Platform Computing Inc. 3760 14th Avenue Markham, Ontario L3R 3T7 Canada Tel: (905) 948-8448 Fax: (905) 948-9975 email: info@platform.com www.platform.com PLATFORM LSF HPC 6.2 Security Target EAL 2 Prepared for: Prepared by: Platform Computing Inc. 3760 14th Avenue Markham, ON L3R 3T7 AEPOS Technologies Corporation 200 Montcalm Street, Suite 200 Gatineau, Quebec J8Y 3B5 Client Contract No.: CS1557.008 Date: February 21, 2006 DOCUMENT ORIGIN AND APPROVAL RECORD Prepared by: D. White IT Security Consultant Date Prepared by: N. MacAskill Senior IT Security Consultant Date Reviewed by: G. Jenson, P.Eng, PMP Manager, IT Security Engineering Date Approved by: J. Detombe Director, IT Security Date Accepted by: I. Mackay Director, Engineering Operations Date CS1557.008, Revision .09 February 21, 2006 ii REVISION HISTORY Date of Issue Revision Number Description of Change November 14, 2005 .01 Initial Release November 25, 2005 .02 Incorporated comments provided to AEPOS from Platform (comments received on November 22) December 15, 2005 .03 Incorporated OR comments received from DOMUS January 4, 2006 .04 Removed reference to version 6.2x and replaced with 6.2 January 6, 2006 .05 Incorporated OR comments received from CSE January 11, 2006 .06 Changed Assurance Documentation names February 14, 2006 .07 Removed the word "query" from FMT_MTD.1.1 Added additional resource "CPU time limit" to FRU_RSA.1.1 February 15, 2006 .08 Changed the name of AM_ATE_FUN document. Additional minor changes required for the document to be consistent with changes in revision .07 February 21, 2006 .09 Clarified ITSF_ADMIN section on pages 23 and 24 CS1557.008, Revision .09 February 21, 2006 iii TABLE OF CONTENTS Page 1. INTRODUCTION TO THE SECURITY TARGET..................................................... 1 1.1 Security Target Identification.......................................................................................... 1 1.2 Security Target Overview ................................................................................................ 1 1.3 CC Conformance Claim................................................................................................... 1 1.4 Protection Profile Conformance Claim .......................................................................... 1 1.5 Security Target Organization.......................................................................................... 2 1.6 Related Standards and Documents ................................................................................. 3 2. TARGET OF EVALUATION DESCRIPTION........................................................... 3 2.1 TOE Functional Description............................................................................................ 3 2.2 Features.............................................................................................................................. 7 2.2.1 Access Control............................................................................................................ 7 2.2.2 Audit ........................................................................................................................... 7 2.2.3 Identification and Authentication ............................................................................... 7 2.2.4 Security Management ................................................................................................. 8 2.2.5 Protection of TOE Security Functions........................................................................ 8 2.2.6 Resource Allocation.................................................................................................... 8 2.2.7 User and Authentication Data Protection ................................................................... 8 3. TOE SECURITY ENVIRONMENT ........................................................................... 8 3.1 Assets.................................................................................................................................. 8 3.2 Statement of Assumptions................................................................................................ 9 3.2.1 Personnel Assumptions............................................................................................... 9 3.2.2 Physical Assumptions................................................................................................. 9 3.3 Statement of Threats......................................................................................................... 9 3.3.1 Threats Countered by the TOE ................................................................................... 9 3.3.2 Threats Countered by the IT Environment ............................................................... 10 3.4 Organizational Security Policy...................................................................................... 10 4. SECURITY OBJECTIVES ..................................................................................... 10 4.1 TOE Security Objectives................................................................................................ 10 4.1.1 TOE IT Security Objectives...................................................................................... 10 CS1557.008, Revision .09 February 21, 2006 iv 4.2 Environmental Security Objectives............................................................................... 11 4.2.1 IT Environmental Security Objectives...................................................................... 11 4.2.2 Non-IT Security Objectives for the Environment..................................................... 11 5. IT SECURITY REQUIREMENTS........................................................................... 