Commit 5d30f152 authored by Valerie Aurora (Bow Shock)'s avatar Valerie Aurora (Bow Shock)
Browse files

Add simplified logging requirement

parent 8c66656e

EN-304-626.md

+35 −2
Original line number Diff line number Diff line
@@ -1760,6 +1760,39 @@ All sources of data processed by the product in its secure-by-default configurat 


> FIXME: When full use case risk factor and tolerances are available, update above table.



5.X.Y **TR-LOGG**: Logging and monitoring



5.X.Y.Z Requirement



The product shall record security-relevant internal events, including but not limited to changes to configuration and access or modification of data and functions. The product shall provide an opt-out mechanism.



5.X.Y.Z **MI-LOGG**:



The product shall record log messages indicating security-relevant internal events in an internal or external log. The log messages shall not include any confidential information such as PII, secrets, or credentials, or any information which might reasonably be expected to include such items.



  * Reference: TR-LOGG

  * Objective: Monitoring and recording security-relevant events

  * Preparation: List all types of security-relevant internal events

  * Activities: For each type of security-relevant internal event, trigger the event

  * Verdict: For each triggered event, the log contains a message indicating the event, log message does not include any information likely to be confidential => PASS, otherwise FAIL

  * Evidence: Method of triggering events, log messages with annotations



Guidance: One type of event whose log message must take care to not accidentally include a secret is failed password authentication attempts. Since people often type their password into the username field, including the username field in the log message may result in including a secret in the log message.



[Any other mitigations available]



| Risk factors                   | Requires mitigations |

|--------------------------------|----------------------|

| SNDS < 1 & SNDS < 1 & SENF < 1 | none                 |

| all others                     | LOGG                 |



| Security Profile | Requires mitigations |

|------------------|----------------------|

| FIXME            | none                 |

| all others       | LOGG                 |



> FIXME: Update when risk factors are updated



### 5.2.X **TR-SCUD**: Secure updates



### 5.2.X.x Requirement
@@ -2094,7 +2127,7 @@ Description: Firewall for enterprise network 
| CRA requirement                                 | Technical security requirements(s) |

|-------------------------------------------------|------------------------------------|

| No known exploitable vulnerabilities            |                                    |

| Secure design, development, production          |                                    |

| Secure design, development, production          | MSAF                               |

| Secure by default configuration                 | SDEF                               |

| Secure updates                                  | SCUD                               |

| Authentication and access control mechanisms    |                                    |
@@ -2105,7 +2138,7 @@ Description: Firewall for enterprise network 
| Minimize impact on other devices or services    |                                    |

| Limit attack surface                            | MISO, MSAF, LMAS                   |

| Exploit mitigation by limiting incident impact  | MISO, MIME MSAF                    |

| Logging and monitoring mechanisms               | LSRE, LLTP, RLTP                   |

| Logging and monitoring mechanisms               | LOGG                               |

| Secure deletion and data transfer               | SCDL, SDTR                         |



# Annex B (informative): Relationship between the present document and any related ETSI standards (if any)