commoncriteria / mobile-device

Protection Profile for Mobile Device Fundamentals
The Unlicense
14 stars 3 forks source link

Guidance/Test EAs for FAU_STG.4? #51

Closed jfisherbah closed 2 years ago

jfisherbah commented 3 years ago

FAU_STG.4 is currently evaluated solely as a TSS activity. Other PPs with similar SFRs typically have guidance and test activities associated with this functionality (whether it's in the same Part 2 SFR or a separate extended SFR).

For example, the NDcPP defines a similar requirement as FAU_STG_EXT.1.3 and the ND SD has both guidance (para 43) and test (para 44 Test 2 part (2)) EAs associated with it.

Should similar EAs be added here for FAU_STG.4? If not, it is still a best practice to add stub headers for AGD/ATE EAs with statements that there are no EAs of that type for that SFR just so that it's clear to the reader that no information is missing.

woodbe commented 3 years ago

I would agree with the addition, but I would fear that making this change in 3.2 without more review may have unintended consequences in testing (if explicit testing is added). I say this because on most of the mobile devices the auditing is pretty fixed, so there isn't normally a way for the evaluator to say choose a smaller log size so they could ensure a wrap event in a reasonable time (one that they could plan to happen) without adding this to the list of "vendor assisted tests" that would need to be performed.

I know for Samsung, the only way (off hand) to shrink the log size is to fill the disk (it takes a percentage of free space up to a max), but even then I'm not sure what you would end up with in terms of size (since it would take a bit of effort to fill storage, or you would need a special build with a small partition, but they you get back to just having a special build again).

This is definitely something to investigate with the larger community (I for one, want to talk to my auditing team).

I do agree that maybe adding the stub headers would be good now though, for consistency.

jfisherbah commented 3 years ago

For now the "There are no x evaluation activities for this component" stubs will be added for Guidance and Test. Note that the same will also be done for other SFRs that are currently missing EAs for any type (e.g. FAU_STG.1 is similarly missing Guidance and Test activities right now).