NIAP: View Technical Decision Details
NIAP/CCEVS
TD0629:  Audit Events for Startup and Shutdown

Publication Date
2022.03.11

Protection Profiles
PP_MDM_V4.0

Other References
FAU_GEN.1.1(1)

Issue Description

The MDM PP requires an audit event for the shut down of the MDM system. For MDMs that are not designed to have a distinct start-up or shut-down phase, there is no situation in which a start-up or shut-down event would occur.

Resolution

FAU_GEN.1.1(1) in the Protection Profile for Mobile Device Management v4.0 is modified as follows. The strikethroughs and underlines of the original are shown here in word-diff notation, with [-...-] denoting deletion and {+...+} denoting additions:

FAU_GEN.1(1) Refinement: The TSF shall [selection: invoke platform-provided functionality, implement functionality] to generate an audit record of the following auditable events:

[-a. Start up and shut down of the MDM System-]

{+a+}[-b-]. All administrative actions

{+b+}[-c-]. [selection: Commands issued to the MDM Agent, none]

{+c+}[-d-]. Specifically defined auditable events listed in Table 2

{+d+}[-e-]. [selection: {+start up and shut down of the MDM system,+} [assignment: other events], no other events].

Application Note: This requirement outlines the events for which an audit record must be generated by either the MDM System or the MDM Server platform. Each of these audit records may be written by the MDM System or may be dispatched to the operating system on which it runs. It is acceptable to select both "invoke platform-provided functionality" and "implement functionality." It should be specified which auditable events are completed by the MDM System and which are completed by the MDM platform.

The ST author can include other auditable events in the assignment; they are not limited to the list presented. All audits must contain at least the information mentioned in FAU_GEN.1.2(1), but may contain more information which can be assigned.

For distributed TOEs each component must generate an audit record for each of the SFRs that it implements. If more than one TOE component is involved when an audit event is triggered, the event has to be audited on each component (e.g. rejection of a connection by one component while attempting to establish a secure communication channel between two components should result in an audit event being generated by both components). This is not limited to error cases but also includes events about successful actions like successful build up/tear down of a secure communication channel between TOE components.

[-Item a above requires the auditing of the start-up and shutdown of the given component of the MDM System. If the TOE is distributed, this applies to all components. If the TOE is not distributed then MDM System is equivalent to MDM Server.-]

Item {+a+}[-b-] above requires all administrative actions to be auditable. Administrative actions refer to any management functions specified by FMT_MOF.1(1). Thus no additional specification for the auditability of these actions is specified in Table 2 aside from those that require additional record content. If the TOE is distributed and the given component does not deal with setting the policy applied to the MDM Agent, it is acceptable to not have any administrative actions to audit.

Item {+b+}[-c-] includes those commands, which may be performed automatically based on triggers or on a schedule. If the TOE component, if distributed, interacts directly with the MDM Agent, then "Commands issued to an MDM Agent" must be selected. If the TOE component, if distributed, does not interact directly with the MDM Agent, then it is acceptable to select "none".

Depending on the specific requirements selected by the ST author from Security Functional Requirements, Optional Requirements, Selection-Based Requirements, and Objective Requirements, the ST author should include the appropriate auditable event from Table 2 in the ST for the requirements selected.

{+In item d above, "start up and shut down of the MDM system" must be selected if the TSF has a start-up and shut-down phase. Additionally, if the TOE is distributed, this applies to all components. If the TOE is not distributed then MDM System is equivalent to MDM Server. If the TSF does not have a distinct start-up or shut-down phase (e.g., a cloud service), this selection is not required.+}

Justification

See issue description.
