ADP/Network Audits

A Trusted Computer System is a system that employs formal hardware and software integrity measures sufficient to allow its use for processing sensitive or classified information. These systems are given a designation based on how many measures are employed. While some large lab systems meet the full, high-level trust criteria, most personal computers at NRL are designated as class C2 functionality. This designation means the ADP system must employ discretionary access control, memory clearing before reuse, individual accountability, and audit trails before it is approved to process classified data. These controls do not need to be automated into the operating system.

Obviously, users performing classified processing on a stand-alone system in a dedicated mode can easily incorporate physical safeguards such as removable drives, user approval, audit trail log books, or other controls based on their needs. Networked systems, however, have a number of audit controls, some of which are automatically incorporated into their network software.

Fully trusted systems that process classified information at NRL require formal audit procedures. These procedures are normally built into trusted systems prior to their certification. According to the National Computer Security Center's Trusted Computer System Evaluation Criteria (TCSEC), the audit mechanism should be capable of monitoring every time a system is accessed, who accessed it, and which file was accessed. Auditing on trusted systems primarily concerns audit trails and controls for computer access.

The TCSEC gives the following as the Accountability Control Objective:

"Systems that are used to process or handle classified or other sensitive information must assure individual accountability whenever either a mandatory or discretionary security policy is invoked. Furthermore, to assure accountability the capability must exist for an authorized and competent agent to access and evaluate accountability information by a secure means, within a reasonable amount of time and without undue difficulty."

Formal Audit Requirements for Trusted Systems

The minimum trust requirement for all DoD computer systems at NRL is level C2 functionality. C2 is considered the benchmark for audit trails. The following sections, derived from NCSC-TG-001, describe the audit requirements for class C2.

6.1.1 Auditable Events

The following events shall be subject to audit at the C2 class:

1. Use of identification and authentication mechanisms
2. Introduction of objects into a user's address space
3. Deletion of objects from a user's address space
4. Actions taken by computer operators and system administrators and/or system security administrators
5. All security-relevant events (as defined in Section 5 of this guideline)
6. Production of printed output

6.1.2 Auditable Information

The following information shall be recorded on the audit trail at the C2 class:

1. Date and time of the event
2. The unique identifier on whose behalf the subject generating the event was operating
3. Type of event
4. Success or failure of the event
5. Origin of the request (e.g., terminal ID) for identification/authentication events
6. Name of object introduced, accessed, or deleted from a user's address space
7. Description of modifications made by the system administrator to the user/system security databases
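
The check below is an added example, not part of NCSC-TG-001 or of any NRL system: it tests each record of an audit trail against the 6.1.2 list, treating items 5 through 7 as required only for the event types they apply to. The pipe-delimited record layout, the field names, and the event type labels are assumptions made for the example, and the sample records are constructed.

```python
from datetime import datetime

# Field and event names are assumptions made for this example;
# the guideline lists what to record, not a record format.
ALWAYS = ("timestamp", "user_id", "event_type", "outcome")  # 6.1.2 items 1-4
CONDITIONAL = {
    "origin": {"login"},                              # item 5: I&A events
    "object_name": {"object_open", "object_delete"},  # item 6
    "change_desc": {"admin_secdb_change"},            # item 7
}

def parse_record(line):
    """Split a 'key=value|key=value' line into a dict."""
    return dict(f.split("=", 1) for f in line.strip().split("|") if "=" in f)

def check_record(rec):
    """Return the 6.1.2 deficiencies found in one audit record."""
    problems = [f"missing {k}" for k in ALWAYS if not rec.get(k)]
    event = rec.get("event_type", "")
    for field, events in CONDITIONAL.items():
        if event in events and not rec.get(field):
            problems.append(f"missing {field} for {event}")
    if rec.get("outcome") and rec["outcome"] not in ("success", "failure"):
        problems.append("outcome is not success or failure")
    if rec.get("timestamp"):
        try:
            datetime.fromisoformat(rec["timestamp"])
        except ValueError:
            problems.append("timestamp is not a date and time")
    return problems

def audit_gaps(lines):
    """Map 1-based record number to its deficiencies, for records that have any."""
    gaps = {}
    for n, line in enumerate(lines, 1):
        problems = check_record(parse_record(line))
        if problems:
            gaps[n] = problems
    return gaps

# Constructed sample audit trail (not real data).
SAMPLE = [
    "timestamp=1994-03-01T08:15:02|user_id=jdoe|event_type=login|outcome=success|origin=tty04",
    "timestamp=1994-03-01T08:16:40|user_id=jdoe|event_type=login|outcome=failure",
    "timestamp=1994-03-01T08:20:11|user_id=jdoe|event_type=object_delete|outcome=success",
    "timestamp=1994-03-01T09:02:00|event_type=admin_secdb_change|outcome=success|change_desc=added user asmith",
    "timestamp=1994-03-01T09:05:00|user_id=op1|event_type=print|outcome=success",
]

if __name__ == "__main__":
    for n, problems in audit_gaps(SAMPLE).items():
        print(f"record {n}: {'; '.join(problems)}")
```

Records 2, 3 and 4 are reported: a failed login with no origin, a deletion with no object name, and an administrator change with no unique identifier, each of which would defeat individual accountability for that event.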