1、BRITISH STANDARD BS ISO/IEC 10181-7:1996 Information technology Open Systems Interconnection Security frameworks for open systems: Security audit and alarms framework (ITU-T Rec. X.816 (1995)| ISO/IEC10181-7:1996) ICS 35.100.01BSISO/IEC 10181-7:1996 This British Standard, having been prepared under
2、the direction of the DISC Board, was published under the authority of the Standards Board and comes into effect on 15 November 1996 BSI 11-1998 ISBN 0 580 26525 0 National foreword This British Standard reproduces verbatim ISO/IEC 10181-7:1996, and implements it as the UK national standard. The UK p
3、articipation in its preparation was entrusted to Technical Committee IST/21, Open Systems Interconnection, Data Management and Open Distributed Processing, which has the responsibility to: aid enquirers to understand the text; present to the responsible international/European committee any enquiries
4、 on the interpretation, or proposals for change, and keep the UK interests informed; monitor related international and European developments and promulgate them in the UK. A list of organizations represented on this committee is available on request. Cross-references The British Standards which impl
5、ement international or European publications referred to in this document may be found in the BSI Standards Catalogue under the section entitled “International Standards Correspondence Index”, or using the “Find” facility of the BSI Standards Electronic Catalogue. A British Standard does not purport
6、 to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application. Compliance with a British Standard does not of itself confer immunity from legal obligations. Summary of pages This document comprises a front cover, an inside front cove
7、r, the ISO/IEC title page, pages ii to iv, pages 1 to 14 an inside back cover andaback cover. This standard has been updated (see copyright date) and may have had amendments incorporated. This will be indicated in the amendment table on theinside front cover. Amendments issued since publication Amd.
8、 No. Date CommentsBSISO/IEC 10181-7:1996 ii BSI 11-1998 Contents Page Foreword iii Introduction 1 1 Scope 1 2 Normative references 2 2.1 Identical Recommendations | International Standards 2 2.2 Paired Recommendations | International Standards equivalent in technical content 2 3 Definitions 2 3.1 Ba
9、sic Reference Model definitions 2 3.2 Security architecture definitions 2 3.3 Management framework definitions 2 3.4 Security framework overview definitions 3 3.5 Additional definitions 3 4 Abbreviations 3 5 Notation 3 6 General discussion of security audit and alarms 4 6.1 Model and functions 4 6.2
10、 Phases of security audit and alarms procedures 6 6.3 Correlation of audit information 7 7 Policy and other aspects of security audit and alarms 7 7.1 Policy 7 7.2 Legal aspects 8 7.3 Protection requirements 8 8 Security audit and alarms information and facilities 8 8.1 Audit and alarms information
11、8 8.2 Security audit and alarms facilities 9 9 Security audit and alarms mechanisms 10 10 Interaction with other security services and mechanisms 10 10.1 Entity authentication 10 10.2 Data origin authentication 10 10.3 Access Control 10 10.4 Confidentiality 10 10.5 Integrity 10 10.6 Non-repudiation
12、10 Annex A General security audit and alarms principles for OSI 11 Annex B Realization of the security audit and alarm model 12 Annex C Security Audit and Alarms Facilities Outline 14 Annex D Time Registration of Audit Events Inside back cover Figure 1 Security audit and alarms model 5 Figure 2 Dist
13、ributed audit trail model 6 Figure B.1 An Example of realization of a alarm and audit service 13BSISO/IEC 10181-7:1996 BSI 11-1998 iii Foreword ISO (the International Organization for Standardization) and IEC (theInternational Electrotechnical Commission) form the specialized system for worldwide st
14、andardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields
15、 of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. Draft International Standards adopted b
16、y the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. International Standard ISO/IEC 10181-7 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information
17、 technology, Subcommittee SC 21, Open systems interconnection, data management and open distributed processing, in collaboration with ITU-T. The identical text is published as ITU-TRecommendation X.816. ISO/IEC 10181 consists of the following parts, under the general title Information technology Ope
18、n Systems Interconnection Security frameworks for open systems: Part 1: Overview; Part 2: Authentication framework; Part 3: Access control framework; Part 4: Non-repudiation framework; Part 5: Confidentiality framework; Part 6: Integrity framework; Part 7: Security audit and alarms framework. Annexe
