TD0778: Clarification of FMT_SMF.1/HOST SFR
The FMT_SMF.1.1/HOST SFR in the PP Module for Endpoint Detection and Response Version 1.0 requires that sending Host Data from the Agent to the Server be based upon a configured timeframe. This is inconsistent with the equivalent SFR from the Host Agent module, which allows broader functionality by permitting the data to be sent based upon a configured frequency.
Additionally, some management of EDR products is performed through a product's configuration files stored at the OS level. These configuration changes could only be managed by the root administrator of the OS, who would be the administrator of the TOE that installed the software. The SFR is unclear about whether the root OS user is permitted to be the administrator of the EDR. If this is permitted, it is also not clear in Test 3 what this means for a non-root user (i.e. the SOC Analyst and a Read-Only User) who would not have access to the configuration file.
FMT_SMF.1/HOST in MOD_EDR_V1.0 is modified as follows, with green highlighted and underlined text indicating additions and red highlighted text with strikethrough indicating deletions:
Refinement: The EDR shall be capable of performing the following functions that control behavior of the Host Agent:
Application Note: This requirement captures all the configuration functionality the EDR provides the administrator to configure the EDR Host Agents. The frequency for sending data to the EDR can be specified as a time value, but does not have to be. A value like Aggressive, Normal, Low Bandwidth is a measure of control of frequency and meets the requirement. For EDR products, some management is performed through a product’s configuration files stored at the OS level. In these cases, the OS Administrator can be considered the Administrator of the TOE.
Chart legend: M = Mandatory, O = Optional, - = N/A
Test 3 of FMT_SMF.1/HOST in MOD_EDR_V1.0-SD is modified as follows, with green highlighted and underlined text indicating additions:
The Application Note of FAU_GEN.1.1/EDR in MOD_EDR_V1.0 is modified as follows, with green highlighted and underlined text indicating additions:
Application Note: The intent of this requirement is to specify the minimum set of audit records generated about actions on the EDR. Changes made to configuration files at the OS level will be audited by the OS and are not covered by this requirement.
See issue description.