PD-0129: Deletion of the oldest audit events when audit storage space is exhausted |
||||
This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.
IssueThe BR Anti-Virus PP includes the following SFR: FAU_STG.NIAP-0414-1-NIAP-0429 The TSF shall provide the administrator the capability to select one or more of the following actions [selection: 'ignore auditable events', 'prevent auditable events, except those taken by the authorised user with special rights', 'overwrite the oldest stored audit records'] and [assignment: other actions to be taken in case of audit storage failure] to be taken if the audit trail is full. If a vendor chooses 'overwrite the oldest stored audit records' the specifics of this action are ambiguous. There is a school of thought that it is only acceptable to delete the minimum number of old audit records necessary to insert a single new audit record, but this is extremely inefficient in an environment capable of generating large numbers of audit records within a short period of time. Is it acceptable to delete more than the exact number of audit records required to insert a single new record? ResolutionThe following requirement will be added to the Basic Robustness Anti-Virus Protection Profile:
The following Application Notes will be added to the element in the PP:
SupportThe Protection Profile provides limited options for the amount or timing of record deletion when audit storage is exhausted. The first Application Note provides advanced administrator notification that audit storage limits are being reached. Any actual audit record deletion should be recorded in a different location to provide the administrator with a record of the event. The second Note requires the ST to describe how the TOE will address audit storage shortfalls, and gives guidance on possible deletion strategies. The second Note also requires the developer to provide a rationale in the ST for the deletion policy implemented. In high-volume scenarios it may be impractical from a performance perspective to delete one record for every new record insertion. The developer may choose to delete multiple record "chunks" to achieve adequate performance. The developer should explain the rationale behind their choice of record deletion "chunk" size. In a scenario with high numbers of audit records suddenly overwhelming the audit storage, the most useful audit data may be the initial records. In this case it may be more useful to purge essentially identical new records, or simply the most recent records, in order to preserve evidence of the start of the event. Modification History:
References:
Related NIs:
Related CCIMB-INTERPs:
Source OD: 0253 |