Logging and Monitoring

This service performs two functions. The first is the detection of the occurrence of a threat. (However, the detection does not occur in real time unless some type of real-time monitoring capability is utilized.) Depending on the extensiveness of the logging, the detected event should be traceable throughout the system.

For example, when an intruder breaks into the system, the log should indicate who was logged on to the system at the time, all sensitive files that had failed accesses, all programs that had attempted executions, etc. It should also indicate sensitive files and programs that were successfully accessed in this time period.

It may be appropriate that some areas of the LAN (workstations, fileservers, etc.) have some type of logging service.

The second function of this service is to provide system and network managers with statistics that indicate that systems and the network as a whole are functioning properly.

This can be done by an audit mechanism that uses the log file as input and processes the file into meaningful information regarding system usage and security. A monitoring capability can also be used to detect LAN availability problems as they develop.
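As an added illustration (not part of the guideline), the following audit mechanism reads a log file and produces the information the intrusion scenario above calls for: who was logged on during the incident window, failed and successful accesses to sensitive files, and attempted program executions. The log layout, the sensitive-file list and the sample entries are all constructed assumptions.

```python
from datetime import datetime
# Constructed sample audit trail in an assumed "timestamp user event target result"
# layout; the guideline does not prescribe a log format, so this one is illustrative.
SAMPLE_LOG = """\
1995-03-01T09:00:12 alice LOGIN console OK
1995-03-01T09:05:40 bob LOGIN modem-3 OK
1995-03-01T09:07:02 bob OPEN /etc/passwd FAIL
1995-03-01T09:07:15 bob OPEN /payroll/salaries.dat FAIL
1995-03-01T09:08:01 bob EXEC /usr/bin/su FAIL
1995-03-01T09:09:30 bob OPEN /payroll/salaries.dat OK
1995-03-01T09:10:00 alice OPEN /home/alice/notes.txt OK
1995-03-01T09:12:00 alice LOGOUT console OK
1995-03-01T09:15:00 bob LOGOUT modem-3 OK
"""
SENSITIVE = {"/etc/passwd", "/payroll/salaries.dat"}  # files the audit always surfaces

def parse_log(text):
    """Split each line into (timestamp, user, event, target, result)."""
    return [(datetime.fromisoformat(f[0]), *f[1:])
            for f in (line.split() for line in text.splitlines())]

def audit(records, start, end, sensitive=SENSITIVE):
    """Summarise what the log shows for the incident window [start, end]."""
    report = {"logged_on": set(), "failed_sensitive": [], "ok_sensitive": [],
              "exec_attempts": []}
    login_at = {}
    for ts, user, event, target, result in records:
        if event == "LOGIN":
            login_at[user] = ts
        elif event == "LOGOUT":
            # A session overlaps the window if it began before the window closed
            # and ended after the window opened.
            t0 = login_at.pop(user, None)
            if t0 is not None and t0 <= end and ts >= start:
                report["logged_on"].add(user)
        elif start <= ts <= end:
            if event == "OPEN" and target in sensitive:
                key = "failed_sensitive" if result == "FAIL" else "ok_sensitive"
                report[key].append((user, target))
            elif event == "EXEC":
                report["exec_attempts"].append((user, target, result))
    for user, t0 in login_at.items():  # sessions never logged out by end of log
        if t0 <= end:
            report["logged_on"].add(user)
    return report

def incident_report(start_iso, end_iso, log=SAMPLE_LOG):
    return audit(parse_log(log), datetime.fromisoformat(start_iso),
                 datetime.fromisoformat(end_iso))
```

Running `incident_report("1995-03-01T09:06:00", "1995-03-01T09:11:00")` shows both users logged on, bob's two failed and one successful sensitive-file accesses, and his failed attempt to execute `/usr/bin/su`; the non-sensitive file alice opened is deliberately not reported.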

The types of security mechanisms that could be used to provide the logging and monitoring service are:

  • Logging of I&A information (including source machine, modem, etc.)
  • Logging of changes to access control information
  • Logging of use of sensitive files
  • Logging of modifications made to critical software
  • Utilizing LAN traffic management tools
  • Use of auditing tools.