Distributed Audit Service (XDAS)
Copyright © 1998 The Open Group
Introduction
The purpose of security audit services is to provide support for:
- the principle of accountability, that is, holding users of a system accountable for their actions within the system, and
- detection of security policy violations, that is, the detection of attempts by unauthorized individuals to access the system and of attempts by authorized users to misuse their access to the system.
Many components of distributed systems now include some form of security
auditing or event logging capability whereby the component records
events deemed to have security relevance within the domain of that
component. These services are provided via component specific interfaces and
use component specific audit record formats.
However, within distributed systems, security-relevant activity is not isolated within individual components but spans many of them. For example, an intrusion attempt may be made via multiple entry points to the distributed system rather than being focused through a single point of entry. Also, the purpose of a distributed system is to enable its end-users to utilize the resources of components throughout the system, not just those of their local workstation.
Within a distributed system it is therefore necessary to monitor activity across and between components. This is made difficult by the current component-specific approaches: it is not easy to compare activity across system components when the events monitored and the record formats differ, and it is especially difficult to do so quickly enough to detect and respond to intrusion attempts.
The objective of the XDAS specification is to define:
- a set of generic events of relevance at a global distributed system level, for example end-user system sign-on and the initiation and termination of communication sessions.
- a common portable audit record format to facilitate the merging and analysis of audit information from multiple components at the distributed system level.
- an API for use by applications to submit events to XDAS.
- an API to import audit data from existing component-specific audit services to XDAS.
- an API to configure event preselection criteria for event submission to XDAS.
- an API to read records from an XDAS audit trail.
This service is intended to complement existing component-specific audit services, not to replace them. Such local audit services are also likely to handle events, and a level of detail, that may be irrelevant at the global level of XDAS.
Interfaces are supported for use by four different types of applications:
- an API to submit events to the audit service, for use by applications that generate audit records and use XDAS to log such events.
- an API and a common audit event record format for use by existing component-specific audit services to import audit records into the XDAS audit stream for distributed system level analysis.
- an API to support the configuration of event preselection criteria and event disposition actions, for use by XDAS audit event management applications.
- an API together with a common audit event record format, for use by audit log analysis applications.
The XDAS-API provides the following benefits:
- Application developers have a common API, a generic set of audit events, and a common audit format regardless of the platform on which the XDAS service is running. This benefits the developers both of applications that detect and record security-relevant events and of applications that analyze audit events.
- Platform and application infrastructure vendors are able to support the needs of users at the distributed system level within a heterogeneous environment without having to re-engineer their existing operating system or application-specific audit service implementations, and without the performance implications such re-engineering might bring.
- End-user organizations benefit through increased effectiveness in enforcing individual accountability within a distributed environment.
Business Requirements
The following business requirements for a distributed audit service have been identified. They are detailed in full in this section to convey the overall service context that XDAS is intended to be capable of supporting. The current scope of the XDAS specification is not intended to encompass all these requirements, but to provide a basic level of service on which the more complete requirements may eventually be satisfied by applications built on the XDAS functions.
The requirements are grouped according to audit event services, audit service management, audit event management, audit log management and audit event enquiry facilities.
Audit Event Services
Security events are detected outside XDAS, by an operating system or by applications. The requirements on a distributed audit service are as follows:
- Handle event records newly generated at the local API level.
- Support the preselection of criteria for the submission of an event, thereby reducing the number of audit events generated and analyzed.
- Filter and analyze records for instances or accumulations of pre-determined security events, and trigger timely notification. These filters shall be driven by parameters in a standard format. Three types of event or compound event are identified:
  - a single record selected by one or more fields
  - sequences of selected records
  - timed sequences of records
- Generate local alarms.
- Generate messages to be passed to the audit service management interface.
- Take pre-defined action on the occurrence of specific events.
- Receive records passed on from another system in a standard format and re-interpret them in the context of extra information available from event records arriving from other systems.
Of these requirements, the scope of this XDAS specification provides support for:
- The submission of audit events via an API.
- The return, via the API, to calling applications of the result of applying preselection criteria.
- The capability to define basic forms of event disposition (e.g., log, alarm, action) which can be acted upon by an audit analysis application to meet the other requirements defined above.
Audit Service Management
The business requirements for the user interface for managing the audit service are:
- Support a consistent management interface.
- Integrate the audit system management interface with other elements in the system management infrastructure, including logs, protocols and databases and the management of authorizations.
- Support both remote and local administration. The XDAS must support role-based decentralized administration, such that individuals are only presented with the data that apply to their area of responsibility.
- Support equivalent GUI and command line access, so that the functions are available regardless of the mode of interaction.
None of these requirements is within the scope of this XDAS specification. However, it does define an API for audit event filter management and an authorization model that can be used to support role-based access control. This facilitates the development of management applications to meet the above requirements.
Audit Event Management
The following are requirements on the Audit Event Management interface:
- Support the configuration of the disposition of audit alarms, such that audit events of a specific source and type can be sent to a particular destination, and to a particular role at that destination, to be actioned.
- Provide a set of standard calls to modify the parameters which define the filtering performed. These are used to configure the actions taken by the filtering and analysis component on each system. They may be originated by an operator or automatically as a result of event processing.
- Support two types of configuration: static configuration and dynamic configuration. With static configuration, the levels of audit data to be generated are pre-set by operator intervention. With dynamic configuration, the events or series of events detected are used to re-configure the filters on the monitor. Reconfiguration can involve increasing or decreasing the level of monitoring activity, as deemed appropriate by the analysis of the event or series of events.
- Determine and effect change to the configuration of security event detection on each of the platforms in a distributed environment. If several systems are monitored and all have a common requirement for maintaining a particular level of event logging, then a single definition should be applied to all.
- Be able to record a security event message whenever a change to the configuration of the event discrimination service is made.
The scope of the XDAS specification does not directly include any of the above functionality. It is expected that much of this functionality may eventually be included within implementations. However, interfaces to event management services are being defined in other specifications (see XEMS). The XDAS Model section includes an example of how an XDAS system may be implemented over an event management service.
This XDAS specification defines an API including functions for the definition, enabling and disabling of filtering criteria and the definition of the disposition of events based on those criteria. This API may be used to develop applications that provide the higher level services described above.
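The three types of filter listed under Audit Event Services (a single record selected by fields, a sequence of selected records, a timed sequence), the log/alarm/action dispositions, and the dynamic reconfiguration described above can be illustrated together. The following Python is an added example, not code from the XDAS specification or from any XDAS implementation: the record field names, the disposition names and the way an "action" installs a new filter are assumptions chosen to follow the text, and the events are constructed samples.

```python
"""Illustrative preselection filters, dispositions and dynamic reconfiguration.

Added example, not code from the XDAS specification or any XDAS implementation.
Record field names (timestamp, originator, initiator, target, event, outcome),
disposition names (log, alarm, action) and the "action re-configures the filter
set" behaviour are assumptions chosen to follow the requirements text.
"""
from collections import defaultdict, deque

# Constructed sample events: four failed sign-ons by one initiator spread over
# two components, then a success, then an unrelated event by another user.
SAMPLE_EVENTS = [
    {"timestamp": 100.0, "originator": "hostA", "initiator": "alice", "target": "hostA", "event": "sign_on", "outcome": "failure"},
    {"timestamp": 105.0, "originator": "hostB", "initiator": "alice", "target": "hostB", "event": "sign_on", "outcome": "failure"},
    {"timestamp": 107.0, "originator": "hostA", "initiator": "alice", "target": "hostA", "event": "sign_on", "outcome": "failure"},
    {"timestamp": 108.0, "originator": "hostB", "initiator": "alice", "target": "hostB", "event": "sign_on", "outcome": "failure"},
    {"timestamp": 400.0, "originator": "hostB", "initiator": "alice", "target": "hostB", "event": "sign_on", "outcome": "success"},
    {"timestamp": 401.0, "originator": "hostB", "initiator": "bob", "target": "/data/x", "event": "file_read", "outcome": "success"},
]


class SingleRecordFilter:
    """Type 1: one record selected by equality on one or more fields."""
    def __init__(self, name, disposition, **criteria):
        self.name, self.disposition, self.criteria = name, disposition, criteria

    def feed(self, rec):
        return all(rec.get(k) == v for k, v in self.criteria.items())


class SequenceFilter:
    """Type 2: `count` records satisfying `match` for the same `key` value
    (e.g. the same initiator), however far apart in time."""
    def __init__(self, name, disposition, match, key, count):
        self.name, self.disposition = name, disposition
        self.match, self.key, self.count = match, key, count
        self.seen = defaultdict(int)

    def feed(self, rec):
        if not self.match(rec):
            return False
        k = rec[self.key]
        self.seen[k] += 1
        if self.seen[k] < self.count:
            return False
        self.seen[k] = 0          # re-arm after firing
        return True


class TimedSequenceFilter(SequenceFilter):
    """Type 3: as SequenceFilter, but all `count` records must fall within
    `window` seconds of each other."""
    def __init__(self, name, disposition, match, key, count, window):
        super().__init__(name, disposition, match, key, count)
        self.window = window
        self.times = defaultdict(deque)

    def feed(self, rec):
        if not self.match(rec):
            return False
        q = self.times[rec[self.key]]
        q.append(rec["timestamp"])
        while q and rec["timestamp"] - q[0] > self.window:
            q.popleft()           # drop records that fell out of the window
        if len(q) < self.count:
            return False
        q.clear()
        return True


class Engine:
    """Feeds each submitted record to the filter set and records every hit with
    its disposition. An "action" disposition may return new filters: this is
    the event-driven (dynamic) reconfiguration described in the text."""
    def __init__(self, filters, on_action=None):
        self.filters, self.on_action, self.hits = list(filters), on_action, []

    def submit(self, rec):
        added = []
        for f in list(self.filters):          # snapshot: new filters see later records only
            if f.feed(rec):
                self.hits.append((rec, f.name, f.disposition))
                if f.disposition == "action" and self.on_action:
                    added.extend(self.on_action(rec, f))
        self.filters.extend(added)


def watch_initiator(rec, fired_filter):
    """Reconfiguration: raise monitoring for the offending initiator by logging
    every subsequent record it appears in (assumed policy, for illustration)."""
    return [SingleRecordFilter(f"watch-{rec['initiator']}", "log", initiator=rec["initiator"])]


def demo():
    failed = lambda r: r["event"] == "sign_on" and r["outcome"] == "failure"
    engine = Engine([
        SingleRecordFilter("any-file-read", "log", event="file_read"),
        SequenceFilter("3-failed-signons", "alarm", failed, "initiator", 3),
        TimedSequenceFilter("3-failed-signons-in-5s", "action", failed, "initiator", 3, 5.0),
    ], on_action=watch_initiator)
    for rec in SAMPLE_EVENTS:
        engine.submit(rec)
    return engine.hits
```

Running `demo()` shows the difference between the two compound filters: the untimed sequence filter raises its alarm on the third failure at t=107 even though the failures are spread over seven seconds, whereas the five-second timed filter only fires at t=108, when three failures fall inside one window. That firing carries the "action" disposition, which installs a watch on alice, so her later successful sign-on at t=400 is logged although no statically configured filter selects it.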
Audit Log Management
Audit Log Management requirements are:
- Log records to a protected audit record repository.
- Ensure that the sequence of events recorded is a reflection of what actually transpired. Thus, any mechanism which generates audit data should incorporate a header or common set of data which is co-ordinated with other systems with which it interacts. The header should contain a minimum set of information describing the date, time, location, initiator, target, message, etc., of the activity. Platforms, applications and network services shall have the ability to add domain-specific information to the information set.
The scope of this XDAS specification includes the definition of the contents of an audit record, including the provision for domain-specific information, for the purposes of analysis and the exchange and merging of audit event records. The internal format of audit logs and interfaces for the management of those logs are not within the scope of this version of XDAS.
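The following Python is an added example, not the XDAS record format itself (whose exact field set this section does not give), of importing records from two constructed component-specific sources into a common record that carries the minimum header listed above plus a domain-specific extension, and then merging the two streams into one time-ordered trail. The header field names, the two source formats and the event vocabulary are assumptions.

```python
"""Importing component-specific audit records into one common record format.

Added example, not the XDAS record format or API. The common header used here
(time, location, initiator, target, event, outcome) follows the minimum header
this section lists; both source formats are constructed stand-ins for
component-specific audit logs.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample: a text-line login log from one component ...
UNIX_LINES = """\
2024-03-01T10:00:05Z hostA login user=alice tty=pts/0 result=FAIL
2024-03-01T10:00:09Z hostA login user=alice tty=pts/0 result=OK
"""
# ... and a JSON event from another component with its own vocabulary.
APP_EVENTS = """\
{"ts": 1709287203, "node": "hostB", "who": "alice", "op": "READ", "object": "/data/payroll.csv", "status": 0, "bytes": 4096}
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<op>\S+) (?P<kv>.*)$")


def _common(time, location, initiator, target, event, outcome, domain, extension):
    """Build a common record: fixed header plus a domain-specific extension
    that keeps whatever the source knew but the header has no slot for."""
    return {"time": time, "location": location, "initiator": initiator,
            "target": target, "event": event, "outcome": outcome,
            "domain": domain, "extension": extension}


def import_unix_lines(text):
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # lines we cannot parse are skipped, not guessed
        kv = dict(p.split("=", 1) for p in m["kv"].split())
        t = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(_common(t.timestamp(), m["host"], kv.get("user"), m["host"],
                           "sign_on" if m["op"] == "login" else m["op"],
                           "success" if kv.get("result") == "OK" else "failure",
                           "unix-login", {"tty": kv.get("tty")}))
    return out


def import_app_events(text):
    out = []
    for line in text.splitlines():
        e = json.loads(line)
        out.append(_common(float(e["ts"]), e["node"], e["who"], e["object"],
                           "resource_access", "success" if e["status"] == 0 else "failure",
                           "app-db", {"op": e["op"], "bytes": e["bytes"]}))
    return out


def merge(*streams):
    """Merge already-normalized streams into one trail ordered by header time."""
    return sorted((r for s in streams for r in s), key=lambda r: r["time"])


def demo():
    return merge(import_unix_lines(UNIX_LINES), import_app_events(APP_EVENTS))
```

Because both sources are reduced to the same header before merging, an analysis application can see that the read of the payroll file on hostB happened two seconds before the failed sign-on on hostA without knowing either source format, and the component-specific detail (tty, byte count) survives in the extension instead of being discarded. The ordering is only as trustworthy as the clocks behind the timestamps, which is why the requirement above asks that the header be co-ordinated between the interacting systems.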
Audit Event Enquiry
The Audit Event Enquiry requirements are:
- Define a common format for audit events for use by analysis applications.
A common format for audit events is defined by this XDAS specification.
Functional Scope of XDAS Specification
This subsection summarizes the functions that are within scope and out
of scope for this version of the XDAS specification.
Within Scope
The XDAS provides a set of primitives only, which are used by audit applications. This version of the XDAS specification provides support for:
- The submission of audit events by an application via an API.
- The import of audit events from an existing audit service via an API.
- The return to calling applications of the result of applying preselection criteria, for both the event submission and event import APIs.
- An API for the definition of audit event filters, defining preselection criteria and basic forms of event disposition (e.g., log, alarm, action) which can be acted upon by audit analysis applications.
- An authorization model that can be used to support role-based access control. This facilitates the development of management applications supporting roles and subdivision of duties.
- A common format for audit events for use by analysis applications. This format includes both basic audit information and provision for domain-specific information, and facilitates the development of audit analysis applications, including the exchange and merging of audit event records within distributed environments.
Out of Scope
The following facilities and services are deemed to be out of scope.
Security Requirements
An implementation of the XDAS needs to meet the following security requirements:
- Prevent unauthorized recording of audit event records.
- Prevent unauthorized modification of the audit service configuration data.
- Prevent unauthorized modification of the event detection records.
- Prevent unauthorized disclosure of the event records.
- Support adequate separation of duties for users.
- Provide appropriate measures in dealing with an unauthorized denial of service, for example by suspending an offending process, if appropriate.
- Protect audit service configuration data.
- Protect the audit log and its contents from any unauthorized modification or deletion.
- Protect the audit log by making it accessible only to principals acting in specific administrative or security roles.
The security requirements shall be met by using underlying distributed system security services and platform security services wherever possible.
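The specification states the requirement that the audit log be protected from unauthorized modification or deletion but, as the last sentence says, leaves the mechanism to the underlying platform. One mechanism a repository can use to at least detect such tampering after the fact is a hash chain over the entries. The following Python is an added example of that technique, not something the XDAS specification prescribes; the record fields are assumptions and the records are constructed.

```python
"""Tamper-evident audit trail using a hash chain.

Added example, not a mechanism prescribed by the XDAS specification. A hash
chain lets a repository detect (not prevent) edits, deletions and reordering
after the fact; it only helps if the current chain head is kept somewhere the
log writer cannot alter, e.g. forwarded to a separate host. Records are
constructed samples and the field names are assumptions.
"""
import copy
import hashlib
import json

GENESIS = "0" * 64


def _entry_hash(seq, prev, record):
    """SHA-256 over the sequence number, the previous hash and a canonical JSON
    encoding of the record, so key order or whitespace cannot change the digest."""
    body = json.dumps({"seq": seq, "prev": prev, "record": record},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


def append(trail, record):
    """Append a record; the new entry commits to the previous entry's hash.
    Returns the new chain head, which should be stored outside the writer's reach."""
    prev = trail[-1]["hash"] if trail else GENESIS
    seq = len(trail)
    entry = {"seq": seq, "prev": prev, "record": record,
             "hash": _entry_hash(seq, prev, record)}
    trail.append(entry)
    return entry["hash"]


def verify(trail, expected_head):
    """Return (ok, first_bad_seq). A modified, reordered or removed entry breaks
    the chain at that position; a truncated tail leaves an internally valid
    chain whose head no longer matches the separately stored head."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        if entry["seq"] != i or entry["prev"] != prev:
            return False, i
        if _entry_hash(i, prev, entry["record"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    if prev != expected_head:
        return False, len(trail)
    return True, None


def demo():
    trail = []
    head = GENESIS
    for rec in [
        {"time": 100.0, "initiator": "alice", "target": "hostA", "event": "sign_on", "outcome": "failure"},
        {"time": 105.0, "initiator": "alice", "target": "hostA", "event": "sign_on", "outcome": "failure"},
        {"time": 130.0, "initiator": "alice", "target": "hostA", "event": "sign_on", "outcome": "success"},
    ]:
        head = append(trail, rec)
    intact = verify(trail, head)

    # Tampering 1: someone with write access rewrites an outcome in place.
    edited = copy.deepcopy(trail)
    edited[1]["record"]["outcome"] = "success"
    edit_detected = verify(edited, head)

    # Tampering 2: the last record is deleted; the chain stays internally valid,
    # so only the externally held head reveals the loss.
    truncation_detected = verify(trail[:-1], head)
    return intact, edit_detected, truncation_detected
```

The second tampering case is the one worth noting: deleting the most recent entries leaves every remaining hash consistent, so a verifier that only walks the chain sees nothing wrong. Detection depends entirely on comparing against a head recorded somewhere the attacker cannot rewrite, which is exactly the separation of duties and role-restricted access the requirements above call for.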
Non-functional Requirements
The following non-functional requirements have been taken as input to this specification:
- the XDAS shall be application independent.
- the XDAS shall not impose a particular placement of access control to distributed audit services within an operating system kernel.
- the XDAS shall not constrain future extensibility, nor constrain the services of other audit systems, including operating system and site-specific event types and associated data.