LSPP Requirement Specifically for Auditing

Emily Ratliff emilyr at us.ibm.com
Mon Oct 3 16:08:20 UTC 2005






I inadvertently responded only to Steve Grubb with comments on one LSPP
Requirement. My email is below with his response following. I did get his
permission to forward his email to this mailing list.


Hi Steve,

> 2 Audit User Space
> 2.1 Events shall contain unique session identifier and/or terminal
We can confirm with the evaluators, but I don't think that the above
correctly captures the requirement. Are you referring to FAU_SAR.1 in
RBACPP? It says "FAU_SAR.1.1 The TSF shall provide the set of authorized
RBAC administrators with the capability to read the following audit
information from the audit records: ... (e) The User Session Identifier or
Terminal Type". FAU_SAR.1 stands for Selectable Audit Review.

In the Common Criteria specification, part 2, FAU_SAR.1 states "Audit
review provides the capability to read information from the audit records."

Which means that if the field is in the audit record, the administrator
must have the capability to read the information, not that the field has to
be in every audit record. If it had to be in every audit record, then it
would have been specified in an FAU_GEN requirement.

The key for this requirement is the capability to read.

Klaus? Anyone from HP care to comment on your evaluator's interpretation?

Emily

*****

On Monday 03 October 2005 11:06, you wrote:
> We can confirm with the evaluators, but I don't think that the above
> correctly captures the requirement. Are you referring to FAU_SAR.1 in
> RBACPP?

Yes. The one you quoted (2.1) is in the user space section which should
generally have a terminal associated with it.

> Which means that if the field is in the audit record, the administrator
> must have the capability to read the information, not that the field has to
> be in every audit record. If it had to be in every audit record, then it
> would have been specified in an FAU_GEN requirement.

Makes sense. We can strike the one in 3.6 and keep the one at 2.1. I listed it
twice in case we decided not to keep the one in the kernel.

> Klaus? Anyone from HP care to comment on your evaluator's interpretation?

I think you only sent the mail to me. I would like to get an official reading
on this just so we can put it behind us.

-Steve


Emily Ratliff
IBM Linux Technology Center, Security
emilyr at us.ibm.com