C.1  Security audit automatic response (FAU_ARP)

The Security audit automatic response family describes requirements for the handling of audit events. The requirement could include requirements for alarms or TSF action (automatic response). For example, the TSF could include the generation of real time alarms, termination of the offending process, disabling of a service, or disconnection or invalidation of a user account.

Application Notes

An audit event is defined to be an "potential security violation" if so indicated by the FAU_SAA components.