PD -0125: Audit Pre-Selection in the CIMC PP
Based on a recent OD, the ODRB has issued the following PD:

PD -0125: Audit Pre-Selection in the CIMC PP

ISSUE
The CIMC PP contains the following requirements:

FAU_SEL.1.1 (iteration 1)

	The IT environment shall be able to include or exclude auditable events from 
the set of audited events based on the following attributes: 

	a) [ST selection: object identity, user identity, subject identity, host 
identity, event type] 

	b) [ST assignment: list of additional attributes that audit selectivity is 
based upon].

	Application Note: For FAU_SEL.1.1a, the ST author should select whether the 
security attributes upon which audit selectivity is based, is related to object 
identity, user identity, subject identity, host identity, or event type. For 
FAU_SEL.1.1b, the ST author should specify any additional attributes upon which 
audit selectivity is based.

FAU_SEL.1.1 (iteration 2)

	The TSF shall be able to include or exclude auditable events from the set of 
audited events based on the following attributes: 

	a) [ST selection: object identity, user identity, subject identity, host 
identity, event type] 

	b) [ST assignment: list of additional attributes that audit selectivity is 
based upon]. 

	Application Note: For FAU_SEL.1.1a, the ST author should select whether the 
security attributes upon which audit selectivity is based, is related to object 
identity, user identity, subject identity, host identity, or event type. For 
FAU_SEL.1.1b, the ST author should specify any additional attributes upon which 
audit selectivity is based.

Can an ST correctly claim compliance with this PP if the TOE's audit selection 
occurs only after the audit records have been collected? The product does not 
generate large volumes of audit data, and there does not appear to be any 
function that could be used to flood the audit trail. 

PD 0116 addressed this question in the context of the IDS PP, noting:

	The [IDS] PP author was consulted to determine the intent behind the 
requirement, and has said that the requirement for audit pre-selection must be 
met with pre-selection.

In the CIMC PP, the FAU_SEL requirements are included in the set of 
requirements that address the objective O.Individual accountability and audit 
records; this objective states "Provide individual accountability for audited 
events. Record in audit records: date and time of action and the entity 
responsible for the action." There appears to be no additional specificity as 
to the rationale for FAU_SEL.

So, in the context of the CIMC PP, can an appropriate rationale justify waiving 
the requirement to pre-select records before they are stored in the audit 
trail? 

RESOLUTION
The FAU_SEL.1 requirement must be met as stated: the ability to pre-select 
audit data is required. The proposed resolution, whereby a rationale could 
suffice to justify conformance to the PP despite the lack of pre-selection of 
audit records, is not acceptable.

RATIONALE
The PP points of contact were consulted to verify the intent. While the PP 
requires the audit pre-selection capability in order to avoid denial-of-service 
attacks, it is also required for tuning the system (there are going to be 
millions of queries to each of these responders) and to ensure that critical 
events are mapped to the environment in which the responder is deployed.

There is no way of determining whether or not automated pings can be launched 
against a security-critical component with "access logs", given the TOE's 
inability to pre-select audit criteria. Although administrative audits are 
addressed by the TOE, that is not enough for a medium-assurance product in a 
Certificate Management infrastructure.
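As an added illustration (not part of this PD or of the CIMC PP), the following Python model shows the FAU_SEL.1 capability the resolution insists on: include/exclude rules over the FAU_SEL.1.1a attributes are evaluated when each event is generated, so a flood of low-value responder queries never reaches the audit trail while administrative events do. The event types, hosts and user names are constructed for the example.

```python
from collections import Counter

# Selection attributes named in FAU_SEL.1.1a; an ST may assign more (1.1b).
SELECTION_ATTRS = ("object", "user", "subject", "host", "event_type")

class AuditPreselector:
    """Ordered include/exclude rules, applied before an event is stored."""

    def __init__(self, rules, default="include"):
        # Each rule is (action, {attribute: value}) over selection attributes.
        assert all(set(c) <= set(SELECTION_ATTRS) for _, c in rules), rules
        self.rules = list(rules)
        self.default = default
        self.trail = []            # the audit trail: records actually stored
        self.dropped = Counter()   # excluded events, counted by event_type

    def decide(self, event):
        """First matching rule wins; unmatched events get the default."""
        for action, criteria in self.rules:
            if all(event.get(a) == v for a, v in criteria.items()):
                return action
        return self.default

    def record(self, event):
        """Generation-time hook: only included events reach storage."""
        if self.decide(event) == "include":
            self.trail.append(event)
            return True
        self.dropped[event["event_type"]] += 1
        return False

def make_sample_events():
    """Constructed sample (hypothetical hosts/users): a 1000-event flood of
    status queries from one client, plus three administrative events."""
    flood = [{"event_type": "access_log", "host": "192.0.2.10", "user": None,
              "subject": "responder", "object": "cert-42"} for _ in range(1000)]
    admin = [{"event_type": t, "host": "192.0.2.1", "user": u, "subject": s,
              "object": o} for t, u, s, o in (
                  ("key_generation", "ca-admin", "ca", "ca-key"),
                  ("access_log", "auditor", "console", "trail"),
                  ("cert_revocation", "ca-officer", "ca", "cert-42"))]
    return flood + admin

def run_preselection(rules):
    """Feed the sample through a pre-selector; return (stored, dropped)."""
    sel = AuditPreselector(rules)
    for ev in make_sample_events():
        sel.record(ev)
    return len(sel.trail), dict(sel.dropped)
```

With no rules all 1003 events are written, which is the post-collection situation the ISSUE describes; with one exclude rule on (event_type, host) only the three administrative records are stored and the flood is counted rather than kept.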

While this PD's approach to audit differs from that of PD-0116, it must be 
understood that they refer to different PPs; the points of contact for these 
PPs had different intents in including the audit requirement in their 
respective PPs. This underscores the importance of PP authors clearly 
articulating their intent.
