[Public Interpretations Database]

PD-0067: For the Controlled Access Protection Profile (CAPP), must all events be pre-selectable? Post-selectable?

This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.

Effective Date: 2002-08-13
Last Modified 2006-08-02


Can an ST writer claim that their TOE conforms to the CAPP if the TSF can include or exclude only a subset of the auditable events defined in FAU_GEN.1 for FAU_SEL or FAU_SAR?


In the context of evaluations against the CAPP, all auditable events listed under FAU_GEN.1 must be covered by either FAU_SEL or FAU_SAR (because the intent of the CAPP is to provide C2 equivalence, and C2 required that events be selectable, either pre- or post-). Such STs must include an explanation of the equivalence of FAU_SEL and FAU_SAR with respect to the PP's stated security objectives in order to justify the claim of conformance to the CAPP.

In other contexts the phrase "set of audited events" should be interpreted as referring to all events defined by FAU_GEN.1.


In the CAPP, the Objectives of O.AUDITING and O.MANAGE make it clear that the PP authors intended for the system to generate audit records for all of the events defined inthe FAU_GEN.1 requirement. It is also apparent that they were allowing for the system administrator to manage audit data through either Post-Selection (FAU_SAR.3) or Pre-Selection (FAU_SEL.1). What is not apparent is which of the auditable events defined in FAU_GEN.1 the authors felt should or should not be addressed by Pre-Selection.

The CAPP provides no refinements to indicate whether the ambiguous wording of the FAU_SEL.1 requirement was to be interpreted as requiring per-selectable inclusion/exclusion for all events, or for merely a subset. However, the objective statement of O.AUDIT points to both FAU_SEL and FAU_SAR, which indicates that selectability is to be performed either before or after the event, provided that selectability is provided on all events.

Therefore, even though such a TOE would not meet the letter of the FAU_SEL.1 requirements, it would meet the CAPP. Unfortunately, the CC lacks the concept of equivalence of components. Therefore, an explanation of the equivalence of FAU_SEL and FAU_SAR with respect to the PP's stated security objectives would have to be included in the ST in order to justify the claim of conformance to the CAPP.

The objectives O.AUDITING and O.MANAGE, as stated in version 1.d of the CAPP, are as follows:

  • O.AUDITING. The TSF must record the security relevant actions of users of the TOE. The TSF must present this information to authorized administrators.

  • O.MANAGE. The TSF must provide all the functions and facilities necessary to support the authorized administrators that are responsible for the management of TOE security.

Modification History:

Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)


  • CAPPv1.d
  • CEM v1.0 Part 2 ASE_TSS.1-5

Related NIs:

  • None


  • None

Source OD: 0142