[Public Interpretations Database]

PD-0116: IDSSPP v1.4: Compliance with the Selective Audit Requirement


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2005-02-04
Last Modified: 2006-08-02

Issue

In the IDSS PP, is it acceptable to meet the Selective audit requirement with post-selection audit review?

 

Resolution

The PP author was consulted to determine the intent behind the requirement, and has said that the requirement for audit pre-selection must be met with pre-selection.

Support

As with all issues that arise concerning the meaning or intent of a PP, the author was consulted. The author is seen as the final arbiter of any questions concerning the PP. The author indicated that the requirement was included in the PP because denial of service would be considered a security problem for an IDS. This can occur when a relatively high volume of activity generates audit records. Pre-selection keeps these events out of the audit trail entirely, thereby avoiding the exhaustion of audit storage.
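The storage argument above can be seen in a small simulation, added here as an illustration and not taken from the PP or any evaluated product. The event type names, volumes, storage capacity and the drop-when-full behaviour are all assumptions chosen for the example.

```python
# Added illustration; event names, volumes and the capacity are constructed.
NOISE = "sensor_heartbeat"       # hypothetical high-volume event type
SIGNIFICANT = "admin_auth_fail"  # hypothetical low-volume event type


class AuditTrail:
    """Fixed-capacity audit store. Assumption: once full, new records are dropped."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.records = []
        self.lost = 0

    def write(self, record):
        if len(self.records) >= self.capacity:
            self.lost += 1  # audit storage exhausted
            return False
        self.records.append(record)
        return True


def sample_events():
    """Constructed input: a burst of 500 noise events, then 5 significant ones."""
    return [{"type": NOISE}] * 500 + [{"type": SIGNIFICANT}] * 5


def pre_selection(events, excluded, capacity):
    """Excluded event types are filtered before they reach the audit trail."""
    trail = AuditTrail(capacity)
    for ev in events:
        if ev["type"] not in excluded:
            trail.write(ev)
    return trail


def post_selection(events, excluded, capacity):
    """Everything is written; the exclusion is applied only at review time."""
    trail = AuditTrail(capacity)
    for ev in events:
        trail.write(ev)
    reviewed = [r for r in trail.records if r["type"] not in excluded]
    return trail, reviewed


if __name__ == "__main__":
    pre = pre_selection(sample_events(), {NOISE}, capacity=100)
    post, reviewed = post_selection(sample_events(), {NOISE}, capacity=100)
    print("pre-selection :", len(pre.records), "stored,", pre.lost, "lost")
    print("post-selection:", len(post.records), "stored,", post.lost, "lost,",
          len(reviewed), "significant records left to review")
```

With the same input and the same exclusion rule, only the pre-selection run retains the significant records, because the excluded events never consume audit storage.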

Modification History:

2005-02-04
PD created. January 2005 ODRB Agenda Item 3.a.i

 

References:

  • Intrusion Detection System System Protection Profile (IDSSPP), Version 1.4, February 4, 2002
  • CC v2.1 Part 2, FAU_SEL.1
  • Cisco Intrusion Detection System Sensor Appliance IDS-4200 series Version 4.1(3) Security Target (ST_VID6002-ST)

Related NIs:

  • None

Related CCIMB-INTERPs:

  • None

Source OD: 0240