Me thinks thou dost protest too much…

I’ll just take your comments point by point, if you don’t mind:

1. Novell is using XDAS. What makes ArcSight’s use of CEF more significant?

2. You’ve clearly not read many standards – have you seen the IETF RFC for the HTTP protocol? – It’s a fairly simple protocol, but it’s well over 100 pages. Pick any other standards (SMNP, SMTP, FTP, SSH, etc) and check how many pages they have. Don’t limit the number of pages to the material you can read before you fall asleep. Standards are like legal documents to technicians – they should communicate intent clearly, and that takes words in a row.

3. By implement, do you mean the audit system itself, or application instrumentation? You don’t implement any system worth having without some effort. A couple of weeks? More like a couple of months before the first release – as it should be. We’re not writing in PHP or Javascript here. This is security code, and it has to be secure, which requires careful thought and significant effort.

4. The XDAS standard defines three very critical aspects of auditing: API, Record Format, and Taxonomy. API is defined because too many people have reinstrumented for different audit systems too many times. Most of them can relate to this design choice. Record format allows everyone to work together on analysis systems. Taxonomy exists to allow everyone to work in the same context. Transport is specifically NOT defined. It’s indicated on the block diagram as necessary, but purposely specified as implementation defined.

5. The XDAS service exists to coordinate logging from multiple processes into a single sink. This shouldn’t be that hard to understand. A single process should always (for security and architectural reasons) coordinate the funnelling of data from multiple sources into a single sink.

6. XDAS is not an event interchange standard – it’s a distributed security event management standard. It’s designed to ensure that the proper data gets from multiple sources to the proper place without tampering. This requires some degree of access control. Filtering is discussed simply for the sake of performance, and I don’t see anything about RBAC in the spec.

7. Yes, audit is all about security events, and it should be strictly limited to security events. XDAS very purposely does NOT define a generic event bus. We have WAY too many of those today, and none of them do what they need for proper auditing. The last thing we want is for people to dump their debug events into the audit log. Most audit logs today contain 99 percent useless garbage (from an auditing perspective), which means that analysis tools spend most of their processing time just filtering and correlating. The point is that engineers should think of auditing as a separate and distinct process from logging.

8, 9, 10, 14. On these points, I agree – the record format could use some updating. The XDAS preliminary specification was written in 1998, before the days of XML and before name/value pairs were as popular as they are today. Even so, some of the fields reflect the growing desire to move in this direction. The Open Group has recently re-established the XDAS working group to update this specification to meet today’s needs. The OpenXDAS project on sourceforge.net is a work in progress. There is one person working full-time on this project, and I can only do so much in a day. But I and those who help me occasionally are working to make things better with each release. Note that the current release is 0.5 – that’s pre-1.0, meaning it’s not what we would consider complete yet. And finally, some of the fields are being reconsidered. After all, we’re starting with a preliminary specification, not an existing standard.

11. I’ve no idea what the original author intended by these concepts (access and principal id’s). Does it matter? We’ll probably remove this prose from the spec, if someone in the working group can’t provide a good explanation for them.

12. Why mention actions and alarms? Actions and alarms have nothing to do with log management – they relate to event channel contents. One of the key benefits of a true audit system is the ability to take immediate action based on various types of events being published. A common action is to simply notify a system administrator of possible attack or system failure. While it’s true that most analysis is done on logs, there is a very important place in auditing for real-time alarms and actions built into the event channel itself. XDAS specifies their optional existence, and indicates that the actual nature of these auxilliary services are implementation defined.

13. Log entry pointers are more for archival interest than for actual analysis. We don’t expect analysis tools to go trapsing back to the original source for details on an XDAS record, although nothing in the specification precludes an implementation from doing so.

14. Again, I agree with you, the record format is not perfect. But it’s not bad either. We’re working on updating it.

15. While the world of today may revolve around syslog, we’re hoping that syslog is not considered the ultimate auditing solution for everyone. We’re actually hoping to improve on today’s tools – if we didn’t think there was room for improvement, then we’d be writing to syslog ourselves. We’re not the only people that feel this way – Red Hat is working on an entire auditing infrastructure for RH Linux that has nothing to do with syslog, unfortinately, it’s very specific to Linux. We will integrate OpenXDAS with this Linux-only system (LAF – linux audit framework) on Linux platforms.

16. The concepts of Originator, Target and Initiator are all well-defined in the spec. Originator is the identity of the service or host that is logging the event. (If you’d read past the first 10 pages, you’d have known that.

17. The Taxonomy is being improved by the Open Group working group as I write this. We’re adding events for work flow, among others of security relevance.

18. Outcome encoding, as well as event encoding is being looked as for update by the working group.

The fact is, Novell didn’t want to invent something new (again). We wanted to use an existing standard. When we went looking for such a standard over a year ago, we found XDAS – and that’s about all. Had we known about CEF, we might have gone in that direction, but CEF wasn’t being advertised actively on the Internet back then. We did find a few other efforts such as CMU’s auditing system (eddy – end-to-end diagnostics discovery), but nothing was really as close to implmenetation read as XDAS was.

Our first version of OpenXDAS was to provide a pure reference implementation of the standard – implementing the existing specification as closely as possible. The second version (2.x?) will follow the working group updates. This takes time of course, and we wanted something our customers and internal development groups can use today.

John Calcote
System Architect
Novell, Inc.