12 5.1 Audit................................................................................................................................. 12 5.1.1 Audit Data Generation (FAU_GEN.1) ..................................................................... 12 5.1.2 Audit Review (FAU_SAR.1).................................................................................... 13 5.1.3 Restricted Audit Review (FAU_SAR.2)................................................................... 13 5.2 User Data Protection....................................................................................................... 13 5.2.1 Subset Access Control (FDP_ACC.1)...................................................................... 13 5.2.2 Security Attribute based Access Control (FDP_ACF.1) .......................................... 13 5.3 Security Management..................................................................................................... 14 5.3.1 Management of Security Attributes (FMT_MSA.1) ................................................ 14 5.3.2 Static Attribute Initialization (FMT_MSA.3)........................................................... 14 5.3.3 Management of TSF Data (FMT_MTD.1)............................................................... 14 5.3.4 Specification of Management Functions (FMT_SMF.1).......................................... 14 5.3.5 Security Roles (FMT_SMR.1).................................................................................. 14 5.4 Resource Allocation ........................................................................................................ 15 5.4.1 Maximum Quotas (FRU_RSA.1) ............................................................................. 15 5.5 SFR Dependencies........................................................................................................... 15 5.6 TOE Security Assurance Requirements....................................................................... 17 5.7 Strength of Function Requirement................................................................................ 18 5.8 Security Requirements for the IT Environment.......................................................... 18 5.8.1 Subset Access Control (FDP_ACC.1)...................................................................... 18 5.8.2 Security Attribute based Access Control (FDP_ACF.1) .......................................... 18 5.8.3 Basic Internal Transfer Protection (FDP_ITT.1)...................................................... 20 5.8.4 User Authentication Before Any Action (FIA_UAU.2)........................................... 20 5.8.5 User Identification Before Any Action (FIA_UID.2)............................................... 20 5.8.6 Management of Security Attributes (FMT_MSA.1) ................................................ 20 5.8.7 Static Attribute Initialization (FMT_MSA.3)........................................................... 20 5.8.8 Specification of Management Functions (FMT_SMF.1).......................................... 20 5.8.9 Security Management Roles (FMT_SMR.1)............................................................ 21 5.8.10 Internal TOE TSF data transfer (FPT_ITT.1)........................................................... 21 5.8.11 Reliable Time Stamps (FPT_STM.1) ....................................................................... 21 5.8.12 Non-bypassability of the TSP (FPT_RVM.1) .......................................................... 21 5.8.13 TSF Domain Separation (FPT_SEP.1) ..................................................................... 21 6. TOE SUMMARY SPECIFICATION........................................................................ 21 CS1557.008, Revision .09 February 21, 2006 v 6.1 Statement of TOE Security Functions .......................................................................... 21 6.2 Statement of Assurance Measures................................................................................. 24 7. RATIONALE .......................................................................................................... 26 7.1 Security Objectives Rationale........................................................................................ 26 7.1.1 Security Objectives Sufficiency................................................................................ 27 7.1.1.1 Threats................................................................................................................... 27 7.1.1.2 Policies.................................................................................................................. 27 7.1.2 Security Objectives Sufficiency................................................................................ 29 7.1.2.1 Assumptions.......................................................................................................... 29 7.1.2.2 Threats................................................................................................................... 29 7.1.2.3 Policies.................................................................................................................. 29 7.1.3 Security Requirements Rationale.............................................................................. 30 7.2 TOE Summary Specification Rationale........................................................................ 35 7.2.1 IT Security Functions Rationale (SFRs)................................................................... 36 7.3 Assurance Measures Rationale...................................................................................... 