CAN CSA-ISO IEC 10181-7-2000 Information technology - Open Systems Interconnection - Security frameworks for open systems Security audit and alarms framework.pdf

1、CSA I NT E RN AT ION A1 I - National Standard of Canada CAN/CSA-ISO/1EC 101 81-7-00 (I SO/I EC 1 0 1 81 -7: 1 996) International Standard ISO/IEC 10181-7: 1996 (first edition 1996-08-01) has been adopted without modification as CSA Standard CAN/CSA-ISO/IEC 10181-7-00, which has been approved as a Na

2、tional Standard of Canada by the Standards Council of Canada. ISBN I -55324-088-X March 2000 Information technology - Open Systems Interconnection - Security frameworks for open systems: Security audit and alarms framework Technologies de t in formation - lnterconnexiun de s ystPmes ouverts (OS! - C

3、adres pour la s this remains the continuing responsibility of the accredited standards-development organization. Those who have a need to apply standards are encouraged to use National Standards of Canada whenever practicable. These standards are subject to periodic review; therefore, users are caut

4、ioned to obtain the latest edition from the organization preparing the standard. The responsibility for approving National Standards of Canada rests with the Standards Council of Canada 45 OConnor Street, Suite 1200 Ottawa, Ontario, K1 P 6N7 Canada A National Standard of Canada is a standard which C

5、SA INTERNATIONAL c . Les normes nationales du Canada sont publi6es en versions frangaise et anglaise. Although the intended primary application of this Standard is stated in its Scope, it is important to note that it remains the responsibility of the users to judge its suitability for their particul

6、ar purpose. lnformation technology - Open Systems Interconnection - Security frameworks for open systems: Security audit and alarms framework CAN/CSA-/SO/fC 7 0 7 8 7 -7-00 CAN/CSA-ISO/IEC 101 81 -7-00 Infomalion technology - Open Systems Interconnection - Security jkarneworks for open systems: Secu

7、rity audit and alums pamework CSA Preface Standards development within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Committee on Information Technology (TCIT), Canadians serve as the Canadian Advisory Committee (CAC) on ISO/IEC j

8、oint Technical Committee 1 on Information Technology (ISO/IEC JTCl ) for the Standards Council of Canada (SCC), the IS0 member body for Canada and sponsor of the Canadian National Committee of the IEC. Also, as a member of the International Telecommunication Union (ITU), Canada participates in the I

9、nternational Telegraph and Telephone Con su Ita tive Committee (ITU -T). This International Standard was reviewed by the CSA TClT under the jurisdiction of the Strategic Steering Committee on Information Technology and deemed acceptable for use in Canada. (A committee membership list is available on

10、 request from the CSA Project Manager.) From time to time, ISO/tEC may publish addenda, corrigenda, etc. The CSA TClT will review these documents for approval and publication. For a listing, refer to the CSA Information Products catalogue or CSA /do Update or contact a CSA Sales representative. This

11、 Standard has been formally approved, without modification, by these Committees and has been approved as a National Standard of Canada by the Standards Council of Canada. March 2000 0 CSA lnternational- 2000 All rights reserved. No part of this publication may be reproduced in any form whatsoever wi

12、thout the prior permission of the publisher. ISO/lfC material is reprinted with permission. Inquiries regarding this National Standard of Canada should be addressed to CSA International, 7 78 Rexdale Boulevard, Toronto, Ontario, M9 W 7 R3. March 2000 CSA/7 I NTE R N AT1 0 NAL STANDARD BO/ IEC 10181-

13、7 First edition 1 99608-0 1 Information technology - Open Systems Interconnection - Security frameworks for open systems: Security audit and alarms framework Technologies de I information - Interconnexion de syst - helping ensure that actions can be attributed to the entities responsible for those a

14、ctions; contributing to the deveIopment of improved damage control procedures; confirming compliance with established security policy: reporting infomation that may indicate inadequacies in system controls; and identifying possible required changes in controls, policy and procedures. In this framewo

15、rk, a security audit consists of the detection, collection and recording of various security-related events in a security audit trail and analysis of those events. Both audit and accountability require that information be recorded. A security audit ensures that sufficient infomation is recorded abou

16、t both routine and exceptional events so that later investigations can determine if security violations have occurred and, if so, what information or other resources have been compromised. Accountability ensures that relevant information is recorded about actions performed by users, or processes act

