Codeofchina.com is in charge of this English translation. In case of any doubt about the English translation, the Chinese original shall be considered authoritative.
This standard is developed in accordance with the rules given in GB/T 1.1-2009.
This standard replaces GA/T 911-2010 Information security technology—Security technology requirements for log analysis products and has the following main changes with respect to GA/T 911-2010:
——Requirements of "grading" are modified to basic level and enhanced level (see Chapter 8; 7.2, 7.3 and 7.4 of Edition 2010);
——"Standard protocol reception" is deleted (see 4.1.2.1 of Edition 2010);
——"Collection of agent mode" is deleted (see 4.1.2.2 of Edition 2010);
——Requirements for "Log file import" are deleted (see 4.1.2.3 of Edition 2010);
——Requirements for "Data collection" are added (see 5.1.2.1);
——Requirements for "Audit record backup" are modified (see 5.1.6; 4.2.3 of Edition 2010);
——Requirements for "self-protection ability of software agent" are deleted (see 5.1.1.1 of Edition 2010);
——Requirements for "Data transmission control" are deleted (see 5.1.1.3 of Edition 2010);
——Requirements for "Data resumption" are deleted (see 5.1.1.4 of Edition 2010);
——Requirements for "Multi-level deployment" are added (see 6.1.1);
——Requirements for "Multiple authentications" are added (see 6.2.1.3);
——Requirements for "Locking after timeout" are added (see 6.2.1.4);
——Requirements for "Audit record storage" are deleted (see 5.3.2 of Edition 2010);
——Requirements for "Audit management" are deleted (see 5.3.3 of Edition 2010);
——Requirements for "Data storage security" are added (see 6.3.3).
This standard was proposed by the Network Security Bureau, Ministry of Public Security.
This standard is under the jurisdiction of the Information Security Standardization Technical Committee of the Ministry of Public Security.
The previous edition of this standard is as follows:
——GA/T 911-2010.
Information security technology—
Security technical requirements for log analysis products
1 Scope
This standard specifies the security function requirements, self-security function requirements and security assurance requirements of log analysis products as well as grading requirements.
This standard is applicable to the design, development and testing of log analysis products.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced documents (including any amendment) applies.
GB/T 18336.3-2015 Information technology—Security techniques—Evaluation criteria for IT security—Part 3: Security assurance components
GB/T 25069-2010 Information security technology—Glossary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in GB/T 18336.3-2015 and GB/T 25069-2010 and the following apply.
3.1
log analysis product
security product that collects log data in an information system by means of log agents, standard protocols and file import, and stores and analyzes the data centrally
3.2
log data source
original source from which the log data is generated
3.3
log administration center
functional module for centralized processing, storage and analysis of collected log data
3.4
audit log
log generated by the log analysis product's audit of its own operation
3.5
log record
log data that is generated from the collected original log data, after preprocessing, according to specific rules and stored in the log administration center
3.6
authorized administrator
user who has administration authority over the log analysis product's system configuration, security policies and log data
4 General information
4.1 Classification of security technical requirements
This standard covers three kinds of security technical requirements for log analysis products: security function, self-security function and security assurance. The security function requirements are specific requirements for the security functions of the product, including log collection and storage, log record processing, log presentation and alarm, and the development interface; the self-security function requirements are specific requirements for the product's protection of itself, including component security, security management, the self-audit function and system alarm; the security assurance requirements are specific requirements for the product's life cycle processes, such as development, guidance documents, life cycle support, tests and vulnerability assessment.
4.2 Security grading
Log analysis products are classified into two security grades, basic level and enhanced level, according to the rigor of the security function, self-security function and security assurance requirements they meet. The security assurance requirements are taken from GB/T 18336.3-2015.
5 Security function requirements
5.1 Log collection and storage
5.1.1 Log data source
Log analysis products shall be able to add, modify and delete log data sources. The log data sources shall include at least the following types:
a) Network equipment, e.g. switches, routers, firewalls;
b) Operating system;
c) Database system;
d) Other application systems.
5.1.2 Log data collection
5.1.2.1 Data collection
Log analysis products shall be able to collect log data from log data sources by at least one of the following methods:
a) Log agent;
b) Standard protocols;
c) File import;
d) Others.
5.1.2.2 Timeliness of log collection
Log analysis products shall be able to collect log data from log data sources in a timely manner.
5.1.3 Preprocessing of log data
5.1.3.1 Data screening
Log analysis products shall be able to screen the collected log data based on established policies and selectively generate log records.
5.1.3.2 Data conversion
Log analysis products shall be able to convert the original log data in different formats into a unified data format while protecting key data items from loss and damage.
5.1.4 Log record generation
The log analysis product shall generate log records after preprocessing and event analysis of the collected log data. The log records shall be understandable to the administrator and contain the following information:
a) Event date and time;
b) Subject of the event;
c) Object of the event;
d) Description of the event;
e) Type of the event;
f) Event level;
g) IP address, MAC address, or name of the log data source.
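As an added example (not part of GA/T 911-2019), the following Python sketch shows one way a product could implement 5.1.3.1, 5.1.3.2 and 5.1.4: two source formats (BSD syslog with a PRI header, and a constructed CSV database audit line) are converted into a single record carrying items a) to g), and the records are then screened by a minimum-level policy. The syslog regex, the app-to-type table and the sample lines are assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime
RANK = {"low": 0, "medium": 1, "high": 2}
SYSLOG_SEV = {s: "high" if s <= 3 else "medium" if s <= 5 else "low" for s in range(8)}
APP_TYPE = {"sshd": "auth", "kernel": "network"}   # hypothetical app-to-event-type mapping
DB_LEVEL = {"INFO": "low", "WARN": "medium", "ERROR": "high"}
SYSLOG = re.compile(r"^<(?P<pri>\d+)>(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                    r"(?P<app>[\w/-]+)(?:\[\d+\])?: (?P<msg>.*)$")
@dataclass(frozen=True)
class LogRecord:  # one field per item a) to g) of 5.1.4
    event_time: str
    subject: str
    obj: str
    description: str
    event_type: str
    level: str
    source: str
def parse_syslog(source, line, year=2024):
    """BSD syslog with a PRI header, as sent by network equipment and operating systems."""
    m = SYSLOG.match(line)
    if not m:
        return None
    msg = m["msg"]
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    actor = re.search(r"(?:\bfrom |SRC=)(\S+)", msg)   # subject: who acted
    target = re.search(r"(?:\bfor |DST=)(\S+)", msg)   # object: what was acted on
    return LogRecord(ts.isoformat(), actor.group(1) if actor else m["app"],
                     target.group(1) if target else m["host"], msg,
                     APP_TYPE.get(m["app"], "system"), SYSLOG_SEV[int(m["pri"]) % 8], source)

def parse_db_audit(source, line):
    ts, user, action, obj, level = line.split(",")   # constructed CSV: ts,user,action,object,level
    return LogRecord(ts, user, obj, f"{action} {obj}", "database", DB_LEVEL[level], source)

def normalise(raw):
    """Unify mixed-format (source, line) pairs (5.1.3.2); the raw message stays verbatim in description."""
    recs = (parse_syslog(s, l) if l.startswith("<") else parse_db_audit(s, l) for s, l in raw)
    return [r for r in recs if r is not None]

def screen(records, min_level):
    """Policy-based screening (5.1.3.1): keep only records at or above min_level."""
    return [r for r in records if RANK[r.level] >= RANK[min_level]]
# Constructed sample input: firewall syslog, Linux sshd syslog and a database audit line.
RAW = [
    ("10.0.0.1", "<34>Jan 12 10:05:01 fw01 kernel: DROP IN=eth0 SRC=198.51.100.7 DST=10.0.0.5"),
    ("10.0.0.20", "<38>Jan 12 10:05:03 host1 sshd[1111]: Failed password for root from 203.0.113.9 port 5000 ssh2"),
    ("db01", "2024-01-12T10:05:04,alice,SELECT,customers,INFO"),
]
```

Screening at "medium" keeps only the firewall drop (syslog severity 2), which shows why a product needs a per-source level mapping rather than trusting raw severities blindly.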
5.1.5 Log record storage
5.1.5.1 Security protection
Log analysis products shall be provided with security mechanisms to protect log records from unauthorized reading, deletion, or modification.
5.1.5.2 Protection against loss of log records
Log analysis products shall be provided with the following measures to prevent log records from being lost:
a) Log records shall be stored in non-volatile storage media so that they are retained when power is lost;
b) An alarm shall be given when the log record storage usage reaches the threshold;
c) The earliest log records shall be transferred to other devices automatically before storage space runs out.
5.1.6 Log record backup
Log analysis products shall be provided with the following log record backup functions:
a) Supporting customizable automated backup functions and strategies;
b) Transferring log records automatically to achieve remote backup.
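Added example, not from the standard: a Python model of the loss-protection measures in 5.1.5.2 b) and c) together with the automatic remote backup of 5.1.6. RemoteBackup is a constructed stand-in for the backup target, and the capacity, threshold ratio and batch size are assumed values.

```python
import hashlib
import json
from collections import deque

class RemoteBackup:
    """Constructed stand-in for the remote backup target; it verifies each batch digest."""
    def __init__(self):
        self.batches = []
    def store(self, batch, digest):
        if hashlib.sha256(json.dumps(batch, sort_keys=True).encode()).hexdigest() != digest:
            return False            # corrupted in transit: refuse, so the primary keeps the records
        self.batches.append((digest, batch))
        return True

class LogStore:
    """Primary record store implementing 5.1.5.2 b) and c) and the automatic backup of 5.1.6."""
    def __init__(self, capacity, alarm_ratio, remote, batch):
        self.capacity, self.threshold = capacity, int(capacity * alarm_ratio)
        self.remote, self.batch = remote, batch
        self.records = deque()      # a real product keeps this on non-volatile media (5.1.5.2 a)
        self.alarms = []            # messages raised to the administrator
        self._alarmed = False       # raise the threshold alarm once per crossing, not per record

    def append(self, record):
        if len(self.records) >= self.capacity:   # c) transfer the oldest records before space runs out
            self.transfer_oldest()
        self.records.append(record)              # never drop an incoming record, even if transfer failed
        if len(self.records) >= self.threshold:
            if not self._alarmed:                # b) alarm when usage reaches the threshold
                self.alarms.append(f"log storage at {len(self.records)}/{self.capacity}")
                self._alarmed = True
        else:
            self._alarmed = False

    def transfer_oldest(self):
        """Send the oldest batch to remote backup; delete locally only after the remote confirms."""
        batch = [self.records[i] for i in range(min(self.batch, len(self.records)))]
        digest = hashlib.sha256(json.dumps(batch, sort_keys=True).encode()).hexdigest()
        if self.remote.store(batch, digest):
            for _ in batch:
                self.records.popleft()
        else:
            self.alarms.append("remote backup failed; records retained locally")

def run_demo(n_records=12):
    """Feed constructed records through a 10-slot store; returns the store for inspection."""
    store = LogStore(capacity=10, alarm_ratio=0.8, remote=RemoteBackup(), batch=5)
    for i in range(n_records):
        store.append({"id": i, "msg": f"event {i}"})
    return store
```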
Contents of GA/T 911-2019
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 General information
4.1 Classification of security technical requirements
4.2 Security grading
5 Security function requirements
5.1 Log collection and storage
5.2 Log analysis and processing
5.3 Log presentation and alarm
5.4 Development interface
6 Self-security function requirements
6.1 Component security
6.2 Security management
6.3 Self-audit function
6.4 System alarm
7 Security assurance requirements
7.1 Development
7.2 Guidance documents
7.3 Life cycle support
7.4 Tests
7.5 Vulnerability assessment
8 Requirements of security at different levels
8.1 Security function requirements
8.2 Self-security function requirements
8.3 Security assurance requirements