I-0004: Enforcement Of Audit Settings Consistent With Protection Goals
NUMBER: I-0004
STATUS: Approved by CCEVS Management and Mailed to Public Mailing List
TITLE: Enforcement Of Audit Settings Consistent With Protection Goals
APPROVAL POSTING: [announce 0327]
EFFECTIVE: 1993-10-20
REQUIREMENT: Audit
CRITERIA CLASSES: C2, B1, B2, B3, A1
DOCUMENT(S): Trusted Facility Manual
RELATED TO:
I-0001 Delayed Enforcement Of Authorization Change
I-0002 Delayed Revocation Of DAC Access
I-0003 Access Validation After Object Label Change
I-0239 Subject Access Revocation After Change In User Clearance
STATEMENT:
The following interprets the requirement that "The ADP system administrator shall be able to selectively audit ..."

If the TCB supports the selection of events to be audited, it shall provide a method for immediate enforcement of a change in audit settings (e.g., to audit a specified user, to audit objects at a particular sensitivity level); however, the immediate method (e.g., shutting the system down) need not be the usual method for enforcement. The TFM shall describe both the usual enforcement of audit settings and, if the immediate enforcement method is different from the usual one, how an administrator can cause immediate enforcement. The TFM shall describe the consequences of changing an audit state dynamically if such changes could result in incomplete or misleading audit data.

PROJECTED IMPACT:
Negligible impact anticipated.

SUPPORT:
It is preferable to have the TCB audit mechanism ensure that enforcement occurs in a timely manner, consistent with the system's design and protection goals. However, "timely" is a subjective term and the TCSEC does not include such a requirement, although the control objectives say that audit data should be collectable within a reasonable time and without undue difficulty. Therefore, it is sufficient that the vendor clearly document how audit setting changes are enforced, and consumers must choose the product that best fits their needs.

Sometimes, if the quantity or detail of auditing is increased, it may not be possible for the system to generate informative audit records about existing subjects. For instance, if a system identifies users in audit records on the basis of a numeric process ID, and a mapping from user name to process ID is normally created at user login, then if audit for a user is turned on after login, that user's audit records will not be meaningful. The TFM guidance for this situation would need to describe the consequence of not collecting audit records from the time of login (and would likely need to recommend that login audit records always be collected, regardless of what other events are audited).
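
The failure mode described under SUPPORT, as an added illustration that is not part of the interpretation: audit records carry only a process ID, and the user name appears only in the login record. The event stream, PIDs, paths and the collect/attribute functions are constructed for this example.

```python
# Constructed ground-truth events: (time, pid, event, detail).
# Only LOGIN carries the user name; all other records identify the PID alone.
EVENTS = [
    (1, 101, "LOGIN", "alice"),
    (2, 102, "LOGIN", "bob"),
    (3, 102, "OPEN", "/payroll/q3"),
    (4, 101, "OPEN", "/home/alice/notes"),
    (5, 102, "DELETE", "/payroll/q3"),
    (6, 102, "LOGOUT", ""),
    (7, 102, "LOGIN", "carol"),  # PID 102 reused by a later session
    (8, 102, "OPEN", "/payroll/q4"),
]

def collect(events, audit_on_at, always_audit_login):
    """Selective audit: audit_on_at maps user -> time auditing was enabled."""
    owner, trail = {}, []
    for t, pid, ev, detail in events:
        if ev == "LOGIN":
            owner[pid] = detail  # TCB-internal state, not visible in the trail
        user = owner.get(pid)
        selected = user in audit_on_at and t >= audit_on_at[user]
        if selected or (always_audit_login and ev in ("LOGIN", "LOGOUT")):
            trail.append((t, pid, ev, detail))
        if ev == "LOGOUT":
            owner.pop(pid, None)
    return trail

def attribute(trail):
    """Reviewer's view: map PID -> user from LOGIN records in the trail only."""
    seen, resolved, orphaned = {}, [], []
    for t, pid, ev, detail in trail:
        if ev == "LOGIN":
            seen[pid] = detail
        if pid in seen:
            resolved.append((t, seen[pid], ev, detail))
        else:
            orphaned.append((t, pid, ev, detail))  # cannot be tied to a user
        if ev == "LOGOUT":
            seen.pop(pid, None)
    return resolved, orphaned

if __name__ == "__main__":
    # Audit for bob is switched on at t=3, after his login at t=2.
    for always in (False, True):
        resolved, orphaned = attribute(collect(EVENTS, {"bob": 3}, always))
        print(f"always_audit_login={always}: "
              f"{len(resolved)} attributable, {len(orphaned)} orphaned")
```

With login records omitted, every record collected for PID 102 is unattributable, and the later reuse of that PID by another session is invisible to the reviewer.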