Cray UNICOS/lc Operating System 2.1 Security Target for CAPP Compliance Version: 1.15 Last Update: 2008­10­07 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ atsec is a trademark of atsec information security GmbH Cray and the Cray logo are registered trademarks of Cray Incorporated. IBM is a registered trademark of International Business Machines Corporation in the United States, other countries, or both. Intel and Pentium are trademarks of Intel Corporation in the United States, other countries, or both. Java and all Java-based products are trademarks of Sun Microsystems, Inc., in the United States, other countries, or both. Linux is a registered trademark of Linus Torvalds. UNIX is a registered trademark of The Open Group in the United States and other countries. This document is provided AS IS with no express or implied warranties. Use the information in this document at your own risk. This Security Target is derived from the “SUSE Linux Enterprise Server 9 Security Target with the certification- sles-ibm-eal4 package, Version 3.10” Security Target sponsored by the IBM Corporation for the EAL4+ evaluation, and the “SuSE Linux Enterprise Server V 8 with Service Pack 3 Security Target with CAPP compliance”, version 2.7 sponsored by the IBM Corporation for the EAL3 evaluation. The original Security Targets are copyrighted by IBM Corporation and atsec information security GmbH. This document may be reproduced or distributed in any form without prior permission provided the copyright notice is retained on all copies. Modified versions of this document may be freely distributed provided that they are clearly identified as such, and this copyright is included intact. Copyright of the original Security Target © 2004, 2005, 2006 by atsec GmbH, and IBM Corporation or its wholly owned subsidiaries. Copyright of the changes from the original Security Target © 2004, 2005, 2006 by atsec information security corp and Cray Inc. or its wholly owned subsidiaries. 2008­10­07 Cray / Novell / atsec Page 2 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Document History Version Date Summary Author 0.01 2004­10­21 Initial Version , derived from the ST used for the IBM SLES8 EAL3 evaluation. Andreas Siegert, atsec 1.0 2006­08­11 Update for SLES 10 SP1 on Cray hardware Klaus Weidner, atsec 1.1 2006­08­18 Add specific TOE description and adapt TSF Klaus Weidner, atsec 1.2 2006­08­18 Formatting changes Klaus Weidner, atsec 1.3 2006­09­01 Minor editorial changes Klaus Weidner, atsec 1.4 2006­09­04 changed ALC_FLR.3 to ALC_FLR.1 Klaus Weidner, atsec 1.5 2006­09­05 Minor clarifications and corrections Klaus Weidner, atsec 1.6 2006­09­06 Clarified TOE description Klaus Weidner, atsec 1.7 2006­09­07 add FPT_TRC.1 Klaus Weidner, atsec 1.8 2006­10­03 Version number change plus minor editorial changes Dinesh Vakharia, atsec 1.9 2006­11­14 minor changes based on evaluator feedback Klaus Weidner, atsec 1.10 2007­08­02 update authentication data management Klaus Weidner, atsec 1.11 2008­03­06 clarify ACLs; update installation methods; CNL clarification; password change by admins Klaus Weidner, atsec 1.12 2008­07­24 Update of TOE version Andreas Siegert, atsec 1.13 2008­08­22 Editorial changes, changes to FCS_CKM.1(3) Andreas Siegert, atsec 1.14 2008­09­18 Update of FCS_CKM.1(1) Andreas Siegert, atsec 1.15 2008­10­07 Addition of standard to FCS_CKM.1(1) Andreas Siegert, atsec 2008­10­07 Cray / Novell / atsec Page 3 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Table of Content 1 Introduction..................................................................................................................................................................8 1.1 ST Identification...................................................................................................................................................8 1.2 ST Overview........................................................................................................................................................8 1.3 CC Conformance.................................................................................................................................................8 1.4 Strength of Function............................................................................................................................................8 1.5 Structure................................................................................................................................................................8 1.6 Terminology.........................................................................................................................................................9 2 TOE Description........................................................................................................................................................10 2.1 Intended Method of Use....................................................................................................................................10 2.2 Summary of Security Features............................................................................................................................12 2.2.1 Identification and Authentication...............................................................................................................12 2.2.2 Audit............................................................................................................................................................12 2.2.3 Discretionary Access Control......................................................................................................................12 2.2.4 Object Reuse...............................................................................................................................................13 2.2.5 Security Management.................................................................................................................................13 2.2.6 Secure Communication................................................................................................................................13 2.2.7 TSF Protection............................................................................................................................................13 2.3 Software.............................................................................................................................................................13 2.4 Configurations.....................................................................................................................................................13 2.4.1 File systems..................................................................................................................................................14 2.4.2 TOE Hardware.............................................................................................................................................14 2.4.3 TOE Environment........................................................................................................................................15 3 TOE Security Environment.......................................................................................................................................16 3.1 Introduction.........................................................................................................................................................16 3.2 Threats.................................................................................................................................................................16 3.2.1 Threats countered by the TOE.....................................................................................................................16 3.2.2 Threats to be countered by measures within the TOE environment............................................................17 3.3 Organizational Security Policies.........................................................................................................................17 3.4 Assumptions........................................................................................................................................................17 3.4.1 Physical Aspects..........................................................................................................................................17 3.4.2 Personnel Aspects........................................................................................................................................17 3.4.3 Connectivity Aspects...................................................................................................................................18 4 Security Objectives....................................................................................................................................................19 4.1 Security Objectives for the TOE.........................................................................................................................19 4.2 Security Objectives for the TOE Environment...................................................................................................19 5 Security Requirements...............................................................................................................................................21 5.1 TOE Security Functional Requirements.............................................................................................................21 5.1.1 Security Audit (FAU)..................................................................................................................................21 5.1.2 Cryptographic Support (FCS)......................................................................................................................27 5.1.3 User Data Protection (FDP)........................................................................................................................29 5.1.4 Identification and Authentication (FIA).....................................................................................................32 2008­10­07 Cray / Novell / atsec Page 4 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 5.1.5 Security Management (FMT).....................................................................................................................35 5.1.6 Protection of the TOE Security Functions (FPT).......................................................................................39 5.1.7 Strength of Function....................................................................................................................................40 5.2 TOE Security Assurance Requirements............................................................................................................40 5.3 Security Requirements for the IT Environment.................................................................................................40 5.4 Security Requirements for the Non-IT Environment.........................................................................................41 6 TOE Summary Specification.....................................................................................................................................42 6.1 Security Enforcing Components Overview........................................................................................................42 6.1.1 Introduction..................................................................................................................................................42 6.1.2 Kernel Services...........................................................................................................................................42 6.1.3 Non-Kernel TSF Services...........................................................................................................................42 6.1.4 Network Services........................................................................................................................................43 6.1.5 Security Policy Overview............................................................................................................................43 6.1.6 TSF Structure .............................................................................................................................................44 6.1.7 TSF Interfaces.............................................................................................................................................44 6.1.8 Secure and Non-Secure States ...................................................................................................................45 6.2 Description of the Security Enforcing Functions..............................................................................................45 6.2.1 Introduction.................................................................................................................................................45 6.2.2 Identification and Authentication (IA).......................................................................................................46 6.2.3 Audit (AU)...................................................................................................................................................48 6.2.4 Discretionary Access Control (DA).............................................................................................................50 6.2.5 Object Reuse (OR).......................................................................................................................................56 6.2.6 Security Management (SM).........................................................................................................................57 6.2.7 Secure Communication (SC).......................................................................................................................59 6.2.8 TSF Protection (TP).....................................................................................................................................62 6.3 Supporting functions not part of the TSF...........................................................................................................65 6.3.1 User Processes.............................................................................................................................................65 6.4 Assurance Measures............................................................................................................................................66 6.5 TOE Security Functions requiring a Strength of Function.................................................................................66 7 Protection Profile Claims...........................................................................................................................................68 