[Public Interpretations Database]

I-0009: Audit Tools Are Part Of TCB


NUMBER:               I-0009
STATUS:               Withdrawn
REASON:               This was originally intended to overturn C1-CI-02-85, but
                      it was withdrawn when an interp with greater scope (I-
                      0299) was used for that purpose.

TITLE:                Audit Tools Are Part Of TCB

REQUIREMENT:          Audit
CRITERIA CLASSES:     C2, B1, B2, B3, A1
DOCUMENT(S):          <None>
RELATED TO:           <None>

STATEMENT:

This interprets the requirement at C2 that "The ADP system administrator shall be able to selectively audit the actions of any one or more users based on individual identity" and, at B1 and above, "The ADP system administrator shall be able to selectively audit the actions of any one or more users based on individual identity and/or object security level."

The interfaces and mechanisms used by an administrator to meet the analysis and selection aspects of the Audit requirements shall be considered part of the TCB and shall meet all other relevant TCSEC requirements for TCB components (e.g., System Architecture, Design Documentation). This applies even if audit analysis and selection is implemented in a physically separate system component.

PROJECTED IMPACT:

This reverses part of the statement in formal interpretation C1-CI-02-85 that discusses audit tools.

Some products may require additional analysis and scrutiny to assess the trustworthiness of off-line audit analysis tools.

SUPPORT:

It is inconsistent for the TCSEC to state a functional requirement (audit analysis) and then allow it to be met by untrusted code. All TCSEC requirements that are applicable to the product implementation must be satisfied by the TCB.

If audit analysis and selection is performed by a separate computer system, that system must be sufficiently trustworthy to satisfy the audit-related requirements, but as it has no policy enforcement responsibility and no interface for untrusted users, that analysis would likely be considerably simpler than for the rest of the product. Inclusion of the tools in the TCB should not significantly increase the complexity of the analysis.

A previous interpretation (C1-CI-02-85) stated that audit tools need not be included in the TCB as long as they are kept under configuration management. The rationale may have been that the A1 Configuration Management requirement describes some tools that are not part of the TCB but that must be kept under configuration management; however, those are tools used by the system developers, not by an end-user. That rationale also overlooks the weakening of the Configuration Management requirement below A1, and its total absence below B2.

Note that the vendor may supply additional audit-related tools beyond the minimum required to meet the Audit requirement without considering them part of the TCB, provided that there exist TCB components sufficient to meet the minimum Audit requirements.

Particularly at B3 and A1, where the System Architecture requirement discusses minimizing complexity of the TCB, it may be appropriate to have two types of audit analysis tools: one simple set of tools, sufficient to meet the TCSEC requirements, and part of the TCB, and another set of tools, outside the TCB, but able to provide more sophisticated analysis and report generation capabilities.
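As an added illustration (not part of this interpretation), the following Python sketch shows what the minimal, TCB-resident selection function described above might look like: it selects audit records by individual identity and/or object security level, and nothing more. The record fields, the `Level` model (a hierarchical class plus categories, compared by dominance) and the `select_records` interface are assumptions made for the example; richer report generation would live in the separate, non-TCB tool set.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Level:
    """Object security level (assumed model): hierarchical class plus categories."""
    hierarchy: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        # Standard dominance: higher-or-equal class and a superset of categories.
        return self.hierarchy >= other.hierarchy and other.categories <= self.categories


@dataclass(frozen=True)
class AuditRecord:
    """One audit trail entry (assumed layout for this example)."""
    user: str
    event: str
    obj: str
    level: Level


def select_records(records: Iterable[AuditRecord],
                   users: Optional[Set[str]] = None,
                   level: Optional[Level] = None,
                   match_any: bool = False) -> List[AuditRecord]:
    """Minimal selection by identity and/or object level, as the Audit requirement demands.

    users      - select records of these individual identities (None = no identity filter)
    level      - select records whose object level is dominated by this level (None = no filter)
    match_any  - True: identity OR level ("or"); False: both given criteria must hold ("and")
    """
    selected = []
    for rec in records:
        by_user = users is not None and rec.user in users
        by_level = level is not None and level.dominates(rec.level)
        if users is None and level is None:
            hit = True                      # no criterion given: everything is selected
        elif match_any:
            hit = by_user or by_level
        else:
            hit = (users is None or by_user) and (level is None or by_level)
        if hit:
            selected.append(rec)
    return selected


# Constructed sample audit trail used to exercise the selector.
UNCLASS, CONF, SECRET = Level(0), Level(1), Level(2)
SECRET_NATO = Level(2, frozenset({"NATO"}))
RECORDS = [
    AuditRecord("alice", "read", "file1", UNCLASS),
    AuditRecord("bob", "write", "file2", SECRET),
    AuditRecord("alice", "read", "file3", SECRET_NATO),
    AuditRecord("carol", "delete", "file4", CONF),
]
```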