Security Monitoring and Tracking Standards

Problem description

I am working on a system that handles authentication/authorization, and needs to keep track of the attempts of individuals logging in, making changes to the permissions/users, failed attempts, etc. We want to be able to parse this information into a database for further analysis/retrieval at a later time.

In our current implementation, we are using a home-brewed standard that is logged using a logging framework (Log4j in this case, but that is not what is important). Is a Logging framework the right mechanism to keep track of this information? It seems to me like it isn't; I had always understood logging to be a form of autopsy for the code - more to tell what happened when for purposes of debugging etc. This seems more like a reporting mechanism to me. Are there any standards for this type of a problem? Are there standard solutions/formats that people use? Is using a logging framework the right solution for this, or is there a better way to handle this type of data? What sources can I reference when looking at this information and presenting it to the stakeholders?

I should note - the data that is being logged is already being filtered based on compliance/security standards (no passwords, etc) and all of the logging occurs in our internal environment. I am more looking for a way that we can manage the change information of the authentication and authorization system.

Recommended answer

It seems like you are using log4J for auditing (and probably for logging diagnostic or tracing information as well). To answer your question:

Is a Logging framework the right mechanism to keep track of this information?

The straightforward answer is "No, a logging framework is not the right mechanism". There are certain attributes, which if present in a logging framework, would lend it the capability of being used as an audit framework.

Some of these requirements are presented below, and log4j can be used to cater to some of these. This is not exhaustive, and I would recommend that you look at the implementation of auditing frameworks (like LAUS) to derive a more comprehensive list.

  • The audit framework must ensure fail-safe auditing of events. This may depend on how the application uses the framework, but the basic requirement is that if auditing fails, so should the application. If an event cannot be audited, the application should not attempt to process any requests. Logging frameworks typically do not satisfy this requirement.
  • Ideally, the audit framework should provide write-once, read-only storage. In other words, events written to the audit log must be retained and must not be deleted. Audit frameworks usually do not implement this protection on their own, but rely on a combination of other factors to ensure that the log is tamper-proof.
  • The audit framework should allow the audit log to be stored on a different system. This ensures that a compromise of one system does not automatically lead to a compromise of the audit log.
  • The framework should also allow the important information to be captured, and ideally should not leave this to the programmer. The important information would consist of a timestamp from a synchronized time source, the user responsible for the request (or whatever information identifies the user), the origin of the request, the status of the request (whether it succeeded or failed), any errors encountered while processing the request, etc.
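The fail-safe and mandatory-fields points above, shown as an added Python example that is not part of the question, the answer, or any named framework. It assumes an in-memory sink standing in for a store on a separate, append-only host, and the system clock standing in for a synchronized time source; the names `FailClosedAuditor`, `AuditEvent` and `audited` are made up for this illustration.

```python
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Callable, Optional


class AuditFailure(RuntimeError):
    """Raised when an event could not be durably audited; the request must not proceed."""


@dataclass
class AuditEvent:
    # The fields the answer lists as mandatory; deliberately no secrets (no passwords).
    timestamp: str           # from a synchronized time source (assumed: system clock here)
    actor: str               # who is responsible for the request
    origin: str              # where the request came from
    action: str              # what was attempted (login, permission change, ...)
    outcome: str             # "success" or "failure"
    error: Optional[str] = None


class FailClosedAuditor:
    """Writes one JSON line per event to `sink`; any sink error becomes AuditFailure."""

    def __init__(self, sink: Callable[[str], None],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.sink = sink      # hypothetical: an appender shipping to the remote audit host
        self.clock = clock

    def record(self, actor, origin, action, outcome, error=None) -> AuditEvent:
        event = AuditEvent(self.clock().isoformat(), actor, origin, action, outcome, error)
        try:
            self.sink(json.dumps(asdict(event)))
        except Exception as exc:
            raise AuditFailure(f"audit write failed for {action} by {actor}") from exc
        return event


def audited(auditor: FailClosedAuditor, actor: str, origin: str, action: str,
            handler: Callable[[], object]):
    """Run `handler`, audit its outcome, and release the result only if the audit succeeded.

    If the audit write fails, AuditFailure propagates and the caller must refuse the request;
    a failed handler is audited as "failure" with its error before the exception is re-raised.
    """
    try:
        result = handler()
    except Exception as exc:
        auditor.record(actor, origin, action, "failure", f"{type(exc).__name__}: {exc}")
        raise
    auditor.record(actor, origin, action, "success")
    return result
```

A constructed run: `audited(FailClosedAuditor(lines.append), "alice", "10.0.0.7", "grant_role", lambda: "ok")` appends one JSON line to `lines` and returns `"ok"`, while the same call with a sink that raises never returns a result.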