38 LIST OF TABLES TABLE 2.1- DAEMON ALLOCATION 7 TABLE 5.1: SFR DEPENDENCY TABLE FOR THE TOE 15 TABLE 5-2: SFR DEPENDENCY TABLE FOR THE IT ENVIRONMENT 16 TABLE 5.3: SECURITY ASSURANCE COMPONENTS 17 TABLE 6.1: SECURITY ASSURANCE COMPONENTS 25 TABLE 7.1: SUMMARY OF CORRESPONDENCE BETWEEN THREATS /POLICIES AND SO'S FOR THE TOE 27 TABLE 7.2: SUMMARY OF CORRESPONDENCE BETWEEN THREATS/ASSUMPTIONS/POLICIES AND SO'S FOR THE IT ENVIRONMENT 28 TABLE 7.3: SECURITY REQUIREMENTS RATIONALE FOR THE TOE 30 TABLE 7.4: SECURITY REQUIREMENTS RATIONALE FOR THE IT ENVIRONMENT 33 TABLE 7.5: SUMMARY OF CORRESPONDENCE BETWEEN THE TSF AND SFRS 36 TABLE 7.6: TOE SECURITY FUNCTIONS RATIONALE 36 TABLE 7.7: ASSURANCE MEASURES RATIONALE 38 LIST OF FIGURES FIGURE 2.1: PLATFORM LSF HPC COMPUTING ENVIRONMENT..............................................................5 LIST OF ANNEXES ANNEX "A": GLOSSARY CS1557.008, Revision .09 February 21, 2006 vi Platform Computing Inc. 3760 14th Avenue Markham, Ontario L3R 3T7 Canada Tel: (905) 948-8448 Fax: (905) 948-9975 email: info@platform.com www.platform.com 1. INTRODUCTION TO THE SECURITY TARGET 1.1 Security Target Identification Title: Platform Load Sharing Facility (LSF) High Performance Computing (HPC) 6.2 Security Target EAL 2 Product: Platform LSF HPC 6.2 ST Revision Number: .06 DRAFT Manufacturer: Platform Computing Inc. 1.2 Security Target Overview This ST describes the IT security requirements for the Platform’s LSF HPC 6.2 software. The LSF HPC 6.2 software manages batch compute jobs on clusters of computer systems. Users use the LSF to submit jobs that require significant CPU time, memory, and/or disk space. Several server processes running on each system co-ordinate to distribute the load across the cluster. User jobs are submitted using the LSF HPC 6.2 queuing software and the LSF HPC determines where jobs will be run. The LSF software requires support from the underlying operating system for some security functionality. For the purpose of this evaluation the operating system is Red Hat Enterprise Linux AS version 3 Update 3. This version of Linux has been CC certified at the EAL 3+ level. The LSF HPC can: • Utilize computing resources at maximum capacity; • Take full advantage of high performance network interconnects available on clustered systems and supercomputers; • Use topology-based scheduling that enables maximum application performance for industry leading interconnects; • Provide scalability and performance; and • Utilize an extensive library of third party application integrations. 1.3 CC Conformance Claim The Target of Evaluation (TOE) is conformant with: • CC Version 2.2 Part 2; and • CC Version 2.2 Part 3 1.4 Protection Profile Conformance Claim This ST does not claim conformance to any Protection Profile. CS1557.008; Revision .09 February 21, 2006 1 CS1557.008, Revision .09 February 21, 2006 2 1.5 Security Target Organization The main sections of the ST are the target of evaluation (TOE) description, TOE security environment, security objectives, IT security requirements, TOE summary specification, rationale, and annexes. The TOE description provides general information about the TOE, defines the evaluated configuration for the TOE, and serves as an aid to understanding its security requirements. The TOE security environment describes security aspects of the environment in which the TOE is to be used and the manner in which it is to be employed. The TOE security environment includes: • assumptions regarding the TOE’s intended usage and environment of use; • threats relevant to secure TOE operation; and • organizational security policies with which the TOE must comply. The security objectives reflect the stated intent of the TOE and its environment. They pertain to how the TOE will counter identified threats and how it will cover identified organizational security policies and assumptions. Each security objective is categorized as being for the TOE or for the environment. The security requirements section provides the IT security requirements as follows: • TOE security functional requirements (SFRs); • TOE security assurance requirements (SARs); and • IT environment security functional requirements. The TOE summary specification (TSS) provides a description of the TOE security functions (TSF) that the TOE provides in order to satisfy the SFRs. The TSS also describes the assurance measures that will be used to satisfy the SARs. The determination of whether or not the TSFs and SARs satisfy the security requirements is the objective of the TOE evaluation. The rationale presents evidence that the ST is a complete and cohesive set of requirements and that a conformant TOE would provide an effective set of IT security countermeasures within the security environment. The rationale is in three main parts. First, a security objectives rationale demonstrates that the stated security objectives are traceable to all of the aspects identified in the TOE security environment and are suitable to cover them. Then, a security requirements rationale demonstrates that the security requirements (TOE and environment) are traceable to the security objectives and are suitable to meet them. Finally, a TOE summary specification rationale demonstrates that the TOE security functions and assurance measures are traceable to the security requirements and are suitable to meet them. CS1557.008, Revision .09 February 21, 2006 3 1.6 Related Standards and Documents 1. Common Criteria Version 2.2 - Common Criteria for Information Technology Security Evaluation; Part 1: Introduction and general model, Part 2: Security functional requirements, and Part 3: Security assurance requirements. 2. Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 2.2. 