RFC 3871           Operational Security Requirements      September 2004
2.11.7.  Default Timezone Should Be UTC
   Requirement.
      The default timezone for display and logging SHOULD be UTC.  The
      device MAY support a mechanism to allow the operator to specify
      the display and logging of times in a timezone other than UTC.
   Justification.
      Knowing the timezone or UTC offset makes correlation of data and
      coordination with data in other timezones possible.
   Examples.
      Bob in Newfoundland (UTC -3:30) and Alice in Indiana (UTC -5 or
      UTC -6 depending on the time of year and exact county in Indiana)
      are working an incident together using their logs.  Both left the
      default settings, which was UTC, so there was no translation of
      time necessary to correlate the logs.
   Warnings.
      None.
2.11.8.  Logs Must Be Timestamped
   Requirement.
      By default, the device MUST timestamp all log messages.  The
      timestamp MUST be accurate to within a second or less.  The
      timestamp MUST include a timezone.  There MAY be a mechanism to
      disable the generation of timestamps.
   Justification.
      Accurate timestamps are necessary for correlating events,
      particularly across multiple devices or with other organizations.
      This applies when it is necessary to analyze logs.
   Examples.
      This requirement MAY be satisfied by writing timestamps into
      syslog messages.
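
An added illustration, not part of the RFC text: a Python check that applies the timestamp requirement to log lines and merges two operators' logs onto one UTC timeline. It assumes lines begin with an RFC 3339 style timestamp; the device names, messages and the SAMPLE_LOGS data are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# RFC 3339-style timestamp at the start of the line. The offset group is
# optional so a missing timezone can be reported instead of guessed.
TS_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(\.\d+)?(Z|[+-]\d{2}:\d{2})?\s+(.*)$")

def parse_line(line):
    """Return (utc_datetime, message); raise ValueError when the line fails
    the requirement (no timestamp, or a timestamp without a timezone)."""
    m = TS_RE.match(line)
    if not m:
        raise ValueError("no full timestamp")
    stamp, frac, offset, msg = m.groups()
    if offset is None:
        raise ValueError("timestamp has no timezone")
    offset = "+0000" if offset == "Z" else offset.replace(":", "")
    ts = datetime.strptime(stamp + offset, "%Y-%m-%dT%H:%M:%S%z")
    if frac:
        ts += timedelta(seconds=float(frac))
    return ts.astimezone(timezone.utc), msg

def correlate(logs):
    """logs maps a source name to its raw lines. Returns (timeline, rejected):
    timeline is [(utc_datetime, source, message)] in UTC order, rejected is
    [(source, line, reason)] for lines that cannot be placed on it."""
    timeline, rejected = [], []
    for source, lines in logs.items():
        for line in lines:
            try:
                ts, msg = parse_line(line)
                timeline.append((ts, source, msg))
            except ValueError as err:
                rejected.append((source, line, str(err)))
    timeline.sort(key=lambda e: e[0])
    return timeline, rejected

# Constructed sample lines (hypothetical devices; 192.0.2.7 is a documentation address).
SAMPLE_LOGS = {
    "bob": ["2004-09-14T10:00:05-03:30 rtr-nl login failure for admin from 192.0.2.7",
            "2004-09-14T10:00:07 rtr-nl interface down",      # no timezone
            "Sep 14 10:00:08 rtr-nl interface up"],           # no year, no timezone
    "alice": ["2004-09-14T08:30:04-05:00 rtr-in login failure for admin from 192.0.2.7",
              "2004-09-14T13:30:09Z rtr-in config change by admin"],
}

if __name__ == "__main__":
    timeline, rejected = correlate(SAMPLE_LOGS)
    for ts, source, msg in timeline:
        print(ts.isoformat(), source, msg)
    for source, line, reason in rejected:
        print("REJECTED", source, reason, "|", line)
```

Lines whose timestamp carries no timezone are rejected rather than assumed to be UTC, since the reader of the log cannot tell which offset the device used.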
Jones                        Informational                     [Page 52]



