RE: SFRs - Requirement Specification or Implementation Description?


I would agree with the notion expressed by others on this list that FAU_GEN.1 can be met by a TOE that does not provide a management function to turn audit on and off. Determining that a TOE does not meet this requirement should involve demonstrating that it is possible to turn audit on or off without a corresponding audit record being generated.
 
FAU_GEN.1 only specifies that certain events (such as shutdown of the audit functions) should be auditable if they occur. For example, a requirement that unsuccessful use of the authentication mechanism be audited does not mean that the TSF shall ensure that use of the authentication mechanism shall be unsuccessful.
 
An ST could include an SFR for providing a capability to turn the audit function on and off. Because this is a security management function, the Part 2 component that best expresses such a requirement is FMT_SMF.1.
 
    Nir
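
The test Nir proposes (can audit be turned on or off without a record being generated?) can be expressed directly as a check on an audit subsystem. The following is an added example written for this page in Python; it is not code from the list or from any TOE discussed here. The class and event names (AuditTrail, audit_start, audit_stop) are assumptions, chosen only to model the startup/shutdown events FAU_GEN.1 asks for. The first class records its own start and stop; the second deliberately does not, which is the defect the check is meant to catch.

```python
"""Added example: an audit trail that records its own startup and shutdown,
and a check for the failure mode described in the thread (toggling audit
without a corresponding audit record)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AuditRecord:
    event: str       # e.g. "audit_start", "audit_stop", "auth_failure"
    outcome: str     # "success" or "failure"
    timestamp: str   # ISO-8601, UTC


@dataclass
class AuditTrail:
    """Audit function whose enable/disable transitions are themselves audited."""
    enabled: bool = False
    records: list = field(default_factory=list)

    def _emit(self, event: str, outcome: str = "success") -> None:
        self.records.append(
            AuditRecord(event, outcome, datetime.now(timezone.utc).isoformat())
        )

    def start(self) -> None:
        self.enabled = True
        self._emit("audit_start")   # startup of the audit functions (FAU_GEN.1.1 a)

    def stop(self) -> None:
        self._emit("audit_stop")    # shutdown is recorded before the trail goes quiet
        self.enabled = False

    def log(self, event: str, outcome: str = "success") -> bool:
        """Record an auditable event; returns False if audit is currently off."""
        if not self.enabled:
            return False
        self._emit(event, outcome)
        return True


class BrokenAuditTrail(AuditTrail):
    """Constructed counter-example: audit can be toggled silently."""

    def start(self) -> None:
        self.enabled = True

    def stop(self) -> None:
        self.enabled = False


def toggle_leaves_trace(trail: AuditTrail) -> bool:
    """The check from the thread: every start/stop of audit must leave a record.
    Returns True when both transitions are audited, False otherwise."""
    before = len(trail.records)
    trail.start()
    trail.stop()
    new_events = [r.event for r in trail.records[before:]]
    return new_events == ["audit_start", "audit_stop"]


def audit_sequence(trail: AuditTrail) -> list:
    """Drive a small session and return the recorded event names, so the
    ordering of audit_start / events / audit_stop can be inspected."""
    trail.log("auth_failure", "failure")        # dropped: audit not yet started
    trail.start()
    trail.log("auth_failure", "failure")        # kept
    trail.stop()
    trail.log("auth_failure", "failure")        # dropped: audit stopped
    return [r.event for r in trail.records]


if __name__ == "__main__":
    print("self-auditing trail passes:", toggle_leaves_trace(AuditTrail()))
    print("silent-toggle trail passes:", toggle_leaves_trace(BrokenAuditTrail()))
    print("sequence:", audit_sequence(AuditTrail()))
```

A TOE whose audit is always on has no start/stop transition to check; there the startup record generated at TOE boot plays the role of audit_start, which is the reading the original message describes.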


From: cc-cmt@nist.gov [mailto:cc-cmt@nist.gov] On Behalf Of Apted, Tony J. [RA]
Sent: Wednesday, November 29, 2006 8:55 PM
To: Multiple recipients of list
Subject: SFRs - Requirement Specification or Implementation Description?

What is the purpose of Security Functional Requirements (SFRs) in a Security Target? Are they intended to specify what security functionality is to be provided by the TOE, or to specify the security functionality the TOE implements?

 

This question is raised as the result of a recent validator comment. The ST claims FAU_GEN.1 and the TSS explains that the TOE satisfies the aspect of the requirement to audit startup and shutdown of the audit function because auditing is always enabled – when the TOE starts up, an audit record of TOE startup is generated, which indicates the startup of the audit function (and, similarly, the TOE generates an audit record that it is shutting down, indicating shutdown of the audit function). To my knowledge, and in my own experience, this reasoning has always been acceptable for justifying that a TOE satisfies this aspect of FAU_GEN.1. The validator, however, insists that the ST must explicitly state its audit requirement because it clearly does not audit startup and shutdown of the audit function (because the TOE does not provide a capability to turn the audit function on and off).

 

I am interested in other people’s views about this.

 

Anthony J. Apted

Lead Evaluator/Senior System Security Engineer

SAIC CCTL

Ph: (410) 953-6837

Fx: (410) 953-7001