7.1 PP Reference.......................................................................................................................................................68 7.2 PP Tailoring........................................................................................................................................................68 8 Rationale....................................................................................................................................................................69 8.1 Security Objectives Rationale.............................................................................................................................69 8.1.1 Security Objectives Coverage......................................................................................................................69 8.1.2 Security Objectives Sufficiency...................................................................................................................70 8.2 Security Requirements Rationale........................................................................................................................71 8.2.1 Internal Consistency of Requirements.........................................................................................................71 8.2.2 Security Requirements Instantiation Rationale............................................................................................76 8.2.3 Security Requirements Coverage.................................................................................................................77 8.2.4 Security Requirements Dependency Analysis.............................................................................................78 8.2.5 Strength of function.....................................................................................................................................80 8.2.6 Evaluation Assurance Level........................................................................................................................80 2008­10­07 Cray / Novell / atsec Page 5 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 8.3 TOE Summary Specification Rationale..............................................................................................................80 8.3.1 Security Functions Justification...................................................................................................................80 8.3.2 Assurance Measures Justification................................................................................................................83 8.3.3 Strength of function.....................................................................................................................................83 8.4 PP Claims Rationale...........................................................................................................................................83 9 Abbreviations.............................................................................................................................................................85 2008­10­07 Cray / Novell / atsec Page 6 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ References [CC] Common Criteria for Information Technology Security Evaluation, Version 2.3, August 2005, Part 1 to 3 [CEM] Common Methodology for Information Technology Security Evaluation, Version 2.3, August 2005 [GUIDE] ISO/IEC PDTR 15446 Title: Information technology – Security techniques – Guide for the production of protection profiles and security targets, ISO/IEC JTC 1/SC 27 N 2449, 2000-01-04 [CAPP] Controlled Access Protection Profile, Issue 1.d, 8 October 1999 [ECG] Evaluated Configuration Guide in its current version [SSH-AUTH] RFC 4252: The Secure Shell (SSH) Authentication Protocol, http://www.ietf.org/rfc/rfc4252.txt [SSH-TRANS] RFC 4253: The Secure Shell (SSH) Transport Layer Protocol, http://www.ietf.org/rfc/rfc4253.txt [HMAC] RFC 2104: HMAC: Keyed-Hashing for Message Authentication, http://www.ietf.org/rfc/rfc2104.txt [SSLv3] The SSL Protocol Version 3.0, http://wp.netscape.com/eng/ssl3/draft302.txt [TLS-AES] RFC 3268: Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS), http://www.ietf.org/rfc/rfc3268.txt [X.509] ITU-T RECOMMENDATION X.509 | ISO/IEC 9594-8: INFORMATION TECHNOLOGY - OPEN SYSTEMS INTERCONNECTION - THE DIRECTORY: PUBLIC-KEY AND ATTRIBUTE CERTIFICATE FRAMEWORKS 2008­10­07 Cray / Novell / atsec Page 7 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 1 Introduction This is version 1.15 of the Security Target document for the evaluation of the Cray UNICOS/lc Operating System 2.1. This Security Target has been derived from the Security Target used for the previous evaluation of “SUSE Linux Enterprise Server 9 and the certification-sles-ibm-eal4 package” at the EAL4+ level. The major changes to this Security Target are:  Updated TOE boundary, now includes hardware  Updates for the Massively Parallel Processing (MPP) hardware  Updated kernel and system software (UNICOS/lc)  Assurance level is EAL3+ 1.1 ST Identification Title: Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+, Version 1.15 Keywords: Linux, Open Source, general-purpose operating system, POSIX, UNIX. This document is the security target for the CC evaluation of the Cray UNICOS/lc Operating System 2.1 operating system product, and is conformant to the Common Criteria for Information Technology Security Evaluation [CC] with extensions as defined in the Controlled Access Protection Profile [CAPP]. 1.2 ST Overview This security target documents the security characteristics of the “Cray UNICOS/lc Operating System 2.1” operating system (Official name: Cray UNICOS/lc Operating System 2.1). The Cray UNICOS/lc Operating System is a highly-configurable Linux-based operating system which has been developed to provide a good level of security as required in commercial environments. It also meets all of the requirements of the Controlled Access Protection Profile developed by the Information Systems Security Organization within the National Security Agency to map the TCSEC C2 class of the U.S. Department of Defense (DoD) Trusted Computer System Evaluation Criteria (TCSEC) to the Common Criteria framework. This Security Target therefore claims full compliance with the requirements of this Protection Profile and also includes additional functional and assurance packages beyond those required by CAPP. Several systems running the Cray UNICOS/lc Operating System can be connected to form a networked system. The communication aspects within the Cray UNICOS/lc Operating System used for this connection are also part of the evaluation. Communication links can be protected against loss of confidentiality and integrity by security functions of the TOE based on cryptographic protection mechanisms. This evaluation focuses on the use of the TOE as a server or a network of servers. Therefore a graphical user interface has not been included as part of the evaluation. In addition the evaluation assumes the operation of the network of servers in a non-hostile environment. The TOE includes the hardware and firmware used to run the software components. 1.3 CC Conformance This ST is CC Part 2 extended and Part 3 conformant, with a claimed Evaluation Assurance Level of EAL3 augmented by ALC_FLR.1. The extensions to part 2 of the Common Criteria are those introduced by the Controlled Access Protection Profile [CAPP]. 1.4 Strength of Function The claimed strength of function for this TOE is: SOF-medium. 1.5 Structure The structure of this document is as defined by [CC] Part 1 Annex C.  Section 2 is the TOE Description. 2008­10­07 Cray / Novell / atsec Page 8 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+  Section 3 provides the statement of TOE security environment.  Section 4 provides the statement of security objectives.  Section 5 provides the statement of IT security requirements.  Section 6 provides the TOE summary specification, which includes the detailed specification of the IT Security Functions.  Section 7 provides the Protection Profile claim  Section 8 provides the rationale for the security objectives, security requirements and the TOE summary specification. 1.6 Terminology This section contains definitions of technical terms that are used with a meaning specific to this document. Terms defined in the [CC] are not reiterated here, unless stated otherwise. Administrative User: This term refers to an administrator of the TOE. Some administrative tasks require use of the root username and password so that they can become the superuser (with a user ID of 0). Those users that have been assigned this capability are administrative users. Authentication data: This includes the password for each user of the product. Authentication mechanisms using other authentication data than a password are not supported in the evaluated configuration. Cray UNICOS/lc Operating System: This refers to the Linux/SLES based operating system running on the nodes in the system. In the context of this ST, it excludes the mixed Linux/Catamount OS. Named Object: In this TOE, objects that are subject to discretionary access control, specifically file system objects and IPC objects. Node: A component of the TOE (system) consisting of one or more CPUs, memory, and other hardware, software, and firmware components running a single instance of the TOE kernel. Object: In this TOE, objects belong to one of three categories: file system objects, IPC objects, and memory objects. Product: The term product is used to define software components that comprise the system. Role: A role represents a set of actions that an authorized user, upon assuming the role, can perform. In this TOE only the roles of administrative user and normal user are supported. Subject: There are two classes of subjects in this TOE:  untrusted internal subject - this is a process running on behalf of some user, running outside of the TSF (for example, with no privileges).  trusted internal subject - this is a process running as part of the TSF. Examples are service daemons and the process implementing the identification and authentication of users. System: The hardware, software, and firmware components of the TOE forming a Massively Parallel Processor (MPP) system consisting of nodes which are connected/networked together and configured to form a usable system. Target of Evaluation (TOE): The target of evaluation is defined in the introduction (chapter 1). User: Any individual/person who has a unique user identifier and who interacts with the TOE. 2008­10­07 Cray / Novell / atsec Page 9 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 2 TOE Description The target of evaluation (TOE) is the Cray UNICOS/lc Operating System 2.1 running on a Cray XT4 or Cray XT5 computer system. The TOE software is based on SUSE Linux Enterprise Server 10 Service Pack 1, a general purpose, multi-user, multi-tasking Linux based operating system. It provides a platform for a variety of applications in the governmental and commercial environment. It is available on a broad range of computer systems, ranging from departmental servers to multi-processor enterprise servers. The evaluation covers a Cray XT4 and Cray XT5 computer system consisting of nodes running evaluated software components of the Cray UNICOS/lc Operating System. Multiple TOE systems may be connected in a network. The hardware platforms selected for the evaluation consist of machines which are available when the evaluation has completed and which will remain available for a substantial period of time afterwards. The TOE Security Functions (TSF) consists of operating system functions that run in kernel mode plus some trusted processes. These are the functions that enforce the security policy as defined in this Security Target. Tools and commands executed in user mode that are used by an administrative user need also to be trusted to manage the system in a secure way. The basic tools required for the secure configuration and management of the TOE are included as part of the TSF in this evaluation. Other tools exist that can be used for configuration and management functions; these tools have not been part of this evaluation. The hardware and associated firmware are considered to be part of the TOE as required by the NIAP interpretation of CAPP. The TOE is delivered preinstalled with the evaluated configuration. The TOE includes standard networking applications, such as ftp, stunnel, and ssh. The TOE supports the Portals high speed node interconnect protocol. System administration tools include the standard commands. The evaluated configuration includes a text console available for trusted users. The TOE environment also includes applications that are not evaluated, but are used as unprivileged tools to access public system services. For example a network server using a port above 1024 may be used as a normal application running without root privileges on top of the TOE. The Evaluated Configuration Guide provides guidance how to set up such applications on the TOE in a secure way. 2.1 Intended Method of Use The TOE is a Linux based multi-user multi-tasking operating system consisting of an MPP system of nodes each running its own kernel. 