2. TARGET OF EVALUATION DESCRIPTION The Target of Evaluation (TOE) is the LSF HPC 6.2. The TOE logical boundary is considered to be the LSF HPC 6.2 software. The TOE is installed and operated on one or more hosts. Hosts are defined as an individual computer in the cluster. The group of hosts running the software work together as a single unit, combining computing power and sharing workload and resources. The TOE includes the Multi-Cluster option which allows for organizations to have separate, independently managed clusters. Communication between the clusters is secured using Stunnel, which is an SSL encryption wrapper that wraps around standard, non-secure network traffic for certain services and prevents interceptors from being able to "sniff" the communication between client and server1 . The TOE requires support from the underlying operating system for some security functionality. For the purpose of this evaluation the operating system is Red Hat Enterprise Linux AS version 3 Update 3. This version of Linux has been CC certified at the EAL 3+ level. 2.1 TOE Functional Description Diagram 2.1 is a general representation of the LSF environment. The Platform LSF HPC provides a multiprocessing computing environment that permits software applications (jobs) to run concurrently on several different hosts (processors), thus reducing the execution time. The Platform LSF HPC is comprised of one or more clusters, each of which includes the following: • Submission Hosts which are responsible for submitting jobs that require processing. • A Master Host which controls the allocation of these jobs to the hosts that will perform the processing. The Master acts as a coordinator for the Cluster, performing all the scheduling and dispatching tasks. • Compute Hosts, also called Execution Hosts, which are responsible for executing the jobs that have assigned to them. • A Master Candidate Host which is a Server (Compute or Submission) which can assume the role of Master Host in the event of a failure on that system. 1 Stunnel is a security function provided by the IT environment. CS1557.008, Revision .09 February 21, 2006 4 All hosts take on the designations of Client or Server. A Client, as typified by a Submission Host, is only capable of submitting jobs to the Master. It cannot assume any other role. A Server is capable of submitting jobs, like a Client, but it is also capable of performing the Master Host and computing functions (Compute Host). In the event that the Master Host goes down, one of the Server Hosts called a Master Candidate will assume its role. CS1557.008; Revision .06 Figure 2.1 – Platform LSF HPC Computing Environment February 21, 2006 5 Before being processed by the Master Host, all batch jobs are placed in a queue. Queues are system-wide, i.e., they are not associated with a specific host. It is the job of the Master Host to determine which Compute Host is to receive the job. Each queue is defined by a unique set of job control and execution parameters. It is also possible to submit interactive jobs to a queue. In this case, I/O is directed to a session running on a specific terminal where the job originated. The interactive session must be completed before the next job can be submitted to that session. The following daemons, which run on the various LSF HPC hosts, make up the logical boundary of the TOE: • Master Batch Daemon (mbatchd) – This daemon provides job request and dispatch functionality and runs on the master host. This daemon is responsible for the overall state of jobs in the system. It receives job submission, and information query requests, manages jobs held in queues and dispatches jobs to hosts as determined by mbschd. • Master Batch Scheduler Daemon (mbschd) – This daemon makes scheduling decisions based on job requirements and policies. This daemon runs on the master host. • Slave Batch Daemon (sbatchd) - The Slave Batch Daemon runs on each server host. This daemon receives the request to run the job from mbatchd and manages local execution of the job. It is responsible for enforcing local policies and maintaining the state of jobs on the host. sbatchd forks a child process for every job. The child sbatchd runs an instance of res to create the execution environment in which the job runs. The child sbatchd exits when the job is complete. • Remote Execution Server (RES) – RES runs on each server host. It accepts remote execution requests to provide transparent and secure remote execution of jobs and tasks. • Load Information Manager (LIM) – The LIM runs on each server host. The LIM collects host load and configuration information and forwards it to the master LIM running on the master host. • Master LIM - The Master LIM runs on the master host. It receives load information from the LIMs running on hosts in the cluster. It forwards load information to mbatchd, which forwards this information to mbschd to support scheduling decisions. If the master LIM becomes unavailable, a LIM on another host automatically takes over. • Process Information Manager (PIM) - PIM runs on each server host. It is started by LIM, which periodically checks on pim and restarts it if it dies. It collects information about job processes running on the host such as CPU and memory used by the job, and reports the information to sbatchd. CS1557.008; Revision .06 February 21, 2006 6 CS1557.008, Revision .09 February 21, 2006 7 A mapping of daemons to hosts is shown in Table 2.1. Table 2.1- Daemon Allocation Master Submission Execution Daemon mbatchd X mbsched X sbatchd X X X RES X X X Master LIM X LIM X X PIM X X X 2.2 Features The primary security features offered by the TOE with support from the IT environment are as follows. 2.2.1 Access Control Role based access control is enforced for the Primary Cluster Administrator, Cluster Administrator, Queue Administrator, Queue user and Any User roles. An access request is granted or denied based on a set of configuration files that define user-to-role and role-to- authorization mappings. 