Specifications
Security Target Version 1.0 9/29/2014
Test 2 [conditional]: If the TSF supports specification of more complex audit pre-selection criteria
(e.g., multiple attributes, logical expressions using attributes) then the evaluator shall devise tests
showing that this capability is correctly implemented. The evaluator shall also, in the test plan,
provide a short narrative justifying the set of tests as representative and sufficient to exercise the
capability.
5.2.1.6 Protected Audit Trail Storage (Local Storage) (FAU_STG.1)
FAU_STG.1.1
Refinement: The TSF shall protect [3*(3*31768 bytes)] locally stored audit records in the audit
trail from unauthorized deletion.
FAU_STG.1.2
The TSF shall be able to prevent unauthorized modifications to the stored audit records in the
audit trail.
Component Assurance Activity:
The evaluator shall examine the TSS to ensure it describes the amount of audit data that are stored
locally; what happens when the local audit data store is full; and how these records are protected
against unauthorized access. The evaluator shall also examine the operational guidance to
determine that it describes the relationship between the local audit data and the audit data that are
sent to the audit log server. For example, when an audit event is generated, is it simultaneously
sent to the external server and the local store, or is the local store used as a buffer and 'cleared'
periodically by sending the data to the audit server?
5.2.1.7 External Audit Trail Storage (FAU_STG_EXT.1)
FAU_STG_EXT.1.1
The TSF shall be able to transmit the generated audit data to an external IT entity using a trusted
channel implementing the [IPsec] protocol.
Component Assurance Activity:
The evaluator shall examine the TSS to ensure it describes the means by which the audit data are
transferred to the external audit server, and how the trusted channel is provided. Testing of the
trusted channel mechanism will be performed as specified in the associated assurance activities for
the particular trusted channel mechanism. The evaluator shall also examine the operational
guidance to ensure it describes how to establish the trusted channel to the audit server, as well as
describe any requirements on the audit server (particular audit server protocol, version of the
protocol required, etc.), as well as configuration of the TOE needed to communicate with the audit
server. The evaluator shall perform the following test for this requirement:
Test 1: The evaluator shall establish a session between the TOE and the audit server according to
the configuration guidance provided. The evaluator shall then examine the traffic that passes
between the audit server and the TOE during several activities of the evaluator’s choice designed
to generate audit data to be transferred to the audit server. The evaluator shall observe that these
data are not able to be viewed in the clear during this transfer, and that they are successfully
received by the audit server. The evaluator shall record the particular software (name, version)
used on the audit server during testing.
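The traffic examination in Test 1 can be partly automated. The following is an added example, not part of this Security Target or of the evaluated product: it classifies raw IPv4 packets exchanged between the TOE and the audit server, flagging anything that is not ESP or IKE, and any packet in which a known audit string is readable. The addresses, the audit string, the syslog port 514 and the helper names are constructed for illustration.

```python
import socket
import struct

ESP, UDP = 50, 17        # IANA IP protocol numbers
IKE_PORTS = {500, 4500}  # IKE and NAT-traversal (UDP-encapsulated ESP)

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet (checksum left at 0) for the samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(pkt, toe, server, marker):
    """Return 'other', 'protected' or 'cleartext' for one raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if {src, dst} != {toe, server}:
        return "other"
    body = pkt[ihl:]
    if marker in body:
        return "cleartext"  # readable audit text, e.g. ESP with NULL encryption
    if pkt[9] == ESP:
        return "protected"
    if pkt[9] == UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        if sport in IKE_PORTS or dport in IKE_PORTS:
            return "protected"
    return "cleartext"      # traffic to the audit server outside the tunnel

# Constructed sample data: RFC 5737 addresses, made-up audit text and ports.
TOE, SERVER, MARKER = "192.0.2.10", "192.0.2.20", b"admin login failed"
ESP_HDR = bytes.fromhex("0000100100000001")  # SPI + sequence number
SAMPLE = [
    ipv4(TOE, SERVER, ESP, ESP_HDR + bytes(range(0x80, 0xC0))),
    ipv4(TOE, SERVER, UDP, udp(40000, 514, b"<38>" + MARKER)),
    ipv4(TOE, SERVER, ESP, ESP_HDR + b"<38>" + MARKER + b"\x01\x02\x02\x11"),
    ipv4(SERVER, TOE, UDP, udp(500, 500, bytes(28))),
    ipv4(TOE, "192.0.2.99", UDP, udp(53000, 53, b"query")),
]

def review(packets=SAMPLE):
    return [classify(p, TOE, SERVER, MARKER) for p in packets]

if __name__ == "__main__":
    print(review())
```

The third sample shows why the protocol number alone is not sufficient evidence: an ESP packet whose payload still contains the audit string is reported as cleartext.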
5.2.1.8 Action in Case of Loss of Audit Server Connectivity (FAU_STG_EXT.3)
FAU_STG_EXT.3.1
The TSF shall [generate a local log message indicating failure of an IPsec tunnel] if the link to
the external IT entity collecting the audit data generated by the TOE is not available.
Component Assurance Activity: