-
Notifications
You must be signed in to change notification settings - Fork 2
Audit Events
19 December 2023
Audit Events should be defined as the last elements in a <f-component> using the <audit-event> element. There can be zero or more <audit-event> elements in an <f-component>.
When the <audit-events-in-sfrs/> is specified in the PP Preferences, then the audit events are defined in their associated SFRs and Audit Tables are automatically generated. Defining audit events with the SFRs will become mandatory in the near future. Audit event should not be manually defined in tables.
There can be as many <audit-events> elements in an <f-component> as there are auditable events associated with the SFR. But there should at least be an empty <audit-event/> element.
A typical audit event looks like this in XML:
<audit-event>
<audit-event-descr>Failure to establish a HTTPS Session.</audit-event-descr>
<audit-event-info>Reason for failure.</audit-event-info>
<audit-event-info>Non-TOE endpoint of connection (IP address) for failures.</audit-event-info>
</audit-event>The contents of the <audit-event-descr> element appear in the "Auditable Events" column of the Audit Table. The contents of each <audit-event-info> element appears in the "Additional Audit Record Contents" column.
If the <audit-event-info> element is omitted, the "Additional Audit Record Contents" is set to "No additional information."
An empty audit-event element <audit-event/> indicates that the there are no audit events for the SFR. A row is generated in the appropriate audit table with the "Auditable Events" field containing "No events specified" with the "Additional Audit Record Contents" field set to "N/A." If the audit event is omitted entirely, then the SFR is not represented in the table at all.
The type attribute can be set to "optional" to indicate that the audit event should be selectable.
<audit-event type="optional">
<audit-event-descr>Establishment/Termination of a HTTPS session.</audit-event-descr>
<audit-event-info type="optional">Non-TOE endpoint of connection (IP address).</audit-event-info>
</audit-event>The above would be represented in the audit table with an "Auditable Events" entry of [selection: Establishment/Termination of a HTTPS session, None]. The ST Author gets to decide whether that audit event is required.
Similarly, the <audit-event-info> tag can have a type attribute that can be set to "optional." This makes the the information selectable. In the above example, the "Additional Audit Record Contents" would contain [selection: Non-TOE endpoint of connection (IP address), None].
The table attribute is used to assign an audit event into a particular table. This is especially useful for audit events that appear attached to SFRs in an "Additional SFRs" section of a PP Module. In this case the audit tables must be manually declared and each audit event must be specifically assigned to the table.
For example, if an audit table is declared as:
<section id="sec-at-os-addnl" title="Auditable Events for MDF Additional SFRs">
<audit-table id="at-os-addnl" table="tab-at-os-addnl" title="Auditable Events for MDF Additional SFRs"/>
</section> then an audit event would be assigned to that table like this:
<audit-event table="tab-at-os-addnl">
<audit-event-descr>Establishment/Termination of a HTTPS session.</audit-event-descr>
<audit-event-info>Non-TOE endpoint of connection (IP address).</audit-event-info>
</audit-event>See also, Audit Tables.