[Public Interpretations Database]

I-0347: Including Sensitive Information In Audit Records

 
TYPE:                 Guidance
NUMBER:               I-0347
STATUS:               Approved, Acceptable to CCIMB, No CCIMB Interpretation

TITLE:                Including Sensitive Information In Audit Records

EFFECTIVE:            2002-08-22

SOURCE REFERENCE:     CC v2.1 Part 2 Subclause 7.5 FIA_UID
                      CC v2.1 Part 2 Subclause G.5 FIA_UID
RELATED TO:
     I-0006           Audit Of User-Id For Invalid Login
     I-0187           Auditing User ID On Failed Login Attempts (C1-CI-01-84)

ISSUE:

In the FIA_UID family, the CC specifically calls for the inclusion of the user identity in the audit record, even though it is possible that a user, confused by the I&A protocol, provides a password when the user identity is requested. There may be other instances in the CC where the audit requirement either explicitly or implicitly requires data to be logged that might be sensitive. Yet, the example given in CC Part 2, Annex C, paragraph 558, under FAU_GEN, suggests that the CC's intention was to allow the PP/ST author to exclude sensitive data from the required data to be logged. However, this paragraph is in a non-normative portion of the CC. Please clarify.

STATEMENT

The CC should allow PP/ST authors to selectively exempt specific sensitive attribute data from being placed into audit records while still being able to claim compliance with one of the three levels of selecting security-relevant audit events (minimum, basic, detailed).

SPECIFIC INTERPRETATION

[Note: The changes stated below are ADVISORY ONLY, and represent one approach to addressing the guidance in the statement. Other approaches that achieve the same goal are acceptable.]

To address this interpretation, the following changes are made to CC v2.1, Part 2: (additions marked thusly; deletions marked thusly):

  • FAU_GEN.1-NIAP-0410 is relabeled as FAU_GEN.1-NIAP-0347. Unless otherwise noted in these changes, all normative and informative material associated with FAU_GEN.1-NIAP-0410 is incorporated unchanged into FAU_GEN.1-NIAP-0347, and all references to FAU_GEN.1-NIAP-0410 in the CC, CEM, or other Common Criteria documentation are changed to refer to FAU_GEN.1-NIAP-0347.

  • Subclause 3.2, FAU_GEN.1, is changed as follows:

    FAU_GEN.1.2-NIAP-0410-0347 The TSF shall record within each audit record at least the following information:

    a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and

    b) For each audit event timetype, based on the auditable event definitions of the functional components included in the PP/ST, [selection: [assignment: other audit relevant information, excluding sensitive fields], "no other information"]

  • The following paragraph is added in Subclause C.2, after paragraph 561:

    A PP/ST author may also decided that certain information called out in the audit section for a functional component may be sensitive information, due to the design of the system or usage patterns. The PP/ST author should provide justification for any information called out for auditing in the component that has been removed for sensitivity reasons.

  • The following changes are made to Subclause C.2, paragraph 569:

    For FAU_GEN-NIAP-0410-0347.1.1b, the PP/ST author should assign, for each auditable events included in the PP/ST, a list of other audit relevent information to be included in audit event records. Sensitive information may be excluded with a convincing justification.

SUPPORT:

This interpretation modifies the CC as changed by I-0410.

In the FCS_CKM family, the audit events specifically exclude secret or private keys from the attributes to be logged; in some other cases, such as FPT_ITI and FIA_SOS, no attributes are to be logged, presumably because they may contain secrets. This leads one to believe that the CC's goal is not to record sensitive information in the audit trail.

However, in the FIA_UID family, the CC specifically calls for the inclusion of the user identity in the audit record, even though it is possible that a user, confused by the I&A protocol, provides a password when the user identity is requested.

The example given in CC Part 2, Annex C, paragraph 558, under FAU_GEN, suggests that the CC's intention was to allow the PP/ST author to exclude sensitive data from the required data to be logged. However, this paragraph is in a non-normative portion of the CC. This interpretation permits an author to exclude information, when justification is provided.

Such a justification would be provided as part of the explanation of the assignment operation called out in FAU_GEN.1.1b.

2003-07: This was reviewed by the CCIMB, who issued the following statement:

The CCIMB saw no need to adopt this national interpretation. However, use of this national interpretation will not adversely affect mutual recognition.

The definition of "audit relevant information" in 1.2 is to be viewed as axiomatic.

The CCIMB believes that an event/information that is security relevant is not necessarily audit relevant, so the proposed clarification is not really necessary.