha@DOCKMASTER.NCSC.MIL)
Thu, 15 Sep 94 17:55 EDT

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: *Hobbit*: "Son of Tripwire??"
Previous message: tlunt@ARPA.MIL: "Re: Hallo everybody"

Concerning audit trail standardization:

1.  Yes, there are proposed standards.  We developed a Unix audit
data interchange format which was proposed to POSIX 1003.6 and 
X/OPEN as a co-sponsored activity of Bellcore and Haystack Labs.  
There was some talk of IBM sponsoring it to go to COSE, but COSE has 
not gotten much involved with system management issues yet.  (They're 
too busy with the 1170 functions in their current API, and fighting
off the new version of Motif!)

The standard, which we call "svr4++" for reasons explained in the
specification, is about 400 lines long; if y'all want the standard 
posted, I'll be happy to do so.  A reference implementation
(that converts SunOS BSM to svr4++) is also available in ANSI C.

We wanted to provide some standardization across Unix platforms
to facilitate our development of third-party audit analysis tools.
We use it in our commercially-supported audit analysis and intrusion
detection tools on Sun and IBM platforms, and we designed it to
work with all the SecureWare-based audit trails, as well.

I've presented talks on this topic at two of the SRI-sponsored
Intrusion Detection Workshops over the past three years.

2.  Our idea was to have a standard interchange format among those
Unix audit trails.  Maybe after we've done a good job with Unix, we
could try to generalize to other operating system audit trails.
After 7 years of working with audit trails, from mainframes to
routers, I am quite certain that one cannot develop a meaningful 
intermediate form that covers everything reported from everything 
made of silicon.  If you have ever looked at IBM MVS SMF records,
or the stuff on a Unisys mainframe, you know that the underlying
semantics of audit events vary substantially.

3.  There is also some ISO work in this area, but I believe their 
level of abstraction is so high as to be almost worthless for an actual
usable implementation.  It is mainly oriented towards network
alarms and alerts.  Audit trails should not be confused with network
management alarms.

Steve Smaha

Haystack Labs, Inc., 10713 RR620 North, Suite 521 Austin, TX 78726
512-918-3555 (voice), 512-918-1265 (fax), smaha@dockmaster.ncsc.mil

Next message: *Hobbit*: "Son of Tripwire??"
Previous message: tlunt@ARPA.MIL: "Re: Hallo everybody"