2008­10­07 Cray / Novell / atsec Page 10 of 85 © Cray, atsec 2008 Compute Node Compute Node Compute Node Compute Node Compute Node Compute Node Compute Node Compute Node Login Node Login Node Lustre server Node Lustre server Node NFS-ext3 server Node ALPS TOE boundary ALPS SSH, IP networking Portals interconnect Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Users can login to login nodes using the ssh protocol, and use the Application Level Placement Scheduler (ALPS) to submit noninteractive jobs for execution on compute nodes. The compute nodes do not permit direct login. The system also contains other service nodes to support the login and compute nodes, such as fileservers for the Lustre and NFS/ext3 filesystems. Those nodes are restricted to access by administrators only and not available for non-interactive users. boot nodes are responsible for system initialization and cannot be influenced by non- administrative users. The nodes are internally connected by the Portals based high speed interconnect. Externally, the TOE is accessible through standard IP based networking over Ethernet. The TOE may provide services to several users at the same time. After successful login, the users have access to a general computing environment, allowing the start-up of user applications, issuing user commands at shell level, creating and accessing files. The TOE provides adequate mechanisms to separate the users and protect their data. Privileged commands are restricted to administrative users. The TOE uses the standard UNIX model of normal (unprivileged) users and administrative users that have the capability to get full root privileges. So, whenever this Security Target mentions the administrative user role it is identical to the term "root". The TOE is intended to operate in a networked environment with other instantiations of the TOE as well as other well-behaved client systems operating within the same management domain. All those systems need to be configured in accordance with a defined common security policy which also covers the prevention of a direct access to the network by untrusted users using raw sockets. The TOE permits one or more processors and attached peripheral and storage devices to be used by multiple users to perform a variety of functions requiring controlled shared access to the data stored on the system. Such installations are typical for workgroup or enterprise computing systems accessed by users local to, or with otherwise protected access to, the computer system. It is assumed that responsibility for the safeguarding of the data protected by the TOE can be delegated to the TOE users. All data is under the control of the TOE. The data is stored in named objects, and the TOE can associate with each named object a description of the access rights to that object. All individual users are assigned a unique user identifier within the MPP system that forms the TOE. This user identifier is used as the basis for access control decisions. The TOE authenticates the claimed identity of the user before allowing the user to perform any further actions. The TOE enforces controls such that access to data objects can only take place in accordance with the access restrictions placed on that object by its owner or administrative users. Ownership of named objects may be transferred under the control of the access control policy. Access rights (e.g., read, write, execute) can be assigned to data objects with respect to subjects (users). Once a subject is granted access to an object, the content of that object may be freely used to influence other objects accessible to this subject. The Cray UNICOS/lc Operating System has significant security extensions compared to standard UNIX systems:  Access Control Lists  A journaling file system (ext3)  A high performance distributed file system  The Application Level Placement Scheduler (ALPS)  Integrated pluggable authentication framework (PAM)  A dedicated auditing subsystem. This auditing subsystem allows for the auditing of security critical events and provides tools for the administrative user to configure the audit subsystem and evaluate the audit records.  Basic hardware check functions. They allow an administrative user to check on demand if the basic security functions of the hardware the TOE relies upon are provided correctly. The following node types are part of the TOE:  Boot node: allowing the modification of the operating system instances of the remaining nodes and initiating the boot of the Cray computer system  Login node: allowing the login of external users via SSH. This node is intended to be used to initiate jobs on the compute nodes using the ALPS mechanism 2008­10­07 Cray / Novell / atsec Page 11 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+  Lustre nodes: the Lustre file system nodes provide the Lustre network file system that can be used from the other nodes  SDB node: the database node contains management data about the different nodes which are used by ALPS to place jobs efficiently  Compute nodes: user jobs are executed on the compute nodes The following entities are not part of the TOE:  SMW: The software management workstation is used to initially set up the Cray computer system and can be used to perform updates to the operating system as it has also write access to the data store holding the OS images for the different nodes. The SMW however does not perform any tasks relevant for the runtime operation of the Cray computer system. The SMW can be used to start up the boot node. 2.2 Summary of Security Features The primary security features of the TOE are:  Identification and Authentication  Audit  Discretionary Access Control  Object reuse functionality  Security Management  Secure Communication  TSF Protection These primary security features are supported by domain separation and reference mediation, which ensure that the features are always invoked and cannot be bypassed. 2.2.1 Identification and Authentication The TOE provides identification and authentication using pluggable authentication modules (PAM) based upon user passwords. The quality of the passwords used can be enforced through configuration options controlled by the TOE. Other authentication methods (e. g. Kerberos authentication, token based authentication) that are supported by the TOE as pluggable authentication modules are not part of the evaluated configuration. Functions to ensure medium password strength and limit the use of the su command and restrict root login to specific terminals are also included. A synchronization mechanism ensures that credential data is replicated among all login nodes in the system. 2.2.2 Audit The TOE provides an audit capability that allows generating audit records for security critical events. The administrative user can select which events are audited and for which users auditing is active. A list of events that can be audited is defined in chapter 5 and 6. The TOE provides tools that help the administrative user extract specific types of audit events, audit events for specific users, audit events related to specific file system objects, or audit events within a specific time frame from the overall audit records collected by the TOE. The system stores audit records in human-readable text format. The audit system detects when the capacity of the audit trail exceeds configurable thresholds, and the system administrator can define actions to be taken when the threshold is exceeded. The possible actions include generating a syslog message to inform the administrator, switching the affected node or entire system to single user mode (this prevents all user-initiated auditable actions), or halting the affected node or entire system. The audit function also ensures that no audit records get lost due to exhaustion of the internal audit buffers. In the unlikely case of unrecoverable resource exhaustion, the kernel audit component can be configured to initiate a kernel panic to prevent all further auditable events on that node. 2.2.3 Discretionary Access Control Discretionary Access Control (DAC) restricts access to file system objects based on Access Control Lists (ACLs) that include the standard UNIX permissions for user, group and others. Access control mechanisms also protect IPC objects from unauthorized access. 2008­10­07 Cray / Novell / atsec Page 12 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ The TOE includes the NFS and ext3 file systems, which support POSIX ACLs. Use of POSIX ACLs allows defining access rights to files within this type of file system down to the granularity of individual users. Other filesystems supported by the TOE, such as Lustre, support DAC using standard UNIX permissions (based on user/group/other rights) only, but do not support ACLs. 2.2.4 Object Reuse File system objects as well as memory and IPC objects will be cleared before they can be reused by a process belonging to a different user. 2.2.5 Security Management The management of the security critical parameters of the TOE is performed by administrative users. A set of commands that require root privileges are used for system management. Security parameters are stored in specific files that are protected by the access control mechanisms of the TOE against unauthorized access by users that are not administrative users. 2.2.6 Secure Communication The TOE supports secure communication with other systems via the SSH v2 and SSL v3 protocol. Communication via the SSH v2 and SSL v3 protocols is protected against unauthorized disclosure and modification via cryptographic mechanisms. The TOE also allows for secure authentication of the communicating parties using the SSL v3 protocol with client and server authentication. This allows establishing a secure communication channel between different machines running the TOE even over an insecure network. The SSL v3 protocol can be used to tunnel otherwise unprotected protocols in a way that allows an application to secure its TCP based communication with other servers (provided the protocol uses a single TCP port). 2.2.7 TSF Protection While in operation, the kernel software and data are protected by the hardware memory protection mechanisms. The memory and process management components of the kernel ensure a user process cannot access kernel storage or storage belonging to other processes. Non-kernel TSF software and data are protected by DAC and process isolation mechanisms. In the evaluated configuration, the reserved user ID root owns the directories and files that define the TSF configuration. In general, files and directories containing internal TSF data (e.g., configuration files) are also protected from reading by DAC permissions. The TOE including the hardware and firmware components is required to be physically protected from unauthorized access. The system kernel mediates all access to hardware components that are protected from direct access by user programs. A user process may execute unprivileged instructions and read or write to memory and processor register within the bounds defined by the kernel for the user process without those types of access being mediated by the kernel. All other types of access to hardware resources by user processes can only be performed by requests (in the form of system calls) to the kernel. The TOE provides a tool that allows an administrative user to check the correct operation of the underlying hardware. This tool performs tests to check the system memory, the memory protection features of the underlying processor, and the correct separation between user and supervisor state. 2.3 Software The Target of Evaluation is based on the following system software:  The Cray UNICOS/lc Operating System 2.1 The precise version of the TOE is 2.1.22. The TOE and its documentation is shipped preinstalled in the evaluated configuration on the target hardware. 2.4 Configurations The evaluated configurations are defined as follows:  The CC evaluated package set must be selected at install time in accordance with the description provided in the Evaluated Configuration Guide and installed accordingly. 2008­10­07 Cray / Novell / atsec Page 13 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+  The operating system supports the use of IPv4 and IPv6; only IPv4 is included within the TOE.  Both installation from DVD and installation from a defined disk partition are supported.  The default configuration for identification and authentication are the defined password based PAM modules. Support for other authentication options e.g. smartcard authentication, is not included in the evaluated configuration.  If the system console is used, it must be connected directly to the TOE and afforded the same physical protection as the TOE The TOE comprises an MPP system consisting of nodes (and optional peripherals) listed in section 2.4.2 running the system software listed the package list in section 2.3 (a server running the above listed software is referred to as a “TOE system” below). 2.4.1 File systems The evaluated configuration supports multiple file system types Filesystems using physical media (hard disk, CD-ROM or DVD-ROM):  Lustre distributed filesystem  ext3 journaling filesystem  the read-only ISO 9660 filesystem for CD-ROM and DVD-ROM drives Network file systems:  NFS network filesystem (used only by diskless clients, with the original data residing on ext3 filesystems. NFS is used as a network transport for ext3 filesystem data, using the ext3 filesystem’s metadata and access control logic) RAM based nonpersistent file systems:  The temporary filesystem (tmpfs) used as a temporary RAM based file system. This file system is not persistent across boots of the operating system. Pseudo file systems that are used as configuration or monitoring interfaces to the kernel in a running system, and that do not support arbitrary data storage:  The process file system, procfs (/proc), provides access to the process image of each process on the machine as if the process were a “file”. Process access decisions are enforced by DAC attributes inferred from the underlying process’ DAC attributes. Additional restrictions apply for specific objects in this file system.  The sysfs filesystem (sysfs) used to export and handle non-process related kernel information such as driver specific information. Access to objects there can be restricted using the DAC mechanism (which are the permission bits only). Additional restrictions apply for specific objects in this file system.  The pseudo terminal device file system (devpts) used to provide pseudo terminal support.  The miscellaneous binary file format registration file system (binfmt_misc) used to configure interpreters for executing binary files based on file header information. For example, this enables direct execution of Java files using the execve system call instead of the traditional invocation of the java interpreter with the Java file provided as an argument.  The virtual root file system (rootfs) used temporarily during system startup. 2.4.2 TOE Hardware The hardware on which the software components of the TOE are executed is considered part of the TOE. The TOE hardware is the Cray XT4 computer system and the Cray XT5 computer system (except the XT5h blade type providing a vector-based CPU) consisting of nodes each running the TOE software. The following node types are supported as part of the TOE:  Service nodes: o Login nodes available for interactive login by non-administrative users. 2008­10­07 Cray / Novell / atsec Page 14 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ o other service nodes with access restricted to administrators, for example the servers for the Lustre and NFS filesystems.  Compute nodes running a limited subset of the TOE software that are available for processes invoked by non-administrative users through ALPS. The following peripherals can be used with the TOE preserving the security functionality:  the System Management Workstation (SMW) to provide console terminal access for administrators  printers compatible with PostScript level 1 or PCL 4 attached via Ethernet  all storage devices and backup devices supported by the TOE (hard disks, DVD/CD-ROM drives, streamer drives, floppy disk drives)  all Ethernet network adapters supported by the e1000 (Intel Gigabit) driver of the TOE Note: peripheral devices are part of the TOE environment. 