Abstract
This paper presents a technique for deriving audit requirements from security
policy, with examples for informal specifications. Augmenting these requirements
with a system model allows an analyst to determine specific functions within
the system that must be audited. We demonstrate the effectiveness of this
technique by deriving audit criteria for the Network File System, and show that
the results would detect numerous well-known attacks upon implementations of
that protocol.