Specifications
Security Target Version 1.0 9/29/2014
| Requirement | Auditable Events | Additional Audit Record Content | Guidance Notes |
|---|---|---|---|
| | | | mechanism. |
| FTP_ITC.1 | All attempts to establish a trusted channel. Detection of modification of channel data. | Identification of the initiator and target of channel. | The Inter-TSF trusted channel is IPsec. Audit messages will be the same as for FCS_IPSEC_EXT.1. |
| FTP_TRP.1 | All attempts to establish a remote administrative session. Detection of modification of session data. | Identification of the initiating IT entity (e.g., IP address). | Depending on whether the remote administrator is using HTTPS or SSH, the audit messages will be the same as FCS_SSH_EXT.1 or FCS_HTTPS_EXT.1. Audit message 125022 includes the identification of the claimed user identity. |

Table 2 Audit Events

Assurance Activity:

The evaluator shall check the administrative guide and ensure that it lists all of the auditable events and provides a format for audit records. Each audit record format type must be covered, along with a brief description of each field. The evaluator shall check to make sure that every audit event type mandated by the PP is described and that the description of the fields contains the information required in FAU_GEN.1.2, and the additional information specified in Table 9.

The evaluator shall in particular ensure that the operational guidance is clear in relation to the contents for failed cryptographic events. In Table 9, information detailing the cryptographic mode of operation and a name or identifier for the object being encrypted is required. The evaluator shall ensure that name or identifier is sufficient to allow an administrator reviewing the audit log to determine the context of the cryptographic operation (for example, performed during a key negotiation exchange, performed when encrypting data for transit) as well as the non-TOE endpoint of the connection for cryptographic failures relating to communications with other IT systems.

The evaluator shall also make a determination of the administrative actions that are relevant in the context of this PP. The TOE may contain functionality that is not evaluated in the context of this PP because the functionality is not specified in an SFR. This functionality may have administrative aspects that are described in the operational guidance. Since such administrative actions will not be performed in an evaluated configuration of the TOE, the evaluator shall examine the operational guidance and make a determination of which administrative commands, including subcommands, scripts, and configuration files, are related to the configuration (including enabling or disabling) of the mechanisms implemented in the TOE that are necessary to enforce the requirements specified in the PP, which thus form the set of 'all administrative actions'. The evaluator may perform this activity as part of the activities associated with ensuring the AGD_OPE guidance satisfies the requirements.

The evaluator shall test the TOE’s ability to correctly generate audit records by having the TOE generate audit records in accordance with the assurance activities associated with the functional requirements in this PP. Additionally, the evaluator shall test that each administrative action applicable in the context of this PP is auditable. When verifying the test results, the evaluator shall ensure the audit records generated during testing match the format specified in the administrative guide, and that the fields in each audit record have the proper entries.
Note that the testing here can be accomplished in conjunction with the testing of the security