2.4.3 TOE Environment Several TOE systems may be interlinked in a network, and individual networks may be joined by bridges and/or routers, or by TOE systems which act as routers and/or gateways. Each of the TOE systems implements its own security policy. The TOE does not include any synchronization function for those policies. As a result a single user may have user accounts on each of those systems with different user IDs, different roles, and other different attributes. (A synchronization method may optionally be used, but it is not part of the TOE and must not use methods that conflict with the TOE requirements.) If other systems are connected to a network they need to be configured and managed by the same authority using an appropriate security policy that does not conflict with the security policy of the TOE. All links between this network and untrusted networks (e.g., the Internet) need to be protected by appropriate measures such as carefully configured firewall systems that prohibit attacks from the untrusted networks. Those protections are part of the TOE environment. 2008­10­07 Cray / Novell / atsec Page 15 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 3 TOE Security Environment 3.1 Introduction The statement of TOE security environment describes the security aspects of the environment in which the TOE is intended to be used and the manner in which it is expected to be deployed. To this end, the statement of TOE security environment identifies the list of assumptions made on the operational environment (including physical and procedural measures) and the intended method of use of the product, and defines the threats that the product is designed to counter and the organizational security policies with which the product is designed to comply. 3.2 Threats The assumed security threats are listed below. The IT assets to be protected comprise the information stored, processed or transmitted by the TOE. The term "information" is used here to refer to all data held within a system, including data in transit between systems. The TOE counters the general threat of unauthorized access to information, where "access" includes disclosure, modification and destruction. The threat agents can be categorized as either:  unauthorized users of the TOE, i.e., individuals who have not been granted the right to access the system or  authorized users of the TOE, i.e., individuals who have been granted the right to access the system The threat agents are assumed to originate from a well-managed user community in a non-hostile working environment, and hence the product protects against threats of obvious security vulnerabilities that might be exploited in the intended environment for the TOE. The TOE in accordance with the strength of function claimed protects against straightforward or intentional breach of TOE security by attackers possessing a moderate attack potential. Unauthorized users of the TOE may be motivated to impersonate as an authorized user of the TOE to get access to some or all information stored and protected by the TOE. Authorized users may be motivated to get access to objects protected by the TOE where the security functions of the TOE would prevent access to those objects (although it is assumed that their motivation to do this is low and that they are not going to spend significant time to identify exploitable vulnerabilities or launch sophisticated attacks to bypass the security functions of the TOE). It is also assumed that an unauthorized user will not spend a large amount of time, computing power or other resources to break the cryptographic functions protecting the communication links or to get physical access to any hardware used by the TOE. Authorized users are also assumed to not deliberately attack the physical part of the TOE they have access to or to deliberately use programs that could harm the hardware of the TOE, although they may accidentally perform actions that could cause damage to the hardware the TOE is based on. The threats listed below are grouped according to whether or not they are countered by the TOE. Those that are not countered by the TOE are countered by environmental or external mechanisms. 3.2.1 Threats countered by the TOE T.UAUSER An attacker (possibly, but not necessarily, an unauthorized user of the TOE) may impersonate an authorized user of the TOE. This includes the threat of an authorized user that tries to impersonate as another authorized user without knowing the authentication information. T.UAACCESS An authorized user of the TOE may access information resources without having permission from the person who owns, or is responsible for, the information resource for the type of access. T.COMPROT An attacker (possibly, but not necessarily, an unauthorized user of the TOE) may intercept a communication link between the TOE and another trusted IT product to intercept or modify information transferred between the TOE and the other trusted IT product (which may be another instantiation of the TOE) using defined protocols (SSH or SSL) in a way that cannot be detected by the TOE or the other trusted IT product. 2008­10­07 Cray / Novell / atsec Page 16 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 3.2.2 Threats to be countered by measures within the TOE environment The following threats to the system need to be countered in the TOE environment: TE.HWMF An attacker with legitimate physical access to the hardware of the TOE (examples are maintenance personnel or legitimate users) or environmental conditions may cause a hardware malfunction with the effect that a user (normal or administrative) loses stored data due to this hardware malfunction. An attacker may cause such a hardware malfunction either by having physical access to the hardware the TOE is running on or by executing software that is capable of causing hardware malfunction. Note that such a hardware malfunction may be caused accidentally without malicious intent by persons having physical access to the TOE. TE.COR_FILE An attacker (possibly, but not necessarily, an unauthorized user of the TOE) or environmental conditions like a hardware malfunction may intentionally or accidentally modify or corrupt security enforcing or relevant files of the TOE without an administrative user being able to detect this. An attacker may corrupt such files either by having physical access to the hardware the TOE is running on, by booting other software than the TOE in its evaluated configuration, or by modifying or corrupting files on backup media. Note that such a corruption may be caused accidentally without malicious intent by persons having legitimate access to media where such data is stored. 3.3 Organizational Security Policies The TOE complies with the following organizational security policies: P.AUTHORIZED_USERS Only those users who have been authorized to access the information within the system may access the system. P.NEED_TO_KNOW The organization must define a discretionary access control policy on a need-to-know basis which can be modeled based on: a) the owner of the object; and b) the identity of the subject attempting the access; and c) the implicit and explicit access rights to the object granted to the subject by the object owner or an administrative user. Application Note: Being able to model an organization's access control policy based on the three properties above ensures that the organization's policy can be mapped to the TOE with the security functions provided by the TOE. For example an access control policy based on time dependent or content dependent rules would not satisfy the above mentioned policy. P.ACCOUNTABILITY The users of the system shall be held accountable for their actions within the system. 3.4 Assumptions This section indicates the minimum physical and procedural measures required to maintain security of the TOE. 3.4.1 Physical Aspects A.LOCATE The processing resources of the TOE will be located within controlled access facilities which will prevent unauthorized physical access. A.PROTECT The TOE hardware and software critical to security policy enforcement will be protected from unauthorized physical modification. Application Note: This includes the interfaces to the system, the System Management Workstation (SMW), the system management network including L0/L1 connections, and all attached devices. 3.4.2 Personnel Aspects A.MANAGE It is assumed that there are one or more competent individuals who are assigned to manage the TOE and the security of the information it contains. 2008­10­07 Cray / Novell / atsec Page 17 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ A.NO_EVIL_ADMIN The system administrative personnel are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the administrator documentation. A.COOP Authorized users possess the necessary authorization to access at least some of the information managed by the TOE and are expected to act in a cooperating manner in a benign environment. A.UTRAIN Users are trained to use the security functionality provided by the system appropriately. A.UTRUST Users are trusted to accomplish some task or group of tasks within a secure IT environment by exercising complete control over their data. 3.4.3 Connectivity Aspects A.NET_COMP All network components (such as bridges and routers) are assumed to correctly pass data without modification. A.PEER Any other systems with which the TOE communicates are assumed to be under the same management control and operate under the same security policy constraints. There are no security requirements which address the need to trust external systems or the communications links to such systems. A.CONNECT All connections to peripheral devices and all network connections not using the secured protocols SSH v2 or SSL v3 reside within the controlled access facilities. Internal communication paths to access points such as terminals or other systems are assumed to be adequately protected. 2008­10­07 Cray / Novell / atsec Page 18 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 4 Security Objectives 4.1 Security Objectives for the TOE O.AUTHORIZATION The TOE must ensure that only authorized users gain access to the TOE and its resources. O.DISCRETIONARY_ACCESS The TSF must control access to resources based on identity of users. The TSF must allow authorized users to specify which resources may be accessed by which users. O.AUDITING The TSF must record the security relevant actions of users of the TOE. The TSF must present this information to authorized administrators. O.RESIDUAL_INFO The TOE must ensure that any information contained in a protected resource is not released when the resource is recycled. O.MANAGE The TSF must provide all the functions and facilities necessary to support administrative users that are responsible for the management of TOE security and must ensure that only administrative users are able to access such functionality. O.ENFORCEMENT The TSF must be designed and implemented in a manner which ensures that the organizational policies are enforced in the target environment. The TOE security policy is enforced in a manner which ensures that the organizational policies are enforced in the target environment, i.e., the integrity of the TSF is protected. O.COMPROT The TSF must be designed and implemented in a manner that allows for establishing a trusted channel between the TOE and another trusted IT product that protects the user data transferred over this channel from disclosure and undetected modification. 4.2 Security Objectives for the TOE Environment All security requirements listed in this section are targeted at the non-IT environment of the TOE. OE.ADMIN Those responsible for the administration of the TOE are competent and trustworthy individuals, capable of managing the TOE and the security of the information it contains. OE.CREDEN Those responsible for the TOE must ensure that user authentication data is stored securely and not disclosed to unauthorized individuals. In particular:  Procedures must be established to ensure that user passwords generated by an administrator during user account creation or modification are distributed in a secure manner, as appropriate for the purpose of the system.  The media on which authentication data is stored must not be physically removable from the system by other than administrative users.  Users must not disclose their passwords to other individuals. OE.INSTALL Those responsible for the TOE must establish and implement procedures to ensure that the hardware, software and firmware components that comprise the system are distributed, installed and configured in a secure manner. OE.PHYSICAL Those responsible for the TOE must ensure that those parts of the TOE critical to security policy are protected from physical attack which might compromise IT security objectives. OE.INFO_PROTECT Those responsible for the TOE must establish and implement procedures to ensure that information is protected in an appropriate manner. In particular:  DAC protections on security critical files (such as configuration files and authentication databases) shall always be set up correctly.  Network and peripheral cabling must be approved for the transmittal of the most sensitive data held by the system. Such physical links are assumed to be adequately protected against threats to the confidentiality and integrity of the data transmitted unless one of the secure protocols provided by the TOE is used for the communication with another trusted entity. 2008­10­07 Cray / Novell / atsec Page 19 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ This requires that users are trained to perform those tasks properly and trustworthy to not deliberately misuse their access to information and pass it on to somebody that does not have the right to access the information. OE.MAINTENANCE Administrative users of the TOE must ensure that any diagnostics facilities provided by the product are invoked at every scheduled preventative maintenance period. OE.RECOVER Those responsible for the TOE must ensure that procedures and/or mechanisms are provided to assure that after system failure or other discontinuity, recovery without a protection (i.e., security) compromise is obtained. OE.SOFTWARE_IN Those responsible for the TOE shall ensure that the system shall be configured so that only an administrative user can introduce new trusted software into the system. OE.SERIAL_LOGIN Those responsible for the TOE shall implement procedures to ensure that users clear the screen before logging off where serial login devices (e.g., VT100 terminals) are used. The following security objective applies in environments where specific threats to networked systems need to be countered. (Either physical protection measures or cryptographic controls may be applied to achieve this objective. The TOE provides some security functions that can be used to protect communication links, but the TOE does not enforce that those functions are used for all communication links. Communication links not protected by the functions provided as part of the TOE or communication links that need protection against interruption of communication have to be protected by security measures in the TOE environment.) OE.PROTECT Those responsible for the TOE must ensure that procedures and/or mechanisms exist to ensure that data transferred between servers is secured from disclosure, interruption or tampering (when using communication links not protected by the use of the SSL or SSH protocols. Note that interruption of communication is not prevented by the use of those protocols and if protection against interruption of communication is required, adequate protection in the TOE environment has to be established for all communication links!). 