
Unit 3 Third unit placeholder exercises

In these exercises you will learn how to start a micro design for Windows 2008 R2 logging.

Exercise 1 Obtain the documents necessary to create a micro design for Windows 2008 R2 logging
1. The instructor has downloaded the Windows 7 and 2008 Security Target document from
http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf. Obtain this file from the
Internet or from the instructor.

2. The instructor has downloaded the Common Criteria Part 2: Security functional components
from http://www.commoncriteriaportal.org/files/ccfiles/CCPART2V3.1R4.pdf. Obtain this file
from the Internet or from the instructor.

3. The instructor has downloaded the Security Audit Events for Windows 7 and Windows Server
2008 R2 from http://www.microsoft.com/en-us/download/confirmation.aspx?id=21561. Obtain
this file from the Internet or from the instructor.

© Copyright IBM Corp. 2015 3-1


Course materials may not be reproduced in whole or in part without the prior written permission of IBM.
V7.0
Exercise 2 Create re-usable list of audit controls
1. Open the Common Criteria Part 2: Security functional components document using Adobe Acrobat
Reader or a web browser.

2. Search the document for the string Audit:

3. Whenever you find an occurrence of the string, determine the class, family and components
that require auditing. Complete Table 1 below.

Note: The table format is available as an Excel sheet, CC Audit Controls list, available from your
instructor.

Table 1 Common Criteria components requiring auditing

Class   Family    Component
FAU     FAU_ARP   FAU_ARP.1
FAU     FAU_SAA   FAU_SAA.1
FAU     FAU_SAA   FAU_SAA.2
FAU     FAU_SAA   FAU_SAA.3
FAU     FAU_SAA   FAU_SAA.4
FAU     FAU_SAR   FAU_SAR.1
FAU     FAU_SAR   FAU_SAR.2
FAU     FAU_SAR   FAU_SAR.3
FAU     FAU_SEL   FAU_SEL.1
FAU     FAU_STG   FAU_STG.3
FAU     FAU_STG   FAU_STG.4
FCO     FCO_NRO   FCO_NRO.1
FCS     FCS_CKM   FCS_CKM.1
FDP     FDP_ACC   FDP_ACC.1
FIA     FIA_AFL   FIA_AFL.1
FMT     FMT_MOF   FMT_MOF.1
FPR     FPR_ANO   FPR_ANO.1
FRU     FRU_FLT   FRU_FLT.1
FTA     FTA_LSA   FTA_LSA.1

Note: This table is re-usable as a reference for quickly scanning any security target document
to determine whether the system can produce a log or audit record for a specific Common
Criteria security control.

Exercise 3 Use the Common Criteria Security Target document
The objective is to find out if the system, aka security target, can produce a log or audit record,
whenever the system time is modified. You will determine this for the Windows 2008 R2 system.

1. Which Common Criteria component listed in Table 1 represents the control requiring that any
modification to the system time must be auditable? _____________________

2. Open the st_vid10390-st.pdf file.

3. Search the st_vid10390-st.pdf file for the component you found for question 1.

4. Which table in the st_vid10390-st.pdf file informs you if the control can be audited by Windows
2008 R2? __________________________________________________________________

5. What does chapter 6 of the same document explain? ________________________________
___________________________________________________________________________

6. Read the first paragraphs of Chapter 6 up to paragraph 6.1.1.2 Audit Log Review.

7. To which Windows 2008 R2 event category does the event belong that is required by the
Common Criteria Control you found for question #1?_________________________________

8. Where are the Windows 2008 R2 audit records stored? _______________________________

9. Return to the Common Criteria Part 2: Security functional components document. What does
the FAU_SEL.1 control specify as a requirement?
___________________________________________________________________________
___________________________________________________________________________
___________________________________________________________________________

10. Return to the st_vid10390-st.pdf file. Which event property types can a Windows 2008 R2
administrator use to select which events are generated by the system, according to paragraph
6.1.1.3 Selective Audit?
• _________________________
• _________________________
• _________________________
• _________________________
• _________________________

11. What is the required audit selection configuration on a Windows 2008 R2 system to generate
the event required to audit any modification of the system time?
___________________________________________________________________________
___________________________________________________________________________

The information gathered in this exercise is used in your detailed micro design for logging. The
conclusions are:
• The Windows 2008 R2 system meets the Common Criteria component requirement covering
the modification of the system time.
• The Windows 2008 R2 audit subsystem must and can be configured to generate the event.

The information on how to configure the Windows 2008 R2 audit subsystem is determined in step
11.

12. Open the Security Audit Events for Windows 7 and Windows Server 2008 R2 file.

13. Using this file, complete Table 2 below, which can be included in your detailed micro
design on logging for the Common Criteria component requirement covering the modification of
the system time.

Table 2 Windows 2008 R2 Audit Controls, configuration and events


Control     Select Audit Configuration                                           Audit events
FIA_AFL.1   Category: Account Management, Logon. Outcome: Success and Failure.   4740, 4800, 6279.


Note: The FIA_AFL.1 component refers to the system’s capability to audit the action taken when
the system has identified consecutive logon failures.
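
Added example (not part of the original course material): one way to turn a Table 2 row into a repeatable check is to compare the audit policy reported by a system against the row's Select Audit Configuration. The sample policy text is constructed, and reading Table 2's "Logon" as the auditpol category "Logon/Logoff" is an assumption.

```python
# Added example: compare a reported audit policy with the FIA_AFL.1 row of Table 2.
# Assumption: Table 2's "Logon" category corresponds to auditpol's "Logon/Logoff".
REQUIRED = {
    "FIA_AFL.1": {
        "categories": ["Account Management", "Logon/Logoff"],
        "outcome": "Success and Failure",
        "events": [4740, 4800, 6279],  # event IDs from Table 2, kept for the design record
    },
}

# Constructed sample in the layout printed by `auditpol /get /category:*`.
SAMPLE = """\
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Other Logon/Logoff Events               Success
  Network Policy Server                   Success and Failure
Account Management
  User Account Management                 Success and Failure
  Security Group Management               No Auditing
"""

SETTINGS = ("Success and Failure", "No Auditing", "Success", "Failure")  # longest match first

def parse_auditpol(text):
    """Return {category: {subcategory: setting}} from auditpol text output."""
    policy, current = {}, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("System audit policy", "Category/Subcategory")):
            continue
        if not line.startswith(" "):          # unindented line names a category
            current = policy.setdefault(line.strip(), {})
            continue
        body = line.strip()
        for setting in SETTINGS:              # split "subcategory   setting"
            if body.endswith(setting):
                current[body[: -len(setting)].strip()] = setting
                break
    return policy

def gaps(control, policy):
    """List (category, subcategory, actual) entries that miss the required outcome."""
    req, missing = REQUIRED[control], []
    for cat in req["categories"]:
        subs = policy.get(cat) or {None: "category not reported"}
        missing += [(cat, s, v) for s, v in subs.items() if v != req["outcome"]]
    return missing
```

auditpol prints localized names on non-English systems, so a production check would more safely parse the CSV form (`auditpol /get /category:* /r`), which includes subcategory GUIDs.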
