GA/T 911-2019: Information security technology - Security technical requirements for log analysis products (Status: Valid)
Historical version: GA/T 911-2010 "Information security technology - Security technology requirements for log analysis products" (Status: Obsolete; replaced by GA/T 911-2019)
Basic data
Standard ID: GA/T 911-2019 (GA/T911-2019)
Description (translated English): Information security technology - Security technical requirements for log analysis products
Sector / Industry: Public Security (Police) Industry Standard (Recommended)
Classification of Chinese Standard: A90
Classification of International Standard: 35.240
Word count estimation: 18,186
Date of issue: 2019
Date of implementation: 2019-03-19
Issuing agency: Ministry of Public Security
GA/T 911-2019: Information security technology - Security technical requirements for log analysis products (draft translation for illustration, not a final translation)
ICS 35.240
A 90
GA
Public Security Industry Standard of the People's Republic of China
Replaces GA/T 911-2010
Information security technology - Security technical requirements for log analysis products
Published by the Ministry of Public Security of the People's Republic of China
Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 General description
4.1 Classification of security technical requirements
4.2 Classification of security levels
5 Security function requirements
5.1 Log collection and storage
5.2 Log analysis and processing
5.3 Log presentation and alarm
5.4 Development interface
6 Self-security function requirements
6.1 Component security
6.2 Security management
6.3 Self-audit function
6.4 System alarm
7 Security assurance requirements
7.1 Development
7.2 Guidance documents
7.3 Life cycle support
7.4 Testing
7.5 Vulnerability assessment
8 Classification requirements
8.1 Overview
8.2 Classification of security function requirements
8.3 Classification of self-security function requirements
8.4 Classification of security assurance requirements
Foreword
This standard was drafted in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GA/T 911-2010 "Information security technology - Security technology requirements for log analysis products". Compared with GA/T 911-2010, the main changes are as follows:
- Revised the requirements for "level division", dividing the levels into two: basic level and enhanced level (see Chapter 8; 7.2, 7.3 and 7.4 of the 2010 edition);
- Removed the requirement for "standard protocol reception" (see 4.1.2.1 of the 2010 edition);
- Removed the requirement for "agent collection" (see 4.1.2.2 of the 2010 edition);
- Removed the requirement for "log file import" (see 4.1.2.3 of the 2010 edition);
- Added the requirement for "data collection" (see 5.1.2.1);
- Revised the requirements for "backup of audit records" (see 5.1.6; 4.2.3 of the 2010 edition);
- Removed the requirement for "self-protection ability of software agents" (see 5.1.1.1 of the 2010 edition);
- Removed the requirement for "data transmission control" (see 5.1.1.3 of the 2010 edition);
- Removed the requirement for "data resumption" (see 5.1.1.4 of the 2010 edition);
- Added the requirement for "multi-level deployment" (see 6.1.1);
- Added the requirement for "multiple authentication" (see 6.2.1.3);
- Added the requirement for "timeout lock" (see 6.2.1.4);
- Removed the requirement for "storage of audit records" (see 5.3.2 of the 2010 edition);
- Removed the requirement for "audit management" (see 5.3.3 of the 2010 edition);
- Added the requirement for "data storage security" (see 6.3.3).
This standard was proposed by the Cyber Security Bureau of the Ministry of Public Security.
This standard is under the jurisdiction of the Information System Security Standardization Technical Committee of the Ministry of Public Security.
Drafting organizations of this standard: Computer Information System Security Product Quality Supervision and Inspection Center of the Ministry of Public Security, Hangzhou Anheng Information Technology Co., Ltd., Huawei Technologies Co., Ltd.
Main drafters of this standard: Chen Zhuo, Zhang Xiaoxiao, Lu Zhen, Tang Di, Yu You, Shen Liang, Wu Qicong.
Previous editions of this standard:
- GA/T 911-2010.
Information security technology - Security technical requirements for log analysis products
1 Scope
This standard specifies the security function requirements, self-security function requirements, security assurance requirements, and classification requirements for log analysis products.
This standard applies to the design, development, and testing of log analysis products.
2 Normative references
The following documents are indispensable for the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 18336.3-2015 Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance components
GB/T 25069-2010 Information security technology - Terminology
3 Terms and definitions
The terms and definitions given in GB/T 18336.3-2015 and GB/T 25069-2010 and the following apply to this document.
3.1
Log analysis product
A security product that collects log data in an information system through log agents, standard protocols, file import, etc., and performs centralized storage and analysis of it.
3.2
Log data source
The original source that produces the log data.
3.3
Log management center
A functional module that centrally processes, stores, and analyzes the collected log data.
3.4
Audit log
Log data generated by the log analysis product's own auditing.
3.5
Log record
Log data generated from the collected raw log data after preprocessing according to certain rules, and stored in the log management center.
3.6
Authorized administrator
A user with management authority over the log analysis product, responsible for managing the system configuration, security policies, and log data of the log analysis product.
4 General description
4.1 Classification of security technical requirements
This standard divides the security technical requirements for log analysis products into three categories: security function requirements, self-security function requirements, and security assurance requirements. The security function requirements are specific requirements for the security functions that a log analysis product should have, including log collection and storage, log record processing, log presentation and alarm, and the development interface. The self-security function requirements are specific requirements for the functions that protect the log analysis product itself, including component security, security management, self-audit functions, and system alarms. The security assurance requirements are specific requirements for the product's life cycle process, covering development, guidance documents, life cycle support, testing, and vulnerability assessment.
4.2 Classification of security levels
The security level of a log analysis product is divided into basic level and enhanced level according to the strength of its security function requirements, self-security function requirements, and security assurance requirements. The security assurance requirements refer to GB/T 18336.3-2015.
5 Security function requirements
5.1 Log collection and storage
5.1.1 Log data source
The log analysis product should support adding, modifying, and deleting log data sources, and the supported types of log data source should at least cover the following:
a) network equipment, such as switches, routers, firewalls;
b) operating system;
c) database system;
d) other application systems.
5.1.2 Log data collection
5.1.2.1 Data collection
The log analysis product should be able to collect log data from log data sources, using at least one of the following collection methods:
a) log agent;
b) standard protocols;
c) file import;
d) other.
5.1.2.2 Timeliness of Log Collection
Log analysis products should be able to collect log data from log data sources in a timely manner.
5.1.3 Preprocessing of log data
5.1.3.1 Data screening
The log analysis product should be able to filter the collected log data according to an established policy and selectively generate log records.
5.1.3.2 Data Conversion
The log analysis product should be able to convert raw log data in a variety of formats into a unified data format, and the conversion must not cause critical data items to be lost or damaged.
5.1.4 Log Record Generation
The log analysis product should generate corresponding log records after preprocessing and event analysis of the collected log data. The content of a log record should be understandable by the administrator and include the following information:
a) the date and time of the event;
b) the subject of the event;
c) event object;
d) event description;
e) event type;
f) event level;
g) The IP address, MAC or name of the log data source.
5.1.5 Log Record Storage
5.1.5.1 Security protection
Log analysis products should adopt security mechanisms to protect log records from unauthorized reading, deletion, or modification.
5.1.5.2 Preventing Loss of Log Records
Log analysis products should provide the following measures to prevent loss of log records.
a) Log records should be stored in a non-volatile storage medium so that they are retained on power failure;
b) When the storage capacity of the log records reaches the threshold, an alarm message is issued;
c) Automatically transfer older log records to other devices before the storage space of log records is exhausted.
5.1.6 Log record backup
Log analysis products should provide the following log record backup functions.
a) Support customizable automated backup functions and strategies;
b) Automatically transfer log records to realize remote backup.
5.2 Log analysis and processing
5.2.1 Log record processing
5.2.1.1 Data integration
Log analysis products should be able to check whether log records are duplicated or invalid, and integrate data.
5.2.1.2 Data split
If a single field of a log record contains multiple kinds of information separated by delimiters, the log analysis product should be able to split that field into several fields for storage, to facilitate analysis.
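A worked illustration of the conversion, required-field and field-splitting requirements in 5.1.3.2, 5.1.4 and 5.2.1.2, added here as example code that is not part of the standard or of any product: two constructed raw formats (a syslog-style firewall line and a key=value application line) are normalized into one record type, a record missing any of the seven 5.1.4 items is rejected rather than stored, and a delimited field is split into separate fields. The format names, regular expressions and field names are this example's own assumptions.

```python
"""Added example for 5.1.3.2, 5.1.4 and 5.2.1.2: convert two constructed raw log
formats into one unified record, refuse records that lost a critical item, and
split a delimited field into separate fields. Format and field names are this
example's own assumptions, not definitions from GA/T 911-2019."""
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed sample input: a syslog-style firewall line and a key=value application line.
RAW_LINES = [
    "<134>Mar 19 10:15:02 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "2019-03-19T10:15:03Z app01 level=warn user=alice action=login result=fail extra=role:admin|dept:it",
]


@dataclass
class LogRecord:
    """Unified record carrying the seven items required by 5.1.4 a) to g)."""
    event_time: str   # a) date and time of the event
    subject: str      # b) subject of the event
    obj: str          # c) object of the event
    description: str  # d) event description
    event_type: str   # e) event type
    level: str        # f) event level
    source: str       # g) IP address, MAC or name of the log data source
    extra: dict = field(default_factory=dict)  # fields produced by 5.2.1.2 splitting


CRITICAL = ("event_time", "subject", "obj", "description", "event_type", "level", "source")


def split_delimited(value: str, item_sep: str = "|", kv_sep: str = ":") -> dict:
    """5.2.1.2: split one field holding several delimited items into separate fields."""
    out = {}
    for part in value.split(item_sep):
        if kv_sep in part:
            key, val = part.split(kv_sep, 1)
            out[key.strip()] = val.strip()
    return out


SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
KV_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<rest>.*)$")


def parse_syslog(line: str) -> Optional[LogRecord]:
    """Netfilter-style verdict lines: subject is SRC, object is DST, level is syslog severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    tokens = m["msg"].split()
    kv = dict(t.split("=", 1) for t in tokens if "=" in t)
    verdict = tokens[0].lower() if tokens else ""
    severity = int(m["pri"]) % 8  # PRI = facility * 8 + severity
    return LogRecord(m["ts"], kv.get("SRC", ""), kv.get("DST", ""), m["msg"],
                     f"firewall.{verdict}", str(severity), m["host"])


def parse_kv(line: str) -> Optional[LogRecord]:
    """Application key=value lines: subject is the user, object is the host acted on."""
    m = KV_RE.match(line)
    if not m:
        return None
    kv = dict(t.split("=", 1) for t in m["rest"].split() if "=" in t)
    extra = split_delimited(kv.pop("extra", ""))
    event_type = f"app.{kv.get('action', '')}.{kv.get('result', '')}"
    return LogRecord(m["ts"], kv.get("user", ""), m["host"], m["rest"],
                     event_type, kv.get("level", ""), m["host"], extra)


PARSERS: List[Callable[[str], Optional[LogRecord]]] = [parse_syslog, parse_kv]


def normalize(line: str) -> LogRecord:
    """5.1.3.2: convert to the unified format; never emit a record missing a critical item."""
    for parser in PARSERS:
        rec = parser(line)
        if rec is None:
            continue
        missing = [name for name in CRITICAL if not getattr(rec, name)]
        if missing:
            raise ValueError(f"conversion lost critical items {missing}: {line!r}")
        return rec
    raise ValueError(f"unrecognised log format: {line!r}")


def normalize_all(lines: List[str]) -> List[LogRecord]:
    return [normalize(line) for line in lines]
```

A real product would route a rejected line to an error queue instead of raising, so that the raw data is kept for later repair.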
5.2.2 Log record analysis
5.2.2.1 Event identification
The log analysis product should be able to dynamically maintain an event database that classifies the various events in the network according to certain characteristics, and should be able to analyze the collected log data to determine the type of event to which it belongs.
5.2.2.2 Event Rating
The log analysis product should assign a level to each type of event, to indicate the nature of the event or to reveal the degree of danger that the occurrence of such an event brings to the information system.
5.2.2.3 Event statistics
The log analysis product should be able to make statistics based on the following attributes of the event.
a) the subject of the event;
b) event object;
c) event type;
d) event level;
e) the date and time of the event;
f) the IP address or name of the log data source;
g) other attributes or combinations of attributes of the event.
5.2.2.4 Analysis of potential hazards
The log analysis product should be able to set a threshold for the cumulative number or the frequency of occurrences of a single type of event. When statistical analysis shows that such events exceed the threshold, this indicates a potential hazard to the information system.
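A worked illustration of 5.2.2.4 with alarm content as required by 6.4.2, added here as example code that is not part of the standard or of any product: a sliding-window counter for one event type raises an alarm when its frequency within the window, or its cumulative count, exceeds a threshold. The class and field names, the constructed sample events and the thresholds are assumptions of this example.

```python
"""Added example for 5.2.2.4 (potential hazard analysis) with alarm content per
6.4.2 b). A sliding window counts one event type; exceeding the frequency or the
cumulative threshold yields an alarm. Class and field names are this example's
own assumptions, not terms defined by GA/T 911-2019."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple


@dataclass
class Alarm:
    """Alarm message with the date/time, subject and description required by 6.4.2 b)."""
    time: datetime
    subject: str
    description: str


class HazardMonitor:
    """Thresholds for a single event type: count within a window, and total count."""

    def __init__(self, event_type: str, window: timedelta,
                 rate_threshold: int, cumulative_threshold: int):
        self.event_type = event_type
        self.window = window
        self.rate_threshold = rate_threshold
        self.cumulative_threshold = cumulative_threshold
        self.total = 0
        self.recent: Deque[datetime] = deque()
        self.cumulative_alarmed = False  # the cumulative alarm is raised once

    def observe(self, ts: datetime, subject: str) -> Optional[Alarm]:
        self.total += 1
        self.recent.append(ts)
        # Drop timestamps that have fallen out of the sliding window.
        while self.recent and ts - self.recent[0] > self.window:
            self.recent.popleft()
        if len(self.recent) > self.rate_threshold:
            self.recent.clear()  # one alarm per burst rather than one per further event
            return Alarm(ts, subject,
                         f"{self.event_type}: more than {self.rate_threshold} events within "
                         f"{int(self.window.total_seconds())}s indicates a potential hazard")
        if self.total > self.cumulative_threshold and not self.cumulative_alarmed:
            self.cumulative_alarmed = True
            return Alarm(ts, subject,
                         f"{self.event_type}: cumulative count exceeded {self.cumulative_threshold}")
        return None


Event = Tuple[datetime, str, str]  # (time, event type, subject), as produced by 5.1.4


def analyze(events: List[Event], monitors: Dict[str, HazardMonitor]) -> List[Alarm]:
    """Route each event to the monitor for its type; types without a threshold are ignored."""
    alarms: List[Alarm] = []
    for ts, event_type, subject in sorted(events):
        monitor = monitors.get(event_type)
        if monitor is None:
            continue
        alarm = monitor.observe(ts, subject)
        if alarm is not None:
            alarms.append(alarm)
    return alarms


# Constructed sample: a burst of failed logins from one address, then a slow trickle from another.
T0 = datetime(2019, 3, 19, 10, 15, 0)
SAMPLE_EVENTS: List[Event] = (
    [(T0 + timedelta(seconds=s), "app.login.fail", "198.51.100.7") for s in (0, 5, 9, 14, 20, 27)]
    + [(T0 + timedelta(minutes=m), "app.login.fail", "203.0.113.9") for m in (10, 25, 40, 55, 70)]
)


def run_sample() -> List[Alarm]:
    """Threshold of 5 events per 60 s and 10 events in total for failed logins (assumed values)."""
    monitors = {"app.login.fail": HazardMonitor("app.login.fail", timedelta(seconds=60),
                                                rate_threshold=5, cumulative_threshold=10)}
    return analyze(SAMPLE_EVENTS, monitors)
```

The burst trips the frequency threshold on its sixth event, while the slow trickle never does and is caught only by the cumulative threshold; the same counter structure serves the authentication-failure limit of 6.2.1.6 when the event type is the product's own failed logins.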
5.2.2.5 Analysis of abnormal behavior
The log analysis product should maintain a set of normal behaviors of the legitimate users of the information system, in order to distinguish the behavior of intruders and the abnormal behavior of legitimate users from it.
5.2.2.6 Correlation event analysis
The log analysis product should provide the following correlation analysis functions:
a) Comprehensive analysis based on indicators such as event level and the cumulative number of occurrences of events, in order to derive the risk level of each resource;
b) Correlation analysis across multiple log data sources, which should be able to analyze multi-step access behavior and use known event sequences to reconstruct the complete access path in a graphical way.
5.2.2.7 Logging Data Mining
The log analysis product should be able to extract implicit, previously unknown, and potentially valuable information and knowledge from large amounts of log data. The specific requirements are as follows:
a) extract the common properties of the same type of events, such as the time period when the events occur frequently;
b) extract knowledge of dependencies or associations between a single event and other events, such as the causal relationship between events;
c) extract features that reflect the common nature of similar events and the differences between different events, and reveal the occurrence of hidden events;
d) discover other types of knowledge and reveal abnormalities that deviate from the norm;
e) Infer future data from historical and current data according to the time series of the data, for example by analyzing the user access logs of a target system to find the patterns of general user access.
5.3 Log Presentation and Alarm
5.3.1 Log query
The log analysis product should be able to query log records based on the following attributes of the event:
a) the subject of the event;
b) event object;
c) event type;
d) event level;
e) the date and time of the event;
f) the IP address or name of the log data source;
g) other attributes or combinations of attributes of the event.
5.3.2 Statistical Report
The log analysis product should be able to generate statistical reports based on the results of event statistics and output in a common format.
5.3.3 Analysis Report
The log analysis product should be able to generate an analysis report based on the log analysis results and output it in a common format. The report should include the following:
a) the results of log record analysis;
b) provide assessment results for the risk level of the information system or individual resources in the information system;
c) provide remedial suggestions for the results of log analysis;
d) Provide predictive information based on the knowledge collected from log data mining.
5.3.4 Alarm mechanism
Log analysis products should be able to alert on the following events.
a) User-specified events, such as high-risk events;
b) the results of the potential hazard analysis indicate potential hazards in the information system;
c) The results of abnormal behavior analysis indicate that the information system has the behavior of intruders or abnormal behavior of legitimate users;
d) The results of the log analysis indicate that there is a risk in the information system or a resource in the information system.
5.4 Development Interface
The log analysis product should provide at least one standard, open interface, so that program modules for other information security products can be written in accordance with the interface specification to share information or coordinate linkage.
6 Self-security function requirements
6.1 Component security
6.1.1 Log Agent Status Monitoring
The log analysis product should be able to monitor the online status of the log agent.
6.1.2 Multi-level deployment
Log analysis products should support distributed multi-level deployment.
6.1.3 Central Management
Log analysis products should be able to centrally customize log collection strategies and distribute them to the corresponding log agents.
6.1.4 Data transmission security
If the components of the log analysis product communicate over a network, the log analysis product should protect the data transmitted between the components to ensure the integrity and confidentiality of the data during transmission.
6.1.5 Time synchronization
The log analysis product should provide a time synchronization function to ensure the consistency of time between the components of the log analysis product.
6.2 Security management
6.2.1 Identification and authentication
6.2.1.1 Unique identification
The log analysis product should provide the user with a unique identity, while associating the user's identity with all auditable events for that user.
6.2.1.2 Identity authentication
Log analysis products should authenticate users before performing any operations related to security functions.
6.2.1.3 Multiple authentication
The log analysis product should be able to provide management roles with other authentication mechanisms in addition to password authentication mechanisms.
6.2.1.4 Timeout lock
The log analysis product should have a login timeout lockout or logout capability. If there is no operation for a set period of time, the session is terminated, and identity authentication must be performed again before further operation. The maximum timeout period may be set only by an authorized administrator.
6.2.1.5 Authentication data protection
The log analysis product shall ensure that authentication data is protected from unauthorized access or modification.
6.2.1.6 Handling of authentication failure
When the number of user authentication failures reaches the set value, the log analysis product should take the following measures:
a) terminate the session;
b) lock user account or remote login host address;
c) Generate a system alarm message to notify the authorized administrator.
6.2.2 Security Function Management
Log analysis products should provide authorized administrators with the following management functions.
a) View and modify various security attributes;
b) Customize and modify various security policies.
6.2.3 Differentiating Security Role Management
The log analysis product should be able to give authorized administrators different management rights by assigning different roles to authorized administrators.
6.2.4 Remote Management
If the log analysis product provides remote management functions, the following measures should be taken to ensure remote management security.
a) confidential transmission of remote management information;
b) Limit the address of the remote login host.
6.3 Self audit function
6.3.1 Audit log generation
Log analysis products should generate audit logs for the following events.
a) administrator login events, including success and failure;
b) the operation of changing the security policy;
c) The session connection is terminated due to the number of unsuccessful authentication attempts;
d) backup and deletion of log records;
e) change of log agent status;
f) add, delete and modify the security role;
g) Other actions of the administrator.
Each audit log shall record the date, time, user identity, event description, and outcome of the event. If the log analysis product provides remote management capabilities, the address of the remote login host shall also be recorded.
6.3.2 Data storage security
Log analysis products should prevent audit data from being deleted or tampered with, and ensure the integrity of stored data.
6.4 System alarm
6.4.1 Alarm Event Type
The log analysis product should be able to alarm on the following system events:
a) The storage space of the log records reaches the set value;
b) the number of user authentication failures reaches the set value;
c) Other system events customized by authorized administrators.
6.4.2 Alarm messages
The alarm message content of the log analysis product should meet the following requirements.
a) understandable by the administrator;
b) At least include the date, time, subject and description of the event.
6.4.3 Alarm mode
The alarm method of the log analysis product shall include one or more of the following methods.
a) pop-up alarm window;
b) send an alarm email;
c) sending SNMP trap messages;
d) sending acoustic and optical signals;
e) Send SMS short message.
7 Security assurance requirements
7.1 Development
7.1.1 Security architecture
The developer should provide a description of the security architecture of the product's security functions. The security architecture description should meet the following requirements:
a) be consistent with the level of abstraction of the security function description in the product design document;
b) describe the security domains of the product's security functions consistently with the security function requirements;
c) describe why the initialization process of the product's security functions is secure;
d) confirm that the product's security functions can be prevented from being compromised;
e) Confirm that the product's security functions prevent security features from being bypassed.
7.1.2 Functional Specifications
Developers should provide a complete functional specification, which should meet the following requirements:
a) fully describe the security functions of the product;
b) describe the purpose and method of use of all security function interfaces;
c) identify and describe all parameters associated with each security function interface;
d) describe the security function implementing behavior associated with the security function interfaces;
e) describe the direct error messages resulting from the behavioral processing of the security functions;
f) demonstrate that the security function requirements trace to the security function interfaces;
g) describe all actions associated with the security function interfaces during the implementation of the security functions;
h) Describe all direct error messages that may result from invoking the security function interfaces.
7.1.3 Implementation Representation
Developers should provide the implementation representation of all security functions. The implementation representation should meet the following requirements:
a) provide a mapping between the product design description and the sample implementation representation, and demonstrate their consistency;
b) define the product's security functions at a level of detail such that they can be generated without further design decisions;
c) Be provided in the form used by the developers.
7.1.4 Product Design
Developers should provide a product design document, which should meet the following requirements:
a) describe the product structure in terms of subsystems;
b) identify and describe all subsystems of the product's security functions;
c) describe the interactions between all subsystems of the security functions;
d) the mapping provided can verify that all behaviors described in the design can be mapped to the security function interfaces that invoke them;
e) describe the security functions in terms of modules;
f) provide the mapping between security function subsystems and modules;
g) describe all modules that implement security functions, including their purpose and interactions with other modules;
h) describe the interfaces required by all modules that implement security functions, the return values from those interfaces, the interactions with other modules, and the interfaces they call;
i) Describe the supporting or related modules of all security functions, including their purpose and interactions with other modules.
7.2 Guidance documents
7.2.1 Operation User Guide
Developers should provide clear and reasonable operational user guidance that is consistent with all other documents provided for evaluation. The description of each user role should meet the following requirements:
a) describe the user-accessible functions and privileges that are controlled in a secure processing environment, including appropriate warnings;
b) describe how to use the available interfaces provided by the product in a secure manner;
c) describe the available functions and interfaces, in particular all security parameters under the user's control, indicating secure values where appropriate;
d) clearly state each type of security-related event related to the user-accessible functions that must be performed, including changing the security characteristics of entities under the control of the security functions;
e) identify all possible modes of operation of the product (including operation following failure or operational error), their consequences, and their implications for maintaining secure operation;
f) Describe the security policies that must be implemented to fully achieve the security objectives.
7.2.2 Preparation procedures
The developer shall provide the product and its preparation procedures. The preparation procedure description shall meet the following requirements.
a) describe all steps necessary to securely receive the delivered product in accordance with the developer delivery process;
b) Describe all steps necessary to safely install the product and its operating environment.
7.3 Life cycle support
7.3.1 Configuration Management Capability
The developer's configuration management capability should meet the following requirements:
a) provide a unique identification for each version of the product;
b) use a configuration management system to maintain all configuration items that make up the product, and uniquely identify the configuration items;
c) provide configuration management documentation that describes the method used to uniquely identify the configuration items;
d) the configuration management system provides an automated means to support the generation of the product, by which it is ensured that only authorized changes can be made to the implementation representation of the product;
e) The configura...