2008­10­07 Cray / Novell / atsec Page 20 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 5 Security Requirements 5.1 TOE Security Functional Requirements Most of the following security functional requirements are taken from the “Controlled Access Protection Profile”, Version 1.d [CAPP]. The requirement FMT_SMF.1 was added due to an added dependency in [CC]. The requirements FCS_CKM.1, FCS_CKM.2, FCS_COP.1, FDP_UCT.1, FDP_UIT.1, FMT_MSA.2, and FTP_ITC.1 represent TOE specific extensions to the requirements defined by [CAPP]. For easier comparison with [CAPP], the Application Notes and the Rationale presented in [CAPP] for each security functional requirement have been repeated in this Security Target. They have been marked as “Application Note (CAPP)” and “Rationale (CAPP)” to remind the reader where this text comes from. The Application Notes of [CAPP] mainly provide some guidance and requirements for the author of a Security Target. The reader can than easily see how those requirements have been addressed within this Security Target. [CAPP] has already performed some instantiations and even some refinements of the security functional requirements as defined in the Common Criteria. Those instantiations and refinements are marked in bold within each of the requirements. In addition this Security Target has instantiated and refined the requirements as stated in [CAPP]. Those instantiations and refinements that are specific for this Security Target are marked in bold, italic and blue. Security functional requirements in addition to those taken from [CAPP] are shown in green with TOE specific instantiations marked in green, bold and italic. 5.1.1 Security Audit (FAU) 5.1.1.1 Audit Data Generation (FAU_GEN.1) FAU_GEN.1.1 The TSF shall be able to generate an audit record of the auditable events listed in column “Event” of Table 5-1 (Auditable Events). This includes all auditable events for the basic level of audit, except FIA_UID.2’s user identity during failures. FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; b) The additional information specified in the “Details” column of Table 5-1 (Auditable Events). Application Note (CAPP) : For some situations it is possible that some events cannot be automatically generated. This is usually due to the audit functions not being operational at the time these events occur. Such events need to be documented in the Administrative Guidance, along with recommendation on how manual auditing should be established to cover these events. Rationale (CAPP): This component supports O.AUDITING by specifying the detailed, security relevant events and data that the audit mechanism must be capable of generating and recording. The “basic” level of auditing was selected as best representing the “mainstream” of contemporary audit practices used in the target environments. Table 5-1: Auditable Events Component Event Details (Event Names) FAU_GEN.1 Start­up and shutdown of the audit functions. Events DAEMON_START, DAEMON_END, generated by auditd FAU_GEN.2 None FAU_SAR.1 Reading of information from the audit records. syscall open (on the audit log files) FAU_SAR.2 Unsuccessful attempts to read information from the audit records. like FAU_SAR.1, but with negative results 2008­10­07 Cray / Novell / atsec Page 21 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Component Event Details (Event Names) FAU_SAR.3 None FAU_SEL.1 All modifications to the audit configuration that occur while the audit collection functions are operating. Events DAEMON_CONFIG, DAEMON_RECONFIG (generated by auditd); syscalls open, link, unlink, rename, truncate (write access to configuration files) FAU_STG.1 None FAU_STG.3 Actions taken due to exceeding of a threshold. Event "log file is larger than max size" or “low on disk space” (generated by auditd); execution of administrator­specified alert action (such as file rotation, switch to single user mode, or system halt) based on the settings of the space_left_action and admin_space_left_action configuration parameters for auditd FAU_STG.4 Actions taken due to the audit storage failure. Event “no space left” or “error writing an event to disk” (generated by auditd); execution of administrator-specified alert action (such as switch to single user mode or system halt that terminates all programs capable of generating auditable events) based on the disk_full_action and disk_error_action configuration parameters for auditd FCS_CKM.1 None FCS_CKM.1 None FCS_CKM.1 None FCS_CKM.2 None FCS_CKM.2 None FCS_CKM.2 None FCS_CKM.2 None FCS_COP.1 None FCS_COP.1 None FCS_COP.1 None FDP_ACC.1 None FDP_ACF.1 All requests to perform an operation on an object covered by the SFP. syscalls chmod, chown, setxattr, removexattr, link, symlink, mknod, open, rename, truncate, unlink, rmdir, mount, umount, msgctl, msgget, semget, semctl, semop, shmget, shmctl; details include identity of object FDP_RIP.2 None Note 1 None FDP_UCT.1 None FDP_UIT.1 None FIA_ATD.1 None 2008­10­07 Cray / Novell / atsec Page 22 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Component Event Details (Event Names) FIA_SOS.1 Rejection or acceptance by the TSF of any tested secret. Event USER_AUTH and USER_CHAUTHTOK (from PAM framework); details include origin of attempt (terminal or IP address as applicable) FIA_UAU.2 All use of the authentication mechanism. Event USER_AUTH and USER_CHAUTHTOK (from PAM framework) FIA_UAU.7 None FIA_UID.2 All use of the user identification mechanism, including the identity provided during successful attempts. Events USER_AUTH and USER_CHAUTHTOK (from PAM framework) FIA_USB.1 Success and failure of binding user security attributes to a subject (e.g. success and failure to create a subject). Event LOGIN (from PAM framework); syscalls fork, vfork and clone Failure: Events LOGIN (from PAM framework, failure status) FMT_MSA.1 All modifications of the values of security attributes. syscalls chmod, chown, setxattr, removexattr, msgctl, semctl, shmctl FMT_MSA.2 None FMT_MSA.3 Modifications of the default setting of permissive or restrictive rules. All modifications of the initial value of security attributes. syscalls umask, open FMT_MTD.1 Audit Trail All modifications to the values of TSF data. syscalls open, rename, link, unlink, truncate (of audit log files) FMT_MTD.1 Audit Events All modifications to the values of TSF data. syscalls open, link, rename, truncate, unlink (of audit config files); event “config change” FMT_MTD.1 User Attributes All modifications to the values of TSF data. audit text messages from “shadow-utils” suite, details include new value of the TSF data FMT_MTD.1 Authentication Data All modifications to the values of TSF data. audit text messages from “shadow-utils” suite including USER_CHAUTHTOK PAM messages; attempts to bypass trusted programs detected through audited syscalls open, rename, truncate, unlink FMT_REV.1 All attempts to revoke security attributes. audit text messages from “shadow-utils” suite; attempts to bypass trusted programs detected through audited syscalls open, rename, truncate, unlink, removexattr FMT_REV.1 All modifications to the values of TSF data. system calls chmod, chown, setxattr, removexattr, unlink, truncate, msgctl, semctl, shmctl FMT_SMF.1 None (covered by other management functions) 2008­10­07 Cray / Novell / atsec Page 23 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Component Event Details (Event Names) FMT_SMR.1 Modifications to the group of users that are part of a role. audit text messages “group member added”, “group member removed”, “group administrators set”, “group members set” (from trusted programs in “shadow-utils” suite). FMT_SMR.1 Every use of the rights of a role. (Additional / Detailed) The user's actions result in audited syscalls and the use of trusted programs that are audited. Details include the login ID; the origin can be determined from the associated LOGIN record for this login ID and audit session ID. FPT_AMT.1 Execution of the tests of the underlying machine and the results of the test. Text messages generated by “amtu” program FPT_RVM.1 None FPT_SEP.1 None FPT_STM.1 Changes to the time. Event: syscalls settimeofday, adjtimex, clock_settime FTP_ITC.1 Set-up of trusted channel Event: syscall exec (of stunnel program) Application Note: The table lists the names of the events associated with the SFR. Details of the event specific data recorded with each event are defined in the audit design documentation. 5.1.1.2 User Identity Association (FAU_GEN.2) FAU_GEN.2.1 The TSF shall be able to associate each auditable event with the identity of the user that caused the event. Application Note (CAPP): There are some auditable events which may not be associated with a user, such as failed login attempts. It is acceptable that such events do not include a user identity. In the case of failed login attempts it is also acceptable not to record the attempted identity in cases where that attempted identity could be misdirected authentication data; for example when the user may have been out of sync and typed a password in place of a user identifier. Rationale (CAPP): O.AUDITING calls for individual accountability (i.e., “TOE users”) whenever security- relevant actions occur. This component requires every auditable event to be associated with an individual user. Application Note: The TOE maintains an “Audit Login ID” (auid), which is inherited by every new process spawned. This allows the TOE to identify the real originator of an event, regardless if he has changed his real and / or effective and filesystem user ID, for example by using the su command or executing a setuid or setgid program. 5.1.1.3 Audit Review (FAU_SAR.1) FAU_SAR.1.1 The TSF shall provide authorized administrators with the capability to read all audit information from the audit records: FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information. Application Note (CAPP): The minimum information which must be provided is the same that which is required to be recorded in FAU_GEN.1.2. 2008­10­07 Cray / Novell / atsec Page 24 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ The intent of this requirement is that there exists a tool for administrator be able to access the audit trail in order to assess it. Exactly what manner is provided is an implementation decision, but it needs to be done in a way which allows the administrator to make effective use of the information presented. This requirement is closely tied to FAU_SAR.3 and FAU_SEL.1. It is expected that a single tool will exist within the TSF which will satisfy all of these requirements. Rationale (CAPP): This component supports the O.AUDITING and O.MANAGE objectives by providing the administrator with the ability to assess the accountability information accumulated by the TOE. 5.1.1.4 Restricted Audit Review (FAU_SAR.2) FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access. Application Note (CAPP): By default, authorized administrators may be considered to have been granted read access to the audit records. The TSF may provide a mechanism which allows other users to also read audit records. Rationale (CAPP): This component supports the O.AUDITING objective by protecting the audit trail from unauthorized access. Application Note: DAC controls ensure that only administrative users have access to the audit records. 5.1.1.5 Selectable Audit Review (FAU_SAR.3) FAU_SAR.3.1 The TSF shall provide the ability to perform searches of audit data based on the following attributes: a) User identity; b) group identifier (real and effective); c) event type; d) outcome (success/failure); e) login from specific remote hostname; f) audit login id; g) process id. Application Note (CAPP): The ST must state the additional attributes that audit selectivity may be based upon (e.g., object identity, type of event), if any. Rationale (CAPP): This component supports both the O.AUDITING and O.MANAGE objectives, by providing a means for the administrator to assess the accountability information associated with an individual user. 5.1.1.6 Selective Audit (FAU_SEL.1) FAU_SEL.1.1 The TSF shall be able to include or exclude auditable events from the set of audited events based on the following attributes: a) User identity; b) system call number; c) directory or file name. Application Note (CAPP): The ST must state the additional attributes that audit selectivity may be based upon (e.g., object identity, type of event), if any. Rationale (CAPP): This component supports both the O.AUDITING and O.MANAGE objectives, by providing a means for the administrator to assess the accountability information associated with an individual user. Application Note: The TOE provides the administrator the ability to select the events to audit. This can be done by the administrator editing the filter configuration file of the audit daemon and 2008­10­07 Cray / Novell / atsec Page 25 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ then using the rcauditd script with the ‘reload’ parameter to notify the audit daemon of the change in the configuration. The audit daemon in turn notifies the kernel of the new auditing policy. 5.1.1.7 Guarantees of Audit Data Availability (FAU_STG.1) FAU_STG.1.1 The TSF shall protect the stored audit records from unauthorized deletion. FAU_STG.1.2 The TSF shall be able to prevent modifications to the audit records. Application Note (CAPP): On many systems, in order to reduce the performance impact of audit generation, audit records will be temporarily buffered in memory before they are written to disk. In these cases, it is likely that some of these records will be lost if the operation of the TOE is interrupted by hardware or power failures. The developer needs to document what the likely loss will be and show that it has been minimized. Rationale (CAPP): This component supports the O.AUDITING objective by protecting the audit trail from tampering, via deletion or modification of records in it. Further it ensures that it is as complete as possible. Application Note: This is achieved using the DAC controls. 