I-0084: Audit Least Disruptive Action
NUMBER: I-0084
STATUS: Approved by CCEVS Management and Mailed to Public Mailing List
TITLE: Audit Least Disruptive Action
APPROVAL POSTING: [announce 0472]
EFFECTIVE: 1994-07-12
REQUIREMENT: Audit
CRITERIA CLASSES: B3, A1
DOCUMENT(S): Trusted Facility Manual
RELATED TO:
I-0172 Audit Of Imminent Security Violations
I-0242 Auditing And Imminent Violations (C1-CI-02-87)
STATEMENT:
The following interprets the requirement that "...and if the occurrence or accumulation of these security relevant events continues, the system shall take the least disruptive action to terminate the event."

The action taken to terminate an imminent violation shall eliminate the capability to repeat the event, at least until a recurrence of the event would not indicate an imminent violation. The product developer shall provide a convincing argument for why the proposed action is the "least disruptive" of possible actions.

PROJECTED IMPACT:
Negligible impact anticipated.

SUPPORT:
This interpretation partially modifies C1-CI-02-87 ([announce 0059], I-0242).

"Least disruptive" applies to the other subjects, not the violators. The definition of least disruptive is often product and even environment dependent. The developer's knowledge of the market for the product and the product's design should provide a strong basis for an argument for a least disruptive action. As examples of standard low disruption actions, for multiple login attempts the user's account or, in some cases, the terminal could be locked; for excessive use of identified auditable covert channels, access to the shared resource could be denied or the subject could be killed and the account locked.
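
ADDED EXAMPLE (not part of the interpretation and not taken from any evaluated product):
A Python model of the multiple-login-attempt case named in SUPPORT, assuming a hypothetical per-account threshold of failed logins inside a sliding time window; the class name, method names, threshold and window are all assumptions. It locks only the offending account and holds the lock until one more event would no longer reach the threshold, which is one reading of the "at least until" condition in the STATEMENT.

```python
from collections import defaultdict, deque

class ImminentViolationMonitor:
    """Per-account sliding-window monitor; all names and values are hypothetical."""

    def __init__(self, threshold, window):
        if threshold < 2:
            raise ValueError("threshold must be at least 2")
        self.threshold = threshold        # events inside `window` that signal an imminent violation
        self.window = window              # seconds
        self.events = defaultdict(deque)  # account -> timestamps still inside the window
        self.locked_until = {}            # account -> time the lock is lifted
        self.audit_log = []               # (time, account, action) records

    def is_locked(self, account, now):
        return now < self.locked_until.get(account, float("-inf"))

    def record_event(self, account, now):
        """Register one failed login at time `now` and return the action taken."""
        if self.is_locked(account, now):
            # Capability to repeat the event is removed: refuse and audit, do not count.
            self.audit_log.append((now, account, "refused"))
            return "refused"
        q = self.events[account]
        while q and q[0] <= now - self.window:  # drop events that aged out of the window
            q.popleft()
        q.append(now)
        if len(q) < self.threshold:
            return "counted"
        # Threshold reached. One more event stops indicating an imminent violation
        # once the two oldest counted events have aged out, so hold the lock until
        # the second-oldest leaves the window. Only this account is affected.
        self.locked_until[account] = q[1] + self.window
        self.audit_log.append((now, account, "locked"))
        return "locked"

if __name__ == "__main__":
    mon = ImminentViolationMonitor(threshold=3, window=60)
    # Constructed sample input: (time in seconds, account)
    sample = [(0, "alice"), (10, "alice"), (20, "alice"),
              (30, "alice"), (30, "bob"), (70, "alice")]
    for t, who in sample:
        print(t, who, mon.record_event(who, t))
```

The audit log produced by such a monitor is the kind of evidence a developer could cite when arguing that the chosen action disrupts no subject other than the violator.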