PD-0067: For the Controlled Access Protection Profile (CAPP), must all events be pre-selectable? Post-selectable?
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.
Issue:
Can an ST writer claim that their TOE conforms to the CAPP if the TSF can include or exclude only a subset of the auditable events defined in FAU_GEN.1 for FAU_SEL or FAU_SAR?

Resolution:
In the context of evaluations against the CAPP, all auditable events listed under FAU_GEN.1 must be covered by either FAU_SEL or FAU_SAR (because the intent of the CAPP is to provide C2 equivalence, and C2 required that events be selectable, either pre- or post-). Such STs must include an explanation of the equivalence of FAU_SEL and FAU_SAR with respect to the PP's stated security objectives in order to justify the claim of conformance to the CAPP. In other contexts the phrase "set of audited events" should be interpreted as referring to all events defined by FAU_GEN.1.

Support:
In the CAPP, the objectives O.AUDITING and O.MANAGE make it clear that the PP authors intended for the system to generate audit records for all of the events defined in the FAU_GEN.1 requirement. It is also apparent that they were allowing for the system administrator to manage audit data through either Post-Selection (FAU_SAR.3) or Pre-Selection (FAU_SEL.1). What is not apparent is which of the auditable events defined in FAU_GEN.1 the authors felt should or should not be addressed by Pre-Selection. The CAPP provides no refinements to indicate whether the ambiguous wording of the FAU_SEL.1 requirement was to be interpreted as requiring pre-selectable inclusion/exclusion for all events, or for merely a subset. However, the objective statement of O.AUDIT points to both FAU_SEL and FAU_SAR, which indicates that selectability is to be performed either before or after the event, provided that selectability is provided on all events. Therefore, even though such a TOE would not meet the letter of the FAU_SEL.1 requirements, it would meet the CAPP. Unfortunately, the CC lacks the concept of equivalence of components.
Therefore, an explanation of the equivalence of FAU_SEL and FAU_SAR with respect to the PP's stated security objectives would have to be included in the ST in order to justify the claim of conformance to the CAPP. The objectives O.AUDITING and O.MANAGE, as stated in version 1.d of the CAPP, are as follows:
Modification History:
References:
Related NIs:
Related CCIMB-INTERPs:
Source OD: 0142