| Proposed Solution: To address this interpretation, the following changes are made to CC
v2.1, Part 1: (additions marked thusly; deletions marked thusly)
- Add the following paragraph before paragraph 149 in CC v2.1 Part
1:
Lists used to complete assignments must be non-empty. "None"
(or equivalent wording) is only available as a choice if it is explicitly
provided; furthermore, if the "none" option is chosen, no additional
selection options may be chosen. If "none" is not given as an option
in a selection, it is permissible to combine the choices in a selection
with "and"s and "or"s.
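
The completion rule in the paragraph above can be checked mechanically. The following Python code is an added example, not part of the interpretation or of the CC: it parses the bracketed selection notation used by the modified elements in this interpretation (for example FAU_GEN.1.1-NIAP-0407c) and validates a completed selection against that rule. The function names, the completion format, and the heuristic that an option reading "none", "no ..." or "take no ..." is the explicit "none" choice are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Assumption of this example: a literal option is the explicit "none" choice
# if it reads "none", "no ..." or "take no ..." (the wordings used on this page).
NONE_RE = re.compile(r"(none$|no |take no )", re.I)

@dataclass(frozen=True)
class Option:
    text: str
    is_assignment: bool = False

    @property
    def is_none(self):
        return not self.is_assignment and NONE_RE.match(self.text) is not None

def split_top_level(body):
    """Split on commas that are outside quotes and outside nested brackets."""
    parts, cur, depth, quoted = [], [], 0, False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in "[]":
            depth += 1 if ch == "[" else -1
        if ch == "," and depth == 0 and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def parse_selection(template):
    """Parse '[selection: a, "b, c", [assignment: d]]' into Option objects."""
    flat = " ".join(template.split())          # undo line wrapping
    m = re.fullmatch(r"\[selection:\s*(.*)\]", flat)
    if m is None:
        raise ValueError("not a selection operation")
    options = []
    for part in split_top_level(m.group(1)):
        a = re.fullmatch(r"\[assignment:\s*(.*)\]", part)
        options.append(Option(a.group(1), True) if a else Option(part.strip('"')))
    return options

def check_completion(options, chosen=(), assigned=None):
    """Return rule violations. `chosen` holds the literal options picked;
    `assigned` is the list completing the nested assignment (None = not used)."""
    errors = []
    chosen = set(chosen)
    offered = {o.text: o for o in options if not o.is_assignment}
    for text in sorted(chosen - offered.keys()):
        # "None" is only available as a choice if it is explicitly provided.
        errors.append(f'"{text}" is not an option this selection provides')
    if assigned is not None:
        if not any(o.is_assignment for o in options):
            errors.append("selection has no assignment to complete")
        elif not assigned or any(i.strip().lower() == "none" for i in assigned):
            # Lists used to complete assignments must be non-empty.
            errors.append("assignment list must be non-empty")
    none_chosen = sorted(t for t in chosen if t in offered and offered[t].is_none)
    if none_chosen and (len(chosen) > 1 or assigned is not None):
        errors.append(f'"{none_chosen[0]}" cannot be combined with other choices')
    if not chosen and assigned is None:
        errors.append("selection was not completed")
    return errors

# Templates copied from elements quoted on this page.
FAU_GEN_1_1C = ('[selection: [assignment: other specifically defined\n'
                'auditable events], "no additional events"]')
FAU_GEN_1_1B = "[selection: minimum, basic, detailed, not specified]"
FAU_STG_4_1 = ('[selection: "ignore auditable events", "prevent auditable '
               'events, except those taken by the authorised user with special '
               'rights", "overwrite the oldest stored audit records"]')

if __name__ == "__main__":
    opts = parse_selection(FAU_GEN_1_1C)
    # Constructed completions: a valid one, then "none" combined with an assignment.
    print(check_completion(opts, ["no additional events"]))
    print(check_completion(opts, ["no additional events"], ["use of the audit API"]))
```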
To address this interpretation, the following changes are made to CC
v2.1, Part 2: (additions marked thusly; deletions marked thusly)
- FAU_GEN.1 is relabeled as FAU_GEN.1-NIAP-0407. Unless otherwise noted
in these changes, all normative and informative material associated
with FAU_GEN.1 is incorporated unchanged into FAU_GEN.1-NIAP-0407, and
all references to FAU_GEN.1 in the CC, CEM, or other Common Criteria
documentation are changed to refer to FAU_GEN.1-NIAP-0407.
- Subclause 3.2, FAU_GEN.1 is modified as follows:
FAU_GEN.1.1-NIAP-0407 The TSF shall be able to generate
an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [selection: minimum, basic,
detailed, not specified] level of audit; and
c) [selection: [assignment: other specifically defined
auditable events], "no additional events"].
FAU_GEN.1.2-NIAP-0407 The TSF shall record within each audit
record at least the following information:
a) Date and time of the event, type of event, subject identity,
and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions
of the functional components included in the PP/ST, [selection:
[assignment: other audit relevant information], "no
other information"]
- The following is added after Subclause C.2, paragraph 567:
For FAU_GEN.1.1-NIAP-0407c, the PP/ST author should select
"no additional events" if there are no additional events to be audited.
In such a case, the assignment should not be completed.
For FAU_GEN.1.2-NIAP-0407b, the PP/ST author should select "no
other information" if the only information to be recorded is that
listed in item a. In such a case, the assignment should not be completed.
- Subclause C.2, paragraphs 568 and 569 are modified as follows:
For FAU_GEN.1.1-NIAP-0407c, the PP/ST author should
assign a list of other specifically defined auditable events to be
included in the list of auditable events. These events could be auditable
events of a functional requirement that are of higher audit level
than requested in FAU_GEN.1.1b, as well as the events generated through
the use of a specified Application Programming Interface (API). This
assignment need not be completed if "no additional events" was selected.
For FAU_GEN.1.2-NIAP-0407b, the PP/ST author should assign,
for each auditable event included in the PP/ST, a list of other
audit relevant information to be included in audit event records.
This assignment need not be completed if "no additional events"
was selected.
- FAU_SAA.1 is relabeled as FAU_SAA.1-NIAP-0407. Unless otherwise noted
in these changes, all normative and informative material associated
with FAU_SAA.1 is incorporated unchanged into FAU_SAA.1-NIAP-0407, and
all references to FAU_SAA.1 in the CC, CEM, or other Common Criteria
documentation are changed to refer to FAU_SAA.1-NIAP-0407.
- Subclause 3.3, FAU_SAA.1 is modified as follows:
FAU_SAA.1.2-NIAP-0407 The TSF shall enforce the
following rules for monitoring audited events:
a) Accumulation or combination of [assignment: subset of defined
auditable events] known to indicate a potential security violation;
b) [selection: [assignment: any other rules],
"no additional rules"]
- The following is added after Subclause C.3, paragraph 576:
Selection:
For FAU_SAA.1.2-NIAP-0407b, the PP/ST author should select "no
additional rules" if there are no additional rules to be applied.
In such a case, the assignment should not be completed.
- Subclause C.3, paragraph 577, is modified as follows:
In FAU_SAA.1.2-NIAP-0407.b, the
PP/ST author should specify any other rules that the TSF should use
in its analysis of the audit trail. Those rules could include specific
requirements to express the needs for the events to occur in a certain
period of time (e.g. period of the day, duration). This assignment
need not be completed if "no additional rules" was selected.
- FAU_SEL.1 is relabeled as FAU_SEL.1-NIAP-0407. Unless otherwise noted
in these changes, all normative and informative material associated
with FAU_SEL.1 is incorporated unchanged into FAU_SEL.1-NIAP-0407, and
all references to FAU_SEL.1 in the CC, CEM, or other Common Criteria
documentation are changed to refer to FAU_SEL.1-NIAP-0407.
- Subclause 3.5, FAU_SEL.1 is modified as follows:
FAU_SEL.1.1-NIAP-0407 The TSF shall be able to include
or exclude auditable events from the set of audited events based on
the following attributes:
a) [selection: object identity, user identity, subject identity,
host identity, event type]
b) [selection: [assignment: list of additional attributes
that audit selectivity is based upon], "no additional
attributes"]
- The following is added after Subclause C.5, paragraph 624:
For FAU_SEL.1.1-NIAP-0407b, the PP/ST author should select
"no additional attributes" if there are no additional attributes upon
which audit selectivity is based. In such a case, the assignment should
not be completed.
- Subclause C.5, paragraph 625, is modified as follows:
For FAU_SEL.1.1-NIAP-0407b, the PP/ST author should
specify any additional attributes upon which audit selectivity is
based. This assignment should not be completed if "no additional
attributes" was selected.
- FAU_STG.4-NIAP-0387 is relabeled as FAU_STG.4-NIAP-0407. Unless otherwise
noted in these changes, all normative and informative material associated
with FAU_STG.4-NIAP-0387 is incorporated unchanged into FAU_STG.4-NIAP-0407,
and all references to FAU_STG.4-NIAP-0387 in the CC, CEM, or other Common
Criteria documentation are changed to refer to FAU_STG.4-NIAP-0407.
- Subclause 3.6, FAU_STG.4-NIAP-0387 is modified as follows:
FAU_STG.4.1-NIAP-0407 The TSF shall [selection: "ignore
auditable events", "prevent auditable events, except those taken by
the authorised user with special rights", "overwrite the oldest stored
audit records"] and [selection: [assignment: other actions
to be taken in case of audit storage failure], "take no
other actions"] if the audit trail is full.
- The following is added after Subclause C.6, paragraph 639:
For FAU_STG.4-NIAP-0407.1, the PP/ST author should select
"take no other actions" if there are no additional actions to be taken
when the audit trail is full. In such a case, the assignment should
not be completed.
- Subclause C.6, paragraph 640, is modified as follows:
In FAU_STG.4.1-03870407, the PP/ST
author should specify other actions that should be taken in case of
audit storage failure, such as informing the authorised user. This
assignment should not be completed if "take no other actions" was
selected.
- FAU_STG.NIAP-0387-1 is relabeled as FAU_STG.NIAP-0407-1. Unless otherwise
noted in these changes, all normative and informative material associated
with FAU_STG.NIAP-0387-1 is incorporated unchanged into FAU_STG.NIAP-0407-1,
and all references to FAU_STG.NIAP-0387-1 in the CC, CEM, or other Common
Criteria documentation are changed to refer to FAU_STG.NIAP-0407-1.
- Subclause 3.6, FAU_STG.NIAP-0387-1 is modified as follows:
FAU_STG.NIAP-0387-1.1-NIAP-0407. The TSF shall provide
an authorised administrator with the capability to select one or more
of the following actions [selection: "ignore auditable events",
"prevent auditable events, except those taken by the authorised user
with special rights", "overwrite the oldest stored audit records"]
and [selection: [assignment: other actions to be taken in
case of audit storage failure], "no additional options"]
to be taken if the audit trail is full.
FAU_STG.NIAP-0387-1.2-NIAP-0407 The TSF shall [selection: "ignore
auditable events", "prevent auditable events, except those taken
by the authorised user with special rights", "overwrite the oldest
stored audit records"] and [selection: [assignment: other
actions to be taken in case of audit storage failure], "take
no other actions"] if the audit trail is full.
- The following is added in Subclause C.6, in the annex text for FAU_STG.NIAP-0387-1,
in the "Operations" section, in the "Selection:" subsection, after the
first paragraph:
For FAU_STG.NIAP-0387-1.1-NIAP-0407, the PP/ST author should
select "no additional options" if there are no additional options
to be provided to an authorised user. In such a case, the assignment
should not be completed.
- The following is added in Subclause C.6, in the annex text for FAU_STG.NIAP-0387-1,
in the "Operations" section, in the "Selection:" subsection, after the
last paragraph:
For FAU_STG.NIAP-0387-1.2-NIAP-0407, the PP/ST author should
select "take no other actions" if there are no additional actions
to be taken when the audit trail is full. In such a case, the assignment
should not be completed.
- In Subclause C.6, in the annex text for FAU_STG.NIAP-0387-1, in the
"Operations" section, the "Assignment" text is modified as follows:
In FAU_STG.NIAP-0387-1.1-NIAP-0407, the PP/ST author
should specify other actions that should be taken in case of audit
storage failure, such as informing an authorized user. This assignment
should not be completed if "no additional options" was selected.
In FAU_STG.NIAP-0387-1.2-NIAP-0407, the PP/ST author should
specify other actions that should be taken in case of audit storage
failure when no action has been selected, such as informing the
authorized user. This assignment should not be completed if "take
no other actions" was selected.
- FDP_ACF.1-NIAP-0416 is relabeled as FDP_ACF.1-NIAP-0407. Unless otherwise
noted in these changes, all normative and informative material associated
with FDP_ACF.1-NIAP-0416 is incorporated unchanged into FDP_ACF.1-NIAP-0407,
and all references to FDP_ACF.1-NIAP-0416 in the CC, CEM, or other Common
Criteria documentation are changed to refer to FDP_ACF.1-NIAP-0407.
- Subclause 6.2, FDP_ACF.1-NIAP-0416 is modified as follows:
FDP_ACF.1.3-NIAP-0407 The TSF shall explicitly authorise
access of subjects to objects based on the following additional rules:
[selection: [assignment: rules, based on security attributes,
that explicitly authorise access of subjects to objects], "no
additional rules"]
FDP_ACF.1.4-NIAP-0407 The TSF shall explicitly deny access
of subjects to objects based on the following rules: [selection:
[assignment: rules, based on security attributes, that explicitly
deny access of subjects to objects], "no additional explicit
denial rules"]
- In Subclause F.2, the following is added after the "Operations" subheader
after paragraph 761:
Selection:
For FDP_ACF.1.3-NIAP-0407, the PP/ST author should select "no additional
rules" if there are no additional rules used to explicitly authorise
access. In such a case, the assignment should not be completed.
For FDP_ACF.1.4-NIAP-0407, the PP/ST author should select "no additional
explicit denial rules" if there are no additional rules used to
explicitly deny access. In such a case, the assignment should
not be completed.
- Subclause F.2, paragraphs 765 and 766 are modified as follows:
In FDP_ACF.1.3-NIAP-0407, the PP/ST author should
specify the rules, based on security attributes, that explicitly authorise
access of subjects to objects that will be used to explicitly authorise
access. These rules are in addition to those specified in FDP_ACF.1.1.
They are included in FDP_ACF.1.3 as they are intended to contain exceptions
to the rules in FDP_ACF.1.1. An example of rules to explicitly authorise
access is based on a privilege vector associated with a subject that
always grants access to objects covered by the access control SFP
that has been specified. If such a capability is not desired, then
the PP/ST author should select specify "none"
"no additional rules" instead.
In FDP_ACF.1.4-NIAP-0407, the PP/ST author should specify
the rules, based on security attributes, that explicitly deny access
of subjects to objects. These rules are in addition to those specified
in FDP_ACF.1.1. They are included in FDP_ACF.1.4 as they are intended
to contain exceptions to the rules in FDP_ACF.1.1. An example of
rules to explicitly deny access is based on a privilege vector associated
with a subject that always denies access to objects covered by the
access control SFP that has been specified. If such a capability
is not desired, then the PP/ST author should select specify
"none" "no additional explicit denial rules" instead.
- FDP_ETC.2 is relabeled as FDP_ETC.2-NIAP-0407. Unless otherwise noted
in these changes, all normative and informative material associated
with FDP_ETC.2 is incorporated unchanged into FDP_ETC.2-NIAP-0407, and
all references to FDP_ETC.2 in the CC, CEM, or other Common Criteria
documentation are changed to refer to FDP_ETC.2-NIAP-0407.
- Subclause 6.4, FDP_ETC.2 is modified as follows:
FDP_ETC.2.4-NIAP-0407 The TSF shall enforce the
following rules when user data is exported from the TSC: [selection:
[assignment: additional exportation control rules], "no
additional rules"]
- In subclause F.4, the following is added after the "Operations" subheader
after paragraph 783:
Selection:
For FDP_ETC.2.4-NIAP-0407, the PP/ST author should select "no additional
rules" if there are no additional exportation control rules. In
such a case, the assignment should not be completed.
- Subclause F.4, paragraph 784, is modified as follows:
In FDP_ETC.2.4-NIAP-0407, the PP/ST author should
specify any additional exportation control rules or "none"
if there are no additional exportation control rules. These
rules will be enforced by the TSF in addition to the access control
SFPs and/or information flow control SFPs selected in FDP_ETC.2.1.
This assignment should not be completed if "no additional rules"
was selected.
- FDP_IFF.1-NIAP-0417 is relabeled as FDP_IFF.1-NIAP-0407. Unless otherwise
noted in these changes, all normative and informative material associated
with FDP_IFF.1-NIAP-0417 is incorporated unchanged into FDP_IFF.1-NIAP-0407,
and all references to FDP_IFF.1-NIAP-0417 in the CC, CEM, or other Common
Criteria documentation are changed to refer to FDP_IFF.1-NIAP-0407.
- Subclause 6.6, FDP_IFF.1 is modified as follows:
FDP_IFF.1.3-NIAP-0407 The TSF shall enforce the
following information flow control rules: [selection: [assignment:
additional information flow control SFP rules], "no additional
information flow control SFP rules"]
FDP_IFF.1.4-NIAP-0407 The TSF shall provide the following
[selection: [assignment: list of additional SFP capabilities],
"no additional SFP capabilities"]
FDP_IFF.1.5-NIAP-0407 The TSF shall explicitly authorise
an information flow based on the following rules: [selection:
[assignment: rules, based on security attributes, that explicitly
authorise information flows], "no explicit authorisation
rules"]
FDP_IFF.1.6-NIAP-0407 The TSF shall explicitly deny an information
flow based on the following rules: [selection: [assignment:
rules, based on security attributes, that explicitly deny information
flows], "no explicit denial rules"]
- In subclause F.6, the following is added after the "Operations" subheader
after paragraph 808:
Selection:
For FDP_IFF.1.3-NIAP-0407, the PP/ST author should select "no additional
information flow control SFP rules" if there are no additional rules.
In such a case, the assignment should not be completed.
For FDP_IFF.1.4-NIAP-0407, the PP/ST author should select "no additional
SFP capabilities" if there are no additional capabilities to be
provided by the TOE for the SFP. In such a case, the assignment
should not be completed.
For FDP_IFF.1.5-NIAP-0407, the PP/ST author should select "no explicit
authorisation rules" if there are no additional rules that govern
authorisation. In such a case, the assignment should not be completed.
For FDP_IFF.1.6-NIAP-0407, the PP/ST author should select "no explicit
denial rules" if there are no additional rules that govern denial.
In such a case, the assignment should not be completed.
- Subclause F.6, paragraphs 812 through 815 are modified as follows:
In FDP_IFF.1.3-NIAP-0407 the PP/ST author should
specify any additional information flow control SFP rules that the
TSF is to enforce. If there are no additional rules then the PP/ST
author should specify "none" select "no additional
information flow control SFP rules" instead, in which case this assignment
should not be completed.
In FDP_IFF.1.4-NIAP-0407 the PP/ST author should specify
any additional SFP capabilities that the TSF is to provide. If there
are no additional capabilities then the PP/ST author should specify
"none" select "no additional SFP capabilities" instead,
in which case this assignment should not be completed.
In FDP_IFF.1.5-NIAP-0407, the PP/ST author should specify
the rules, based on security attributes, that explicitly authorise
information flows. These rules are in addition to those specified
in the preceding elements. They are included in FDP_IFF.1.5 as they
are intended to contain exceptions to the rules in the preceding
elements. An example of rules to explicitly authorise information
flows is based on a privilege vector associated with a subject that
always grants the subject the ability to cause an information flow
for information that is covered by the SFP that has been specified.
If such a capability is not desired, then the PP/ST author should
specify "none" select "no explicit authorisation
rules" instead, in which case this assignment should not be completed.
In FDP_IFF.1.6-NIAP-0407, the PP/ST author should specify
the rules, based on security attributes, that explicitly deny information
flows. These rules are in addition to those specified in the preceding
elements. They are included in FDP_IFF.1.6 as they are intended
to contain exceptions to the rules in the preceding elements. An
example of rules to explicitly authorise information flows is based
on a privilege vector associated with a subject that always denies
the subject the ability to cause an information flow for information
that is covered by the SFP that has been specified. If such a capability
is not desired, then the PP/ST author should specify "none"
select "no explicit denial rules" instead, in which case this
assignment should not be completed.
- FDP_IFF.2-NIAP-0417 is relabeled as FDP_IFF.2-NIAP-0407. Unless otherwise
noted in these changes, all normative and informative material associated
with FDP_IFF.2-NIAP-0417 is incorporated unchanged into FDP_IFF.2-NIAP-0407,
and all references to FDP_IFF.2-NIAP-0417 in the CC, CEM, or other Common
Criteria documentation are changed to refer to FDP_IFF.2-NIAP-0407.
- Subclause 6.6, FDP_IFF.2 is modified as follows:
FDP_IFF.2.3-NIAP-0407 The TSF shall enforce the
following information flow control rules: [selection: [assignment:
additional information flow control SFP rules], "no additional
information flow control SFP rules"]
FDP_IFF.2.4-NIAP-0407 The TSF shall provide the following
[selection: [assignment: list of additional SFP capabilities],
"no additional SFP capabilities"]
FDP_IFF.2.5-NIAP-0407 The TSF shall explicitly authorise
an information flow based on the following rules: [selection:
[assignment: rules, based on security attributes, that explicitly
authorise information flows], "no explicit authorisation
rules"]
FDP_IFF.2.6-NIAP-0407 The TSF shall explicitly deny an information
flow based on the following rules: [selection: [assignment:
rules, based on security attributes, that explicitly deny information
flows], "no explicit denial rules"]
- In subclause F.6, the following is added after the "Operations" subheader
after paragraph 822:
Selection:
For FDP_IFF.2.3-NIAP-0407, the PP/ST author should select "no additional
information flow control SFP rules" if there are no additional rules.
In such a case, the assignment should not be completed.
For FDP_IFF.2.4-NIAP-0407, the PP/ST author should select "no additional
SFP capabilities" if there are no additional capabilities to be
provided by the TOE for the SFP. In such a case, the assignment
should not be completed.
For FDP_IFF.2.5-NIAP-0407, the PP/ST author should select "no explicit
authorisation rules" if there are no additional rules that govern
authorisation. In such a case, the assignment should not be completed.
For FDP_IFF.2.6-NIAP-0407, the PP/ST author should select "no explicit
denial rules" if there are no additional rules that govern denial.
In such a case, the assignment should not be completed.
- Subclause F.6, paragraphs 824 through 827 are modified as follows:
In FDP_IFF.2.3-NIAP-0407 the PP/ST author should
specify any additional information flow control SFP rules that the
TSF is to enforce. If there are no additional rules then the PP/ST
author should specify "none" select "no additional
information flow control SFP rules" instead, in which case this assignment
should not be completed.
In FDP_IFF.2.4-NIAP-0407 the PP/ST author should specify
any additional SFP capabilities that the TSF is to provide. If there
are no additional capabilities then the PP/ST author should specify
"none" select "no additional SFP capabilities" instead,
in which case this assignment should not be completed.
In FDP_IFF.2.5-NIAP-0407, the PP/ST author should specify
the rules, based on security attributes, that explicitly authorise
information flows. These rules are in addition to those specified
in the preceding elements. They are included in FDP_IFF.2.5 as they
are intended to contain exceptions to the rules in the preceding
elements. An example of rules to explicitly authorise information
flows is based on a privilege vector associated with a subject that
always grants the subject the ability to cause an information flow
for information that is covered by the SFP that has been specified.
If such a capability is not desired, then the PP/ST author should
specify "none" select "no explicit authorisation
rules" instead, in which case this assignment should not be completed.
In FDP_IFF.2.6-NIAP-0407, the PP/ST author should specify
the rules, based on security attributes, that explicitly deny information
flows. These rules are in addition to those specified in the preceding
elements. They are included in FDP_IFF.2.6 as they are intended
to contain exceptions to the rules in the preceding elements. An
example of rules to explicitly authorise information flows is based
on a privilege vector associated with a subject that always denies
the subject the ability to cause an information flow for information
that is covered by the SFP that has been specified. If such a capability
is not desired, then the PP/ST author should specify "none"
select "no explicit denial rules" instead, in which case this
assignment should not be completed.
- FDP_ITC.1 is relabeled as FDP_ITC.1-NIAP-0407. Unless otherwise noted
in these changes, all normative and informative material associated
with FDP_ITC.1 is incorporated unchanged into FDP_ITC.1-NIAP-0407, and
all references to FDP_ITC.1 in the CC, CEM, or other Common Criteria
documentation are changed to refer to FDP_ITC.1-NIAP-0407.
- Subclause 6.7, FDP_ITC.1 is modified as follows:
FDP_ITC.1.3-NIAP-0407 The TSF shall enforce the
following rules when importing user data controlled under the SFP
from outside the TSC: [selection: [assignment: additional
importation control rules], "no additional rules"]
- In subclause F.7, the following is added after the "Operations" subheader
after paragraph 855:
Selection:
For FDP_ITC.1.3-NIAP-0407, the PP/ST author should select "no additional
rules" if there are no additional importation control rules. In
such a case, the assignment should not be completed.
- Subclause F.7, paragraph 857, is modified as follows:
In FDP_ITC.1.3-NIAP-0407, the PP/ST author should
specify any additional importation control rules or "none"
select "no additional rules" if there are no additional importation
control rules. These rules will be enforced by the TSF in addition
to the access control SFPs and/or information flow control SFPs selected
in FDP_ITC.1.1. This assignment should not be completed if "no
additional rules" was selected.
- FDP_ITC.2 is relabeled as FDP_ITC.2-NIAP-0407. Unless otherwise noted
in these changes, all normative and informative material associated
with FDP_ITC.2 is incorporated unchanged into FDP_ITC.2-NIAP-0407, and
all references to FDP_ITC.2 in the CC, CEM, or other Common Criteria
documentation are changed to refer to FDP_ITC.2-NIAP-0407.
- Subclause 6.7, FDP_ITC.2 is modified as follows:
FDP_ITC.2.5-NIAP-0407 The TSF shall enforce the
following rules when importing user data controlled under the SFP
from outside the TSC: [selection: [assignment: additional
importation control rules], "no additional importation rules"]
- In subclause F.7, the following is added after the "Operations" subheader
after paragraph 858:
Selection:
For FDP_ITC.2.5-NIAP-0407, the PP/ST author should select "no additional
importation rules" if there are no additional importation rules.
In such a case, the assignment should not be completed.
- Subclause F.7, paragraph 860, is modified as follows:
In FDP_ITC.2.5-NIAP-0407, the PP/ST author should
specify any additional importation control rules or "none"
select "no additional importation rules" if there are no additional
importation rules. These rules will be enforced by the TSF in addition
to the access control SFPs and/or information flow control SFPs selected
in FDP_ITC.2.1. This assignment should not be completed if "no
additional rules" was selected.
|