"Syslog is for logging, XDAS is for auditing" - John Calcote, Novell
A new logging format and taxonomy standard related to the ongoing effort of The Open Group (XDAS version 2). This early XDAS v2 implementation (built as a log4j plugin) provides a pragmatic way to define, test and develop the new XDAS v2 logging standard.
The ongoing XDAS initiative has been presented during the 3rd Security Practitioners Conference in Toronto (Canada). The current XDAS draft and its available Java implementation (xdas4j) were presented during the conference:
This presentation provides an overview of the current XDAS draft in order to understand its impact on compliance requirements (accountability).
This presentation provides an overview of the current XDAS draft in order to show its impact on audit trails understanding and management. A demo of its Java implementation (xdas4j library) is also provided.
Today, analysts need to know and understand a wide variety of log formats, to the point where frequent reference to the manufacturer's reference materials is necessary just to understand what happened. It is also quite common for companies to be subject to any number of federal, state, or industry regulations. These use cases, among many others, lead to some basic concepts regarding what constitutes visibility into enterprise activity. The purpose of monitoring enterprise computing activity involves:
The primary focus of XDAS is to specify the nature and structure of real-time event records generated by software components to report on system activity. Current event generation or "audit" systems use a wide variety of custom and proprietary technologies to generate, format, deliver, and store event records, which makes understanding and processing those event records an extremely difficult problem. XDAS therefore seeks to normalize these event records, allowing them to be collected and analyzed centrally in a manner that allows for a much deeper level of analysis, simpler processing, and intuitive understanding.
XDAS event generation is directly related to one of the two following use cases:
Use case 1 is related to the handling of proprietary logs (post-processing), while use case 2 is related to XDAS-compliant software that is directly able to record its audit trails as XDAS events. The xdas4j library is only related to use case 2, where an existing Java application that uses xdas4j generates XDAS-compliant trails instead of proprietary logs.
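The following is an added illustration of the two use cases, not code from the xdas4j project: two constructed proprietary log lines are post-processed into one common event record (use case 1), and an application records the same kind of event directly (use case 2). The event model (observer, initiator, action, target, outcome) and the sample formats are assumptions for this illustration, not the XDAS v2 schema or the xdas4j API.

```python
"""Illustrative normalization of heterogeneous log lines into one event model.

Added example, not xdas4j code. Field names and sample formats are assumed
here for illustration only; the actual XDAS v2 schema is not on this page.
"""
import re
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class AuditEvent:
    observer: str   # component that reports the event (assumed field)
    initiator: str  # who performed the action (assumed field)
    action: str     # normalized action name (assumed field)
    target: str     # what was acted upon (assumed field)
    outcome: str    # "success" or "failure" (assumed field)


# Constructed sample lines in two different proprietary formats.
SSH_LINE = "Jan 12 10:01:02 host1 sshd[4711]: Failed password for alice from 10.0.0.5 port 5022 ssh2"
APP_LINE = "2024-01-12T10:02:03Z app=payroll user=bob op=READ_RECORD obj=emp/42 result=OK"

_SSH = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
_APP = re.compile(r"app=(\S+) user=(\S+) op=(\S+) obj=(\S+) result=(\S+)")


def normalize(line: str) -> AuditEvent:
    """Use case 1: post-process a proprietary log line into the common model."""
    m = _SSH.search(line)
    if m:
        status, user, src = m.groups()
        return AuditEvent("sshd", f"{user}@{src}", "authenticate", "ssh-login",
                          "success" if status == "Accepted" else "failure")
    m = _APP.search(line)
    if m:
        app, user, op, obj, result = m.groups()
        return AuditEvent(app, user, op.lower().replace("_", "-"), obj,
                          "success" if result == "OK" else "failure")
    # Unknown formats must not be silently dropped: an analyst needs to know.
    raise ValueError(f"unrecognised log format: {line!r}")


def emit(observer: str, initiator: str, action: str, target: str, ok: bool) -> AuditEvent:
    """Use case 2: an audit-aware component records the event directly."""
    return AuditEvent(observer, initiator, action, target, "success" if ok else "failure")


if __name__ == "__main__":
    for ev in (normalize(SSH_LINE), normalize(APP_LINE),
               emit("payroll", "bob", "read-record", "emp/42", True)):
        print(asdict(ev))
```

Both paths yield identical records for the payroll event, which is the point of normalization: a central analyzer only has to understand one model.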
Using xdas4j, developers will soon be able to build XDAS audit trails easily, enabling IT administrators, security officers and others to understand and track their software activities with little effort.