[Public Interpretations Database]

PD-0125: Audit Pre-Selection in the CIMC PP


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2005-11-28
Last Modified 2006-04-11

Issue

The CIMC PP contains the following requirements:

FAU_SEL.1.1 (iteration 1)

The IT environment shall be able to include or exclude auditable events from the set of audited events based on the following attributes:

a) [ST selection: object identity, user identity, subject identity, host identity, event type]

b) [ST assignment: list of additional attributes that audit selectivity is based upon].

Application Note: For FAU_SEL.1.1a, the ST author should select whether the security attributes upon which audit selectivity is based, is related to object identity, user identity, subject identity, host identity, or event type. For FAU_SEL.1.1b, the ST author should specify any additional attributes upon which audit selectivity is based.

FAU_SEL.1.1 (iteration 2)

The TSF shall be able to include or exclude auditable events from the set of audited events based on the following attributes:

a) [ST selection: object identity, user identity, subject identity, host identity, event type]

b) [ST assignment: list of additional attributes that audit selectivity is based upon].

Application Note: For FAU_SEL.1.1a, the ST author should select whether the security attributes upon which audit selectivity is based, is related to object identity, user identity, subject identity, host identity, or event type. For FAU_SEL.1.1b, the ST author should specify any additional attributes upon which audit selectivity is based.

Can an ST correctly claim compliance to this PP if the TOE's audit selection occurs only after the audit records have been collected? The product does not generate large volumes of audit data, and there does not appear to be any function that could be used to flood the audit trail.

PD 0116 addressed this question in the context of the IDS PP, noting:

The [IDS] PP author was consulted to determine the intent behind the requirement, and has said that the requirement for audit pre-selection must be met with pre-selection.

In the CIMC PP, the FAU_SEL requirements are included in the set of requirements that address the objective O.Individual accountability and audit records; this objective states "Provide individual accountability for audited events. Record in audit records: date and time of action and the entity responsible for the action." The PP gives no further rationale for including FAU_SEL.

So, in the context of the CIMC PP, can an appropriate rationale justify relaxing the requirement to pre-select records before they are stored in the audit trail?

Resolution

The FAU_SEL.1 requirement must be met as stated: the ability to pre-select audit data is required. The proposed resolution whereby a rationale could suffice to justify conformance to the PP regardless of the lack of pre-selection of audit records is not acceptable.

Support

The PP points of contact were consulted to verify the intent. While the PP requires the audit pre-selection capability in order to avoid denial-of-service attacks, it is also required for tuning the system (there are going to be millions of queries to each of these responders) and to ensure that critical events are mapped to the environment in which the responder is deployed.

Given the TOE's inability to pre-select audit criteria, there is no way to determine whether automated pings could be launched against a security-critical component that keeps "access logs". Although administrative audits are addressed by the TOE, that is not enough for a medium-assurance product in a Certificate Management infrastructure.
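The difference between the pre-selection the PD requires and the post-collection filtering the ST proposed can be seen in a small model. The following is an added example, not text or code from the PD, the CIMC PP or any evaluated TOE: the event attributes follow the FAU_SEL.1.1a list (object, user, subject, host identity, event type), while the policy format, class names, sample events and addresses are constructed for illustration. Both trails apply the same include/exclude policy; only the point at which it is applied differs.

```python
"""Pre-selection vs post-selection of audit events (constructed example).

Attributes follow FAU_SEL.1.1a. The policy representation, class names and
the sample event stream are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass(frozen=True)
class AuditEvent:
    event_type: str
    user: str
    subject: str
    obj: str
    host: str


# A selection rule is a predicate over the FAU_SEL.1.1a attributes.
Rule = Callable[[AuditEvent], bool]


@dataclass
class SelectionPolicy:
    """Exclusion wins; otherwise an event is audited if it matches an
    include rule or if no include rules are configured."""
    include: List[Rule] = field(default_factory=list)
    exclude: List[Rule] = field(default_factory=list)

    def selects(self, ev: AuditEvent) -> bool:
        if any(rule(ev) for rule in self.exclude):
            return False
        return not self.include or any(rule(ev) for rule in self.include)


class PreSelectingTrail:
    """FAU_SEL.1 as the PD requires: the policy is applied before storage,
    so excluded events never consume audit-trail capacity."""

    def __init__(self, policy: SelectionPolicy):
        self.policy = policy
        self.records: List[AuditEvent] = []

    def audit(self, ev: AuditEvent) -> None:
        if self.policy.selects(ev):
            self.records.append(ev)

    def review(self) -> List[AuditEvent]:
        return list(self.records)


class PostSelectingTrail:
    """The rejected approach: every event is stored and the policy is
    applied only when the trail is reviewed."""

    def __init__(self, policy: SelectionPolicy):
        self.policy = policy
        self.records: List[AuditEvent] = []

    def audit(self, ev: AuditEvent) -> None:
        self.records.append(ev)

    def review(self) -> List[AuditEvent]:
        return [ev for ev in self.records if self.policy.selects(ev)]


def simulate(policy: SelectionPolicy, events: List[AuditEvent]) -> dict:
    """Feed one event stream to both trails; report how many records each
    one stored and how many survive review under the same policy."""
    pre, post = PreSelectingTrail(policy), PostSelectingTrail(policy)
    for ev in events:
        pre.audit(ev)
        post.audit(ev)
    return {
        "pre_stored": len(pre.records),
        "post_stored": len(post.records),
        "pre_reviewed": len(pre.review()),
        "post_reviewed": len(post.review()),
    }


def constructed_stream(flood_size: int) -> List[AuditEvent]:
    """Constructed sample: three administrative events plus a flood of
    status queries from one host (the "automated pings" scenario)."""
    admin = [
        AuditEvent("key_generation", "ca-admin", "cimc", "ca-key", "10.0.0.5"),
        AuditEvent("cert_revocation", "officer", "cimc", "cert-42", "10.0.0.6"),
        AuditEvent("config_change", "ca-admin", "cimc", "audit-policy", "10.0.0.5"),
    ]
    flood = [
        AuditEvent("status_query", "anonymous", "responder", "cert-%d" % i, "198.51.100.7")
        for i in range(flood_size)
    ]
    return admin + flood


# Tuning policy an administrator might set for this deployment: drop the
# status queries from the flooding host, keep every other event.
POLICY = SelectionPolicy(
    exclude=[lambda e: e.event_type == "status_query" and e.host == "198.51.100.7"],
)

if __name__ == "__main__":
    print(simulate(POLICY, constructed_stream(100000)))
```

Both trails report the same three events on review, which is why a post-collection filter looks equivalent in a functional test. The stored counts show why the PD rejects it: the pre-selecting trail holds three records regardless of the flood size, while the post-selecting trail grows with every query an unauthenticated client sends, so the flood itself becomes the denial-of-service the requirement is meant to prevent.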

Although this PD is similar to PD 0116, the situation is different. This PD addresses whether it is acceptable to perform pre-selection in the IT environment when the PP is ambiguous on IT environment vs. TSF. PD 0116 addressed whether pre-selection was required when the PP was ambiguous about pre- vs. post-selection. Both reach similar results. It is also important to note that the two PDs refer to different PPs; the points of contact for these PPs had different intents in including the audit requirement in their respective PPs. This underscores the importance for PP authors of clearly articulating their intent.

Modification History:

2005-11-28
PD created. [ODRB November 2005 Agenda Item 3.a.i]
2006-03-22
PD support (last paragraph) clarified in response to comments from Nir Naaman. (ODRB March 2006 Agenda Item 4.a.i)

References:

  • CIMC PP SL1
  • PD-0116

Related NIs:

  • None

Related CCIMB-INTERPs:

  • None

Source OD: 0246