COE Security Software Requirements Specification
Copyright © 2003 The Open Group

Security Audit

3.2.3.1
The COE Platform implementation shall provide the capability to create, maintain, process, and protect from modification or unauthorized access or destruction an audit trail of accesses to the objects it protects.

3.2.3.1.1
The COE Platform implementation shall protect audit data so that access to it is limited to those who are authorized to view audit data.

3.2.3.1.2
The COE Platform implementation shall protect the audit processes and audit data from change or deletion by general users. At a minimum, the COE Platform implementation shall protect the following:

3.2.3.1.2.1
Audit mechanisms (for example, executable files).

3.2.3.1.2.2
Configuration parameters (for example, audit configuration files).

3.2.3.1.2.3
Capability to enable or disable audit processes.

3.2.3.1.3
The COE Platform implementation shall provide a mechanism that generates a notification when the audit data has reached a configurable threshold of n percent of available storage capacity.

3.2.3.1.3.1
The COE Platform implementation shall be configurable by a trusted user to provide a capability for recovery in the event that the threshold n percent of available storage capacity has been exceeded. At a minimum, the following capabilities shall be provided:

3.2.3.1.3.1.2
Overwrite the oldest audit data.

3.2.3.1.3.1.4
Increase storage capacity for audit data.

Minimal compliance is satisfied by the ability to increase capacity manually via the Log File Manager.

3.2.3.1.3.2
The COE Platform implementation shall provide an interface for configuring which trusted user shall receive notifications when the audit data has reached the threshold n percent of available storage capacity.

3.2.3.1.3.3
The COE Platform implementation shall provide the capability for a trusted user to configure the threshold n percent of available storage capacity when a notification will be generated.

3.2.3.1.3.3.1
The default threshold n shall be 85 percent.
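
The threshold requirements in 3.2.3.1.3 through 3.2.3.1.3.3.1 can be exercised with a small monitor. This is an added example, not part of the specification or of any COE implementation; the directory layout, the fixed `capacity_bytes` quota, the `auditadmin` recipient and the reading of "overwrite the oldest audit data" as deleting the oldest files first are all assumptions.

```python
import os
from dataclasses import dataclass

DEFAULT_THRESHOLD_PERCENT = 85  # default n from 3.2.3.1.3.3.1


@dataclass
class AuditStore:
    directory: str                    # where audit files live (assumption)
    capacity_bytes: int               # storage set aside for audit data (assumption)
    threshold_percent: int = DEFAULT_THRESHOLD_PERCENT   # configurable, 3.2.3.1.3.3
    notify_user: str = "auditadmin"   # hypothetical trusted user, 3.2.3.1.3.2

    def files_oldest_first(self):
        entries = [e for e in os.scandir(self.directory) if e.is_file()]
        return sorted(entries, key=lambda e: (e.stat().st_mtime, e.name))

    def used_percent(self):
        used = sum(e.stat().st_size for e in self.files_oldest_first())
        return 100.0 * used / self.capacity_bytes

    def check(self):
        """Return a notification string once usage reaches the threshold, else None."""
        pct = self.used_percent()
        if pct >= self.threshold_percent:
            return (f"to {self.notify_user}: audit data at {pct:.0f}% of "
                    f"capacity (threshold {self.threshold_percent}%)")
        return None

    def overwrite_oldest(self):
        """Recovery option 3.2.3.1.3.1.2: drop oldest files until below threshold."""
        removed = []
        for entry in self.files_oldest_first():
            if self.used_percent() < self.threshold_percent:
                break
            os.remove(entry.path)
            removed.append(entry.name)
        return removed
```

Archiving the oldest files (3.2.3.1.5) before calling `overwrite_oldest` keeps the records that this recovery option would otherwise discard.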

3.2.3.1.4
The COE Platform implementation shall provide a mechanism that generates a notification to a trusted user when the audit process(es) has failed.

3.2.3.1.4.2
The COE Platform implementation shall provide an interface for configuring which trusted user shall receive notifications when the audit process(es) has failed.

3.2.3.1.5
The COE Platform implementation shall provide a capability to archive and selectively retrieve audit data.

Minimal compliance is satisfied using commands (that is, tar, dd, and so on) at a command line. Neither a GUI nor automation is required.

3.2.3.1.5.1
The COE Platform implementation shall provide the capability to automatically archive audit data when the audit data reaches a configurable threshold of n percent of available storage capacity.

Minimal compliance is satisfied using commands (that is, tar, dd, and so on) at a command line. Neither a GUI nor automation (via Cron) is required.

3.2.3.1.5.4
The COE Platform implementation shall provide a mechanism that generates a time configurable notification to remind a trusted user (for example, a system administrator) to perform audit archive.

3.2.3.1.5.4.1
The COE Platform implementation shall provide a GUI for a trusted user to configure the time, represented as every n hours.

3.2.3.1.5.4.2
The default threshold n shall be every 168 hours.

3.2.3.2
The COE Platform implementation shall provide the capability to enable and disable auditable events.

3.2.3.3
The COE Platform implementation shall provide the capability to audit the following types of events:

3.2.3.3.1
Use of identification and authentication mechanisms.

3.2.3.3.2
Introduction of designated objects into a user's address space (for example, file open, program initiation).

3.2.3.3.3
Creation, modification, and deletion of designated objects.

3.2.3.3.4
Actions taken by trusted users.

3.2.3.3.7
Change in access control permissions.

3.2.3.3.9
System startup.

3.2.3.3.10
System shutdown.

3.2.3.4
The COE Platform implementation shall provide the capability for a trusted user to define security-relevant events.

3.2.3.5
For each recorded event, the COE Platform implementation shall identify in the audit record at least the following:

3.2.3.5.1
System date and time (to the nearest second) of the event.

3.2.3.5.2
User ID.

3.2.3.5.3
Type of event.

3.2.3.5.4
Success or failure of the event.

3.2.3.6
For identification and authentication events, the audit record shall identify the origin of the request (for example, terminal ID, host IP address).

3.2.3.10
The COE Platform implementation shall provide the capability to receive application-level audit data (for example, the UNIX syslog logging facility, Windows NT event log).

3.2.3.11
The COE Platform implementation shall provide the capability to generate reports of audit data that has been collected.

3.2.3.11.1
The COE Platform implementation shall provide the capability to generate reports based on fields in event records or Boolean combinations of those fields.

3.2.3.11.2
The COE Platform implementation shall provide the capability to generate reports based on ranges of system date and time that audit records were collected.
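
The record fields required by 3.2.3.5 and 3.2.3.6 and the report selection required by 3.2.3.11.1 and 3.2.3.11.2 fit together as shown here. This is an added example, not part of the specification; the `AuditRecord` layout, the event-type name `auth` for identification and authentication events, the helper names and the sample records are constructed for illustration, and the event timestamp stands in for the collection time.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime            # 3.2.3.5.1, resolution of one second
    user_id: str                   # 3.2.3.5.2
    event_type: str                # 3.2.3.5.3
    success: bool                  # 3.2.3.5.4
    origin: Optional[str] = None   # 3.2.3.6, terminal ID or host IP address


def validate(rec):
    """List the minimum-content requirements a record fails to meet."""
    problems = []
    if not rec.user_id:
        problems.append("user ID missing")
    if not rec.event_type:
        problems.append("event type missing")
    if rec.event_type == "auth" and not rec.origin:
        problems.append("origin missing for identification and authentication event")
    return problems


# Field predicates and their Boolean combinations (3.2.3.11.1).
def field(name, value): return lambda r: getattr(r, name) == value
def all_of(*preds): return lambda r: all(p(r) for p in preds)
def any_of(*preds): return lambda r: any(p(r) for p in preds)
def negate(pred): return lambda r: not pred(r)


def report(records, pred, start=None, end=None):
    """Select records matching pred inside an inclusive time range (3.2.3.11.2)."""
    return [r for r in records
            if (start is None or r.timestamp >= start)
            and (end is None or r.timestamp <= end)
            and pred(r)]


SAMPLE = [  # constructed records, not real audit data
    AuditRecord(datetime(2003, 5, 1, 8, 0, 0), "alice", "auth", True, "10.0.0.5"),
    AuditRecord(datetime(2003, 5, 1, 8, 5, 0), "bob", "auth", False, "tty03"),
    AuditRecord(datetime(2003, 5, 1, 9, 0, 0), "bob", "file_delete", True),
    AuditRecord(datetime(2003, 5, 2, 9, 0, 0), "mallory", "auth", False),
]
```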
