NIAP: View Technical Decision Details
NIAP/CCEVS
TD0744:  Corrections to Test Issues with FAU_COL_EXT.1.1

Publication Date
2023.06.14

Protection Profiles
MOD_EDR_V1.0

Other References
FAU_COL_EXT.1.1, MOD_EDR_V1.0-SD

Issue Description

Test 4 uses the word "document", whereas the SFR wording uses "file". The test should use the same term as the requirement.

The conditions for Test 5 do not match the conditions implied by the SFR wording. Test 5 is written to cover the assignments in bullets e and f of the SFR, but those assignments are not necessarily populated: the application note states, "The assignments may be empty, a single item, or multiple items." The test therefore has to be conditional on what the ST actually claims.

Resolution

FAU_COL_EXT.1.1 in the MOD_EDR_V1.0 PP-Module is modified to read as follows:

FAU_COL_EXT.1.1 The EDR shall collect the following minimum set of endpoint data from a Host Agent:

a. Operating System (OS) version, architecture, and IP Address,

b. Privileged and unprivileged endpoint account login activity,

c. Process creation,

d. Libraries and modules loaded by processes,

e. Filenames and [selection: [assignment: other metadata], no other metadata] of files created and [selection: [assignment: other activities performed to files], no other activities] on persistent storage,

f. [selection: [assignment: Other host data], no other host data].

Application Note: The intent of this requirement is to specify the minimum set of endpoint data that the EDR must be capable of collecting. The assignments may be empty, a single item, or multiple items.

Tests 4 and 5 for FAU_COL_EXT.1 in Section 2.2.1 of the MOD_EDR_V1.0 SD are modified to read as follows:

Test 4a: The evaluator shall create a new non-empty file within persistent storage and verify that the activity is accurately reported to the EDR based on filename and any other metadata indicated in bullet e.

Test 4b [conditional]: If other activities performed on files are indicated in bullet e, the evaluator shall perform them on a non-empty file within persistent storage and verify that each activity is accurately reported to the EDR based on filename and any other metadata indicated in bullet e.

Test 5 [conditional]: If other host data is indicated in the assignment in bullet f, the evaluator shall perform an action that causes an event to occur for each item in the assignment and verify that the activity is reported to the EDR.
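The following is an added example, not NIAP or MOD_EDR tooling, showing what "accurately reported to the EDR based on filename and any other metadata indicated in bullet e" and the conditional structure of Tests 4b and 5 mean in checkable terms. It creates the non-empty probe file itself; the EDR event format (dicts carrying an action, a filename and metadata keys) and the sample events are constructed assumptions, and a real evaluation would substitute events exported from the EDR under test.

```python
# Added example (not NIAP or MOD_EDR tooling). The event record layout and the
# constructed events below are assumptions standing in for a real EDR export.
import hashlib
import os
import tempfile


def create_nonempty_file(directory, name="td0744_probe.txt", content=b"TD0744 probe content\n"):
    """Test 4a step: create a non-empty file on persistent storage and record the
    ground truth an EDR event has to agree with (filename plus candidate metadata)."""
    path = os.path.join(directory, name)
    with open(path, "wb") as fh:
        fh.write(content)
    return {
        "filename": name,
        "path": path,
        "size": os.stat(path).st_size,
        "sha256": hashlib.sha256(content).hexdigest(),
    }


def find_reported_event(events, expected, action, claimed_metadata=()):
    """Return the first event reporting `action` on the expected file. The event
    must match on filename and on every field named in claimed_metadata (the ST's
    bullet e assignment); an empty assignment means filename alone is required."""
    for ev in events:
        if ev.get("action") != action or ev.get("filename") != expected["filename"]:
            continue
        if all(key in ev and ev[key] == expected[key] for key in claimed_metadata):
            return ev
    return None


def evaluate_fau_col(events, expected, claimed_metadata=(), other_activities=(), other_host_data=()):
    """Apply Tests 4a, 4b and 5. The conditional tests appear in the result only
    when the corresponding assignment is non-empty, mirroring the TD's conditions."""
    results = {"4a": find_reported_event(events, expected, "create", claimed_metadata) is not None}
    if other_activities:
        results["4b"] = all(
            find_reported_event(events, expected, act, claimed_metadata) is not None
            for act in other_activities
        )
    if other_host_data:
        # Test 5: every item claimed in bullet f must have produced at least one event.
        results["5"] = all(any(ev.get("type") == item for ev in events) for item in other_host_data)
    return results


def constructed_events(expected):
    """Constructed stand-in for the EDR's event export (not real EDR output)."""
    return [
        {"action": "create", "filename": expected["filename"], "size": expected["size"], "sha256": expected["sha256"]},
        {"action": "rename", "filename": expected["filename"], "size": expected["size"], "sha256": expected["sha256"]},
        {"action": "create", "filename": "unrelated.log", "size": 3},
        {"type": "usb_device_attached", "device": "constructed"},
    ]


def run_demo():
    """Create a probe file in a temp dir and evaluate the constructed events for an
    ST that claims size and sha256 metadata, a rename activity, and one item of
    other host data. Returns {"4a": True, "4b": True, "5": True}."""
    workdir = tempfile.mkdtemp(prefix="td0744_")
    expected = create_nonempty_file(workdir)
    events = constructed_events(expected)
    return evaluate_fau_col(
        events, expected,
        claimed_metadata=("size", "sha256"),
        other_activities=("rename",),
        other_host_data=("usb_device_attached",),
    )


if __name__ == "__main__":
    print(run_demo())
```

Calling `evaluate_fau_col` with empty assignments returns only the 4a verdict, which is the point of the TD: Tests 4b and 5 exist only when the ST fills in the corresponding assignment, and a metadata field the ST does claim has to be reported with the correct value, not merely be present.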

Justification

See issue description.