2.2.2 Audit The TOE provides an audit capability that generates audit records for security critical events. 2.2.3 Identification and Authentication The TOE with support from the Linux OS provides user identification and authentication functionality. Authentication is the process of identification of a user, device or other entity, (typically based on a password or pass phrase) known only to a single user, which when paired with the user’s identification allows access to a secure resource. The TOE validates user accounts at the system level, which enables the user account to be to be valid on all hosts. Users must have valid accounts on all hosts. This allows any user to run a job with their own permissions on any host in the cluster. CS1557.008, Revision .09 February 21, 2006 8 2.2.4 Security Management The TOE provides roles to manage security functions. Only authorized roles are permitted to manage the TOE and perform administrative functions. 2.2.5 Protection of TOE Security Functions The TOE with support from the IT environment provides reliable timestamps via the OS’s internal real time clock. The underlying OS ensures that the TOE Security Policy enforcement functions are invoked and succeed before each function within the TOE Scope of Control (TSC) is allowed to proceed. The underlying OS maintains a security domain for its own execution that protects it from interference and tampering by untrusted subjects. 2.2.6 Resource Allocation The TOE provides the functionality to allocate resource limitations to ensure that a user or process cannot monopolize a resource and cause a denial of service. 2.2.7 User and Authentication Data Protection The TOE with support from the environment provides both user and authentication data protection. User and authentication data, which is communication between the clusters, is secured using Stunnel. Stunnel is an SSL encryption wrapper that wraps around standard, non- secure network traffic for certain services and prevents interceptors from being able to "sniff" the communication between client and server. 3. TOE SECURITY ENVIRONMENT This section identifies the security problem that exists with the protection of identified assets. The security problem is expressed as threats and policy that the TOE, operating in its environment, must address. For the TOE to fulfill its security requirements, specific conditions must be upheld in the operating environment. These conditions are expressed as assumptions. 3.1 Assets The assets of concern to this ST are defined as follows: • LSF Users. LSF users are defined as a user account which has permission to submit jobs to the LSF cluster. • Administrative Users. Administrative users are defined as those users required to configure and manage the TOE. CS1557.008, Revision .09 February 21, 2006 9 • Information. User data held within the LSF including data in transit between remote hosts. • TSF data. TSF data is defined as data that is required to support the secure operations on the data held within the LSF. This data includes: authentication data, configuration data/files, audit data, access control attributes such as permission bits. • Objects. Objects are defined as cluster, queue, job and host. The TOE’s role based access control policy governs subject access to the identified objects. 3.2 Statement of Assumptions The specific conditions listed below are assumed to exist in the LSF HPC operating environment. Each assumption is stated in bold type font. An application note, in normal font, which supplies additional information and interpretation, follows it. 3.2.1 Personnel Assumptions A.TRUSTED_ADMIN The system administrative personnel are trusted and not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the administrator/user documentation. Furthermore, the administrators of the TOE have been adequately trained in order for them to securely configure the TOE. 3.2.2 Physical Assumptions A.PHYSICAL The TOE resides in a controlled and physically secure environment. 3.3 Statement of Threats The following threats are addressed by the TOE operating in its intended environment or by technical security measures provided by the IT environment or by non-technical security measures (personnel, procedural and physical measures) in the environment. 3.3.1 Threats Countered by the TOE T.DENIAL_OF _SERVICE A TOE user or process could monopolize TOE resources thereby causing denial of service. T.ACCESS A TOE user could gain access to objects they are not permitted access to. CS1557.008, Revision .09 February 21, 2006 10 3.3.2 Threats Countered by the IT Environment T.E.TRANSIT Data transferred between nodes is disclosed to or is modified by an authorized user or process. T.E.ACCESS_TOE An unauthorized user gains access to the underlying OS, thereby gaining unauthorized access to the TOE. 3.4 Organizational Security Policy Each policy is stated in bold type font, and is followed by an application note, in normal font, which supplies additional information and interpretation. P.AUTHORIZED_USERS Only those users who have been authorized to access the information within the system may access the system. P.NEED_TO_KNOW The system must limit the access to, modification of, and destruction of the information in protected resources to those authorized users which have a “need to know” for that information. P.ACCOUNTABILITY The users of the system shall be held accountable for their actions within the system. 