[Public Interpretations Database]

I-0348: Audit Data Loss Prevention Method May Be Site-Selectable


TYPE:                 NIAP Interpretation
NUMBER:               I-0348
STATUS:               Formally Superseded

TITLE:                Audit Data Loss Prevention Method May Be Site-Selectable
SUPERSEDED BY:        
     I-0414           Site-Configurable Prevention Of Audit Loss

EFFECTIVE:            2000-03-27
SUPERSEDED:           2002-03-11

SOURCE REFERENCE:     CC v2.1 Part 2 Subclause 3.6 FAU_STG
                      CC v2.1 Part 2 Subclause C.6 FAU_STG
RELATED TO:           <None>
CCIMB ENTRY:          CCIMB-INTERP-0101

STATEMENT

The following interprets the FAU_STG.4 component: "The TSF shall [selection: 'ignore auditable events', 'prevent auditable events, except those taken by the authorised user with special rights', 'overwrite the oldest stored audit records'] and [assignment: other actions to be taken in case of audit storage failure] if the audit trail is full."

It is acceptable for the TSF to allow the actions to be taken when the audit trail is full to be site-configurable, as long as the TSF provides a pre-determined set of acceptable operations and an acceptable operation is defined as a default.

RECOMMENDED CRITERIA CHANGES

To address this interpretation, the following new component should be added to the FAU_STG family:

FAU_STG.x Site-Configurable Prevention of Audit Loss

Management: FAU_STG.x

The following actions could be considered for the management functions in FMT:

  1. Maintenance (deletion, modification, addition) of actions to be taken in case of audit storage failure.

Audit: FAU_STG.x

The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:

  1. Basic: Actions taken due to the audit storage failure.

  2. Basic: Selection of an action to be taken when there is an audit storage failure.

Hierarchical to: FAU_STG.4

FAU_STG.x.1. The TSF shall provide the capability to [selection: 'ignore auditable events', 'prevent auditable events, except those taken by the authorised user with special rights', 'overwrite the oldest stored audit records'] and [assignment: other actions to be taken in case of audit storage failure], if the audit trail is full.

FAU_STG.x.2. The TSF shall [selection: 'ignore auditable events', 'prevent auditable events, except those taken by the authorised user with special rights', 'overwrite the oldest stored audit records'] and [assignment: other actions to be taken in case of audit storage failure] if the audit trail is full and no other action has been selected.

Dependencies:

  • FAU_STG.1 Protected Audit Trail Storage

  • FMT_MTD.1 Management of TSF Data

The following should be added to the Part 2 Annex for the new component:

User Application Notes:

This component specifies the behaviours that the TOE must be capable of taking when the audit trail is full. It also provides a default behaviour to take if no behaviour is explicitly selected.

Potential behaviours that could be selected include the ability to ignore audit records, or to freeze the TOE such that no auditable events can take place. If the latter is selected, the requirement states that the authorised user with specific rights can continue to generate auditable events (actions). This permits the administrator to reset the system. Consideration should be given to the choice of the action to be taken by the TSF in the case of audit storage exhaustion, as ignoring events, which provides better availability of the TOE, will also permit actions to be performed without being recorded and without the user being accountable.
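As an added illustration (not part of the interpretation, and not code from any evaluated TOE), the following Python sketch models the FAU_STG.x behaviour described above: a bounded audit trail whose full-trail action is chosen at the site from a pre-determined acceptable set, a default applied when nothing has been selected, the special-rights exception under "prevent", and both the selection and the resulting actions kept as auditable events. The class names, the capacity, the choice of default and the outcome strings are assumptions made here.

```python
from collections import deque, namedtuple
from enum import Enum

class FullAction(Enum):
    """Pre-determined set of acceptable actions when the audit trail is full (FAU_STG.x.1)."""
    IGNORE = "ignore auditable events"
    PREVENT = "prevent auditable events, except those by the authorised user with special rights"
    OVERWRITE_OLDEST = "overwrite the oldest stored audit records"

# The "authorised user with special rights" is modelled by the special_rights flag.
User = namedtuple("User", "name special_rights", defaults=[False])

class AuditTrail:
    DEFAULT = FullAction.PREVENT  # constructed default; FAU_STG.x.2 only requires that one be defined

    def __init__(self, capacity, allowed=frozenset(FullAction)):
        self.capacity = capacity
        self.allowed = frozenset(allowed)  # the site may only choose from this set
        self.records = deque()
        self.selected = None               # None: the FAU_STG.x.2 default applies
        self.failure_actions = []          # auditable: actions taken due to audit storage failure

    def select_action(self, action, admin):
        """FMT_MTD.1-style management: special rights only, allowed set only, itself auditable."""
        if not admin.special_rights:
            raise PermissionError("only an authorised user with special rights may select")
        if action not in self.allowed:
            raise ValueError(f"{action.name} is not in this site's acceptable set")
        self.selected = action
        self.record("audit_full_action_selected:" + action.name, admin)

    def record(self, event, actor):
        """Return the outcome: recorded, overwrote_oldest, ignored, allowed_unrecorded or prevented."""
        if len(self.records) < self.capacity:
            self.records.append((actor.name, event))
            return "recorded"
        act = self.selected or self.DEFAULT  # Enum members are truthy, so None falls to the default
        if act is FullAction.OVERWRITE_OLDEST:
            self.records.popleft()
            self.records.append((actor.name, event))
            outcome = "overwrote_oldest"
        elif act is FullAction.IGNORE:
            outcome = "ignored"             # event proceeds unrecorded: the actor is not accountable
        elif actor.special_rights:
            outcome = "allowed_unrecorded"  # PREVENT, but special rights may still act (e.g. to reset)
        else:
            outcome = "prevented"
        self.failure_actions.append((act.name, outcome, actor.name, event))
        return outcome
```

Note that with "ignore" selected on a full trail, even the record of the selection itself is lost, which is the accountability gap the application note warns about.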

Operations

Selection:

In FAU_STG.x.1, the PP/ST author should select whether the TSF shall provide the ability to ignore auditable actions, prevent auditable actions from happening, and/or overwrite the oldest audit records.

In FAU_STG.x.2, the PP/ST author should select whether the TSF shall ignore auditable actions, prevent auditable actions from happening, and/or overwrite the oldest audit records if no action has been selected.

Assignment:

In FAU_STG.x.1, the PP/ST author should specify other actions that should be taken in case of audit storage failure, such as informing the authorised user.

In FAU_STG.x.2, the PP/ST author should specify other actions that should be taken in case of audit storage failure when no action has been selected, such as informing the authorised user.

Additionally, the management section for the existing FAU_STG.4 should be re-written to indicate that there are no management activities foreseen.

SUPPORT:

The FAU_STG.4 element explicitly states the actions to be taken by the TSF when the audit log is full. This wording implicitly disallows the actions to be taken to be site-selectable. Further, making such actions site-selectable would not be an acceptable refinement, as an ST meeting the refined version would not meet the unrefined version.

As a result, a new component is required that allows site-selectable actions. Making the actions site-selectable increases the flexibility of the TOE, and allows the TOE to adjust to changing security needs.

This new component provides a default action to be taken if no explicit action is selected.

As part of the preparation of this component, it was uncovered that the management section for FAU_STG.4 indicates that site-selectable options are permitted, even though that is an improper refinement, and it is not mentioned as a possibility by the application notes.