
Bandolier: Audit File or Template – What’s in a Name?

One of the fun things about working for Digital Bond is that we get to share some of our back-end conversations and thought processes here on the blog when we feel they will be of benefit. We recently had one of those discussions regarding terminology for the Bandolier project. It started something like this:

Dale: So I noticed you referred to the Bandolier deliverables as templates – so are they audit files or audit templates?

Me: I thought I heard you calling them audit templates, so I just picked it up and ran with it.

And in a quick review of my last Bandolier blog post, sure enough, I repeatedly called them audit templates. We decided that we should choose a term for consistency, but it wasn’t as cut and dried as you might think.

The Argument for Audit Template
From the beginning of the project, we have discussed the need and opportunity for customization of the Bandolier files. For example, the file will include some checks for password policy. Your local security policy, however, may dictate a more stringent set of requirements. You could easily customize the file to match those requirements. From this standpoint, you could make the argument that the file is really designed for local customization, and therefore is more of an “audit template”.
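As an added illustration of that customization idea (example code written for this post, not anything shipped by the Bandolier project), the Python below parses a small constructed audit file written in the style of a Nessus .audit custom_item block, layers stricter local bounds on top of it, and evaluates a sample host's settings against both the shipped and the customized checks. The keyword names, the override values and the host settings are assumptions made for this example.

```python
import re

# Constructed sample in the style of a Nessus .audit custom_item block.
# The keyword names are an assumption for this example, not a reference
# for the real format; the point is how a local override changes a check.
BANDOLIER_AUDIT = """
<custom_item>
type: PASSWORD_POLICY
description: "Minimum password length"
password_policy: MINIMUM_PASSWORD_LENGTH
value_type: POLICY_DWORD
value_data: [8..MAX]
</custom_item>

<custom_item>
type: PASSWORD_POLICY
description: "Maximum password age"
password_policy: MAXIMUM_PASSWORD_AGE
value_type: POLICY_DWORD
value_data: [1..90]
</custom_item>
"""

# Hypothetical stricter site policy, applied on top of the shipped file:
# (low, high) bounds; high=None means no upper bound.
LOCAL_OVERRIDES = {"MINIMUM_PASSWORD_LENGTH": (12, None),
                   "MAXIMUM_PASSWORD_AGE": (1, 60)}

ITEM_RE = re.compile(r"<custom_item>(.*?)</custom_item>", re.S)
RANGE_RE = re.compile(r"\[(\d+)\.\.(\d+|MAX)\]")

def parse_items(text):
    """Return {policy_name: (low, high)} from every custom_item block."""
    items = {}
    for body in ITEM_RE.findall(text):
        fields = dict(re.findall(r"^(\w+):\s*(.+)$", body, re.M))
        lo, hi = RANGE_RE.match(fields["value_data"]).groups()
        items[fields["password_policy"]] = (int(lo), None if hi == "MAX" else int(hi))
    return items

def customize(items, overrides):
    """Effective check set: local bounds replace the shipped ones where given."""
    return {name: overrides.get(name, bounds) for name, bounds in items.items()}

def evaluate(items, host_settings):
    """True per check when the observed host value lies within the bounds."""
    results = {}
    for name, (lo, hi) in items.items():
        v = host_settings[name]
        results[name] = lo <= v and (hi is None or v <= hi)
    return results
```

A host with a 10-character minimum and a 75-day maximum age passes the shipped checks but fails both once the local overrides are applied, which is exactly the "template" behaviour the paragraph describes.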

Right now we are focused on developing the files for the Nessus policy compliance plugin. (Incidentally, Tenable uses the term “audit policies”.) Later in the project, though, we will generalize the files for other scanners and tools using OVAL/XCCDF. That they will be expanded in this manner may be another argument for the term “audit template”.

The Argument for Audit File
File is a generic term that is hard to get away from. I noticed, in fact, that I used it six times while writing the previous section. Each Bandolier deliverable does exist in a file. For Nessus, it exists in a .audit file, and in its OVAL/XCCDF form, it will also exist in a file. “Audit file”, then, certainly seems to cover the bases.

The final argument for “audit file”, and probably the clincher, is that we may want to reserve the term “audit template” for a subsequent extension of the Bandolier project. We may create some checklists based on all the control system application assessments we have completed, for example. Or there could be other project extensions that make better use of the term “audit template”.

In the end, we chose the term “audit file” for the Bandolier deliverables. So please forgive us for some past use of “audit template” and stay tuned for an announcement regarding the first of those audit files that will be available in mid-July.

Comments

Comment from Dale Peterson
Time: June 23, 2008, 4:26 pm

When Jason is talking about future “audit templates”, we are considering whether it is possible to create an HMI audit template or Historian audit template. Alternately there may be a control system application on Windows Vista template. A third way to consider this is there may be a set of security control configurations that are implemented very differently across applications. In this case maybe the audit template is a document with a work path to generate your own audit file.

It is too early, and we lack the data, to determine what is possible and what makes sense. In six months or so we should have an idea of what we mean by audit templates.

Incidentally, another team at Digital Bond was trying to standardize on a term of whether we are doing a source code review, assessment, audit or analysis as part of an application assessment project. We settled on analysis. New team members eventually learn to put up with my obsession over words and the written reports. If you obsess over writing I highly recommend Eats, Shoots and Leaves by Lynne Truss.

Comment from Daniel Alberts
Time: June 24, 2008, 10:09 am

A good usability practice is to name a system component by the function it provides for the end user. From your description, it sounds like Digital Bond developers will use the files as templates, but your customers will use the files as “benchmarks”. So a file containing a best practice configuration I would name a “benchmark file” and files containing the comparison to the benchmark I would name “audit files”.

Comment from Bruce Rosenthal
Time: July 12, 2008, 11:26 am

Not to add complexity to this wordsmithing, but other useful and applicable terms for these are:

schemas - XML documents use schemas
profiles - a term used by the Common Criteria as in Protection Profiles
objects - if the Bandolier project, Nessus and/or other scanners evolve to the point of running as embedded services in embedded systems, they would likely be running as objects.
