TD0749: Update to FHA_CHA_EXT.1
The FHA_CHA_EXT.1 SFR wording in the PP-Module for Host Agent Version 1.0 creates implementation decision for the TOE developer which is not typical for the technology type nor the precedence for the handling of collected data while a component is offline. The TOE does not store the data on a time basis but instead uses a maximum file size basis. Therefore, technically the TOE's ability to store data has no limit based upon time. However, the TOE could not meet the test case under non-normal standards; for example, a lot of activity on the protected system and the configuration of a small file size. This does not invalidate the SFR though as the SFR states "Absent storage space exhaustion" and this technically would be storage space exhaustion that occurs prior to the 72 hours occurring.
Sized based implementations are common for caching data and have been normal For TSFs in many other Protection Profiles for different types of data (audit, MDM collected data). Additionally, a sized based approach will normally result in more data being stored during a connection outage versus a time-based approach particularly when 72 hours is the allowed lowest limit. Thus, the current SFR wording and assurance activities are limiting a better implementation method.
FHA_CHA_EXT.1 in MOD_HA_V1.0 is modified as follows, with highlighted strikethroughs denoting deletion and highlighted underlines denoting additions:
FHA_CHA_EXT.1 Cache Host Agent Collected Data
FHA_CHA_EXT.1.1 Absent storage space exhaustion tThe Host Agent shall cache and manage collected data
up to [assignment: size of cache storage capacity] for a minimum of [assignment: value greater than 72] hours on [selection: persistent storage,
non-persistent storage] if the trusted channel is not available.
Application Note: The term collected data here is understood to be any type of collected
endpoint data by the Host Agent destined for an ESM server. The ST author specifies the size
of the cache storage and whether it is implemented in persistent or non-persistent storage.
The term manage here is
understood to be a ruleset for what is done if storage limits are reached. To meet this
requirement a Host Agent must be capable of locally caching or queuing data for a minimum
value that is greater than 72 hours (3 days) during periods of network dis-connectivity. In a
future revision, the selection of non-persistent storage will be removed.
FHA_CHA_EXT.1.2 The Host Agent shall [selection: overwrite previous data according to the following rule: [assignment: rule for overwriting previously cached data], [assignment: other actions]] when the local cache is full.
Application Note: This requirement addresses how the Host Agent handles collected data while the trusted path is not available and the local cache is full.
The test Evaluation Activity for FHA_CHA_EXT.1 in Section 4.1 of the MOD_HA_V1.0 SD is modified as follows, with highlighted strikethroughs denoting deletion and highlighted underlines denoting additions:
The evaluator shall test the Host Agent's ability to cache data by disconnecting the endpoint from the network for a period of 72
hours to simulate a network connectivity failure, these should be actual hours not via changing system time. The evaluator shall
exercise behaviors on the endpoint during the 72-hour time frame outage to generate Host Agent data. Example behaviors could be
running programs, performing some authentications, installing/uninstalling software, or sample test cases provided by the
vendor to generate Host Agent data. The evaluator will then reconnect the endpoint to the network and verify on the ESM
system that the missing data from the 72 hour time frame outage is available on the ESM management portal.
See issue description.