[Public Interpretations Database]

I-0005: Action For Audit Log Overflow
NUMBER:               I-0005
STATUS:               Approved by CCEVS Management and Mailed to Public Mailing List

TITLE:                Action For Audit Log Overflow
APPROVAL POSTING:     [announce 0328]

EFFECTIVE:            1993-10-20

REQUIREMENT:          Audit
CRITERIA CLASSES:     C2, B1, B2, B3, A1
DOCUMENT(S):          Trusted Facility Manual
RELATED TO:
     I-0246           Action For Audit Log Overflow (C1-CI-01-89)

STATEMENT:

The following interprets the requirement that ``The TCB shall be able to create, maintain and protect from modification or unauthorized access or destruction an audit trail of accesses to the objects it protects.''

When the TCB becomes unable to collect audit data, it shall give a clear indication of this condition and take a pre-specified action. The system implementation may allow an administrator to choose from a range of actions. One of the actions that may be chosen by the administrator (or, if no choice is possible, the only action) shall be that the system cease performing auditable events when the TCB is unable to collect audit data. Choosing an audit overflow action shall be considered a security-relevant administrative event for the purposes of auditing. The TFM shall fully describe the administrator's options.

PROJECTED IMPACT:

Negligible impact anticipated.

SUPPORT:

This is a restatement of formal interpretation C1-CI-01-89 ([announce 0124], I-0246), modified slightly to eliminate its unsupportable requirement for a ``default'' action. The system may be delivered without the most restrictive action pre-set, as long as the TFM clearly explains the options and how to configure the system not to lose audit data as a result of audit log overflow.

In order to maintain an accurate audit trail, the administrator must have the capability to stop auditable actions whenever it is impossible to audit them (e.g., halt temporarily, shut down). To allow flexibility when performance is more important than the loss of audit data, a system may provide other possible options when auditing is impossible (e.g., discard some or all audit data, overwrite existing audit data, request new audit media).

This interpretation requires that appropriate action be taken any time the TCB detects that audit data are being lost or are otherwise not collectable, whether because of, for example, overflow of permanent storage or lack of space in internal buffers. This interpretation is limited to losses that are detected during collection; the loss of already collected and permanently stored audit data is not covered here.

The intent of this interpretation is to encourage vendors to provide a choice of action, since different operational environments clearly have different needs: one administrator may prefer to continue operating and overwrite old audit data, when operation is more important than accountability, whereas another administrator might consider accountability more important and want to retain the audit trail even at the expense of losing function. However, if no choice is permitted, the only action that can meet the TCSEC requirement to ``maintain and protect'' the audit trail is to cease performing auditable events altogether when the audit trail is unavailable.
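The following is an added illustrative model, not part of the interpretation or of any evaluated product, of how a TCB audit collector can satisfy the statement above: it gives a clear indication when it can no longer record audit data, applies a pre-specified administrator-chosen overflow action, offers "cease performing auditable events" as one of those actions, and treats the choice of action as an auditable administrative event. The class and action names are hypothetical, and the trail is a fixed-size in-memory buffer standing in for audit media.

```python
from collections import deque
from enum import Enum


class OverflowAction(Enum):
    # The action every system must offer (the only one if no choice is given).
    CEASE_AUDITABLE_EVENTS = "cease"
    # Optional actions a vendor may add when availability outweighs accountability.
    DISCARD_NEW = "discard_new"
    OVERWRITE_OLDEST = "overwrite_oldest"


class AuditOverflow(Exception):
    """Raised to the caller so that the auditable event is refused, not performed."""


class AuditTrail:
    def __init__(self, capacity, action=OverflowAction.CEASE_AUDITABLE_EVENTS):
        self.capacity = capacity          # stand-in for the audit media/buffer size
        self.records = deque()
        self.action = action
        self.overflow_indicated = False   # the "clear indication" shown to the administrator
        self.lost = 0                     # count of records discarded or overwritten

    def set_overflow_action(self, admin, action):
        # Choosing the overflow action is security-relevant: audit it before applying it.
        # If the trail is already unavailable under the CEASE policy, the change is refused.
        self.record(f"admin={admin} set overflow action to {action.value}")
        self.action = action

    def record(self, event):
        if len(self.records) < self.capacity:
            self.records.append(event)
            return True
        self.overflow_indicated = True    # loss detected during collection
        if self.action is OverflowAction.OVERWRITE_OLDEST:
            self.records.popleft()
            self.lost += 1
            self.records.append(event)
            return True
        if self.action is OverflowAction.DISCARD_NEW:
            self.lost += 1
            return False
        raise AuditOverflow("audit trail unavailable; auditable event refused")


def perform_auditable_event(trail, description, do_action):
    """Audit-before-act: the event runs only if its audit record can be written."""
    try:
        trail.record(description)
    except AuditOverflow:
        return False
    do_action()
    return True
```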