5.1.1.8 Action in Case of Possible Audit Data Loss (FAU_STG.3) FAU_STG.3.1 The TSF shall generate an alarm to the authorized administrator if the audit trail exceeds a value defined in the /etc/auditd.conf file for the minimum space required for the file system the audit log file resides in. Application Note (CAPP): For this component, an “alarm” is to be interpreted as any clear indication to the administrator that the pre-defined limit has been exceeded. The ST author must state the pre-defined limit that triggers generation of the alarm. The limit can be stated as an absolute value, or as a value that represents a percentage of audit trail capacity (e.g., audit trail 75% full). If the limit is adjustable by the authorized administrator, the ST should also incorporate an FMT requirement to manage this function. Rationale (CAPP): This component supports the O.AUDITING and O.MANAGE objectives by providing the administrator with a warning that a pending failure due to the exhaustion of space available for audit information. Application Note: The alarm generated by the TOE is a syslog message. This message is generated when the audit trail capacity exceeds the limit defined in the auditd.conf file. This limit can be defined by the system administrator by editing the auditd.conf file and then reloading the audit configuration. 5.1.1.9 Prevention of Audit Data Loss (FAU_STG.4) FAU_STG.4.1 The TSF shall be able to prevent auditable events, except those taken by the authorized administrator, and no other actions, if the audit trail is full. Application Note (CAPP): The selection of “preventing” auditable actions if audit storage is exhausted is minimal functionality; providing a range of configurable choices (e.g., ignoring auditable actions and/or changing to a degraded mode) is allowable, as long as “preventing” is one of the choices. If configurable, then FMT_MOF.1 should be incorporated into the ST. Rationale (CAPP): This component supports the O.AUDITING and O.MANAGE objectives by providing the audit trail is complete with respect to non-administrative users while providing administrators with the ability to recover from the situation. Application Note: If the audit trail gets full, the audit daemon will execute an administrator defined action. The possible actions include a switch to single user mode or system halt; each of these will terminate all processes capable of generating auditable events. The system administrator can then back up the audit trail and make space available for the audit trail, then restart the TOE in multiuser mode. 2008­10­07 Cray / Novell / atsec Page 26 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 5.1.2 Cryptographic Support (FCS) 5.1.2.1 Cryptographic key generation (SSL: Symmetric algorithms) (FCS_CKM.1(1)) FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm as defined in the SSL v3 standard and specified cryptographic key sizes 128 bit (RC4), 168 bit (TDES), 128 bit (AES), 256 bit (AES) that meet the following: SSLv3 [SSLv3] section 6.2. Application Note: The OpenSSL library used by the TOE also supports SSL v2, but this is seen as being not part of the evaluated configuration. The evaluation will assess that the TOE provides a random number generator that is used for obtaining the random numbers for the pre-master key from which the master key will be derived during the SSL handshake protocol which is used for key distribution as specified in FCS_CKM.2(4). With respect to the strength of function, no assessment of the strength of the cryptographic algorithm itself and no analysis for potential weaknesses of keys with respect to the algorithm is performed. 5.1.2.2 Cryptographic key generation (SSH: Symmetric algorithms) (FCS_CKM.1(2)) FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm as defined in the SSH v2 standard [SSH- TRANS] and specified cryptographic key sizes 168 bit (TDES) that meet the following: generation of session keys as defined in the SSHv2 standard. Application Note: For details of the key generation / key negotiation process, see section 4.5, chapter 5 and chapter 6 of the SSH Transport Layer Protocol specification [SSH-TRANS] as published by the Secure Shell Charter of the Internet Engineering Task Force (IETF). The evaluation will assess that the keys are generated in accordance with the requirements defined in the SSH v2 standard. The key generation process will only be analyzed and rated with respect to the entropy of the input to the key generation process and with respect to the fact that any postprocessing of this input will maintain the entropy. 5.1.2.3 Cryptographic key generation (SSL: RSA) (FCS_CKM.1(3)) FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm ensuring that the probability of the generated parameters p and q for the RSA key are not prime is less than (2^-80) and specified cryptographic key sizes 1024 bit that meet the following: PKCS #1 v2.0. Application Note: The SSL v3 specification does not define how the RSA key pair is generated. This is up to the implementation. Almost all implementations of the SSL v3 standard have their own algorithm for RSA key pair generation (if they support cipher suites that use RSA), where the OpenSSL library, which implements the SSL functionality, follows the PKCS #1 standard. The evaluation will assess that the keys generated form a correct RSA key pair. The key generation process will only be analyzed and rated with respect to the entropy of the input to the key generation process and with respect to the primality tests and the probability of the numbers chosen to be prime. 5.1.2.4 Cryptographic key distribution (SSL: RSA public keys) (FCS_CKM.2(1)) FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method digital certificates for public RSA keys that meets the following: certificate format as defined in the standard X.509 Version 3. Application Note: This requirement addresses the exchange of public RSA keys as part of the SSL client and server authentication. 2008­10­07 Cray / Novell / atsec Page 27 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 5.1.2.5 Cryptographic key distribution (SSH: Diffie­Hellman key negotiation) (FCS_CKM.2(2)) FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method diffie-hellman-group1-sha1 that meets the following: Specification in [SSH-TRANS]. Application Note: The Diffie-Hellman protocol can be seen as a combined way to generate and distribute a shared session key between two communicating parties. So the Diffie-Hellman algorithm used by SSH is mentioned both in the key generation as well as in the key distribution security functional requirement. 5.1.2.6 Cryptographic key distribution (SSH: DSS public keys) (FCS_CKM.2(3)) FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method digital certificates for public DSS keys that meets the following: ssh-dss key format as defined in: [SSH-TRANS]. 5.1.2.7 Cryptographic key distribution (SSL: Symmetric keys) (FCS_CKM.2(4)) FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method Secure Socket Layer handshake using RSA encrypted exchange of pre-master secrets that meets the following: SSL Version 3 [SSLv3]. Application Note: This requirement addresses the exchange of SSL pre-master secrets as part of the SSL handshake protocol which are used to derive the master secrets used for the encryption and decryption operations. 5.1.2.8 Cryptographic operation (RSA) (SSL: FCS_COP.1(1)) FCS_COP.1.1 The TSF shall perform digital signature generation and digital signature verification in accordance with a specified cryptographic algorithm RSA and cryptographic key sizes 1024 bit that meet the following: [SSLv3]. Application Note: This requirement addresses the RSA digital signature generation and verification operations using the RSA algorithm as required by the SSL session establishment protocol (provided a cipher suite including RSA is used). Note that the details of the signature format such as the use of the PKCS#1 block type 1 and block type 2 are defined in the SSL Version 3 standard. 5.1.2.9 Cryptographic operation (SSL: Symmetric operations) (FCS_COP.1(2)) FCS_COP.1.1 The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm RC4, TDES and AES and cryptographic key sizes 128 bit (RC4), 168 bit (TDES), 128 bit (AES) and 256 bit (AES) that meet the following: SSL Version 3 [SSLv3] and the following cipher suites: SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, as defined in the SSL v3 standard and TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA as defined in [TLS-AES]. 5.1.2.10 Cryptographic operation (SSH: Symmetric operations) (FCS_COP.1(3)) FCS_COP.1.1 The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm TDES and cryptographic key sizes 168 bit (TDES) that meet the following: SSH Transport Layer Protocol [SSH-TRANS] and the following cipher suite: 3des-cbc as defined in [SSH-TRANS]. 2008­10­07 Cray / Novell / atsec Page 28 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 5.1.3 User Data Protection (FDP) 5.1.3.1 Discretionary Access Control Policy (FDP_ACC.1) FDP_ACC.1.1 The TSF shall enforce the Discretionary Access Control Policy on processes acting on the behalf of users as subjects and file system objects (ordinary files, directories, symbolic links, device special files, UNIX Domain socket special files, named pipes), IPC objects (message queues, semaphores, shared memory segments) and all operations among subjects and objects covered by the DAC policy. Application Note CAPP): For most systems there is only one type of subject, usually called a process or task, which needs to be specified in the ST. Named objects are those objects which are used to share information among subjects acting on the behalf of different users, and for which access to the object can be specified by a name or other identity. Any object that meets this criterion but is not controlled by the DAC policy must be justified. The list of operations covers all operations between the above two lists. It may consist of a sublist for each subject-named object pair. Each operation needs to specify which type of access right is needed to perform the operation; for example read access or write access. Rationale (CAPP): This component supports the O.DISCRETIONARY_ACCESS objective by specifying the scope of control for the DAC policy. 5.1.3.2 Discretionary Access Control Functions (FDP_ACF.1) FDP_ACF.1.1 The TSF shall enforce the Discretionary Access Control Policy to objects based on the following: a) The filesystem user identity and group membership(s) associated with a subject; and b) The following access control attributes associated with an object: File system objects: POSIX ACLs and permission bits. (ACLs can be used to grant or deny access to the granularity of a single user or group using Access Control Entries. Those ACL entries include the standard UNIX permission bits. POSIX ACLs can be used for file system objects within the ext3 file system). Access rights for file system objects are: - read - write - execute (ordinary files) - search (directories) IPC objects: permission bits Access rights for IPC objects are: - read - write FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: File system objects within the ext3 file system: A subject must have search permission for every element of the pathname and the requested access for the object. A subject has a specific type access to an object if: 2008­10­07 Cray / Novell / atsec Page 29 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+  The subject has been granted access according to the ACL_USER_OBJ or ACL_OTHER type entry in the ACL of the object Or  The subject has been granted access by an ACL_USER, ACL_GROUP_OBJ or ACL_GROUP entry and the associated right is also granted by the ACL_MASK entry of the ACL if the ACL_MASK entry exists Or  The subject has been granted access by the ACL_GROUP_OBJ entry and no ACL_MASK entry exists in the ACL of the object. File system objects in other file systems: A subject must have search permission for every element of the pathname and the requested access for the object. A subject has a specific type access to an object if:  The subject has the filesystem userid of the owner of the object and the requested type of access is within the permission bits defined for the owner Or  The subject does not have the filesystem userid of the owner of the object but the filesystem group id identical to the file system objects group id and the requested type of access is within the permission bits defined for the group Or  The subject has neither the filesystem userid of the owner of the object nor is the filesystem group id identical to the file system object group id and requested type of access is within the permission bits defined for "world" IPC objects: Access permissions are defined by permission bits of the IPC object. The process creating the object defines the creator, owner and group based on the userid of the current process. Access of a process to an IPC object is allowed, if  the effective userid of the current process is equal to the userid of the IPC object creator or owner and the “owner” permission bit for the requested type of access is set Or  the effective userid of the current process is not equal to the userid of the IPC object creator or owner and the effective group id of the current process is equal to the group id of the IPC object and the “group” permission bit for the requested type of access is set Or  The “world” permission bit for the requested type of access is set for users that do not satisfy one of the first two conditions FDP_ACF.1.3 The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: File System Objects: 2008­10­07 Cray / Novell / atsec Page 30 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ A process with a user ID of 0 is known as a root user process. These processes are generally allowed all access permissions. But if a root user process requests execute permission for a program (as a file system object), access is granted only if execute permission is granted to at least one user. IPC objects: A process with a user ID of 0 is known as a root user process. These processes are generally allowed all access permissions. FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following rules:  Write access to file system objects other than device special files on a file system mounted as read-only is always denied  Write access to a file marked as immutable is always denied. Application Note (CAPP): A CAPP conformant TOE is required to implement a DAC policy, but the rules which govern the policy may vary between TOEs; those rules need to be specified in the ST. In completing the rule assignment above, the resulting mechanism must be able to specify access rules which apply to at least any single user. This single user may have a special status such as the owner of the object. The mechanism must also support specifying access to the membership of at least any single group. Conformant implementations include self/group/public controls and access control lists. A DAC policy may cover rules on accessing public objects; i.e., objects which are readable to all authorized users, but which can only be altered by the TSF or authorized administrators. Specification of these rules should be covered under FDP_ACF.1.3 and FDP_ACF.1.4. A DAC policy may include exceptions to the basic policy for access by authorized administrators or other forms of special authorization. These rules should be covered under FDP_ACF.1.3. The ST must list the attributes which are used by the DAC policy for access decisions. These attributes may include permission bits, access control lists, and object ownership. A single set of access control attributes may be associated with multiple objects, such as all objects stored on a single floppy disk. The association may also be indirectly bound to the object, such as access control attributes being associated with the name of the object rather than directly to the object itself. Rationale (CAPP): This component supports the O.DISCRETIONARY_ACCESS objective by defining the rules which will be enforced by the TSF. Application Note: Additional restrictions apply for specific objects in the procfs and sysfs pseudo file systems. Application Note: The Network File System (NFS) does not implement any access control policy. The NFS server passes all requests for access control decisions to the underlying physical filesystem (ext3) which enforces the access control rules, and the NFS client uses the result of that decision to control access. 