17、ing on their behalf, so that the consequences of those actions can later be linked to the user(s) in question, and the user(s) can be held accountable for his or her actions. Provision of a security audit service can contribute to the provision of accountability. A security alarm is a warning issued

18、 to an individual or process to indicate that a situation has arisen that may require timely action. The purposes of a security alarm service include: - to report real or apparent attempts to violate security; to report various security-related events, including “normal” events; and to report events

19、 triggered by threshold limits being reached. 1v ISO/IEC 10181-7 : 1996 (E) INTERNATIONAL STANDARD ITU-T RECOMMENDATION 1 INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - SECURITY FRAMEWORKS FOR OPEN SYSTEMS: SECURITY AUDIT AND ALARMS FRAMEWORK Scope This Recommendation I International Standa

20、rd addresses the application of security services in an Open Systems environment, where the term “Open Systems” is taken to include areas such as Database, Distributed Applications, Open Distributed Processing and OSI. The Security Frameworks are concerned with defining the means of providing protec

21、tion for systems and objects within systems, and with the interactions between systems. The Security Frameworks are not concerned with the methodology for constructing systems or mechanisms. The Security Frameworks address both data elements and sequences of operations (but not protocol elements) wh

22、ich are used to obtain specific security services. These security services may apply to the communicating entities of systems as well as to data exchanged between systems, and to data managed by systems. The purpose of security audit and alms as described in this Recommendation I International Stand

23、ard is to ensure that open system-security-related events are handled in accordance with the security poky of the applicable security authority . In particular, this framework: a) b) defines the basic concepts of security audit and alarms; provides a general model for security audit and alarms; and

24、c) identifies the relationship of the Security Audit and Alms service with other security services. As with other security services, a security audit can only be provided within the context of a defined security policy. The Security Audit and Alarms model provided in clause 6 supports a variety of g

25、oals not dl of which may be necessary or desired in a particular environment. The security audit service provides an audrt authority with the ability to specify the events which need to be recorded within a security audit trail. A number of different types of standard can use this framework includin

26、g: 1) standards that incorporate the concept of audit and alarms; 2) 3) standards that specify abstract services that include audit and darms; standards that specify uses of audit and alarms; 4) 5) standards that specify the means of providing audit and alarms within an open system architecture; and

27、 standards that specify audit and alms mechanisms. Such standards can use this framework as follows: - - standard types I), 2), 3), 4) and 5) can use the terminology of this framework; standard types 2), 3). 4) and 5) can use the facilities defined in clause 8; and - standard types 5) can be based u

28、pon the characteristics of mechanisms defined in clause 9. 2 Normative references The following Recommendations and International Standards contain provisions, which through reference in this text, constitute provisions of this Recommendation I International Standard. At the time of publication, the

29、 editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this ITU-T Rs. X.816 (1995 E) 1 ISO/IEC 10181-7 : 1996 (E) Recommendation 1 International Standard are encouraged to investigate the possibility of applying the most recent e

30、dition of the Recommendations and Standards indicated below. Members of IEC and IS0 maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations. 2.1 2.2 Identical Recommendations I In

31、ternational Standards ITU-T Recommendation X.200 (1994) I ISO/IEC 7498-1: 1994, Infonnation technology - Open System Interconnection - Basic Reference Model: The Basic Model. CCITT Recommendation X.734 (1992) I ISO/IEC 10164-5: 1993, Infomation technology - Open System Interconnection - Systems mana

32、gement: Event report management function. CCIlT Recommendation X.735 (1992) I ISOAEC 10 164-6: 1993, Infomation technology - Open Systems Interconnection - Systems management: Log control function. CCm Recommendation X.736 (1992) I ISO/IEC 10164-7: 1992, Infomrion technology - Open Systems Interconn

33、ection - System management: Security alum reporting function. CCITT Recommendation X.740 (1992) 1 ISO/IEC 10164-8:1993, Informution technology - Open System Interconnection - Systems management: Security audit trail function. ITU-T Recommendation X.810 (1995) 1 ISO/IEC 10181-1:1996, Infannation tech

34、nology - Open Systems Interconnection - Security frameworks for open systems: Overview. Paired Recommendations I International Standards equivalent in technical content - CCIIT Recommendation X.700 ( 1992), Managementframework for Open Sysrem Interconnection (OSI) for CCm applications. ISO/l.EC 7498

