Re: I-0347: Including Sensitive Information In Audit Records
- Subject: Re: I-0347: Including Sensitive Information In Audit Records
- From: "NIAP Interpretations Board" <ccevs-nib@nist.gov>
- Date: Wed, 10 Jul 2002 11:44:32 -0700
- Reply-to: cc-cmt@nist.gov
[NOTE: This proposal is being re-posted after being updated to reflect
comments the IWG received on its previous posting, or comments arising
from further IWG discussion of the proposal.]
This transaction consists of a proposal for a NIAP Interpretation of a
Common Criteria document. It is being posted in accordance with the
procedures of the IWG.
Comments on this proposal are welcomed and should be posted to this
transaction chain. If any party wishes to post a comment anonymously,
the comment should be mailed to ccevs-cmt@nist.gov in a form suitable
for posting. All comments should be posted no later than Monday, August
5, 2002.
CCITSE/CEM NIAP INTERPRETATION (PROPOSED)
_________________________________________________________________
I-0347: Including Sensitive Information In Audit Records
_________________________________________________________________
TYPE: NIAP Interpretation
NUMBER: I-0347
STATUS: Reposted for External Review
TITLE: Including Sensitive Information In Audit Records
PREVIOUS POSTING: _No posting_
COMMENTS DUE BY: Monday, August 5, 2002 to ccevs-cmt@nist.gov
SOURCE REFERENCE: CC v2.1 Part 2 Subclause 7.5 FIA_UID
CC v2.1 Part 2 Subclause G.5 FIA_UID
RELATED TO:
I-0006 Audit Of User-Id For Invalid Login
I-0187 Auditing User ID On Failed Login Attempts (C1-CI-01-84)
ISSUE:
In the FIA_UID family, the CC specifically calls for the inclusion of
the user identity in the audit record, even though it is possible that
a user, confused by the I&A protocol, provides a password when the
user identity is requested. There may be other instances in the CC
where the audit requirement either explicitly or implicitly requires
data to be logged that might be sensitive. Yet, the example given in
CC Part 2, Annex C, paragraph 558, under FAU_GEN, suggests that the
CC's intention was to allow the PP/ST author to exclude sensitive data
from the required data to be logged. However, this paragraph is in a
non-normative portion of the CC. Please clarify.
STATEMENT:
The CC should allow PP/ST authors to selectively exempt specific
sensitive attribute data from being placed into audit records while
still being able to claim compliance with one of the three levels of
selecting security-relevant audit events (minimum, basic, detailed).
SPECIFIC INTERPRETATION:
To address this interpretation, the following changes are made to CC
v2.1, Part 2: (additions marked _thusly_; deletions marked _[DEL:_
thusly _:DEL]_ ):
* FAU_GEN.1-NIAP-0460 is relabeled as FAU_GEN.1-NIAP-0347. Unless
otherwise noted in these changes, all normative and informative
material associated with FAU_GEN.1-NIAP-0460 is incorporated
unchanged into FAU_GEN.1-NIAP-0347, and all references to
FAU_GEN.1-NIAP-0460 in the CC, CEM, or other Common Criteria
documentation are changed to refer to FAU_GEN.1-NIAP-0347.
* Subclause 3.2, FAU_GEN.1, is changed as follows:
FAU_GEN.1.2-NIAP_[DEL:_ -0410 _:DEL]_ _-0347_ The TSF shall record
within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity (if
applicable), and the outcome (success or failure) of the event;
and
b) For each audit event _[DEL:_ time _:DEL]_ _type_, based on the
auditable event definitions of the functional components included
in the PP/ST, [selection: [assignment: other audit relevant
information_, excluding sensitive fields_], "no other
information"]
* The following paragraph is added in Subclause C.2, after paragraph
561:
_A PP/ST author may also decide that certain information called
out in the audit section for a functional component may be
sensitive information, due to the design of the system or usage
patterns. The PP/ST author should provide justification for any
information called out for auditing in the component that has been
removed for sensitivity reasons._
* The following changes are made to Subclause C.2, paragraph 569:
For FAU_GEN-NIAP_[DEL:_ -0460 _:DEL]_ _-0347_.1.1b, the PP/ST
author should assign, for each auditable event_[DEL:_ s _:DEL]_
included in the PP/ST, a list of other audit relevant information
to be included in audit event records. _Sensitive information may
be excluded with a convincing justification_.
SUPPORT:
_This interpretation modifies the CC as changed by I-0460._
In the FCS_CKM family, the audit events specifically exclude secret or
private keys from the attributes to be logged; in some other cases,
such as FPT_ITI and FIA_SOS, no attributes are to be logged,
presumably because they may contain secrets. This leads one to believe
that the CC's goal is not to record sensitive information in the audit
trail.
However, in the FIA_UID family, the CC specifically calls for the
inclusion of the user identity in the audit record, even though it is
possible that a user, confused by the I&A protocol, provides a
password when the user identity is requested.
The example given in CC Part 2, Annex C, paragraph 558, under FAU_GEN,
suggests that the CC's intention was to allow the PP/ST author to
exclude sensitive data from the required data to be logged. However,
this paragraph is in a non-normative portion of the CC. This
interpretation permits an author to exclude information, when
justification is provided.
Such a justification would be provided as part of the explanation of
the assignment operation called out in FAU_GEN.1.1b.