Policy, Standards, Regulations & Compliance
Re: Compliance Product Recommendation Jul 27 2007 05:46PM
doug simpson bz (1 replies)
RE: Compliance Product Recommendation Jul 28 2007 02:10PM
Mark Curphey (mark curphey com) (1 replies)
RE: Compliance Product Recommendation Jul 28 2007 02:31PM
ljknews (ljknews mac com) (1 replies)
RE: Compliance Product Recommendation Jul 28 2007 02:42PM
Mark Curphey (mark curphey com) (1 replies)
How can a tool check to see that log files are reviewed and acted on
appropriately? They can only check to see if an admin looked at the logs.
Surely there is a big difference? I don't want someone just looking at them,
I want them reviewing them and acting appropriately. Maybe that's the
difference between compliance and good information security!

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On
Behalf Of ljknews
Sent: Saturday, July 28, 2007 4:32 PM
To: psrc (at) securityfocus (dot) com
Subject: RE: Compliance Product Recommendation

At 4:10 PM +0200 7/28/07, Mark Curphey wrote:

> Take # 1 FW's as an example. Best practice (over hyped term) would suggest
> someone reviews the logs and approves rule changes for a limited period of
> time. The solutions I have seen don't touch on this.

The "reviews logs" part is easily susceptible to automation, putting an
Audit Access Control Entry into the Access Control List for the log. One
certainly must interview humans to see what actions they are taking based
on log reviews, but the automated tool gives the assurance that a human
(for NIST SP 800-53 AU-6) or an automaton (for NIST SP 800-53 AU-6 (1))
really is reading those logs every hour/day/week/fortnight.

There seem to be tons of "log management" tools in the field. Are you
saying that none of them even check on review of logs themselves?
--
Larry Kilgallen

Copyright 2010, SecurityFocus