19、s A to D of this part of ISO/IEC 10181 are for information only.iv blankBSISO/IEC 10181-7:1996 BSI 11-1998 1 Introduction This Recommendation|International Standard refines the concept of security audit described in ITU-T Rec. X.810|ISO/IEC 10181-1. This includes event detection and actions resultin
20、g from these events. The framework, therefore, addresses both security audit and security alarms. A security audit is an independent review and examination of system records and activities. The purposes of a security audit include: assisting in the identification and analysis of unauthorized actions
21、 or attacks; helping ensure that actions can be attributed to the entities responsible for those actions; contributing to the development of improved damage control procedures; confirming compliance with established security policy; reporting information that may indicate inadequacies in system cont
22、rols; and identifying possible required changes in controls, policy and procedures. In this framework, a security audit consists of the detection, collection and recording of various security-related events in a security audit trail and analysis of those events. Both audit and accountability require
23、 that information be recorded. A security audit ensures that sufficient information is recorded about both routine and exceptional events so that later investigations can determine if security violations have occurred and, if so, what information or other resources have been compromised. Accountabil
24、ity ensures that relevant information is recorded about actions performed by users, or processes acting on their behalf, so that the consequences of those actions can later be linked to the user(s) in question, and the user(s) can be held accountable for his or her actions. Provision of a security a
25、udit service can contribute to the provision of accountability. A security alarm is a warning issued to an individual or process to indicate that a situation has arisen that may require timely action. The purposes of a security alarm service include: to report real or apparent attempts to violate se
26、curity; to report various security-related events, including “normal” events; and to report events triggered by threshold limits being reached. 1 Scope This Recommendation|International Standard addresses the application of security services in an Open Systems environment, where the term “Open Syste
27、ms” is taken to include areas such as Database, Distributed Applications, Open Distributed Processing and OSI. The Security Frameworks are concerned with defining the means of providing protection for systems and objects within systems, and with the interactions between systems. The Security Framewo
28、rks are not concerned with the methodology for constructing systems or mechanisms. The Security Frameworks address both data elements and sequences of operations (but not protocol elements) which are used to obtain specific security services. These security services may apply to the communicating en
29、tities of systems as well as to data exchanged between systems, and to data managed by systems. The purpose of security audit and alarms as described in this Recommendation|International Standard is to ensure that open system-security-relatedevents are handled in accordance with the security policy
30、of the applicable security authority. In particular, this framework: a) defines the basic concepts of security audit and alarms; b) provides a general model for security audit and alarms; and c) identifies the relationship of the Security Audit and Alarms service with other security services. As wit
31、h other security services, a security audit can only be provided within the context of a defined security policy. The Security Audit and Alarms model provided inclause 6 supports a variety of goals not all of which may be necessary or desired in a particular environment. The security audit service p
32、rovides an audit authority with the ability to specify the events which need to be recorded within a security audit trail. A number of different types of standard can use this framework including: 1) standards that incorporate the concept of audit and alarms; 2) standards that specify abstract servi
33、ces that include audit and alarms; 3) standards that specify uses of audit and alarms; 4) standards that specify the means of providing audit and alarms within an open system architecture; andBSISO/IEC 10181-7:1996 2 BSI 11-1998 5) standards that specify audit and alarms mechanisms. Such standards c
