The Security audit review family defines requirements related to review of the audit information.
These functions should allow pre-storage or post-storage audit selection that includes, for example, the ability to selectively review:
- the actions of one or more users (e.g. identification, authentication, TOE entry, and access control actions);
- the actions performed on a specific object or TOE resource;
- all of a specified set of audited exceptions; or
- actions associated with a specific TSP attribute.
Application Notes
The distinction between audit reviews is based on functionality. Audit review (only) encompasses the ability to view audit data. Selectable review is more sophisticated, and requires the ability to perform searches based on a single criterion or multiple criteria with logical (i.e. and/or) relations, sort audit data, filter audit data, before audit data are reviewed.