TD0066: Clarification of FAU_STG_EXT.1 Requirement in ESM PPs
PP_ESM_AC_V2.1, PP_ESM_ICM_V2.1, PP_ESM_PM_V2.1
The Assurance Activity for the FAU_STG_EXT.1 External Audit Trail Storage requirement specified a test for log reconciliation that did not align with the requirements outlined in the Security Functional Requirement.
In general, reconciliation of the audit log is preferred. It helps prevent an attacker from circumventing the auditing of audit stop/start by pulling the plug, doing malicious things, and then reconnecting, which would essentially render FAU_GEN inoperable. However, there is a precedent that such reconciliation is not mandatory.
If the ST claims that the TOE does audit reconciliation, then the test cited in the assurance activity in FAU_STG.1 must be run.
If the TOE cannot perform audit reconciliation, then the TSS and the Guidance must explicitly state that there may be a gap in the audit server audit record if the connection between the audit server and ESM product is broken. The TSS must provide a characterization of that loss; further, the Guidance must provide instructions to the administrator on how to configure the ESM product to minimize the loss (e.g., increase local buffer size, inform the administrator of the loss of the connection, etc.). Lastly, the described loss minimization mechanisms must be tested to ensure that they behave as documented.
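The two cases above can be seen side by side in the following added example, which is not part of the Technical Decision or of any ESM Protection Profile. It models an ESM product forwarding audit records to an external audit server through a bounded local buffer; the class names, the sequence-number scheme and the sample events are assumptions made for illustration.

```python
from collections import deque

class AuditServer:
    """Constructed stand-in for the external audit server."""
    def __init__(self):
        self.records = []              # (seq, event) in arrival order

    def receive(self, seq, event):
        self.records.append((seq, event))

    def missing(self):
        """Sequence numbers never delivered: the gap the TSS must characterize."""
        seen = {seq for seq, _ in self.records}
        return [s for s in range(1, max(seen, default=0) + 1) if s not in seen]

class EsmAuditClient:
    """Hypothetical ESM-side forwarder with a bounded local buffer."""
    def __init__(self, server, buffer_size):
        self.server = server
        self.buffer = deque(maxlen=buffer_size)
        self.connected = True
        self.seq = 0                   # per-record sequence number (assumption)
        self.dropped = 0

    def audit(self, event):
        self.seq += 1
        if self.connected:
            self.server.receive(self.seq, event)
            return
        if len(self.buffer) == self.buffer.maxlen:
            self.dropped += 1          # buffer full: the oldest record is lost
        self.buffer.append((self.seq, event))

    def reconnect(self):
        """Reconcile: replay buffered records, then report any loss."""
        self.connected = True
        while self.buffer:
            self.server.receive(*self.buffer.popleft())
        lost, self.dropped = self.dropped, 0
        self.audit(f"audit server connection restored; {lost} record(s) lost")
        return lost

def run(buffer_size, offline_events=5):
    """Lose the connection, generate events, reconnect; return (lost, gap)."""
    server = AuditServer()
    client = EsmAuditClient(server, buffer_size)
    client.audit("admin login")        # constructed sample event
    client.connected = False           # connection to the audit server breaks
    for i in range(offline_events):
        client.audit(f"policy change {i}")
    return client.reconnect(), server.missing()
```

With a buffer at least as large as the number of events generated while disconnected, `run` returns no gap (full reconciliation); with a smaller buffer it returns the count and sequence numbers of the lost records, which is the loss the TSS has to characterize and the Guidance has to help the administrator minimize.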
Clarification of requirements