RE: Addendum to Policy Letter 13: Audit Generation Functionality


It appears to me that the purpose of audit seems missing in this
discussion. Furthermore, I believe all Government requirements require
some interpretation. Look at the CC for example. We need to apply
caution when transliterating Government requirements into hard
implementation mandates. 

Some examples in 8500.2:

5.7. The Heads of the DoD Components shall:
5.7.9.3. Collect and retain audit data to support technical analysis
relating to misuse, penetration reconstruction, or other investigations,
and provide this data to appropriate law enforcement or other
investigating agencies.

>>>>Requiring local hardware so that a local device has local time
correct to that device but no network-wide time so there is no way to
verify the path an attack took seems to violate this requirement, but we
appear not to like NTS.

Enclave and Computing Environment Integrity
ECAT-2 Audit Trail, Monitoring, Analysis and Reporting An automated,
continuous on-line monitoring and audit trail creation capability is
deployed with the capability to immediately alert personnel of any
unusual or inappropriate activity with potential IA implications, and
with a user configurable capability to automatically disable the system
if serious IA violations are detected.

>>>So any user (does not say trusted user or administrator) who
perceives a serious IA violation has been detected MUST be able to
configure the system to automatically shut down if such an incident
occurs. Perhaps a technical translation is required.

Enclave and Computing Environment Integrity
ECND-2 Network Device Controls An effective network device control
program (e.g., routers, switches, firewalls) is implemented and
includes: instructions for restart and recovery procedures; restrictions
on source code access, system utility access, and system documentation;
protection from deletion of system and application files, and a
structured process for implementation of directed solutions (e.g.,
IAVA). Audit or other technical measures are in place to ensure that the
network device controls are not compromised. 

>>>Here we are required only to audit the stuff necessary to ensure
network devices are not compromised - which is subjective.

Enclave and Computing Environment Integrity
ECAT-2 Audit Trail, Monitoring, Analysis and Reporting
An automated, continuous on-line monitoring and audit trail creation
capability is deployed with the capability to immediately alert
personnel of any unusual or inappropriate activity with potential IA
implications, and with a user configurable capability to automatically
disable the system if serious IA violations are detected.

>>>What a paragraph. Immediately is undefined. Alert is undefined, If a
bar code reader detects a laptop is being removed from the building
without authorization, that meets the requirements for this paragraph.
That has IA implications. Personnel might have be immediately alerted
(whatever either word means). What does this have to do with the audit
requirements we are addressing.

>>>I believe Government requirements need to be interpreted and I
believe reasonable interpretation does not make the requirement invalid.
A devise that does not perform audit and does not claim audit in the ST
may be very useful to the Government. Perhaps there is only one user and
that user has access to all objects. The fact the device is assigned to
the user is sufficient. Perhaps the equipment is in the field and
another device audits the interaction with the fielded unit. I see no
reason why it can not be evaluated. The customer is getting exactly what
is claimed in the ST. 


-----Original Message-----
From: cc-cmt@nist.gov [mailto:cc-cmt@nist.gov] On Behalf Of Daniel P.
Faigin
Sent: Friday, March 09, 2007 10:44 AM
To: Multiple recipients of list
Subject: Addendum to Policy Letter 13: Audit Generation Functionality


I'm not going to address all of Jim's point, but I will answer one
question.

On Fri, 9 Mar 2007 08:32:53 -0500 (EST), "Arnold, James L. Jr."
<JAMES.L.ARNOLD.JR@saic.com> said: 

> The addendum boldly asserts that the need to audit is imperative. I'm
> wondering whether anyone has any references to the applicable DoD or
IC
> directives, etc. requiring accountability? 

Sure. Current DoD IA Policy is defined by DoDD 8500.1 and DoDI 8500.2.
8500.1
is high-level policy; it is captured in controls that apply to systems.
These
controls are defined in DoDI 8500.2. You should be able to obtain copies
from
http://iase.disa.mil/, or just do a web search. The appropriate controls
are
selected based on the mission criticality and the information handled.
With
respect to Audit, the following controls are of interest:

ECAR-1 Audit Record Contents (Public-Rel)

Audit records include:

*	User ID.
*	Successful and unsuccessful attempts to access security files.
*	Date and time of the event.
*	Type of event.

ECAR-2 Audit Record Contents (Sensitive) 

Audit records include:
*	User ID.
*	Successful and unsuccessful attempts to access security files.
*	Date and time of the event.
*	Type of event.
*	Success or failure of event.
*	Successful and unsuccessful logons.
*	Denial of access resulting from excessive number of logon
attempts.
*	Blocking or blacklisting a user ID, terminal or access port and
the
	reason for the action. 
*	Activities that might modify, bypass, or negate safeguards
controlled
	by the system. 

ECAR-3 Audit Record Contents (Classified)

Audit records include:
*	User ID.
*	Successful and unsuccessful attempts to access security files
*	Date and time of the event.
*	Type of event.
*	Success or failure of event.
*	Successful and unsuccessful logons.
*	Denial of access resulting from excessive number of logon
attempts.
*	Blocking or blacklisting a user ID, terminal or access port, and
the
	reason for the action. 
*	Activities that might modify, bypass, or negate safeguards
controlled
	by the system. 
*	Data required to audit the possible use of covert channel
mechanisms.
*	Privileged activities and other system-level access.
*	Starting and ending time for access to the system.
*	Security relevant actions associated with periods processing or
the
	changing of security labels or categories of information. 

ECAT-1 Audit Trail Monitoring, Analysis, and Reporting (MAC-III,
Sensitive, Public-Rel)

Audit trail records from all available sources are regularly reviewed
for
indications of inappropriate or unusual activity. Suspected violations
of IA policies are analyzed and reported in accordance with DoD
information system IA procedures. 

ECAT-2 Audit Trail Monitoring, Analysis, and Reporting (MAC-I, MAC-II,
Classified)

An automated, continuous on-line monitoring and audit trail creation
capability is deployed with the capability to immediately alert
personnel of
any unusual or inappropriate activity with potential IA implications,
and with
a user configurable capability to automatically disable the system if
serious
IA violations are detected. 

There are more controls that address audit in other areas, such as how
long
audit is maintained, where records are stored, etc.

For civil (non DoD Government) there are similar requirements captured
in NIST
800-53, which is also control based. Satisfaction of these controls is a
requirement of FISMA, and FISMA compliance is required. 

Personally, I think it is important that products of NSA be suitable to
serve
NSA customers, who are the DoD and US Government, and thus should
support
compliance with applicable controls.
Date Index | Thread Index | Problems or questions? Contact list-master@nist.gov