INTERNATIONAL TELECOMMUNICATION UNION
ITU-T TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
X.816 (11/95)
DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS
SECURITY
INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - SECURITY FRAMEWORKS FOR OPEN SYSTEMS: SECURITY AUDIT AND ALARMS FRAMEWORK
ITU-T Recommendation X.816 (Previously “CCITT Recommendation”)
COPYRIGHT International Telecommunications Union/ITU Telecommunications. Licensed by Information Handling Services.

FOREWORD

ITU (International Telecommunication Union) is the United Nations Specialized Agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of the ITU. Some 179 member countries, 84 telecom operating entities, 145 scientific and industrial organizations and 38 international organizations participate in ITU-T, which is the body which sets world telecommunications standards (Recommendations).

The approval of Recommendations by the Members of ITU-T is covered by the procedure laid down in WTSC Resolution No. 1 (Helsinki, 1993). In addition, the World Telecommunication Standardization Conference (WTSC), which meets every four years, approves Recommendations submitted to it and establishes the study programme for the following period.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. The text of ITU-T Recommendation X.816 was approved on 21st of November 1995. The identical text is also published as ISO/IEC International Standard 10181-7.

NOTE - In this Recommendation, the expression “Administration” is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

© ITU 1996
All rights reserved. No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the ITU.
ITU-T X-SERIES RECOMMENDATIONS
DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS
(February 1994)

ORGANIZATION OF X-SERIES RECOMMENDATIONS

Subject area                                         Recommendation Series
PUBLIC DATA NETWORKS
  Services and Facilities                            X.1-X.19
  Interfaces                                         X.20-X.49
  Transmission, Signalling and Switching             X.50-X.89
  Network Aspects                                    X.90-X.149
  Maintenance                                        X.150-X.179
  Administrative Arrangements                        X.180-X.199
OPEN SYSTEMS INTERCONNECTION
  Model and Notation                                 X.200-X.209
  Service Definitions                                X.210-X.219
  Connection-mode Protocol Specifications            X.220-X.229
  Connectionless-mode Protocol Specifications        X.230-X.239
  PICS Proformas                                     X.240-X.259
  Protocol Identification                            X.260-X.269
  Security Protocols                                 X.270-X.279
  Layer Managed Objects                              X.280-X.289
  Conformance Testing                                X.290-X.299
INTERWORKING BETWEEN NETWORKS
  General                                            X.300-X.349
  Mobile Data Transmission Systems                   X.350-X.369
  Management                                         X.370-X.399
MESSAGE HANDLING SYSTEMS                             X.400-X.499
DIRECTORY                                            X.500-X.599
OSI NETWORKING AND SYSTEM ASPECTS
  Networking                                         X.600-X.649
  Naming, Addressing and Registration                X.650-X.679
  Abstract Syntax Notation One (ASN.1)               X.680-X.699
OSI MANAGEMENT                                       X.700-X.799
SECURITY                                             X.800-X.849
OSI APPLICATIONS
  Commitment, Concurrency and Recovery               X.850-X.859
  Transaction Processing                             X.860-X.879
  Remote Operations                                  X.880-X.899
OPEN DISTRIBUTED PROCESSING                          X.900-X.999
CONTENTS

1 Scope
2 Normative references
  2.1 Identical Recommendations | International Standards
  2.2 Paired Recommendations | International Standards equivalent in technical content
3 Definitions
  3.1 Basic Reference Model definitions
  3.2 Security architecture definitions
  3.3 Management framework definitions
  3.4 Security framework overview definitions
  3.5 Additional definitions
4 Abbreviations
5 Notation
6 General discussion of security audit and alarms
  6.1 Model and functions
  6.2 Phases of security audit and alarms procedures
  6.3 Correlation of audit information
7 Policy and other aspects of security audit and alarms
  7.1 Policy
  7.2 Legal aspects
  7.3 Protection requirements
8 Security audit and alarms information and facilities
  8.1 Audit and alarms information
  8.2 Security audit and alarms facilities
9 Security audit and alarms mechanisms
10 Interaction with other security services and mechanisms
  10.1 Entity authentication
  10.2 Data origin authentication
  10.3 Access Control
  10.4 Confidentiality
  10.5 Integrity
  10.6 Non-repudiation
Annex A - General security audit and alarms principles for OSI
Annex B - Realization of the security audit and alarm model
Annex C - Security Audit and Alarms Facilities Outline
Annex D - Time Registration of Audit Events

ITU-T Rec. X.816 (1995 E)
Summary

This Recommendation | International Standard describes a basic model for handling security alarms and for conducting a security audit for open systems. A security audit is an independent review and examination of system records and activities. The security audit service provides an audit authority with the ability to specify, select and manage the events which need to be recorded within a security audit trail.

Introduction

This Recommendation | International Standard refines the concept of security audit described in ITU-T Rec. X.810 | ISO/IEC 10181-1. This includes event detection and actions resulting from these events. The framework, therefore, addresses both security audit and security alarms.

A security audit is an independent review and examination of system records and activities. The purposes of a security audit include:
- assisting in the identification and analysis of unauthorized actions or attacks;
- helping ensure that actions can be attributed to the entities responsible for those actions;
- contributing to the development of improved damage control procedures;
- confirming compliance with established security policy;
- reporting information that may indicate inadequacies in system controls; and
- identifying possible required changes in controls, policy and procedures.

In this framework, a security audit consists of the detection, collection and recording of various security-related events in a security audit trail and analysis of those events.

Both audit and accountability require that information be recorded. A security audit ensures that sufficient information is recorded about both routine and exceptional events so that later investigations can determine if security violations have occurred and, if so, what information or other resources have been compromised. Accountability ensures that relevant information is recorded about actions performed by users, or processes acting on their behalf, so that the consequences of those actions can later be linked to the user(s) in question, and the user(s) can be held accountable for his or her actions. Provision of a security audit service can contribute to the provision of accountability.

A security alarm is a warning issued to an individual or process to indicate that a situation has arisen that may require timely action. The purposes of a security alarm service include:
- to report real or apparent attempts to violate security;
- to report various security-related events, including “normal” events; and
- to report events triggered by threshold limits being reached.
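A toy Python model of the relationship the Introduction describes, added here as an example and not part of the Recommendation: a constructed security audit trail that records routine and exceptional events, an audit analyser that raises a security alarm when a threshold limit is reached, an alarm processor that turns the alarm into an action and an audit message, and an accountability lookup that links a recorded event back to its user. The function names follow clause 3.5 of this document; the login events, the threshold of three failures and the lock-account action are assumptions.

```python
"""Added example: a toy audit-trail / alarm model in X.816 terms (not the standard's code)."""
from collections import Counter
from dataclasses import dataclass

# Constructed security audit trail. Each record: (event id, user, action, outcome).
# Routine (successful) events are recorded alongside exceptional ones, so that a
# later investigation can reconstruct what happened, not only what failed.
AUDIT_TRAIL = [
    (1, "alice", "login", "success"),
    (2, "bob", "login", "failure"),
    (3, "bob", "login", "failure"),
    (4, "bob", "login", "failure"),
    (5, "alice", "read_record", "success"),
    (6, "bob", "login", "failure"),
]


@dataclass(frozen=True)
class SecurityAlarm:
    """A warning that a situation has arisen which may require timely action."""
    cause: str
    user: str
    count: int


def audit_analyser(trail, threshold=3):
    """Check the trail and raise one alarm per user whose login failures reach
    the (assumed) threshold limit; an empty list means no alarm is due."""
    failures = Counter(user for _, user, action, outcome in trail
                       if action == "login" and outcome == "failure")
    return [SecurityAlarm("repeated_login_failure", user, n)
            for user, n in failures.items() if n >= threshold]


def alarm_processor(alarm):
    """Generate the action for an alarm (assumed policy: lock the account) and
    return it with the security audit message that records the action taken."""
    action = f"lock_account:{alarm.user}"
    audit_message = (alarm.cause, alarm.user, action)
    return action, audit_message


def responsible_user(trail, event_id):
    """Accountability: link a recorded event back to the user who caused it."""
    for eid, user, _action, _outcome in trail:
        if eid == event_id:
            return user
    return None


if __name__ == "__main__":
    for alarm in audit_analyser(AUDIT_TRAIL):
        print(alarm, alarm_processor(alarm))
```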
ISO/IEC 10181-7 : 1996 (E)

INTERNATIONAL STANDARD
ITU-T RECOMMENDATION

INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - SECURITY FRAMEWORKS FOR OPEN SYSTEMS: SECURITY AUDIT AND ALARMS FRAMEWORK

1 Scope

This Recommendation | International Standard addresses the application of security services in an Open Systems environment, where the term “Open Systems” is taken to include areas such as Database, Distributed Applications, Open Distributed Processing and OSI. The Security Frameworks are concerned with defining the means of providing protection for systems and objects within systems, and with the interactions between systems. The Security Frameworks are not concerned with the methodology for constructing systems or mechanisms.

The Security Frameworks address both data elements and sequences of operations (but not protocol elements) which are used to obtain specific security services. These security services may apply to the communicating entities of systems as well as to data exchanged between systems, and to data managed by systems.

The purpose of security audit and alarms as described in this Recommendation | International Standard is to ensure that open system security-related events are handled in accordance with the security policy of the applicable security authority. In particular, this framework:
a) defines the basic concepts of security audit and alarms;
b) provides a general model for security audit and alarms; and
c) identifies the relationship of the Security Audit and Alarms service with other security services.

As with other security services, a security audit can only be provided within the context of a defined security policy. The Security Audit and Alarms model provided in clause 6 supports a variety of goals, not all of which may be necessary or desired in a particular environment. The security audit service provides an audit authority with the ability to specify the events which need to be recorded within a security audit trail.

A number of different types of standard can use this framework, including:
1) standards that incorporate the concept of audit and alarms;
2) standards that specify abstract services that include audit and alarms;
3) standards that specify uses of audit and alarms;
4) standards that specify the means of providing audit and alarms within an open system architecture; and
5) standards that specify audit and alarms mechanisms.

Such standards can use this framework as follows:
- standard types 1), 2), 3), 4) and 5) can use the terminology of this framework;
- standard types 2), 3), 4) and 5) can use the facilities defined in clause 8; and
- standard type 5) can be based upon the characteristics of mechanisms defined in clause 9.

2 Normative references

The following Recommendations and International Standards contain provisions which, through reference in this text, constitute provisions of this Recommendation | International Standard. At the time of publication, the editions indicated were valid. All Recommendations and Standards are subject to revision, and parties to agreements based on this Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent edition of the Recommendations and Standards indicated below. Members of IEC and ISO maintain registers of currently valid International Standards. The Telecommunication Standardization Bureau of the ITU maintains a list of currently valid ITU-T Recommendations.

2.1 Identical Recommendations | International Standards

- ITU-T Recommendation X.200 (1994) | ISO/IEC 7498-1:1994, Information technology - Open Systems Interconnection - Basic Reference Model: The Basic Model.
- CCITT Recommendation X.734 (1992) | ISO/IEC 10164-5:1993, Information technology - Open Systems Interconnection - Systems management: Event report management function.
- CCITT Recommendation X.735 (1992) | ISO/IEC 10164-6:1993, Information technology - Open Systems Interconnection - Systems management: Log control function.
- CCITT Recommendation X.736 (1992) | ISO/IEC 10164-7:1992, Information technology - Open Systems Interconnection - Systems management: Security alarm reporting function.
- CCITT Recommendation X.740 (1992) | ISO/IEC 10164-8:1993, Information technology - Open Systems Interconnection - Systems management: Security audit trail function.
- ITU-T Recommendation X.810 (1995) | ISO/IEC 10181-1:1996, Information technology - Open Systems Interconnection - Security frameworks for open systems: Overview.
2.2 Paired Recommendations | International Standards equivalent in technical content

- CCITT Recommendation X.700 (1992), Management framework for Open Systems Interconnection (OSI) for CCITT applications.
  ISO/IEC 7498-4:1989, Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 4: Management framework.
- CCITT Recommendation X.800 (1991), Security Architecture for Open Systems Interconnection for CCITT applications.
  ISO 7498-2:1989, Information processing systems - Open Systems Interconnection - Basic Reference Model - Part 2: Security Architecture.

3 Definitions

For the purposes of this Recommendation | International Standard, the following definitions apply.

3.1 Basic Reference Model definitions

This Recommendation | International Standard makes use of the following terms defined in ITU-T Rec. X.200 | ISO/IEC 7498-1:
a) entity;
b) facility;
c) function;
d) service.

3.2 Security architecture definitions

This Recommendation | International Standard makes use of the following terms defined in CCITT Rec. X.800 | ISO/IEC 7498-2:
a) Accountability;
b) Availability;
c) Security Audit;
d) Security Audit Trail;
e) Security Policy.

3.3 Management framework definitions

This Recommendation | International Standard makes use of the following terms defined in CCITT Rec. X.700 | ISO/IEC 7498-4:
- Managed Object.

3.4 Security framework overview definitions

This Recommendation | International Standard makes use of the following terms defined in ITU-T Rec. X.810 | ISO/IEC 10181-1:
- Security Domain.

3.5 Additional definitions

For the purposes of this Recommendation | International Standard, the following definitions apply.

3.5.1 alarm processor: A function which generates an appropriate action in response to a security alarm and generates a security audit message.

3.5.2 audit authority: The manager responsible for defining those aspects of a security policy applicable to conducting a security audit.

3.5.3 audit analyser: A function that checks a security audit trail in order to produce, if appropriate, security alarms and security audit messages.