PD-0125: Audit Pre-Selection in the CIMC PP
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.
Issue

The CIMC PP contains the following requirements:
Can an ST correctly claim compliance to this PP if the TOE's audit selection occurs only after the audit records have been collected? The product does not generate large volumes of audit data, and it does not appear there is any function that might be useable to flood the audit trail. PD 0116 addressed this question in the context of the IDS PP, noting:
In the CIMC PP, the FAU_SEL requirements are included in the set of requirements that address the objective O.Individual accountability and audit records; this objective states "Provide individual accountability for audited events. Record in audit records: date and time of action and the entity responsible for the action." There appears to be no additional specificity as to the rationale for FAU_SEL. So, in the context of the CIMC PP, can an appropriate rationale justify the mitigation of the requirement to pre-select records before storage in the audit trail?

Resolution

The FAU_SEL.1 requirement must be met as stated: the ability to pre-select audit data is required. The proposed resolution whereby a rationale could suffice to justify conformance to the PP regardless of the lack of pre-selection of audit records is not acceptable.

Support

The PP points of contact were consulted to verify the intent. While the PP requires the audit pre-selection capability in order to avoid denial-of-service attacks, it is also required for tuning the system (there are going to be millions of queries to each of these responders) and to ensure that critical events are mapped to the environment in which the responder is deployed. There is no way of determining whether or not automated pings can be launched against a security-critical component with "access logs", given the TOE's inability to pre-select audit criteria. Although administrative audits are addressed by the TOE, that is not enough for a medium-assurance product in a Certificate Management infrastructure.

Although this PD is similar to PD 0116, the situation is different. This PD addresses the issue of whether it is acceptable to do pre-selection in the IT environment when the PP is ambiguous on IT Environment vs. TSF. PD 0116 addressed whether pre-selection was required when the PP was ambiguous about pre- vs. post-selection. Both end up with similar results.
It is also important to note that the two PDs refer to different PPs; the points of contact for these PPs had different intents in including the audit requirement in their respective PPs. This underscores the importance for PP authors to clearly articulate their intents.

Modification History:
References:
Related NIs:
Related CCIMB-INTERPs:
Source OD: 0246