[Public Interpretations Database]

PD-0064: Auditing "Subject Identity" for Actions Not Taken by TSP Subjects


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2002-08-13
Last Modified: 2006-08-02

Issue

In some PPs, the subjects of the TSP are not processes running on the TOE (for example, a firewall, where the subjects are the hosts requesting connections). In such cases, what should be recorded for "subject identity" when auditing administrative actions?

Resolution

For the cases described in the issue, the "subject identity" refers to the identity of the actor (e.g., the administrator or operator) that performed the administrative action.

Support

The glossary definition of subject in Part 1, Clause 2, is "An entity within the TSC that causes operations to be performed". The subject identity called out in FAU_GEN.1.2a uses the term subject in that sense; i.e., what should be recorded is the identity of the actor (e.g., subject, process) that caused the audit event to be generated.
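As an added illustration of this resolution (example code, not part of the PD or of any PP), the following Python sketch shows an audit subsystem for a hypothetical firewall-style TOE whose TSP subjects are external hosts. Administrative actions are attributed to the authenticated administrator that caused the event, while traffic events are attributed to the requesting host; the record layout follows the minimum FAU_GEN.1.2 content (date/time, event type, subject identity, outcome). Class and function names, the event-type strings and the sample events are all constructed for this example.

```python
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import List, Optional
import json


@dataclass(frozen=True)
class AuditRecord:
    """Minimum content of an audit record per FAU_GEN.1.2: date/time, type of
    event, subject identity and outcome, plus free-form details."""
    timestamp: str
    event_type: str
    subject_identity: str
    outcome: str
    details: dict = field(default_factory=dict)

    def to_json(self) -> str:
        return json.dumps(asdict(self), sort_keys=True)


class AuditLog:
    """Hypothetical audit trail for a TOE whose TSP subjects are external hosts
    (e.g. a firewall). Administrative actions are attributed to the administrator
    that performed them, as PD-0064 resolves; traffic events to the host."""

    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    @staticmethod
    def _stamp(now: Optional[datetime]) -> str:
        # Caller may pass a fixed time so that records are reproducible.
        return (now or datetime.now(timezone.utc)).isoformat()

    def record_admin_action(self, administrator: str, action: str, outcome: str,
                            target: Optional[str] = None,
                            now: Optional[datetime] = None) -> AuditRecord:
        """Administrative action: the subject identity is the actor that caused
        the event, i.e. the authenticated administrator, never a host."""
        if not administrator:
            raise ValueError("administrative action without an authenticated actor identity")
        rec = AuditRecord(self._stamp(now), "admin." + action, administrator, outcome,
                          {"target": target} if target else {})
        self.records.append(rec)
        return rec

    def record_connection_request(self, source_host: str, destination: str,
                                  outcome: str, now: Optional[datetime] = None) -> AuditRecord:
        """Traffic event: here the TSP subject is the requesting host."""
        rec = AuditRecord(self._stamp(now), "traffic.connection_request", source_host,
                          outcome, {"destination": destination})
        self.records.append(rec)
        return rec

    def actions_by(self, subject_identity: str) -> List[AuditRecord]:
        """Review helper: every event caused by one actor (admin or host)."""
        return [r for r in self.records if r.subject_identity == subject_identity]


def demo() -> AuditLog:
    """Constructed sample events (not real data): one admin change, one denied connection."""
    log = AuditLog()
    t = datetime(2002, 8, 13, 12, 0, tzinfo=timezone.utc)
    log.record_admin_action("admin-1", "ruleset.modify", "success", target="rule 17", now=t)
    log.record_connection_request("10.0.0.5", "192.0.2.10:443", "denied", now=t)
    return log


if __name__ == "__main__":
    for rec in demo().records:
        print(rec.to_json())
```

The point of the split between the two record methods is that the "subject" column of the audit trail means "whoever caused the event" in both cases: the administrator for configuration changes, the requesting host for enforcement decisions. Refusing to write an administrative record without an actor identity keeps the trail from silently losing accountability when an administrative path is invoked without an authenticated session.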

Modification History:

2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)

References:

  • TFFWPPv1.a
  • ALFWPPv1.a

Related NIs:

  • None

Related CCIMB-INTERPs:

  • None

Source OD: 0022