![[Public Interpretations Database]](/assets/images/public-interps.jpg){kind=small}
I-0073: OK To Audit Decision Regardless Of Whether Action Completed
NUMBER: I-0073
STATUS: Approved by CCEVS Management and Mailed to Public Mailing
List
TITLE: OK To Audit Decision Regardless Of Whether Action
Completed
APPROVAL POSTING: [announce 0335]
EFFECTIVE: 1993-10-20
REQUIREMENT: Audit
CRITERIA CLASSES: C2, B1, B2, B3, A1
DOCUMENT(S): <None>
RELATED TO: <None>
STATEMENT:
The following interprets the requirement that ``The TCB shall be able to record the following types of events: ... introduction of objects into a user's address space (e.g., file open, program initiation), ...''Auditing the attempted introduction of an object at the point of passing the security access control checks satisfies the above requirement, even though the object may not actually be introduced into the subject's address space because of failing later checks not related to security.
PROJECTED IMPACT:
Negligible impact anticipated.SUPPORT:
A product may be designed so that an audit record is cut immediately after the access control permissions are checked. Other checks, such as those necessary for requests for exclusive use, may occur after the security checks and cause the open to fail; however, the audit record would still be in the audit log.Although this method may create a misleading audit trail, it does provide information about what a subject attempted to access and whether the request was successful relevant to security. Even an audit of a successful open of an object does not indicate whether the subject accessed any part of the information in an object.
Note: This interpretation applies only to the introduction of an object into the subject's address space. This does not imply that incomplete auditing is either acceptable or unacceptable for other types of events.