4. SECURITY OBJECTIVES 4.1 TOE Security Objectives This section defines the security objectives of the TOE. Security objectives are categorized as either IT security objectives or non-IT security objectives and serve to reflect the stated intent to counter identified threats and/or comply with any organizational security policies identified. Each objective is stated in bold type font. If required, an application note, in normal font, which supplies additional information and interpretation, follows it. 4.1.1 TOE IT Security Objectives O.ACCESS _CONTROL The TOE must provide the means to enforce an access control policy among subjects and objects. CS1557.008, Revision .09 February 21, 2006 11 O.AUDITING The TSF must record the security relevant actions of users of the TOE. The TSF must present this information to authorized administrators. O.ADMIN The TOE must provide functionality, which enables an authorized administrator to effectively manage the TOE and its security functions, and must ensure that only authorized administrators are able to access such functionality. O.AVAILABILITY The TOE must provide functionality to control the use of resources by users and subjects such that a denial of service will not occur due to the monopolization of TOE resources. 4.2 Environmental Security Objectives 4.2.1 IT Environmental Security Objectives O.E.I_AND_A The IT environment must provide the means to identify and authenticate users of the TOE. O.E.DISCRETIONARY_ACCESS The IT environment must control access to resources based on the identity of users. O.E.SECURE _CHANNEL The IT environment must provide the means to transmit authentication data and user data securely to remote hosts. O.E.ENFORCEMENT The underlying OS (IT environment) must be designed and implemented in a manner which ensures that the organizational policies are enforced. O.E.TIME_STAMPS The IT environment must provide reliable time-stamps for the audit records. 4.2.2 Non-IT Security Objectives for the Environment The non-IT Environmental security objectives are as follows. O.E.PHYSICAL Those responsible for the physical security of the TOE must ensure that the TOE is protected from physical attack. O.E.TRUSTED_ADMIN CS1557.008, Revision .09 February 21, 2006 12 Those responsible for the management and configuration of the TOE must be trusted and adequately trained to perform their management functions. 5. IT SECURITY REQUIREMENTS This section specifies the Security Functional Requirements (SFRs) for the TOE and the IT environment. All SFRs were drawn from Part 2 of the CC. In the section that follows some SFRs have been iterated as both the TOE and the IT environment perform the security function. To distinguish between the iterations a (1) after the SFR title indicates a security function for the TOE and a (2) after the SFR title indicates a security function for the IT environment. 5.1 Audit 5.1.1 Audit Data Generation (FAU_GEN.1) FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the [selection: basic] level of audit; and c) Auditable events include: ƒ userok: Request from bad port () ƒ userok: Forged username suspected from ƒ resControl: Operation permission denied, uid = FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and b) For each audit event type, based on the auditable event definitions of the functional components included in the ST: The audit function will record all write and execute operations on the following: ƒ Configure a cluster; ƒ Control (start and shutdown) of a cluster; ƒ Control (open and close) a queue; ƒ Submit a job; ƒ Control (suspend, resume, terminate and change a priority of a job); ƒ Add, configure and delete a host; ƒ Control (open and close) a host. CS1557.008, Revision .09 February 21, 2006 13 5.1.2 Audit Review (FAU_SAR.1) FAU_SAR.1.1 The TSF shall provide [assignment: Primary Cluster Administrator] with the capability to read [assignment: all audit information] from the audit records. FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information. 5.1.3 Restricted Audit Review (FAU_SAR.2) FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access. 5.2 User Data Protection 5.2.1 Subset Access Control (FDP_ACC.1) (1) FDP_ACC.1.1 The TSF shall enforce the [assignment: Role Based Access Control Policy] on [assignment: list of subjects, objects and operations among subjects and objects covered by the SFP]. Subjects: Primary Cluster Administrator, Cluster Administrator, Queue Administrator, Queue User, Any User. Objects: Cluster, Queue, Job, Host Operations: read, write, execute. 5.2.2 Security Attribute based Access Control (FDP_ACF.1) (1) FDP_ACF.1.1 The TSF shall enforce the [assignment: Role Based Access Control Policy] to objects based on the following: a) The assigned user role; and b) The following access control attributes associated with an object: read, write and execute permission bits. FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: a) A subject can access an object only if the subject has been assigned a role. b) A subject's active role must be authorized for the subject. This rule ensures that users can take on only roles for which they are authorized. c) A subject can access an object only if the object is authorized for the subject's active role. CS1557.008, Revision .09 February 21, 2006 14 FDP_ACF.1.3 The TSF shall explicitly authorize access of subject to objects based on the following additional rules: [assignment: no additional rules.] FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the [assignment: subjects can only access objects that are authorized for their role. An attempt to access an object not part of a role will be denied.] 5.3 Security Management 5.3.1 Management of Security Attributes (FMT_MSA.1) (1) FMT_MSA.1.1 The TSF shall enforce the [assignment: Role Based Access Control Policy] to restrict the ability to [selection: change default, query, modify, delete [assignment: no other operations]] the security attributes [assignment: role assignment, cluster queue and host configuration, resource allocation limits] to [assignment: the Primary Cluster Administrator]. 