Problem: At the time a PP/ST is developed, the PP/ST author knows the significant attributes of the FSPs of the TOE, and which of those attributes are to be derived from user-based information. Thus, it is possible for the PP/ST author to know which user attributes are to be bound to subjects created on the user's behalf. However, there is no way to specify such in the PP/ST.
Proposed Solution: The following interprets the FAU_STG.4 component: "The TSF shall [selection: 'ignore auditable events', 'prevent auditable events, except those taken by the authorised user with special rights', 'overwrite the oldest stored audit records'] and [assignment: other actions to be taken in case of audit storage failure] if the audit trail is full." It is acceptable for the TSF to allow the actions to be taken when the audit trail is full to be site-configurable, as long as the TSF provides a pre-determined set of acceptable operations and an acceptable operation is defined as a default.
To address this interpretation, the following new component should be added to the FAU_STG family:

FAU_STG.x Site-Configurable Prevention of Audit Loss

Management: FAU_STG.x
The following actions could be considered for the management functions in FMT:
1. Maintenance (deletion, modification, addition) of actions to be taken in case of audit storage failure.

Audit: FAU_STG.x
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
1. Basic: Actions taken due to the audit storage failure.
2. Basic: Selection of an action to be taken when there is an audit storage failure.

Hierarchical to: FAU_STG.4

FAU_STG.x.1 The TSF shall provide the capability to [selection: 'ignore auditable events', 'prevent auditable events, except those taken by the authorised user with special rights', 'overwrite the oldest stored audit records'] and [assignment: other actions to be taken in case of audit storage failure], if the audit trail is full.

FAU_STG.x.2 The TSF shall [selection: 'ignore auditable events', 'prevent auditable events, except those taken by the authorised user with special rights', 'overwrite the oldest stored audit records'] and [assignment: other actions to be taken in case of audit storage failure] if the audit trail is full and no other action has been selected.

Dependencies: FAU_STG.1 Protected Audit Trail Storage
              FMT_MTD.1 Management of TSF Data

The following should be added to the Part 2 Annex for the new component:

User Application Notes: This component specifies the behaviours that the TOE must be capable of taking when the audit trail is full. It also provides a default behaviour to take if no behaviour is explicitly selected. Potential behaviours that could be selected include the ability to ignore audit records, or to freeze the TOE such that no auditable events can take place.
If the latter is selected, the requirement states that the authorised user with specific rights can continue to generate auditable events (actions). This permits the administrator to reset the system. Consideration should be given to the choice of the action to be taken by the TSF in the case of audit storage exhaustion, as ignoring events, which provides better availability of the TOE, will also permit actions to be performed without being recorded and without the user being accountable.
Operations

Selection: In FAU_STG.x.1, the PP/ST author should select whether the TSF shall provide the ability to ignore auditable actions, prevent auditable actions from happening, and/or overwrite the oldest audit records. In FAU_STG.x.2, the PP/ST author should select whether the TSF shall ignore auditable actions, prevent auditable actions from happening, and/or overwrite the oldest audit records if no action has been selected.

Assignment: In FAU_STG.x.1, the PP/ST author should specify other actions that should be taken in case of audit storage failure, such as informing the authorised user. In FAU_STG.x.2, the PP/ST author should specify other actions that should be taken in case of audit storage failure when no action has been selected, such as informing the authorised user.

Additionally, the management section for the existing FAU_STG.4 should be re-written to indicate that there are no management activities foreseen.
This new component provides a default action to be taken if no explicit action is selected. As part of the preparation of this component, it was uncovered that the management section for FAU_STG.4 indicates that site-selectable options are permitted, even though that is an improper refinement, and it is not mentioned as a possibility by the application notes.
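As an added illustration (not part of the interpretation text, and not any evaluated product's implementation), the following Python model shows how a TSF could satisfy the two elements of the proposed FAU_STG.x: a pre-determined set of acceptable full-trail actions that an authorised user may select at the site (FAU_STG.x.1, with the selection itself being auditable), and a default action that applies when nothing has been selected (FAU_STG.x.2). The class and function names, the fixed capacity, and the notification hook standing in for the "other actions" assignment are all hypothetical. The model also records which events proceed without being written, which is the accountability loss the application notes warn about.

```python
"""Hypothetical model of a site-configurable audit-storage-failure policy
modelled on the proposed FAU_STG.x (added example, not from the source)."""
from collections import deque
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Deque, List, Optional, Tuple


class FullPolicy(Enum):
    """The pre-determined set of acceptable operations (FAU_STG.x.1 selection)."""
    IGNORE = "ignore auditable events"
    PREVENT = "prevent auditable events, except those taken by the authorised user with special rights"
    OVERWRITE_OLDEST = "overwrite the oldest stored audit records"


@dataclass
class AuditTrail:
    capacity: int                                   # hypothetical fixed trail size
    default_policy: FullPolicy = FullPolicy.PREVENT  # FAU_STG.x.2 default
    selected_policy: Optional[FullPolicy] = None    # site selection, None = not selected
    notify: Optional[Callable[[FullPolicy], None]] = None  # "other actions" assignment
    records: Deque[str] = field(default_factory=deque)
    unrecorded: List[str] = field(default_factory=list)   # events that proceeded unaudited
    management_log: List[Tuple[str, str]] = field(default_factory=list)

    @property
    def effective_policy(self) -> FullPolicy:
        """FAU_STG.x.2: fall back to the default when no action has been selected."""
        return self.selected_policy or self.default_policy

    def select_policy(self, policy: FullPolicy, actor_privileged: bool) -> None:
        """FMT_MTD.1 dependency: only an authorised user may change the action.
        The selection is itself an auditable management action (Audit item 2)."""
        if not actor_privileged:
            raise PermissionError("only the authorised user may select the full-trail action")
        self.selected_policy = policy
        self.management_log.append(("policy_selected", policy.name))

    def admit(self, event: str, actor_privileged: bool = False) -> bool:
        """Return True if the TSF permits the event to take place.

        While there is room the event is stored. When the trail is full the
        effective policy decides, and the configured notification (if any) fires.
        """
        if len(self.records) < self.capacity:
            self.records.append(event)
            return True
        policy = self.effective_policy
        if self.notify is not None:
            self.notify(policy)            # e.g. informing the authorised user
        if policy is FullPolicy.OVERWRITE_OLDEST:
            self.records.popleft()         # oldest record is lost, newest is kept
            self.records.append(event)
            return True
        if policy is FullPolicy.IGNORE:
            self.unrecorded.append(event)  # event proceeds; user is not accountable
            return True
        # PREVENT: freeze the TOE for ordinary users so nothing goes unrecorded.
        if actor_privileged:
            self.unrecorded.append(event)  # authorised user may still act (e.g. reset)
            return True
        return False

    def reset(self, actor_privileged: bool) -> List[str]:
        """Authorised-user reset permitted under PREVENT: hand back the stored
        records (for archiving) and make room again."""
        if not actor_privileged:
            raise PermissionError("only the authorised user may reset the trail")
        archived = list(self.records)
        self.records.clear()
        self.management_log.append(("trail_reset", str(len(archived))))
        return archived


def demo() -> dict:
    """Walk through the default and each selectable action on a two-record trail."""
    notifications: List[str] = []
    trail = AuditTrail(capacity=2, notify=lambda p: notifications.append(p.name))
    trail.admit("login:alice")
    trail.admit("read:file1")
    blocked = trail.admit("write:file2")                       # default PREVENT
    admin_ok = trail.admit("admin:reset", actor_privileged=True)
    archived = trail.reset(actor_privileged=True)
    trail.select_policy(FullPolicy.OVERWRITE_OLDEST, actor_privileged=True)
    for e in ("e1", "e2", "e3"):
        trail.admit(e)
    return {"blocked": blocked, "admin_ok": admin_ok, "archived": archived,
            "records": list(trail.records), "notifications": notifications}
```

Running `demo()` shows the ordinary user's write refused under the default, the authorised user still able to act and reset, and the trail keeping only the two newest events once OVERWRITE_OLDEST has been selected; `notifications` holds one entry per full-trail decision, which is the kind of "inform the authorised user" action the assignment is meant to capture.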