I inadvertently responded only to Steve Grubb with comments on one LSPP Requirement. My email is below with his response following. I did get his permission to forward his email to this mailing list.
Hi Steve,
> 2 Audit User Space
> 2.1 Events shall contain unique session identifier and/or terminal
We can confirm with the evaluators, but I don't think that the above correctly captures the requirement. Are you are referring to FAU_SAR.1 in RBACPP? It says "FAU_SAR.1.1 The TSF shall provide the set of authorized RBAC administrators with the capability to read the following audit information from the audit records: ... (e) The User Session Identifier or Terminal Type". FAU_SAR.1 stands for Selectable Audit Review.
In the Common Criteria specification, part 2, FAU_SAR.1 states "Audit review provides the capability to read information from the audit records."
Which means that if the field is in the audit record, the administrator must have the capability to read the information, not that the field has to be in every audit record. If it had to be in every audit record, then it would have been specified in an FAU_GEN requirement.
The key for this requirement is the capability to read.
Klaus? Anyone from HP care to comment on your evaluator's interpretation?
Emily
*****
On Monday 03 October 2005 11:06, you wrote:
> We can confirm with the evaluators, but I don't think that the above
> correctly captures the requirement. Are you are referring to FAU_SAR.1 in
> RBACPP?
Yes. The one you quoted (2.1) is in the user space section which should
generally have a terminal associated with it.
> Which means that if the field is in the audit record, the administrator
> must have the capability to read the information, not that the field has to
> be in every audit record. If it had to be in every audit record, then it
> would have been specified in an FAU_GEN requirement.
Makes sense. We can strike the one in 3.6 and keep the one at 2.1. I listed it
twice in case we decided not to keep the one in the kernel.
> Klaus? Anyone from HP care to comment on your evaluator's interpretation?
I think you only sent the mail to me. I would like to get an official reading
on this just so we can put it behind us.
-Steve
Emily Ratliff
IBM Linux Technology Center, Security
emilyr@us.ibm.com