RFC 3871           Operational Security Requirements      September 2004
      *  Network topologies may change.  Even in the absence of dynamic
         address assignment, network topologies and address block
         assignments do change.  Logs of an attack one month ago may not
         give an accurate indication of which host, network or
         organization owned the system(s) in question at the time.
2.11.10.  Logs Contain Records Of Security Events
   Requirement.
      The device MUST be able to send a record of at least the following
      events:
      *  authentication successes,
      *  authentication failures,
      *  session termination,
      *  authorization changes,
      *  configuration changes,
      *  device status changes.
      The device SHOULD be able to send a record of all other security
      related events.
   Justification.
      This is important because it supports individual accountability.
      See section 4.5.4.4 of [RFC2196].
   Examples.
      Examples of events for which there must be a record include: user
      logins, bad login attempts, logouts, user privilege level changes,
      individual configuration commands issued by users and system
      startup/shutdown events.
   Warnings.
      This list is far from complete.
      Note that there may be privacy or legal considerations when
      logging/monitoring user activity.
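
   The following is an added example, not part of the RFC text: one way
   to check a log capture from a device under evaluation for at least
   one record of each of the six required event classes. The message
   formats, regular expressions and sample lines are constructed
   assumptions; real devices use vendor-specific formats.

```python
import re

# The six event classes section 2.11.10 says the device MUST be able to record.
# The regular expressions are constructed for the sample lines below; real
# devices use vendor-specific message formats, so patterns must be adapted.
REQUIRED = {
    "authentication success": re.compile(r"login succeeded|accepted password", re.I),
    "authentication failure": re.compile(r"login failed|authentication failure", re.I),
    "session termination": re.compile(r"logout|session (closed|terminated)", re.I),
    "authorization change": re.compile(r"privilege level changed", re.I),
    "configuration change": re.compile(r"config(uration)? (command|changed)", re.I),
    "device status change": re.compile(r"system (startup|shutdown|restart)", re.I),
}

# Constructed sample log lines (not taken from any real device).
SAMPLE_LOG = """\
2004-09-01T10:00:01Z rtr1 AUTH: login succeeded user=alice src=192.0.2.10
2004-09-01T10:00:09Z rtr1 AUTH: login failed user=bob src=192.0.2.99
2004-09-01T10:02:30Z rtr1 AUTHZ: privilege level changed user=alice from=1 to=15
2004-09-01T10:03:12Z rtr1 CONF: config command user=alice cmd="no ip http server"
2004-09-01T10:05:00Z rtr1 AUTH: logout user=alice
"""

def classify(line):
    """Return the names of all required event classes a log line matches."""
    return [name for name, pat in REQUIRED.items() if pat.search(line)]

def coverage(log_text):
    """Count matching lines per required class; zero means a coverage gap."""
    counts = {name: 0 for name in REQUIRED}
    for line in log_text.splitlines():
        for name in classify(line):
            counts[name] += 1
    return counts

def missing_classes(log_text):
    """List required event classes with no record in the captured log."""
    return [name for name, n in coverage(log_text).items() if n == 0]

if __name__ == "__main__":
    for name, n in coverage(SAMPLE_LOG).items():
        print(f"{name:25} {n}")
    print("missing:", missing_classes(SAMPLE_LOG))
```

   The constructed sample has no startup/shutdown record, so the check
   reports "device status change" as the one class without coverage.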
Jones                        Informational                     [Page 54]



