Functional Requirements for XDAS
Security events are detected outside the XDAS by an operating system or by applications. The requirements on a distributed audit service are as follows:
- Handle event records newly generated at the local API level.
- Support the pre-selection of criteria for the detection of an event, thereby reducing the number of audit events generated and analysed.
- Filter and analyse records for instances or accumulations of pre-determined security events, and trigger timely notification. These filters shall be driven by parameters in a standard format. Three types of event or compound event are identified:
  - a single record selected by one or more fields
  - sequences of selected
  - timed sequences of
- Generate local alarms.
- Generate messages to be passed to the audit system management interface.
- Take pre-defined action on the occurrence of specific events.
- Receive records passed on from another system in a standard format and re-interpret them in the context of extra information available from the event records arriving from other systems.
Audit Service Management
These generic requirements are out of scope for the XDAS:
- Support a consistent
- Integrate the audit system management interface with other elements in the system management infrastructure, including logs, protocols, databases and the management of authorisations.
- Support both Remote and Local
The XDAS must support role-based decentralised administration, such that individuals are only presented with the data that apply to their area of responsibility.
- Support both equivalent GUI and command line access, so that the functions are available regardless of the mode of interaction.
Audit Event Management
The following are requirements on the Audit Event Management interface:
- Support the configuration of the disposition of audit alarms, such that the audit event source and type can be sent to a particular destination, and to a particular role at that destination, to be actioned.
- Provide a set of standard calls to modify the parameters which define the filtering performed. These are used to configure the actions taken by the filtering and analysis component on each system. They may be originated by an operator or automatically as a result of event processing.
- Support two types of configuration: static configuration and dynamic configuration. With static configuration, the levels of audit data to be generated are pre-set by operator intervention. With dynamic configuration, the events or series of events detected are used to re-configure the filters on the monitor. Reconfiguration can involve increasing or decreasing the level of monitoring activity, as deemed appropriate by the analysis of the event or series of
- Determine and effect change to the configuration of security event detection on each of the platforms in a distributed environment. If several systems are monitored and all have a common requirement for maintaining a particular level of event logging, then a single definition should be applied to all.
- Record a security event message whenever a change to the configuration of the event discrimination service is made.
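The three requirements above (static versus dynamic configuration, one definition applied to several platforms, and a recorded security event for every configuration change) fit together in one small event-management component. This is an added example written for this page, not XDAS code. The level names ("minimal", "normal", "verbose"), the platform names, the failure threshold and the "login_failure" / "login_success" messages are assumptions for illustration; the event stream is constructed inline.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ConfigChange:
    """Security event recorded whenever the detection configuration changes."""
    time: datetime
    platform: str
    old_level: str
    new_level: str
    origin: str   # "operator" for static configuration, "analysis" for dynamic


class AuditEventManager:
    """Holds the event-detection level of each monitored platform."""

    def __init__(self, platforms: list[str], initial: str = "normal") -> None:
        self.level: dict[str, str] = {p: initial for p in platforms}
        self.changes: list[ConfigChange] = []   # one security event per reconfiguration
        self._failures: dict[str, int] = {}     # consecutive login failures per platform

    def set_level(self, platforms: list[str], level: str, origin: str, when: datetime) -> int:
        """Apply one level definition to every named platform (a single definition for
        a common requirement). Returns how many platforms actually changed; each
        change is recorded as a security event, unchanged platforms are not."""
        changed = 0
        for p in platforms:
            old = self.level[p]
            if old == level:
                continue
            self.level[p] = level
            self.changes.append(ConfigChange(when, p, old, level, origin))
            changed += 1
        return changed

    def observe(self, platform: str, message: str, when: datetime, threshold: int = 3) -> None:
        """Dynamic configuration: analysis of incoming events reconfigures the monitor.
        Repeated login failures raise the platform to 'verbose'; a later success
        drops it back to 'normal'. Both directions are recorded via set_level."""
        if message == "login_failure":
            n = self._failures.get(platform, 0) + 1
            self._failures[platform] = n
            if n >= threshold:
                self.set_level([platform], "verbose", "analysis", when)
        elif message == "login_success":
            self._failures[platform] = 0
            if self.level[platform] == "verbose":
                self.set_level([platform], "normal", "analysis", when)


def run_example() -> AuditEventManager:
    """Constructed scenario: static operator settings interleaved with dynamic changes."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    mgr = AuditEventManager(["hostA", "hostB", "hostC"])
    # static configuration: the operator applies one definition to all platforms
    mgr.set_level(["hostA", "hostB", "hostC"], "minimal", "operator", t0)
    # constructed events from hostB: the third failure trips the threshold,
    # the fourth changes nothing because hostB is already verbose
    for i in range(4):
        mgr.observe("hostB", "login_failure", t0 + timedelta(seconds=10 * i))
    mgr.observe("hostB", "login_success", t0 + timedelta(seconds=60))
    # the operator later restores the remaining platforms
    mgr.set_level(["hostA", "hostC"], "normal", "operator", t0 + timedelta(hours=1))
    return mgr


if __name__ == "__main__":
    for c in run_example().changes:
        print(f"{c.time.isoformat()} {c.platform}: {c.old_level} -> {c.new_level} ({c.origin})")
```

The scenario yields seven recorded configuration changes: five originated by the operator and two by analysis (hostB raised to verbose after three failures, then lowered after the success). The fourth failure produces no record because it causes no change, which keeps the configuration audit trail free of duplicate entries.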
Audit Log Management
Audit Log Management requirements are out of scope for the XDAS. They are as follows:
- Log records to a protected audit record repository.
- Ensure that the sequence of events recorded is a reflection of what actually transpired. Thus, any mechanism which generates audit data should incorporate a header, or common set of data, which is co-ordinated with the other systems with which it interacts. The header should contain a minimum set of information describing the date, time, location, initiator, target, message, etc., of the activity
Platforms, applications and network services should have the ability to add domain specific information to the
Audit Log Retrieval
The Audit Log Enquiry requirements
- Provide a common format definition for the audit log.
- Support queries on the audit log against a set of selection criteria. The XDAS does not support this requirement.
© 1995-2010 Sales