34、an use this framework as follows: standard types 1), 2), 3), 4) and 5) can use the terminology of this framework; standard types 2), 3), 4) and 5) can use the facilities defined in clause 8; and standard types 5) can be based upon the characteristics of mechanisms defined inclause9. 2 Normative refe
35、rences The following Recommendations and International Standards contain provisions, which through reference in this text, constitute provisions of this Recommendation|International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject
36、 to revision, and parties to agreements based on this Recommendation|International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards indicated below. Members of IEC and ISO maintain registers of currently valid Internation
37、al Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations. 2.1 Identical Recommendations|International Standards ITU-T Recommendation X.200 (1994)| ISO/IEC 7498-1:1994, Information technology Open Systems Interconnection Basic Ref
38、erence Model: The Basic Model. CCITT Recommendation X.734 (1992)| ISO/IEC 10164-5:1993, Information technology Open Systems Interconnection Systems management: Event report management function. CCITT Recommendation X.735 (1992)| ISO/IEC 10164-6:1993, Information technology Open Systems Interconnecti
39、on Systems management: Log control function. CCITT Recommendation X.736 (1992)| ISO/IEC 10164-7:1992, Information technology Open Systems Interconnection Systems management: Security alarm reporting function. CCITT Recommendation X.740 (1992)| ISO/IEC 10164-8:1993, Information technology Open System
40、s Interconnection Systems management: Security audit trail function. ITU-T Recommendation X.810 (1995) | ISO/IEC 10181-1:1996, Information technology Open Systems Interconnection Security frameworks for open systems: Overview. 2.2 Paired Recommendations|International Standards equivalent in technica
41、l content CCITT Recommendation X.700 (1992), Management framework for Open Systems Interconnection (OSI) for CCITT applications. ISO/IEC 7498-4:1989, Information processing systems Open Systems Interconnection Basic Reference Model Part 4: Management framework. CCITT Recommendation X.800 (1991), Sec
42、urity Architecture for Open Systems Interconnection for CCITT applications. ISO 7498-2:1989, Information processing systems Open Systems Interconnection Basic Reference Model Part 2: Security Architecture. 3 Definitions For the purposes of this Recommendation|International Standard, the following de
43、finitions apply. 3.1 Basic Reference Model definitions this Recommendation|International Standard makes use of the following terms defined in ITU-TRec.X.200|ISO/IEC 7498-1 a) entity; b) facility; c) function; d) service. 3.2 security architecture definitions this Recommendation|International Standar
44、d makes use of the following terms defined in CCITTRec. X.800|ISO/IEC 7498-2 a) Accountability; b) Availability; c) Security Audit; d) Security Audit Trail; e) Security Policy. 3.3 management framework definitions this Recommendation|International Standard makes use of the following terms defined in
45、CCITTRec. X.700|ISO/IEC 7498-4: Managed Object.BSISO/IEC 10181-7:1996 BSI 11-1998 3 3.4 security framework overview definitions this Recommendation|International Standard makes use of the following terms defined in ITU-TRec.X.810|ISO/IEC 10181-1 Security Domain. 3.5 Additional definitions for the pu
46、rposes of this Recommendation|International Standard, the following definitions apply. 3.5.1 alarm processor a function which generates an appropriate action in response to a security alarm and generates a security audit message 3.5.2 audit authority the manager responsible for defining those aspect
47、s of a security policy applicable to conducting a security audit 3.5.3 audit analyser a function that checks a security audit trail in order to produce, if appropriate, security alarms and security audit messages 3.5.4 audit archiver a function that archives a part of the security audit trail 3.5.5
48、audit dispatcher a function which transfers parts, or the whole, of a distributed security audit trail to the audit trail collector function 3.5.6 audit trail examiner a function that builds security reports out of one or more security audit trails 3.5.7 audit recorder a function that generates secu
49、rity audit records and stores them in a security audit trail 3.5.8 audit provider a function that provides security audit trail records according to some criteria 3.5.9 audit trail collector a function that gathers records from a distributed audit trail into a security audit trail 3.5.10 event discriminator a function which provides initial analysis of a security-related event and, if appropriate, generates a security audit and/or an alarm 3.5.11 security alarm a message
