Security Auditing Requirements
A security auditing requirement is any security requirement that specifies a required amount of security auditing, which is a quality factor that is defined as follows:
- Security Auditing
- 1) n. [quality factor] the degree to which security personnel are enabled to audit the status and use of security mechanisms by analyzing security-related events.
- 2) n. the means by which security personnel are enabled to audit the status and use of security mechanisms.
- 3) v. the process of auditing the status and use of security mechanisms.
The typical objectives of a security auditing requirement
are to:
- Ensure that the application or component collects,
analyzes, and reports information about:
- All security-related events.
- The status (e.g., enabled vs. disabled, updated
versions) of its security mechanisms.
- The use of its security mechanisms (e.g., access and
modification by security personnel).
- Ensure that the application or component collects
sufficient information regarding potential breaches of
security to establish what events occurred, when they
occurred, and who (or what) caused them.
Rationale: United States Health Care Financing Administration (HCFA) Core Security Requirements
Security auditing requirements are typically specified in
terms of the following measurements:
- Minimum percentage of authorized users able to control
security auditing.
- Minimum percentage of security auditing commands
correctly performed when requested by authorized users.
- Minimum percentage of security events correctly
logged.
- Minimum percentage of authorized users able to access
security audit logs.
- Minimum percentage of authorized users able to produce
security audit reports.
- Minimum percentage of security audit log records
protected from corruption per unit time.
The following are typical examples of security auditing
requirements:
- Security Audit Control:
- “At least 99.9% of the time, the application
shall automatically start security auditing within 0.1
seconds of:
- “At least 99.99% of the time, the application
shall enable the following explicitly identified and
authenticated individuals, user roles, or user groups to
start and stop security auditing:
- [An application-specific list].”
- “At least 99.99% of the time, the application
shall enable the following explicitly identified and
authenticated individuals, user roles, or user groups to
read and modify the security events to be audited:
- [An application-specific list].”
- Security Audit Log Contents:
- “The application shall record at least 99.99%
of the following security-related events:
- Security audit startup.
- Security audit shutdown.
- Access control events (including successful and
unsuccessful identification, authentication and
authorization events).
- Changes in access control.
- Intrusion detection (including attempts to control
security auditing or to modify the security log).
- [Application-specific entries].”
- “At least 99.99% of the time, the application
shall include the following information within each
security audit record:
- Date and time of the security event.
- Type of security event.
- Parties (e.g., human, external application,
software process) to the security event.
- Outcome (e.g., success, failure) of security
event.
- [Application-specific entries].”
- Security Audit Reporting:
- “At least 99.9% of the time, the application
shall enable the following explicitly identified and
authenticated individuals, user roles, or user groups to
read/search/sort the security audit records:
- [An application-specific list].”
- “At least 99.99% of the time, the application
shall enable the following explicitly identified and
authenticated individuals, user roles, or user groups to
read/generate the security audit reports:
- [An application-specific list].”
- Security Audit Log Protection:
- “At least 99.9% of the time, the application
shall protect the audit log contents from being modified
for at least one day when under attack by a hacker of
medium-sophistication.”
- “At least 99.9% of the time, the application
shall detect any attempts to modify the audit log
contents by a hacker of medium-sophistication during a
one day period.”
- “At least 99.9% of the time, the application
shall protect the audit log contents for at least one day
from unauthorized deletion by a hacker of
medium-sophistication.”
- “At least 99.99% of the time, the application
shall notify the following identified and authenticated
individuals, user roles, or user groups if the security
audit log exceeds [an application-specific size]:
- [An application-specific list].”
- “At least 99.99% of the time, the application
shall retain at least the 500 most recent audit log
records when any of the following exceptional conditions
occur:
- Failure of audit hardware or software
components.
- Exhaustion of audit log storage.”
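The record-contents, audit-control and log-protection examples above can be checked against a concrete design. The following Python is an added illustration, not code from this page or from any particular product: it rejects records that lack the required fields (date/time, type, parties, outcome), restricts starting and stopping auditing to an assumed role list, logs refused control attempts as intrusion events, chains each record to the previous one with an HMAC so that modification, reordering or deletion of stored records is detectable, and keeps the 500 most recent records in memory when the simulated durable store fails. The key source, the role name `security_officer`, the event type names and the in-memory "storage" are assumptions made for the example.

```python
"""Tamper-evident audit log: an added illustration, not the page's own code."""
import hashlib
import hmac
import json
from collections import deque
from datetime import datetime, timezone

# Record contents required by the page's "Security Audit Log Contents" example.
REQUIRED_FIELDS = ("time", "type", "parties", "outcome")
# Application-specific list of roles allowed to start/stop auditing (assumed).
AUDIT_CONTROL_ROLES = {"security_officer"}
# Retention figure from the page's exceptional-conditions example.
RETAINED_ON_FAILURE = 500
CHAIN_HEAD = bytes(32)  # the "previous MAC" used for the very first record


def _payload(record: dict) -> bytes:
    # Canonical encoding so the MAC covers exactly the stored fields.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    def __init__(self, key: bytes):
        self._key = key              # assumed to be held outside the app (KMS/HSM)
        self._seq = 0
        self.records = []            # simulated durable store
        self.storage_failed = False  # flip to simulate exhaustion or hardware failure
        self._recent = deque(maxlen=RETAINED_ON_FAILURE)
        self.head = CHAIN_HEAD       # MAC of the newest record, kept apart from the log
        self.enabled = False

    def _mac(self, prev: bytes, seq: int, payload: bytes) -> bytes:
        return hmac.new(self._key, prev + seq.to_bytes(8, "big") + payload,
                        hashlib.sha256).digest()

    def _append(self, record: dict) -> dict:
        missing = [f for f in REQUIRED_FIELDS if f not in record]
        if missing:
            raise ValueError(f"audit record missing {missing}")
        mac = self._mac(self.head, self._seq, _payload(record))
        entry = {"seq": self._seq, "rec": record, "mac": mac.hex()}
        self._seq += 1
        self.head = mac
        self._recent.append(entry)           # always keep the 500 most recent in memory
        if not self.storage_failed:
            self.records.append(entry)
        return entry

    def log(self, event_type, parties, outcome, time=None, **extra):
        """Record one security-related event; returns None while auditing is stopped."""
        if not self.enabled:
            return None
        record = {"time": time or datetime.now(timezone.utc).isoformat(),
                  "type": event_type, "parties": list(parties), "outcome": outcome, **extra}
        return self._append(record)

    def _control(self, actor, role, event_type, enable):
        if role not in AUDIT_CONTROL_ROLES:
            # An attempt to control auditing by an unauthorised party is itself audited.
            self.log("intrusion_detected", [actor], "failure", attempted=event_type)
            raise PermissionError(f"{actor} ({role}) may not perform {event_type}")
        if enable:
            self.enabled = True
            self.log(event_type, [actor], "success")   # audit startup is the first record
        else:
            self.log(event_type, [actor], "success")   # audit shutdown is the last record
            self.enabled = False

    def start(self, actor, role):
        self._control(actor, role, "audit_startup", True)

    def stop(self, actor, role):
        self._control(actor, role, "audit_shutdown", False)

    def retained(self):
        return list(self._recent)

    def verify(self, entries=None, head=None):
        """Walk the chain. Returns (True, None) or (False, index of first bad/missing entry)."""
        entries = self.records if entries is None else entries
        head = self.head if head is None else head
        prev = CHAIN_HEAD
        for i, e in enumerate(entries):
            expected = self._mac(prev, i, _payload(e["rec"]))
            if e["seq"] != i or not hmac.compare_digest(expected, bytes.fromhex(e["mac"])):
                return False, i           # modified, re-ordered or missing record here
            prev = expected
        if not hmac.compare_digest(prev, head):
            return False, len(entries)   # records deleted from the tail
        return True, None


if __name__ == "__main__":
    log = AuditLog(b"example-key-assumed-to-come-from-a-kms")
    log.start("alice", "security_officer")
    log.log("authentication", ["bob"], "failure")
    print(log.verify())                        # (True, None)
    tampered = [dict(e, rec=dict(e["rec"])) for e in log.records]
    tampered[1]["rec"]["outcome"] = "success"
    print(log.verify(tampered))                # (False, 1)
```

Hash chaining makes tampering detectable rather than impossible, which is the difference between the "detect any attempts to modify" and "protect the audit log contents from being modified" requirements above. Prevention needs append-only or write-once storage, preferably on a separate host, and the chain head must be kept somewhere an attacker cannot rewrite together with the log; otherwise a truncated log with a matching head looks intact.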
The following guidelines have been found to be useful when
producing security auditing requirements:
- The scope of a security auditing requirement can be:
- Security auditing requirements can be identified and specified in terms of the following:

| Component of Requirement | Possible Values |
| --- | --- |
| Security Events | TBD |
| Security Log Contents | TBD |
| Security Reports | TBD |
| Security Log Threats | TBD |
| State | Normal Processing; Degraded Mode; Under Attack |
| Measurement | Minimum percentage of: authorized users able to control security auditing; security auditing commands correctly performed when requested by authorized users; security events correctly logged; authorized users able to access security audit logs; authorized users able to produce security audit reports; security audit log records protected from corruption per unit time |
- Care should be taken to avoid unnecessary duplication
between security-auditing and intrusion detection
requirements.
- For more information, see CSPP - Guidance for COTS Security Protection Profiles, NISTIR 6462, National Institute of Standards and Technology (NIST), U.S. Department of Commerce, December 1999, pp. B-4-7.
- Use misuse cases to perform security threat analysis and security use cases to analyze and specify security requirements.
- Security auditing requirements should
not be confused with (nor specified in terms
of) the types of security architecture mechanisms that are
typically used to implement them:
- Event Logs.
- Audit Trails.