RFC 3871           Operational Security Requirements      September 2004
   Warnings.
      It is difficult to correlate logs from different time zones.
      Security events on the Internet often involve machines and logs
      from a variety of physical locations.  For that reason, UTC is
      preferred, all other things being equal.
2.11.9.  Logs Contain Untranslated IP Addresses
   Requirement.
      Log messages MUST NOT list translated addresses (DNS names)
      associated with the address without listing the untranslated IP
      address where the IP address is available to the device generating
      the log message.
   Justification.
      Including the IP addresses of access list violations,
      authentication attempts, address lease assignments and similar
      events in logs enables a level of individual and organizational
      accountability and is necessary to enable analysis of network
      events, incidents, policy violations, etc.
      DNS entries tend to change more quickly than IP block assignments.
      This makes the address more reliable for data forensics.
      DNS lookups can be slow and consume resources.
   Examples.
      A failed network login should generate a record with the source
      address of the login attempt.
   Warnings.
      *  Source addresses may be spoofed.  Network based attacks often
         use spoofed source addresses.  Source addresses should not be
         completely trusted unless verified by other means.
      *  Addresses may be reassigned to a different individual, for
         example, in a desktop environment using DHCP.  In such cases
         the individual accountability afforded by this requirement is
         weak.  Having accurate time in the logs increases the chances
         that the use of an address can be correlated to an individual.
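   As an added illustration (not part of RFC 3871), the following Python
   builds a failed-login record that satisfies this requirement (UTC
   timestamp, untranslated source address always present, reverse-DNS name
   only as an annotation) and audits constructed sample log lines for the
   forbidden case of a DNS name with no IP address beside it.  The log
   format, field names and sample lines are assumptions for the example.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample log lines, not taken from the RFC.  Line 1 names the
# source only by DNS name, which is exactly what the MUST NOT forbids.
SAMPLE_LOG = [
    "2004-09-01T12:34:56Z login-failed user=alice src=10.0.0.5 src-name=host42.example.net",
    "2004-09-01T12:35:01Z login-failed user=bob src=host17.example.net",
    "2004-09-01T12:35:07Z dhcp-lease 2001:db8::1 assigned to laptop3.example.net",
]
EXAMPLE_TIME = datetime(2004, 9, 1, 12, 34, 56, tzinfo=timezone.utc)

# A DNS-looking name: dotted labels ending in an alphabetic top-level label,
# so a dotted-quad such as 10.0.0.5 can never match.
_HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z][a-z0-9-]*\b", re.IGNORECASE)

def ip_literals(line):
    """Every token of the line that parses as an IPv4 or IPv6 address."""
    found = []
    for token in re.split(r"[\s,;=()\[\]<>]+", line):
        try:
            found.append(str(ipaddress.ip_address(token.strip("\"'."))))
        except ValueError:
            continue  # timestamps, words, malformed addresses
    return found

def hostnames(line):
    """Every DNS name found in the line."""
    return [m.group(0) for m in _HOSTNAME.finditer(line)]

def violates_2_11_9(line):
    """True when a line names a host by DNS name but carries no IP literal."""
    return bool(hostnames(line)) and not ip_literals(line)

def audit(lines):
    """Indices of the lines that violate the requirement."""
    return [i for i, line in enumerate(lines) if violates_2_11_9(line)]

def login_failure_record(src_ip, user, resolved_name=None, now=None):
    """Compliant failed-login record: UTC timestamp (per the time-zone
    warning above), untranslated source address always present, and the
    reverse-DNS name only as an optional annotation next to it."""
    ip = ipaddress.ip_address(src_ip)              # reject garbage early
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%SZ")
    record = f"{ts} login-failed user={user} src={ip}"
    if resolved_name:
        record += f" src-name={resolved_name}"
    return record

if __name__ == "__main__":
    for i in audit(SAMPLE_LOG):
        print(f"line {i} violates 2.11.9: {SAMPLE_LOG[i]}")
```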
Jones                        Informational                     [Page 53]