As a Security Administrator, responsible for global monitoring and auditing of security events, I need Top Secret to get "OK-B" bypass-audit-records in a clear and unambiguous manner.
Therefore I suggest changing the design from:
"Any resource access that is allowed as a result of one of the NO***CHK Bypass attributes is logged as a bypass event." (taken from TSS Audit Guide, Chapter 2: Misuse of CA Top Secret, page 15) and interpreted (1) as: "if the bypass attribute is set for a security check then this will be the reason for the event's success and will cause an OK+B Event" (as stated in CA Support case)
to:
"Any resource access that is allowed as a result of one of the NO***CHK Bypass attributes is logged as a bypass event." (the same TSS Audit Guide, Chapter 2: Misuse of CA Top Secret, page 15) but interpreted (2) as: "If the resource access is granted only because of the bypass privilege of an acid (without NOxxxCHK the access would be denied), only then an OK+B record is written."
Interpretation (1) entails
- that OK+B records are written even if the acid has the regular permission to access the resource (=misleading)
- that OK+B records are also written if the resource is not protected by Top Secret (=overhead and waste of resources)
- that under certain conditions (see several technotes) an OK+A record is written in place of an OK+B record. (=misleading)
- .... ?
while Interpretation (2) puts down exactly that the privileged acid functionally made use of its privilege (and this is what an auditor mostly wants to know).
If this suggested change to Interpretation (2) is not possible for performance, never-change-a-design or other reasons, I propose the creation of additional bypass privilege attributes (for example, for NORESCHK an analogous NORESCKA, which would function the same way as NORESCHK but cut audit-adequate OK+B records according to interpretation (2)).
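
The difference between the two interpretations, as a small decision model added here for illustration (it is not CA Top Secret code and not part of the original request). It assumes that access to a resource not protected by Top Secret would be allowed without any bypass attribute; the `Access` fields and every label other than OK+B are constructed, and the OK+A case from the technotes is not modelled.

```python
from dataclasses import dataclass
from itertools import product

OK_B = "OK+B"                              # bypass event, as named in the request
ALLOWED = "allowed, no bypass record"      # constructed label
DENIED = "denied"                          # constructed label


@dataclass(frozen=True)
class Access:
    protected: bool   # resource is protected by Top Secret
    permitted: bool   # acid holds a regular permission for the resource
    bypass: bool      # acid carries the matching NO***CHK attribute


def allowed_without_bypass(a: Access) -> bool:
    # Assumption: an unprotected resource is accessible to everyone.
    return (not a.protected) or a.permitted


def interpretation_1(a: Access) -> str:
    """The attribute itself is the reason for success: any bypass acid logs OK+B."""
    if a.bypass:
        return OK_B
    return ALLOWED if allowed_without_bypass(a) else DENIED


def interpretation_2(a: Access) -> str:
    """OK+B only when the access would have been denied without the attribute."""
    if allowed_without_bypass(a):
        return ALLOWED
    return OK_B if a.bypass else DENIED


def differing_cases() -> list[Access]:
    """Every combination where the two interpretations log something different."""
    cases = [Access(*flags) for flags in product((False, True), repeat=3)]
    return [a for a in cases if interpretation_1(a) != interpretation_2(a)]


if __name__ == "__main__":
    for a in differing_cases():
        print(a, "| (1):", interpretation_1(a), "| (2):", interpretation_2(a))
```

The differing cases are exactly those in which the acid has a bypass attribute but did not need it: the resource is unprotected, or the acid holds a regular permission.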