5.1.3.3 Object Residual Information Protection (FDP_RIP.2) FDP_RIP.2.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the allocation of the resource to all objects. Application Note (CAPP): This requirement applies to all resources governed by or used by the TSF; it includes resources used to store data and attributes. It also includes the encrypted representation of information. Clearing the information content of resources on deallocation from objects is sufficient to satisfy this requirement, if unallocated resources will not accumulate new information until they are allocated again. Rationale (CAPP): This component supports the O.RESIDUAL_INFORMATION objective. 2008­10­07 Cray / Novell / atsec Page 31 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 5.1.3.4 Subject Residual Information Protection (Note 1) NOTE 1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the allocation of the resource to all subjects. Application Note (CAPP): This requirement applies to all resources governed by or used by the TSF; it includes resources used to store data and attributes. It also includes the encrypted representation of information. Clearing the information content of resources on deallocation from subjects is sufficient to satisfy this requirement, if unallocated resources will not accumulate new information until they are allocated again. Rationale (CAPP): This component supports the O.RESIDUAL_INFORMATION objective. 5.1.3.5 Basic data exchange confidentiality (FDP_UCT.1) FDP_UCT.1.1 The TSF shall enforce the Discretionary Access Control Policy to be able to transmit and receive objects in a manner protected from unauthorized disclosure. Application Note: Confidentiality of data during transmission is ensured when the one of the secured protocols ssh or ssl are used. User processes are still bound by the discretionary access control policy with respect to the data they are able to transfer. The TOE is able act both as a server and a client for ssh and ssl connections. 5.1.3.6 Data exchange integrity (FDP_UIT.1) FDP_UIT.1.1 The TSF shall enforce the Discretionary Access Control Policy to be able to transmit and receive user data in a manner protected from modification and insertion errors. FDP_UIT.1.2 The TSF shall be able to determine on receipt of user data, whether modification or insertion has occurred. Application Note: Integrity of data during transmission is ensured when the one of the secured protocols ssh or ssl is used. User processes are still bound by the discretionary access control policy with respect to the data they are able to transfer. The TOE is able act both as a server and a client for ssh and ssl connections. 5.1.4 Identification and Authentication (FIA) 5.1.4.1 User Attribute Definition (FIA_ATD.1) FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: a) User Identifier; b) Group Memberships; c) Authentication Data; d) Security-relevant Roles; and e) no other attributes Application Note (CAPP): The specified attributes are those that are required by the TSF to enforce the DAC policy, the generation of audit records, and proper identification and authentication of users. The user identity must be uniquely associated with a single individual user. Group membership may be expressed in a number of ways: a list per user specifying to which groups the user belongs, a list per group which includes which users are members, or implicit association between certain user identities and certain groups. A TOE may have two forms of user and group identities, a text form and a numeric form. In these cases there must be unique mapping between the representations. Rationale (CAPP): This component supports the O.AUTHORIZATION and O.DISCRETIONARY_ACCESS objectives by providing the TSF with the information about users needed to enforce the TSP. 2008­10­07 Cray / Novell / atsec Page 32 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Application Note: “Authentication data” includes all data needed for successfully authenticating a user or changing the authentication token. This consists of the user’s password, password age, hashes of previously used passwords, and information about locked or expired accounts. 5.1.4.2 Strength of Authentication Data (FIA_SOS.1) FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet the following: a) For each attempt to use the authentication mechanism, the probability that a random attempt will succeed is less than one in 1,000,000; b) For multiple attempts to use the authentication mechanism during a one minute period, the probability that a random attempt during that minute will succeed is less than one in 100,000; and c) Any feedback given during an attempt to use the authentication mechanism will not reduce the probability below the above metrics. Application Note (CAPP): The method of authentication is unspecified by the CAPP, but must be specified in a ST. The method which is used must be shown to have low probability that authentication data can be forged or guessed. For example, if a password mechanism is used a set of metrics needs to be specified and may include such things as minimum length of the password, maximum lifetime of a password, and the subjecting of possible passwords to dictionary attacks. The strength of whatever mechanism implemented must be subjected to strength of function analysis. (See AVA_SOF.1) Rationale (CAPP): This component supports the O.AUTHORIZATION objective by providing an authentication mechanism with a reasonable degree of certainty that only authorized users may access the TOE. 5.1.4.3 Authentication (FIA_UAU.2) FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user. Application Note (CAPP): The ST must specify the actions which are allowed by an unauthenticated user. The allowed actions should be limited to those things which aid an authorized user in gaining access to the TOE. This could include help facilities or the ability to send a message to authorized administrators. Rationale (CAPP): This component supports the O.AUTHORIZATION objective by specifying what actions unauthenticated users may perform. Application Note: Untrusted processes running on behalf of a normal user may use network functions to import and export data they have access to. This process may therefore export user data without authenticating or even knowing the identity of a user receiving such data. This is not considered to be a violation of the security policy with respect to identification and authentication and discretionary access control, since it is well-known that discretionary access control cannot control flow of information. An example of such an export function is a user process running a web-server on an unprivileged port. Still, this process is limited in its access by the security policy of the TOE. 5.1.4.4 Protected Authentication Feedback (FIA_UAU.7) FIA_UAU.7.1 The TSF shall provide only obscured feedback to the user while the authentication is in progress. Application Note (CAPP): Obscured feedback implies the TSF does not produce a visible display of any authentication data entered by a user, such as through a keyboard (e.g., echo the password on the terminal). It is acceptable that some indication of progress be returned instead, such as a period returned for each character sent. Some forms of input, such as card input based batch jobs, may contain human readable user passwords. The Administrator and User Guidance documentation for the product 2008­10­07 Cray / Novell / atsec Page 33 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ must explain the risks in placing passwords on such input and must suggest procedures to mitigate that risk. Rationale (CAPP): This component supports the O.AUTHORIZATION objective. Individual accountability cannot be maintained if the individual’s authentication data, in any form, is compromised. 5.1.4.5 Identification (FIA_UID.2) FIA_UID.2.1 The TSF shall require each user to identify itself before allowing any other TSF- mediated actions on behalf of that user. Application Note (CAPP): The ST must specify the actions which are allowed to an unidentified user. The allowed actions should be limited to those things which aid an authorized user in gaining access to the TOE. This could include help facilities or the ability to send messages to authorized administrators. The method of identification is unspecified by this PP, but should be specified in a ST and it should specify how this relates to user identifiers maintained by the TSF. Rationale (CAPP): This component supports the O.AUTHORIZATION objective by specifying what actions unidentified users may perform. 5.1.4.6 User­Subject Binding (FIA_USB.1) FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: a) The user identity which is associated with auditable events; b) The user identity or identities which are used to enforce the Discretionary Access Control Policy; c) The group membership or memberships used to enforce the Discretionary Access Control Policy; d) no other security attributes. FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of a user: a) Upon successful identification and authentication, the login user ID, the real user ID, the filesystem user ID and the effective user ID shall be those specified in the user entry for the user that has authenticated successfully. b) Upon successful identification and authentication, the real group ID, the filesystem group ID and the effective group ID shall be those specified via the group membership attribute in the user entry. FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of a user: a) The effective and filesystem user ID of a user can be changed by the use of an executable with the setuid bit set. In this case the program is executed with the effective and filesystem user ID of the program owner. Access rights are then evaluated using the filesystem user ID of the program owner. The real and login user ID remain unchanged. b) The effective, filesystem and real user ID of a user can be changed by the su command. In this case the real, filesystem and effective user ID of the user is changed to the user specified in the su command (provided authentication is successful). The login user ID remains unchanged. c) The filesystem and effective group ID of a user can be changed by the use of an executable with the setgid bit set. In this case the program is executed with the filesystem and effective group ID of the program owner. Access rights are then evaluated using the filesystem group ID of the program owner. 2008­10­07 Cray / Novell / atsec Page 34 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Application Note (CAPP): The DAC policy and audit generation require that each subject acting on the behalf of users have a user identity associated with the subject. This identity is normally the one used at the time of identification to the system. The DAC policy enforced by the TSF may include provisions for making access decisions based on a user identity which differs from the one used during identification. The ST must state, in FIA_USB.1.1, how this alternate identity is associated with a subject and justify why the individual user associated with this alternate identity is not compromised by the mechanism used to implement it. Depending on the TSF’s implementation of group membership, the associations between a subject and groups may be explicit at the time of identification or implicit in a relationship between user and group identifiers. The ST must specify this association. Like user identification, an alternate group mechanism may exist, and parallel requirements apply. Rationale (CAPP): This component supports the O.DISCRETIONARY_ACCESS and O.AUDITING objectives by binding user identities to subjects acting on their behalf. 5.1.5 Security Management (FMT) 5.1.5.1 Management of Object Security Attributes (FMT_MSA.1) FMT_MSA.1.1 The TSF shall enforce the Discretionary Access Control Policy to restrict the ability to modify the access control attributes associated with a named object to administrative users and the owner of the object. For IPC objects the original creator of the object also has the ability to modify the access control attributes. Application Note (CAPP): The ST must state the components of the access rights that may be modified, and must state any restrictions that may exist for a type of authorized user and the components of the access rights that the user is allowed to modify. The ability to modify access rights must be restricted in that a user having access rights to a named object does not have the ability to modify those access rights unless granted the right to do so. This restriction may be explicit, based on the object ownership, or based on a set of object hierarchy rules. Rationale (CAPP): This component supports the O.DISCRETIONARY_ACCESS objective by providing the means by which the security attributes of objects are managed by a site. 5.1.5.2 Secure security attributes (FMT_MSA.2) FMT_MSA.2.1 The TSF shall ensure that only secure values are accepted for security attributes. Application Note: This requirement is included as a dependency from the security functional requirements FCS_CKM.1, FCS_CKM.2 and FCS_COP.1. The assessment with respect to this requirement in the evaluation of this TOE does not include any assessment of the cryptographic strength of the keys generated or used. Instead the assessment with respect to this requirement just includes an assessment that the TOE protects those keys from unauthorized access, disclosure or tampering. 