[Public Interpretations Database]

PD-0009: Exempting sensitive attribute data items from capture in the audit log


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2002-03-11
Last Modified: 2006-08-02

Issue

The CC should allow PP/ST authors to selectively exempt specific sensitive attribute data from being placed into audit records while still being able to claim compliance with one of the three levels of selecting security-relevant audit events (minimum, basic, detailed).

Resolution

PP and ST authors can choose to exempt specific attribute data from inclusion in audit records even though that data is specified in the audit requirements section of the family description for a functional component.

Support

The CC generally does not include sensitive attribute data in audit records. For example, in the FCS_CKM family, the audit events specifically exclude secret or private keys from the attributes to be logged; in some other cases, such as FPT_ITI and FIA_SOS, no attributes are to be logged, presumably because they may contain secrets.

However, in the FIA_UID family, the CC specifically calls for the inclusion of the user identity in the audit record, even though it is possible that a user, confused by the I&A protocol, provides a password when the user identity is requested. There may be other instances in the CC where the audit requirement either explicitly or implicitly requires data to be logged that might be sensitive.

The example given in CC Part 2, Annex C, paragraph 558, under FAU_GEN, suggests that the CC's intention was to allow the PP/ST author to exclude sensitive data from the required data to be logged. However, this paragraph is in a non-normative portion of the CC. If that paragraph reflects the CC's intention, the intention should be made explicit under subclause 2.1.2.5.

Modification History:

2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)

References:

  • CAPPv1.a

Related NIs:

  • I-0347: Including Sensitive Information In Audit Records
  • I-0359: Ordering Of Basic And Minimal Audit For FMT_REV

Related CCIMB-INTERPs:

  • None

Source OD: 0042