Concerning audit trail standardization:

1. Yes, there are proposed standards. We developed a Unix audit data interchange format which was proposed to POSIX 1003.6 and X/OPEN as a co-sponsored activity of Bellcore and Haystack Labs. There was some talk of IBM sponsoring it to go to COSE, but COSE has not gotten much involved with system management issues yet. (They're too busy with the 1170 functions in their current API, and fighting off the new version of Motif!) The standard, which we call "svr4++" for reasons explained in the specification, is about 400 lines long; if y'all want the standard posted, I'll be happy to do so. A reference implementation (that converts SunOS BSM to svr4++) is also available in ANSI C. We wanted to provide some standardization across Unix platforms to facilitate our development of third-party audit analysis tools. We use it in our commercially-supported audit analysis and intrusion detection tools on Sun and IBM platforms, and we designed it to work with all the SecureWare-based audit trails, as well. I've presented talks on this topic at two of the SRI-sponsored Intrusion Detection Workshops over the past three years.

2. Our idea was to have a standard interchange format among those Unix audit trails. Maybe after we've done a good job with Unix, we could try to generalize to other operating system audit trails. After 7 years of working with audit trails, from mainframes to routers, I am quite certain that one cannot develop a meaningful intermediate form that covers everything reported from everything made of silicon. If you have ever looked at IBM MVS SMF records, or the stuff on a Unisys mainframe, you know that the underlying semantics of audit events vary substantially.

3. There is also some ISO work in this area, but I believe their level of abstraction is so high as to be almost worthless for an actual usable implementation. It is mainly oriented towards network alarms and alerts. Audit trails should not be confused with network management alarms.

Steve Smaha
Haystack Labs, Inc.
10713 RR620 North, Suite 521
Austin, TX 78726
512-918-3555 (voice), 512-918-1265 (fax)
smaha@dockmaster.ncsc.mil
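An added example (not from the message above, and not the svr4++ specification or Haystack Labs' reference implementation, neither of which appears on this page) of the interchange-format idea in points 1 and 2: two hypothetical, constructed audit-trail formats are converted into one common record, and the example makes the semantic gap visible instead of hiding it. Fields the common schema cannot express (a session id, a tty) are carried as opaque extensions, unknown event types are flagged rather than guessed, and the subject identity is deliberately left in each source's own terms (a numeric uid in one, a login name in the other), because the converter has no grounds to equate them. Format names, field names, event vocabularies and sample lines are all assumptions made for this example.

```python
"""Toy audit-trail interchange converter (example code, not svr4++).

Source formats A and B, their field names and their event names are
constructed for this example; the sample lines are likewise constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AuditRecord:
    """Common interchange record: the fields every source can fill."""
    timestamp: int                  # seconds since the epoch, UTC
    host: str
    event: str                      # common event vocabulary, or "unknown:<src>"
    subject: str                    # acting user, in the source's own terms
    obj: str                        # object acted on; "" if not applicable
    outcome: str                    # "success" or "failure"
    extensions: dict = field(default_factory=dict)  # source fields with no common slot


# Constructed format A: positional, pipe-delimited, ISO 8601 time (treated as UTC).
#   time|host|evtype|uid|path|rc
SAMPLE_A = [
    "1994-03-10T08:15:02|sparc1|open_r|102|/etc/passwd|0",
    "1994-03-10T08:15:03|sparc1|exec|102|/usr/bin/su|1",
]

# Constructed format B: key=value, epoch seconds, different event names,
# plus fields (session, tty) that the common record has no slot for.
SAMPLE_B = [
    "ts=763287302 node=rs6k02 ev=FILE_READ user=alice obj=/etc/passwd status=OK session=7",
    "ts=763287310 node=rs6k02 ev=LOGIN user=alice status=FAIL tty=pts/3",
]

# Per-source event vocabularies mapped onto the common one (assumed names).
EVENT_A = {"open_r": "file_read", "open_w": "file_write", "exec": "process_exec"}
EVENT_B = {"FILE_READ": "file_read", "FILE_WRITE": "file_write", "LOGIN": "login"}


def parse_a(line: str) -> AuditRecord:
    t, host, ev, uid, path, rc = line.split("|")
    ts = int(datetime.fromisoformat(t).replace(tzinfo=timezone.utc).timestamp())
    ext = {} if ev in EVENT_A else {"a.evtype": ev}   # keep the raw type if unmapped
    return AuditRecord(ts, host, EVENT_A.get(ev, "unknown:" + ev), "uid:" + uid,
                       path, "success" if rc == "0" else "failure", ext)


def parse_b(line: str) -> AuditRecord:
    kv = dict(tok.split("=", 1) for tok in line.split())
    known = {"ts", "node", "ev", "user", "obj", "status"}
    ev = kv["ev"]
    # Anything outside the common schema survives as a namespaced extension.
    ext = {"b." + k: v for k, v in kv.items() if k not in known}
    if ev not in EVENT_B:
        ext["b.ev"] = ev
    return AuditRecord(int(kv["ts"]), kv["node"], EVENT_B.get(ev, "unknown:" + ev),
                       "user:" + kv["user"], kv.get("obj", ""),
                       "success" if kv["status"] == "OK" else "failure", ext)


PARSERS = {"A": parse_a, "B": parse_b}


def convert(fmt: str, lines: list[str]) -> list[AuditRecord]:
    """Convert raw lines of one source format into interchange records."""
    return [PARSERS[fmt](line) for line in lines]


def lossy_fields(records: list[AuditRecord]) -> list[str]:
    """Source fields that only survived as extensions, i.e. what the common
    schema could not express for these records."""
    names: set[str] = set()
    for r in records:
        names.update(r.extensions)
    return sorted(names)


if __name__ == "__main__":
    for fmt, lines in (("A", SAMPLE_A), ("B", SAMPLE_B)):
        recs = convert(fmt, lines)
        for r in recs:
            print(fmt, r)
        print(fmt, "fields kept only as extensions:", lossy_fields(recs))
```

Two things the run makes visible that a single flat schema would hide: the first A and B records land on the same second, host aside, and both normalize to file_read on /etc/passwd, yet their subjects (uid:102 and user:alice) still cannot be equated without out-of-band account data; and the B records lose nothing, but their session and tty fields are only reachable through the extensions dict, which is exactly the part of an interchange format an analysis tool has to decide how to treat.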