5.3.2 Static Attribute Initialization (FMT_MSA.3) (1) FMT_MSA.3.1 The TSF shall enforce the [assignment: Role Based Access Control Policy] to provide restrictive default values for security attributes that are used to enforce the Role Based Access Control Policy. FMT_MSA.3.2 The TSF shall allow the [assignment: the Primary Cluster Administrator] to specify alternative initial values to override the default values when an object or information is created. 5.3.3 Management of TSF Data (FMT_MTD.1) FMT_MTD.1.1 The TSF shall restrict the ability to [selection: modify, delete] the [assignment: TOE configuration files] to [assignment: the Primary Cluster Administrator]. 5.3.4 Specification of Management Functions (FMT_SMF.1) (1) FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: [assignment: the audit management function and resource allocation management function, access control function]. 5.3.5 Security Roles (FMT_SMR.1) (1) FMT_SMR.1.1 The TSF shall maintain the roles: [assignment: Primary Cluster Administrator, Cluster Administrator, Queue Administrator, Queue User, Any User]. CS1557.008, Revision .09 February 21, 2006 15 FMT _SMR.1.2 The TSF shall be able to associate users with roles. 5.4 Resource Allocation 5.4.1 Maximum Quotas (FRU_RSA.1) FRU_RSA.1.1 The TSF shall enforce maximum quotas of the following resources: [assignment: job slots by host, job slots by processor, memory, swap space, tmp space, software licenses, CPU time limit] that [selection: defined groups of users] can use [selection: simultaneously and over a specified period of time]. Application Note: Defined group of users refers to users and user groups, hosts and host groups, queues, all jobs in the cluster. 5.5 SFR Dependencies Some of the IT Security Functions described above have dependencies. The following table illustrates that the security target has satisfied SFRs which have dependencies and provides remarks for those which are omitted. Table 5.1: SFR Dependency Table for the TOE Security Functional Requirement Dependencies Remarks FAU_GEN.1 FPT_STM.1 Included FAU_SAR.1 FAU_GEN.1 Included FAU_SAR.2 FAU_SAR.1 Included FDP_ACC.1 (1) FDP_ACF.1 (1) Included FDP_ACF.1 (1) FDP_ACC.1 (1), FMT_MSA.3 (1) Included FMT_MSA.1 (1) FDP_ACC.1 (1), FMT_SMF.1 (1), FMT_SMR.1 (1) Included CS1557.008, Revision .09 February 21, 2006 16 Security Functional Requirement Dependencies Remarks FMT_MSA.3 (1) FMT_MSA.1 (1), FMT_SMR.1 (1) Included FMT_MTD.1 FMT_SMR.1 (1), FMT_SMF.1 (1) Included FMT_SMF.1 (1) N/A N/A FMT_SMR.1 (1) FIA_UID.1 Satisfied by FIA_UID.2 which is hierarchical to FIA_UID.1. FRU_RSA.1 N/A N/A Table 5-2: SFR Dependency Table for the IT Environment Security Functional Requirement Dependencies Remarks FDP_ACC.1 (2) FDP_ACF.1 (2) Included FDP_ACF.1 (2) FDP_ACC.1 (2), FMT_MSA.3 (2) Included FDP_ITT.1 FDP_ACC.1 (2) Included FIA_UAU.2 FIA_UID.1 Satisfied by FIA_UID.2 which is hierarchical to FIA_UID.1. FIA_UID.2 N/A N/A FMT_MSA.1 (2) FDP_ACC.1 (2), FMT_SMF.1 (2), FMT_SMR.1 (2) Included FMT_MSA.3 (2) FMT_MSA.1 (2), FMT_SMR.1 (2) Included FMT_SMF.1 (2) N/A N/A CS1557.008, Revision .09 February 21, 2006 17 Security Functional Requirement Dependencies Remarks FMT_SMR.1 (2) FIA_UID.1 Satisfied by FIA_UID.2 which is hierarchical to FIA_UID.1. FPT_ITT.1 N/A N/A FPT_RVM.1 N/A N/A FPT_SEP.1 N/A N/A FPT_STM.1 N/A N/A 5.6 TOE Security Assurance Requirements The assurance requirements for the TOE are as specified in the EAL 2 package. This level was chosen considering the intended operational security environment for the TOE and the existing assurance measures in the development environment. The assurance requirements are summarized in Table 5-3. As none of the IT security assurance requirements are refined, they are not transcribed in the ST. The reader is referred to Part 3 of the Common Criteria. It should be noted that AVA_SOF.1 is not required for this evaluation as the password functionality is provided by IT environment. Table 5.3: Security Assurance Components Component Component Name Refined? ACM_CAP.2 Configuration items No ADO_DEL.1 Delivery procedures No ADO_IGS.1 Installation, generation, and start-up procedures No ADV_FSP.1 Informal functional specification No ADV_HLD.1 Descriptive high-level design No ADV_RCR.1 Informal correspondence demonstration No AGD_ADM.1 Administrator guidance No AGD_USR.1 User guidance No ATE_COV.1 Evidence of coverage No CS1557.008, Revision .09 February 21, 2006 18 Component Component Name Refined? ATE_FUN.1 Functional testing No ATE_IND.2 Independent testing – sample No AVA_VLA.1 Developer vulnerability analysis No 5.7 Strength of Function Requirement There is no claimed strength of function (SOF) for the TOE. The user authentication password is required at the OS level only. The reader is referred to the Red Hat Linux AS version 3 update 3 security target for the SOF explanation. 5.8 Security Requirements for the IT Environment The following security functions have been allocated to the IT environment. 5.8.1 Subset Access Control (FDP_ACC.1) (2) FDP_ACC.1.1 The TSF shall enforce the [assignment: Discretionary Access Control Policy] on [assignment: processes acting on behalf of users as subjects and the following objects: files, directories and devices] and all operations among subjects and objects covered by the Discretionary Access Control Policy. 