FAU_SEL.1 Selective audit

User application notes

This component defines the criteria used for the selection of events to be audited. Those criteria could permit inclusion or exclusion of events from the set of auditable events, based on user attributes, subject attributes, object attributes, or event types.

The existence of individual user identities is not assumed for this component. This allows for TOEs such as routers that may not support the notion of users.

For a distributed environment, the host identity could be used as a selection criterion for events to be audited.

The management function FMT_MTD.1 Management of TSF data will handle the rights of authorised users to query or modify the selections.

Operations

Selection:

For FAU_SEL.1.1a, the PP/ST author should select whether the security attributes upon which audit selectivity is based are related to object identity, user identity, subject identity, host identity, or event type.

Assignment:

For FAU_SEL.1.1b, the PP/ST author should specify any additional attributes upon which audit selectivity is based.
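
The following sketch is an added example, not part of the original text. It shows one way a TOE could apply include/exclude selections over the five FAU_SEL.1.1a attributes, including events that carry no user identity. The rule format, the first-match-wins ordering, the default, and all sample names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# The five attributes named in FAU_SEL.1.1a; the rule format is an assumption.
ATTRIBUTES = ("object_id", "user_id", "subject_id", "host_id", "event_type")

@dataclass(frozen=True)
class AuditEvent:
    event_type: str
    subject_id: str
    host_id: str
    object_id: Optional[str] = None
    user_id: Optional[str] = None  # None: the TOE has no notion of users

@dataclass(frozen=True)
class Rule:
    action: str        # "include" or "exclude"
    attribute: str     # one of ATTRIBUTES
    values: frozenset  # attribute values the rule applies to

    def __post_init__(self):
        if self.action not in ("include", "exclude") or self.attribute not in ATTRIBUTES:
            raise ValueError(f"invalid rule: {self.action} on {self.attribute}")

    def matches(self, event: AuditEvent) -> bool:
        # An event that lacks the attribute never matches a rule on it.
        value = getattr(event, self.attribute)
        return value is not None and value in self.values

def is_selected(rules, event, default_include=True) -> bool:
    """First matching rule decides (assumed policy); otherwise the default applies."""
    for rule in rules:
        if rule.matches(event):
            return rule.action == "include"
    return default_include

# Constructed sample selection and events.
RULES = [
    Rule("exclude", "event_type", frozenset({"heartbeat"})),
    Rule("include", "host_id", frozenset({"edge-router-1"})),
    Rule("exclude", "user_id", frozenset({"backup-svc"})),
]
EVENTS = [
    AuditEvent("heartbeat", "routing-daemon", "edge-router-1"),
    AuditEvent("config_change", "routing-daemon", "edge-router-1"),
    AuditEvent("file_read", "backup-proc", "app-server-2", "/data/db", "backup-svc"),
    AuditEvent("file_read", "cron", "app-server-2", "/data/db"),
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(is_selected(RULES, ev), ev)
```

The last sample event has no user identity, so the user-based exclusion cannot apply to it and the default decides. A deployment that wants such events suppressed needs a rule on another attribute or a default of exclusion.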