I-0246: Action For Audit Log Overflow (C1-CI-01-89)
NUMBER: I-0246
STATUS: Formally Superseded
TITLE: Action For Audit Log Overflow (C1-CI-01-89)
SUPERSEDED BY:
I-0005 Action For Audit Log Overflow
EFFECTIVE: 1989-01-09
SUPERSEDED: 1993-10-20
REQUIREMENT: Audit
CRITERIA CLASSES: C2, B1, B2, B3, A1
DOCUMENT(S): Trusted Facility Manual
RELATED TO:
I-0005 Action For Audit Log Overflow
STATEMENT: The following interprets the requirement that "The TCB shall be able to create, maintain, and protect from modification or unauthorized access or destruction an audit trail of accesses to the objects it protects..."

The TCB must maintain all audit data. If the audit data storage/collection media should become full or otherwise inaccessible, the system must take well-defined action. When this condition arises, the system must give clear indication that the condition has occurred and it must also identify the action taken. By default, the action taken must be that the system cease performing auditable events (e.g., halt temporarily, shut down). The system may allow the administrator to explicitly specify an alternate action to be taken when the condition arises (e.g., discard some or all audit data, overwrite existing audit data, request new audit media). The issuance of this instruction must be auditable. The TFM must fully describe the administrator's options.

Note: This interpretation is a reformatting of an interpretation adopted and announced before the formation of the IWG ("old-style interpretation"). The CRITERION and INTERPRETATION portions of the "old-style interpretation" are included in this STATEMENT. The remainder of the "old-style interpretation" is included in the SUPPORT of this interpretation. Because a different style was used for "old-style interpretations", the SUPPORT section of this interpretation MUST be read in order to get a full sense of what this interpretation requires.

PROJECTED IMPACT: Negligible impact anticipated.

SUPPORT: This is a reformatting of C1-CI-01-89 into the format of IWG queue entries.

Specific Application: This interp was prompted by the possibility of the audit data storage/collection media becoming full or otherwise inaccessible (e.g., device power loss or malfunction).

Possible Interpretations:
Issues:
Rationale: When an auditor/system administrator/security officer specifies the auditing of actions, the TCB should not violate that specification under any circumstances. The administrator, when specifying the auditing of that event, is implicitly stating that the site wishes to collect information on every occurrence of the specified action. Some sites, however, may have a greater desire to continue to operate than to maintain an accurate and complete audit trail. These differing viewpoints suggest that a mechanism be capable of either continuing to operate or maintaining a completely accurate audit trail (or a combination of both). Since the audit trail becoming full or inaccessible is a predictable system state, a well-defined solution is possible and can reasonably be expected. Unless the auditing mechanism allows an authorized user to specify, in advance, what actions to take when an event occurs that may cause the audit media to become full or unavailable, it should be assumed that the site's wishes to maintain auditing data (and thus remain secure) are greater than its wishes to continue to operate.
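
A small model of the behaviour the STATEMENT and Rationale describe, added here as an illustration; it is not part of the interpretation or of any evaluated system. The names AuditTrail, OverflowAction and AuditHalted, the record format, and the use of a record count to stand in for media capacity are all assumptions.

```python
from enum import Enum


class OverflowAction(Enum):
    HALT = "halt"            # default: stop performing auditable events
    DISCARD = "discard"      # alternate: drop the new record
    OVERWRITE = "overwrite"  # alternate: overwrite the oldest record


class AuditHalted(Exception):
    """An auditable event was refused because it could not be recorded."""


class AuditTrail:
    def __init__(self, capacity):
        self.capacity = capacity           # assumed >= 1; stand-in for media size
        self.records = []
        self.action = OverflowAction.HALT  # default unless an administrator changes it
        self.halted = False
        self.indications = []              # stand-in for the operator console

    def set_overflow_action(self, admin, action):
        # Issuing this instruction is itself an auditable event, recorded
        # under the policy in force before the change takes effect.
        self._record(f"admin={admin} overflow_action={action.value}")
        self.action = action

    def perform(self, user, event, operation):
        # Record first: the operation runs only if the overflow policy permits.
        self._record(f"user={user} event={event}")
        return operation()

    def _record(self, entry):
        if self.halted:
            raise AuditHalted("audit trail full; auditable events are suspended")
        if len(self.records) < self.capacity:
            self.records.append(entry)
            return
        # Overflow: indicate the condition and identify the action taken.
        self.indications.append(f"audit trail full: action taken = {self.action.value}")
        if self.action is OverflowAction.HALT:
            self.halted = True
            raise AuditHalted("audit trail full; auditable events are suspended")
        if self.action is OverflowAction.OVERWRITE:
            self.records.pop(0)
            self.records.append(entry)
        # OverflowAction.DISCARD: the new entry is dropped and the event proceeds.
```

Under the default, the refused operation never runs, so no unaudited event occurs; under either alternate action the event proceeds and the trail is knowingly incomplete, which is why the choice has to be an explicit, recorded administrator instruction.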