[Public Interpretations Database]

I-0187: Auditing User ID On Failed Login Attempts (C1-CI-01-84)


NUMBER:               I-0187
STATUS:               Formally Superseded

TITLE:                Auditing User ID On Failed Login Attempts (C1-CI-01-84)
SUPERSEDED BY:        
     I-0006           Audit Of User-Id For Invalid Login

EFFECTIVE:            1984-06-15
SUPERSEDED:           1993-10-20

REQUIREMENT:          Audit
CRITERIA CLASSES:     C2, B1, B2, B3, A1
DOCUMENT(S):          <None>
RELATED TO:
     I-0006           Audit Of User-Id For Invalid Login

STATEMENT:

The following interprets the requirement that ``...The TCB shall be able to record the following types of events: use of identification and authentication mechanisms,... For each recorded event, the audit record shall identify: date and time of the event, user, type of event, and success or failure of the event.''

It is accepted that the audit mechanism be required to produce a record on all login attempts. When a valid user-id is specified in the attempt, the audit record must have some means of identifying that user-id. In the case that no valid user-id is specified, the audit record should be generated indicating that a failed login attempt has occurred. It is further recommended that the decision as to whether to record the character string supplied be left to the vendor.

Note: This interpretation is a reformatting of an interpretation adopted and announced before the formation of the IWG ("old-style interpretation"). The CRITERION and ACCEPTED INTERPRETATION portions of the "old-style interpretation" are included in this STATEMENT. The remainder of the "old-style interpretation" is included in the SUPPORT of this interpretation. Because a different style was used for "old-style interpretations", the SUPPORT section of this interpretation MUST be read in order to get a full sense of what this interpretation requires.

PROJECTED IMPACT:

Negligible impact anticipated.

SUPPORT:

This is a reformatting of C1-CI-01-84 into the format of IWG queue entries.

Specific Application:

The SCOMP does not record the character string in the audit record. Instead, all user names are translated to a number (user-id) and the user-id is stored in the audit record. In the case of a user not entering a valid user name (i.e., a string that does not correspond to a valid user-id), the SCOMP leaves the user-id portion of the record blank.

Possible Interpretations:

The following are proposed interpretations of the above section of the Criteria:

  1. The use of identification and authentication mechanisms is the equivalent of attempting to login. Therefore, any attempt to login, whether or not a valid user-id is supplied, must produce an audit record. This audit record must contain the user-id if a valid user-id was supplied. If no valid user-id was supplied, then the characters entered at the terminal must be recorded.

  2. The use of identification and authentication mechanisms is the equivalent of attempting to login. Therefore, any attempt to login, whether or not a valid user-id is supplied, must produce an audit record. This audit record must contain the user-id if a valid user-id was supplied. If no valid user-id was supplied, then the audit record need only contain the information that a failed login attempt has occurred, and the other identifying information such as port/terminal number, date and time, etc.

Issues:

  1. Recording the character string entered by the user would make obvious to a security administrator when someone is trying certain methods of guessing user-ids (AAAA, AAAB, AAAC,...).

  2. It is obvious that the "user" cannot be identified, as required by the Criteria, since the proper authentication has not been provided. Therefore, the next best thing is to record what the user provided as identification in the audit record.

  3. Recording invalid user-ids is a possible security exposure. A legitimate user may divulge his password by a common scenario where the user becomes confused and enters his password as a user-id after a failed attempt to login with his correct user-id.

  4. Asking the vendors to record the actual characters that are entered is an implementation detail and should not be included in an interpretation of the Criteria.

Rationale:

It is agreed that the "user" cannot be identified when an invalid ID is entered. Therefore, the decision that needs to be made is whether the character string that was entered as an ID needs to be recorded in the audit log. It was decided that, although recording the character string can give the security administrator a clue as to how a potential penetrator is trying to get into his system, the benefits of this are outweighed by the possible security exposure that may result when a user becomes confused and enters his password in place of his ID immediately after mistyping his password on a previous attempt. It was also noted that the Criteria does not specify implementation details and that these should not be considered in Criteria interpretations.
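The following is an added illustration, not part of the interpretation or of any vendor's code, of an audit record generator that behaves as the STATEMENT and this Rationale describe: every login attempt is recorded, a valid user-id is always identified, an unknown name leaves the user-id field blank (as on the SCOMP), and keeping the typed characters is a vendor option that defaults to off. The user table, terminal names, timestamps and the confused-user scenario are constructed for the example.

```python
from typing import Optional

# Constructed user table: login name -> numeric user-id, mirroring the SCOMP
# practice of storing a number rather than the typed name.
USER_TABLE = {"alice": 1001, "bob": 1002}


def audit_login_attempt(name: str, authenticated: bool, terminal: str,
                        when: str, record_string: bool = False) -> dict:
    """Produce one audit record for a login attempt, per I-0187.

    Every attempt yields a record. If the name maps to a valid user-id, that
    user-id is recorded. If not, the record states only that a failed login
    occurred, with terminal and time; the typed characters are kept only when
    the vendor option record_string is set, because the Rationale notes they
    may be a password typed at the wrong prompt.
    """
    uid: Optional[int] = USER_TABLE.get(name)
    record = {
        "time": when,
        "event": "identification_and_authentication",
        "terminal": terminal,
        "user_id": uid,                        # None = blank field, as on SCOMP
        "success": uid is not None and authenticated,
    }
    if uid is None and record_string:
        record["supplied_name"] = name         # vendor's choice; off by default
    return record


def failed_attempts_by_terminal(records: list) -> dict:
    """Count failed attempts per terminal: the administrator still sees a
    guessing pattern (Issue 1) from volume and source alone, without the
    raw strings."""
    counts: dict = {}
    for r in records:
        if not r["success"]:
            counts[r["terminal"]] = counts.get(r["terminal"], 0) + 1
    return counts


# Constructed scenario from the Rationale: alice mistypes her password, then
# types the password itself at the user-id prompt, then logs in correctly.
ATTEMPTS = [
    ("alice", False, "tty03", "1984-06-15T09:00:00Z"),
    ("s3cret!", False, "tty03", "1984-06-15T09:00:20Z"),
    ("alice", True, "tty03", "1984-06-15T09:00:45Z"),
]
RECORDS = [audit_login_attempt(*a) for a in ATTEMPTS]
```

With the default setting the second record carries no trace of the string "s3cret!", yet the per-terminal count still shows two failures on tty03 before the successful login.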