35、-4: 1989, Informution processing system - Open Systems Interconnection - Basic Reference Model - Part 4: Management framework. - CCI“ Recommendation X.800 (1991), Security Architecture fur Open System Interconnection for CCm applications. IS0 7498-2: 1989, Infonnation processing system - Open System

36、s Interconnection - Basic Reference Model - Part 2: Security Architecture. 3 Definitions For the purposes of this Recommendation I International Standard, the following definitions apply. 3.1 Basic Reference Model definitions This Recommendation I International Standard makes use of the following te

37、rms defined in ITU-T Rec. X.200 I ISO/LEC 7498- 1. a) entity; b) facility; c) function; d) service. 3.2 Security architecture definitions This Recommendation I International Standard makes use of the following terns defined in CCITI Rec. X.800 I ISO/IEC 749 8-2. a) Accountability; b) Availability; c

38、) Security Audit; d) Security Audit Trail; e) Security Policy. 2 ITIJ-T Rc. X.816 (1995 E) ISO/LEC 10181-7 : 1996 (E 3.3 Management framework definitions This Recommendation I International Standard makes use of the following terms defined in CCIlT RE. X.700 I ISO/IEC 7498-4: - Managed Object. 3.4 S

39、ecurity framework overview definitions This Recommendation I International Standard makes use of the following terms defined in ITU-T Rec. X.810 I ISO/IEC 10181-1. - SecurityDomain. 3.5 Additional definitions For the purposes of this Recommendation I International Standard, the following definitions

40、 apply. 3.5.1 generates a security audit message. alarm processor: A function which generates an appropriate action in response to a security alarm and 3.5.2 conducting a security audit. audit authority: The manager responsible for defining those aspects of a security policy applicable to 3.5.3 and

41、security audit messages. audit analyser: A function that checks a security audit trail in order to produce, if appropriate, security alarms 3.5.4 audit archiver: A function that archives a part of the security audit ail. 3.5.5 audit trail collector function. audit dispatcher: A function which transf

42、ers parts, or the whole, of a distributed security audit trail to the 3.5.6 audit trail examiner: A function that builds security reports out of one or more security audit mils. 3.5.7 audit recorder: A function that generates security audit records and stores them in a security audit trail. 3-53 aud

43、it provider: A function that provides security audit trail records according to some criteria. 3.5.9 audit trail collector: A function that gathers records from a distributed audit trail into a security audit trail. 3.5.10 generates a security audit and/or an alarm. event discriminator: A function w

44、hich provides initial analysis of a security-related event and, if appropriate, 3.5.11 security alarm: A message generated when a security-related event that is defined by security policy as being an alarm condition has been detected. A security alarm is intended to come to the attention of appropri

45、ate entities in a timely manner. 3.5.12 security alarm administrator: An individual or process that determines the disposition of security alarms. 3.5.13 or to have possible security relevance. Reaching a pre-defined threshold value is an example of a security-related event. security-related event:

46、Any event that has been defined by security policy to be a potential breach of security, 3.5.14 security audit message: A message generated as a result of an auditable security-related event. 3.5.15 security audit record: A single record in a security audit trail. 3.5.16 audit reports. security audi

47、tor: An individual or a process allowed to have access to the security audit trail and to build 3.5.17 determine whether a breach of security has occurred. security report: A report that results from the analysis of the security audit trail and that can be used to ITU-T Rc. X.816 (1995 E) 3 ISO/IEC

48、10181-7 : 1996 (E) 4 Abbreviations OS1 Open Systems Interconnection 5 Notation The terms “service” and “mechanism”, where not otherwise qualified, are used to refer to “security audit service” and “security audit mechanism” respectively. The tern “audit”, where not otherwise qualified, refers to a “

49、security audit”. The term “alarm”, where not otherwise qualified, refers to a “security alarm”. 6 General discussion of security audit and alarms This clause describes a model for handling security alarms and for conducting a security audit for open systems. A security audit allows the adequacy of the security policy to be evaluated, aids in the detection of security violations, facilitates making individuals accountable for their actions (or for actions by entities acting on their behalf), assists in the detection of misuse of resources, and acts as a deterrent to individuals who m