[Public Interpretations Database]

I-0422: Clarification Of ``Audit Records''


TYPE:                 Guidance
NUMBER:               I-0422
STATUS:               Approved, Acceptable to CCIMB, No CCIMB Interpretation

TITLE:                Clarification Of ``Audit Records''
SUPERSEDES:
     I-0370           Clarification Of ``Audit Records''

EFFECTIVE:            2000-12-05

SOURCE REFERENCE:     CC v2.1 Part 2 Subclause 3.6 FAU_STG
                      CC v2.1 Part 2 Subclause C.6 FAU_STG
RELATED TO:
     I-0370           Clarification Of ``Audit Records''
     I-0371           Some Modifications To The Audit Trail Are Authorized
     I-0423           Some Modifications To The Audit Trail Are Authorized
     I-0429           Selecting One Or More
CCIMB ENTRY:          CCIMB-INTERP-0109

ISSUE:

The Part 2 usage of the term "Audit Records", as opposed to the term "Audit Trail", introduces confusion. The Part 2 Annex, Section C.6, clarifies by implication that the term "Audit Records" refers to the records in the audit trail, as the application notes refer almost exclusively to the "audit trail" or the records in the trail. The problem with the term "audit records" is that audit records may appear outside the audit trail, for example, after they have been retrieved through a selection.

STATEMENT:

In the .1 and .2 elements of the FAU_STG.1 and FAU_STG.2 components, the phrase "audit records" refers to audit records stored in the "audit trail," as described in the Part 2 Annex. However, the use of the phrase "audit records" in this way does not preclude the actions specified as acceptable in FAU_STG.2.3, FAU_STG.3, and FAU_STG.4.

SPECIFIC INTERPRETATION:

[Note: The changes stated below are ADVISORY ONLY, and represent one approach to addressing the guidance in the statement. Other approaches that achieve the same goal are acceptable.]

To address this interpretation, the following changes are made to the CC v2.1, Part 2: (additions marked thusly; deletions marked thusly)

  • FAU_STG.1 is relabeled as FAU_STG.1-NIAP-0422. Unless otherwise noted in these changes, all normative and informative material associated with FAU_STG.1 is incorporated unchanged into FAU_STG.1-NIAP-0422, and all references to FAU_STG.1 in the CC, CEM, or other Common Criteria documentation are changed to refer to FAU_STG.1-NIAP-0422.

  • The elements in FAU_STG.1 are replaced with the following elements:

    FAU_STG.1.1-NIAP-0422: The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.

    FAU_STG.1.2-NIAP-0422: The TSF shall be able to [selection: prevent, detect] modifications to the audit records in the audit trail.

  • FAU_STG.2 is relabeled as FAU_STG.2-NIAP-0422. Unless otherwise noted in these changes, all normative and informative material associated with FAU_STG.2 is incorporated unchanged into FAU_STG.2-NIAP-0422, and all references to FAU_STG.2 in the CC, CEM, or other Common Criteria documentation are changed to refer to FAU_STG.2-NIAP-0422.

  • Elements FAU_STG.2.1 and FAU_STG.2.2 are replaced with the following elements:

    FAU_STG.2.1-NIAP-0422: The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.

    FAU_STG.2.2-NIAP-0422: The TSF shall be able to [selection: prevent, detect] modifications to the audit records in the audit trail.

SUPPORT:

The term "audit records" is used in Part 2 to permit truncation of an audit trail (i.e., deletion of some of the records from the trail). Further, there may be the need to permit some assigned action to address a subset of the records in the trail. As a result, it would be inappropriate to simply substitute "audit trail" for "audit records".

Note: This interpretation supersedes a previously approved formal interpretation, primarily to reflect modifications to the interpretation format. The intent of the interpretation has not been changed, although some specifics of the criteria changes or the support may have been clarified or corrected.

2003-07: This interpretation was reviewed by the CCIMB, who issued the following statement:

The CCIMB saw no need to adopt this national interpretation. However, the intent of this national interpretation is agreed, and its use will not adversely impact mutual recognition.

"Audit records in the audit trail" will always be encompassed by "stored audit records". This component is only concerned with the storage of the audit records within the audit trail. FAU_STG will not be included within the statement of SFRs for the TOE if there is a syslog server in the environment. Therefore, this component does not have to concern itself with the protection of audit records while queued in memory, prior to transfer to the syslog server.