Functionality Requirements for XDAS

Functional Requirements for XDAS

Audit Event Services

Security events are detected outside the XDAS by an operating system or applications. The requirements on a distributed audit service are as follows

To handle event records newly generated at the local API level.
The audit facility shall support the pre-selection of criteria for the detection of an event, thereby reducing the numbers of audit events generated and analysed.
Filter and analyse records for instances or accumulations of pre-determined security events, and trigger timely notification. These filters shall be driven by parameters in a standard format. Three types of event or compound event are identified:
- a single record selected by one or more fields
- sequences of selected records
- timed sequences of records
Generate local alarms.
Generate messages to be passed to the audit system management interface.
Take pre-defined action on the occurrence of specific events.
Receive records passed on from another system in a standard format and re-interpret them in the context of extra information available from the event records arriving from other systems.

These generic requirements are out of scope for the XDAS:

Support a consistent management interface.
Integrate the audit system management interface with other elements in the system management infrastructure, including logs, protocols and databases and the management of authorisations.
Support both Remote and Local Administration
The XDAS must support role-based decentralised administration, such that individuals are only presented with the data that apply to their area of responsibility.
Support both equivalent GUI and command line access so that the functions are available regardless of the mode of interaction.

The following are requirements on the Audit Event Management interface:

Support the configuration of the disposition of audit alarms, such that the audit event source and type can be sent to a particular destination, and to a particular role at that destination to be actioned.
Provide a set of standard calls to modify the parameters which define the filtering performed. These are used to configure the actions taken by the filtering and analysis component on each system. They may be originated by an operator or automatically as a result of event processing.
Support two types of configuration: \f2static configuration\fP and \f2dynamic configuration\fP.
With \f2static configuration\fP, the levels of audit data to be generated are pre-set by operator intervention. With \f2dynamic configuration\fP, the events or series of events detected are used to re-configure the filters on the monitor. Reconfiguration can involve increasing or decreasing the level of monitoring activity, as deemed appropriate by the analysis of the event or series of events.
Determine and effect change to the configuration of security event detection on each of the platforms in a distributed environment. If several systems are monitored and all have a common requirement for maintaining a particular level of event logging, then a single definition should be applied to all.
Record a security event message whenever a change to the configuration of the event discrimination service is made.

Audit Log Management requirements are out of scope of the XDAS. They are as follows:

Log records to a protected audit record repository.
Ensure that the sequence of events recorded is a reflection of what actually transpired. Thus, any mechanism which generates audit data should incorporate a \f2header\fP or common set of data which is co-ordinated with other systems with which it interacts. The header should contain a minimum set of information describing the date, time, location, initiator, target, message, etc., of the activity Platforms, applications and network services should have the ability to add domain specific information to the information set.

The Audit Log Enquiry requirements are:

Provide a common format definition for the audit log.
Support queries on the audit log against a set of selection criteria. The XDAS does not support this requirement.