Hi,

I just read the SNIA Logging white paper, and found some things that are no longer recommended (the BEEP raw and cooked profiles), and some changes to Syslog terminology in order to better address the security issues. You mentioned the white paper is being updated as we speak. Would you like reviewers that have a good knowledge of the IETF Syslog RFCs?

David Harrington
[email protected]
[email protected]
[email protected]
_____
From: Eric Hibbard [mailto:[email protected]]
Sent: Thursday, July 23, 2009 9:59 AM
To: David Harrington; [email protected]
Cc: [email protected]; [email protected]; 'Chris Lonvick'; [email protected]
Subject: RE: [snia-security] Audit Logging SIG/TWG

David,

Thank you for the feedback. A couple of us within SNIA and the INCITS/CS1 organizations have been monitoring the progress. We are definitely pleased to have the new standards-track RFCs for syslog.

-Eric

From: David Harrington [mailto:[email protected]]
Sent: Thursday, July 23, 2009 6:04 AM
To: Eric Hibbard; [email protected]
Cc: [email protected]; [email protected]; 'Chris Lonvick'; [email protected]
Subject: RE: [snia-security] Audit Logging SIG/TWG

Hi,

The IETF Syslog WG has been chartered to address security issues. The WG has almost completed its current work plan. Some of the features that have been included in the IETF syslog standards will probably be useful for audit logging purposes, such as increased message sizes, secure transport, structured data elements, and digitally signed messages:
http://www.ietf.org/dyn/wg/charter/syslog-charter.html

The WG is considering re-chartering to do additional work. Much of the proposed work relates to standardizing how syslog is used, and to standardizing some types of logging content.

The Syslog WG will be meeting at the upcoming IETF meeting (http://www.ietf.org/meeting/75/). Attached is a PowerPoint presentation that shows what topics are expected to be discussed. Proposals for additional work are welcome.

In the IETF, official work is done using mailing lists rather than face-to-face meetings. If anybody wishes to monitor or contribute to the discussion, here is where the official discussions occur:

General Discussion: [email protected]
To Subscribe: [email protected]
In Body: subscribe
Archive: http://www.ietf.org/mail-archive/web/syslog

Your input is welcome.

David Harrington
co-chair, Syslog WG
Standards Manager, HuaweiSymantec Technologies
[email protected]
[email protected]
[email protected]

_____
From: Eric Hibbard [mailto:[email protected]]
Sent: Friday, July 17, 2009 12:24 PM
To: [email protected]
Cc: [email protected]; [email protected]
Subject: [snia-security] Audit Logging SIG/TWG

Michael,

I understand that you have expressed some interest in the area of audit logging and have floated the idea of forming a SIG or TWG for such an activity. I have a mixed reaction to this... on the one hand, the Security TWG has been advocating that storage ecosystems must participate in audit logging (as opposed to just health and fault logging)... on the flip side, we don't see SNIA being a serious leader in this space (we're about 3 years too late for that)... more like a consumer. However, the Security TWG considers this an important area and we're more than happy to participate and/or support whatever surfaces.

In the spirit of sharing, you might want to take a look at the following resources:

- SNIA docs - Storage Security best practices (http://www.snia.org/forums/ssif/programs/SNIATechnicalProposal-Security-BCPs.20080904.pdf) and the SNIA Logging Whitepaper (http://www.snia.org/forums/ssif/knowledge_center/white_papers/forums/ssif/knowledge_center/white_papers/SNIA-Logging-WP.050921.pdf); the whitepaper is being rewritten as we speak
- IETF Syslog WG (http://tools.ietf.org/wg/syslog/) - The IETF has finally published multiple standards-track RFCs related to Syslog, which is the primary protocol for all external/centralized logging. These RFCs cover architecture, protocol, and security.
- Mitre - Mitre has done some work with its Common Event Expression Taxonomy (CEET), which the Security TWG has been investigating as a possible way of "standardizing" message events so that the event log vendors could parse and react to them. Check out http://cee.mitre.org/ceelanguage.html

With the possible exception of PCI DSS, most of the drivers for this technology are indirect (i.e., monitor and respond, or establish and maintain accountability and traceability). This means that a certain amount of interpretation is required, and of course this leads to vendor hype and organizational indecision.

Best regards,
-Eric

Eric A. Hibbard, CISSP, CISA, ISSAP, ISSMP, ISSEP
CTO Security and Privacy
International Representative, INCITS TC CS1 Cyber Security
Vice Chair, American Bar Association - SciTech Law - eDiscovery & Digital Evidence Committee
Vice Chair, IEEE Information Assurance Standards Committee (IASC)
Member, SNIA Technical Council
Chair, SNIA Security Technical Work Group
Vice Chair, IEEE Security in Storage Work Group (P1619)
HITACHI DATA SYSTEMS
750 Central Expressway
Santa Clara, CA 95050-2627
P 408.970.7979 / C 408.314.0515
[email protected]
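The standards-track syslog RFCs that both David and Eric point to define, among the features David lists, a structured data field in the message header. As an added example that is not part of this thread or of any IETF document, the following Python parses an RFC 5424 message into its header fields and SD-ELEMENTs, unescaping quoted parameter values and rejecting malformed structured data instead of guessing. The sample messages are constructed, and the SD-ID suffix 32473 is the enterprise number reserved for documentation.

```python
"""RFC 5424 syslog parser covering the STRUCTURED-DATA field.

Added example, not from the thread. SAMPLES below are constructed; the SD-ID
auth@32473 uses the enterprise number reserved for documentation.
"""
import re

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>[1-9]\d{0,2}) (?P<timestamp>\S+) "
    r"(?P<hostname>\S+) (?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
)


def _parse_sd(text):
    """Consume STRUCTURED-DATA from the front of text and return (sd, rest).

    STRUCTURED-DATA is '-' (NILVALUE) or one or more adjacent SD-ELEMENTs of
    the form [SD-ID name="value" ...]. In a value, '"', '\\' and ']' arrive
    escaped with a backslash and are unescaped here; other backslashes stay.
    """
    if text.startswith("-"):
        return {}, text[1:]
    sd, pos, n = {}, 0, len(text)
    while pos < n and text[pos] == "[":
        pos += 1
        start = pos
        while pos < n and text[pos] not in " ]":
            pos += 1
        sd_id = text[start:pos]
        if not sd_id:
            raise ValueError("empty SD-ID")
        params = {}
        while pos < n and text[pos] == " ":
            pos += 1
            start = pos
            while pos < n and text[pos] not in '="':
                pos += 1
            name = text[start:pos]
            if not name or text[pos:pos + 2] != '="':
                raise ValueError("malformed SD-PARAM in %r" % sd_id)
            pos += 2
            value = []
            while pos < n and text[pos] != '"':
                if text[pos] == "\\" and pos + 1 < n and text[pos + 1] in '"\\]':
                    pos += 1  # drop the escaping backslash, keep the escaped char
                value.append(text[pos])
                pos += 1
            if pos >= n:
                raise ValueError("unterminated PARAM-VALUE")
            pos += 1  # closing quote
            params[name] = "".join(value)
        if pos >= n or text[pos] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        pos += 1
        sd[sd_id] = params
    if not sd:
        raise ValueError("STRUCTURED-DATA must be '-' or one or more SD-ELEMENTs")
    return sd, text[pos:]


def parse(line):
    """Parse one RFC 5424 message whose transport framing has been removed."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header")
    # '-' is the NILVALUE an originator sends for a header field it cannot fill.
    hdr = {k: None if v == "-" else v for k, v in m.groupdict().items()}
    pri = int(hdr.pop("pri"))
    if pri > 191:  # facility 23, severity 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    sd, rest = _parse_sd(line[m.end():])
    if rest and not rest.startswith(" "):
        raise ValueError("expected SP between STRUCTURED-DATA and MSG")
    msg = rest[1:] if rest else None
    if msg is not None and msg.startswith("\ufeff"):
        msg = msg[1:]  # a leading BOM only declares that MSG is UTF-8
    return {"facility": pri // 8, "severity": pri % 8,
            "version": int(hdr.pop("version")), **hdr,
            "structured_data": sd, "msg": msg}


# Constructed sample messages (not captured from any real system).
SAMPLES = [
    # Authentication event with two SD-ELEMENTs; one value carries escaped quotes.
    '<86>1 2009-07-23T13:04:05.123Z storage-node-1.example.net sshd 2201 ID44 '
    '[origin ip="192.0.2.7" software="sshd"][auth@32473 user="alice" '
    'result="failure" reason="bad \\"token\\""] \ufeffFailed login for alice',
    # Health message with NILVALUE for PROCID and STRUCTURED-DATA, and no MSG.
    "<14>1 2009-07-23T13:04:06Z storage-node-1.example.net array - HEALTH -",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse(sample))
```

Run stand-alone it prints both parsed messages as dictionaries. The parser raises on malformed STRUCTURED-DATA rather than skipping it, which is the behaviour a central collector wants: downstream correlation keys on the SD-ID and parameter names, so a silently mis-parsed element would land an event in the wrong bucket.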
_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