5.8.2 Security Attribute based Access Control (FDP_ACF.1) (2) FDP_ACF.1.1 The TSF shall enforce the [assignment: Discretionary Access Control Policy] to objects based on the following: a) user identity; and b) ACLs and permission bits (read, write, execute). FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: File system objects within the ext3 file system: A subject must have search permission for every element of the pathname and the requested access for the object. A subject has a specific type access to an object if: The subject has been granted access according to the ACL_USER_OBJ or ACL_OTHER type entry in the ACL of the object. Or CS1557.008, Revision .09 February 21, 2006 19 The subject has been granted access by an ACL_USER, ACL_GROUP_OBJ or ACL_GROUP entry and the associated right is also granted by the ACL_MASK entry of the ACL if the ACL_MASK entry exist. Or The subject has been granted access by the ACL_GROUP_OBJ entry and no ACL_MASK entry exists in the ACL of the object. File system objects in other file systems: A subject must have search permission for every element of the pathname and the requested access for the object. A subject has a specific type access to an object if: The subject has the effective userid of the owner of the object and the requested type of access is within the permission bits defined for the owner. Or The subject has not the effective userid of the owner of the object but the effective group id identical to the file system objects group id and the requested type of access is within the permission bits defined for the group. Or The subject has neither the effective userid of the owner of the object nor is the effective group id identical to the file system object group id and requested type of access is within the permission bits defined for "world". FDP_ACF.1.3 The TSF shall explicitly authorize access of subject to objects based on the following additional rules: A process with a user ID of 0 is known as a root user process. These processes are generally allowed all access permissions. But if a root user process requests execute permission for a program (as a file system object), access is granted only if execute permission is granted to at least one user. FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following rules: Write access to file system objects on a file system mounted as read-only is always denied. Write access to a file marked as immutable is always denied. CS1557.008, Revision .09 February 21, 2006 20 5.8.3 Basic Internal Transfer Protection (FDP_ITT.1) FDP_ITT.1.1 The TSF shall enforce the [assignment: Discretionary Access Control Policy] to prevent the [selection: disclosure, modification] of user data when it is transmitted between physically separated parts of the TOE. 5.8.4 User Authentication Before Any Action (FIA_UAU.2) FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF mediated actions on behalf of that user. 5.8.5 User Identification Before Any Action (FIA_UID.2) FIA_UID.2.1 The TSF shall require each user to identify itself before allowing any other TSF- mediated actions on behalf of that user. 5.8.6 Management of Security Attributes (FMT_MSA.1) (2) FMT_MSA.1.1 The TSF shall enforce the [assignment: Discretionary Access Control Policy] to restrict the ability to [selection: modify [assignment: no other operations]] the [assignment: access control attributes associated with a named object] to [assignment: administrative users and the owner of the object]. 5.8.7 Static Attribute Initialization (FMT_MSA.3) (2) FMT_MSA.3.1 The TSF shall enforce the [assignment: Discretionary Access Control Policy] to provide restrictive default values for security attributes that are used to enforce the Discretionary Access Control Policy. FMT_MSA.3.2 The TSF shall allow the [assignment: administrative users and the owner of the object] to specify alternative initial values to override the default values when an object or information is created. 5.8.8 Specification of Management Functions (FMT_SMF.1) (2) FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions [assignment: object security attributes management, user attribute management, authentication data management, audit event management]. CS1557.008, Revision .09 February 21, 2006 21 5.8.9 Security Management Roles (FMT_SMR.1) (2) FMT_SMR.1.1 The TSF shall maintain the roles: [assignment: authorized administrator, users authorized by the Discretionary Access Control Policy to modify object security attributes and users authorized to modify their own authentication data]. FMT_SMR.1.2 The TSF shall be able to associate users with roles. 5.8.10 Internal TOE TSF data transfer (FPT_ITT.1) FPT_ITT.1.1 The TSF shall protect TSF data from [selection: disclosure, modification] when it is transmitted between separate parts of the TOE. 5.8.11 Reliable Time Stamps (FPT_STM.1) FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use. 5.8.12 Non-bypassability of the TSP (FPT_RVM.1) FPT_RVM.1.1 The TSF shall ensure that the TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed. 5.8.13 TSF Domain Separation (FPT_SEP.1) FPT_SEP.1.1 The TSF shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects. FPT_SEP.1.2 The TSF shall enforce separation between the security domains of subjects in the TSC. 6. TOE SUMMARY SPECIFICATION 6.1 Statement of TOE Security Functions This section contains a listing of the TOE security functions that satisfy the SFRs. ITSF_AUDIT The audit function records log file contents in a file. Viewing of the log files is restricted to the Primary Cluster Administrator. The following audit events are recorded: ¾ userok: Request from bad port () ¾ userok: Forged username suspected from CS1557.008, Revision .09 February 21, 2006 22 ¾ resControl: Operation permission denied, uid = ) ¾ userok: Forged username suspected from ¾ resControl: Operation permission denied, uid = ) ¾ userok: Forged username suspected from ¾ resControl: Operation permission denied, uid =