Re: PD 0129: Deletion of the oldest audit events when audit storage space is exhausted

["Observation Decisions Review Board" <faigin@aero.org>]

On February 6, 2007, Yokota Hirofumi raised some questions about PD
0129. He specifically asked about the notation used, and the distinction
between the two SFRs added in the PD.

With respect to the labeling convention: We, too, find it confusing. The
original notation was developed for NIAP Interpretations (not PDs) in
the hopes that readers of STs could easily determine the source of a
requirement (CC or Interpretion). It provided not to work too well, and
is no longer being used by the NIB. The notation was never applied to PP
development.

In this case, the ODRB was simply following the notation that was
already used in the PD.

Yokota, however, was right in questioning why there were two
requirements:

FAU_STG.NIAP-0414-3-NIAP-0429. The TSF shall alert the administrator
[selection: time period, number of records, percent free audit storage
space available] before audit storage reaches capacity.

FAU_STG.NIAP-0414-3-NIAP-0429-virus. The TSF shall display an alert on
the screen of the Central Administrator if a session is active
[selection: time period, number of records, percent free audit storage
space available] before audit storage failure.

In reviewing our records, it appears that only the first of these was
intended for the PD; the second seems to have shown up from an editing
error. The PD will be corrected to only include the first SFR (i.e., the
one without "-virus").

Additionally, we're going to modify the PD to give an example of how the
section might look, as the wording is confusing. The intent is to be
able to say SFRs along the lines of:

    ...shall alert the administrator [10 minutes] before audit storage
    reaches capacity. 

    ...shall alert the administrator [10 records] before audit storage
    reaches capacity. 

    ...shall alert the administrator [when 3% of the storage space
    remains] before audit storage reaches capacity.