5.1.5.3 Static Attribute Initialization (FMT_MSA.3) FMT_MSA.3.1 The TSF shall enforce the Discretionary Access Control Policy to provide restrictive default values for security attributes that are used to enforce the Discretionary Access Control Policy. FMT_MSA.3.2 The TSF shall allow the administrative users and the owner of the object to specify alternative initial values to override the default values when an object or information is created. Application Note (CAPP): A CAPP-conformant TOE must provide protection by default for all objects at creation time. This may be done through the enforcing of a restrictive default access control on newly created objects or by requiring the user to explicitly specify the desired access controls on the object at its creation. In either case, there shall be no window 2008­10­07 Cray / Novell / atsec Page 35 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ of vulnerability through which unauthorized access may be gained to newly created objects. Rationale (CAPP): This component supports the O.DISCRETIONARY_ACCESS objective by requiring that objects are properly protected starting from the instant that they are created. Application Note: The term SFP in FMT_MSA.3.1 in Volume 2 of the Common Criteria is printed in italics but is not as one would expected stated as "[assignment: SFP]". It is assumed that such an assignment was intended by the authors of the CC and has therefore been performed here. 5.1.5.4 Management of the Audit Trail (FMT_MTD.1) FMT_MTD.1.1 The TSF shall restrict the ability to create, delete, and clear the audit trail to authorized administrators. Application Note (CAPP): The selection of “create, delete, and clear” functions for audit trail management reflect common management functions. These functions should be considered generic; any other audit administration functions that are critical to the management of a particular audit mechanism implementation should be specified in the ST. Rationale (CAPP): The component supports the O.AUDITING and O.MANAGE objectives by ensuring that the accountability information is not compromised by destruction of the audit trail. Application Note: This requirement is implemented using the discretionary access control features of the TOE to protect the files holding the audit trail. 5.1.5.5 Management of Audited Events (FMT_MTD.1) FMT_MTD.1.1 The TSF shall restrict the ability to modify or observe the set of audited events to authorized administrators. Application Note (CAPP): The set of audited events are the subset of auditable events which will be audited by the TSF. The term set is used loosely here and refers to the total collection of possible ways to control which audit records get generated; this could be by type of record, identity of user, identity of object, etc. It is an important aspect of audit that users not be able to effect which of their actions are audited, and therefore must not have control over or knowledge of the selection of an event for auditing. Rationale (CAPP): This component supports the O.AUDITING and O.MANAGE objectives by providing the administrator with the ability to control the degree to which accountability is generated. Application Note: This requirement is implemented using the discretionary access control features of the TOE to protect the audit configuration files. 5.1.5.6 Management of User Attributes (FMT_MTD.1) FMT_MTD.1.1 The TSF shall restrict the ability to initialize and modify the user security attributes, other than authentication data, to authorized administrators. Application Note (CAPP): This component only applies to security attributes which are used to maintain the TSP. Other user attributes may be specified in the ST, but control of those attributes is not within the scope of the CAPP. Rationale (CAPP): This component supports the O.MANAGE objective by providing the administrator with the means to manage who are authorized users and what attributes are associated with each user. 5.1.5.7 Management of Authentication Data (FMT_MTD.1) FMT_MTD.1.1 The TSF shall restrict the ability to initialize the authentication data to authorized administrators. 2008­10­07 Cray / Novell / atsec Page 36 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ FMT_MTD.1.1 The TSF shall restrict the ability to modify the authentication data to the following: a) authorized administrators; and b) users authorized to modify their own authentication data Application Note (CAPP): User authentication data refers to information that users must provide to authenticate themselves to the TSF. Examples include passwords, personal identification numbers, and fingerprint profiles. User authentication data does not include the users identity. The ST must specify the authentication mechanism that makes use of the user authentication data to verify a user’s identity. This component does not require that any user be authorized to modify their own authentication information; it only states that it is permissible. It is not necessary that requests to modify authentication data require reauthentication of the requester’s identity at the time of the request. Rationale (CAPP): This component supports the O.AUTHORIZATION and O.MANAGE objectives by ensuring integrity and confidentiality of authentication data. Application Note: The TOE restricts the password change operation to administrators only. There are no non-admin users who are authorized to modify their own authentication information. 5.1.5.8 Revocation of User Attributes (FMT_REV.1) FMT_REV.1.1 The TSF shall restrict the ability to revoke security attributes associated with the users within the TSC to authorized administrators. FMT_REV.1.2 The TSF shall enforce the rules: a) The immediate revocation of security-relevant authorizations; and b) Revocations/modifications made by an authorized administrator to security attributes of a user such as the user identifier, user name, user group(s), user password or user login shell shall be effective the next time the user logs in. Application Note (CAPP): Many security-relevant authorizations could have serious consequences if misused, so an immediate revocation method must exist, although it need not be the usual method (e.g., The usual method may be editing the trusted users profile, but the change doesn’t take effect until the user logs off and logs back on. The method for immediate revocation might be to edit the trusted users profile and “force” the trusted user to log off.). The immediate method must be specified in the ST and in administrator guidance. In a distributed environment the developer must provide a description of how the “immediate” aspect of this requirement is met. Rationale (CAPP): This component supports the O.MANAGE objective by controlling access to data and functions which are not generally available to all users. Application Note: Like other UNIX type operating systems, the TOE does not enforce “immediate revocation” for user security attributes. To achieve this, the system administrator has to check if the user whose security attributes have been changed is currently logged in. If this is the case, the system administrator has to “force” the user to log off as indicated in the CAPP Application Note. 5.1.5.9 Revocation of Object Attributes (FMT_REV.1) FMT_REV.1.1 The TSF shall restrict the ability to revoke security attributes associated with objects within the TSC to users authorized to modify the security attributes by the Discretionary Access Control policy. FMT_REV.1.2 The TSF shall enforce the rules: a) The access rights associated with an object shall be enforced when an access check is made; and b) Access rights to file system and IPC objects are checked when the object is opened. Revocations of access rights for file system objects become effective the next time a user affected by the revocation tries to open a file system object. 2008­10­07 Cray / Novell / atsec Page 37 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Application Note (CAPP): The DAC policy may include immediate revocation (e.g., Multics immediately revokes access to segments) or delayed revocation (e.g., most UNIX systems do not revoke access to already opened files). The DAC access rights are considered to have been revoked when all subsequent access control decisions by the TSF use the new access control information. It is not required that every operation on an object make an explicit access control decision as long as a previous access control decision was made to permit that operation. It is sufficient that the developer clearly documents in guidance documentation how revocation is enforced. Rationale (CAPP): This component supports the O.DISCRETIONARY_ACCESS objective by providing that specified access control attributes are enforced at some fixed point in time. Application Note: Like most other UNIX type operating systems, the TOE implements delayed revocation as indicated in the CAPP Application Note. 5.1.5.10 Specification of Management Functions (FMT_SMF.1) FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions:  Object security attributes management  User attribute management  Authentication data management  Audit event management Application Note: This security functional requirement has been added due to changes in the [CC] that were introduced after the publication of [CAPP]. 5.1.5.11 Security Management Roles (FMT_SMR.1) FMT_SMR.1.1 The TSF shall maintain the roles: a) authorized administrator; b) users authorized by the Discretionary Access Control Policy to modify object security attributes; c) users authorized to modify their own authentication data; and d) no other roles FMT_SMR.1.2 The TSF shall be able to associate users with roles. Application Note (CAPP): A CAPP-conformant TOE only needs to support a single administrative role, referred to as the authorized administrator. If a TOE implements multiple independent roles, the ST should refine the use of the term authorized administrators to specify which roles fulfill which requirements. The CAPP specifies a number of functions which are required of or restricted to an authorized administrator, but there may be additional functions which are specific to the TOE. This would include any additional function which would undermine the proper operation of the TSF. Examples of functions include: ability to access certain system resources such as tape drives or vector processors, ability to manipulate the printer queues, and ability to run real-time programs. Rationale (CAPP): This component supports the O.MANAGE objective. Application Note: The role model supported by the TOE is a very simple one: the administrative user is root (extended to all members of the “trusted” group that may su to root). All other users of the system have the user role. The role of “users authorized to modify the their own authentication data” has no members. Only administrators are authorized to modify authentication data. 2008­10­07 Cray / Novell / atsec Page 38 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 5.1.6 Protection of the TOE Security Functions (FPT) 5.1.6.1 Abstract Machine Testing (FPT_AMT.1) FPT_AMT.1.1 The TSF shall run a suite of tests at the request of an authorized administrator to demonstrate the correct operation of the security assumptions provided by the abstract machine that underlies the TSF. Application Note (CAPP): In general this component refers to the proper operation of the hardware platform on which a TOE is running. The test suite needs to cover only aspects of the hardware on which the TSF relies to implement required functions, including domain separation. If a failure of some aspect of the hardware would not result in the TSF compromising the functions it performs, then testing of that aspect is not required. Rationale (CAPP): This component supports the O.ENFORCEMENT objective by demonstrating that the underlying mechanisms are working as expected. Application Note: Chapter 6 describes the tool. 5.1.6.2 Reference Mediation (FPT_RVM.1) FPT_RVM.1.1 The TSF shall ensure that the TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed. Application Note (CAPP): This element does not imply that there must be a reference monitor. Rather this requires that the TSF validates all actions between subjects and objects that require policy enforcement. Rationale (CAPP): This component supports O.ENFORCEMENT objective by ensuring that the TSP is not being bypassed. 5.1.6.3 Domain Separation (FPT_SEP.1) FPT_SEP.1.1 The TSF shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects. FPT_SEP.1.2 The TSF shall enforce separation between the security domains of subjects in the TSC. Application Note (CAPP): This component does not imply a particular implementation of a TOE. The implementation needs to exhibit properties that the code and the data upon which TSF relies are not alterable in ways that would compromise the TSF and that observation of TSF data would not result in failure of the TSF to perform its job. This could be done either by hardware mechanisms or hardware architecture. Possible implementations include multi-state CPU’s which support multiple task spaces and independent nodes within a distributed architecture. The second element can also be met in a variety of ways also, including CPU support for separate address spaces, separate hardware components, or entirely in software. The latter is likely in layered application such as a graphic user interface system which maintains separate subjects. Rationale (CAPP): This component supports O.ENFORCEMENT objectives by ensuring that a TSF exists within the TOE and that it can reliably carry out its functions. Application Note: The TOE enforces this requirement by using the address separation features provided by the Memory Management Units and the protection offered by a multi-state CPU. The TOE software can run on many different platforms. All those platforms provide a Memory Management Unit that enforces address space separation between trusted and untrusted subjects; and a multi-state CPU where modification to the address space definition, direct access to peripheral devices, and the CPU configuration itself can be restricted to a state reserved for a defined part of the TSF (the kernel). The TOE ensures that those features are used correctly to prohibit any untrusted subject from unallowed interference and tampering with the TSF. 2008­10­07 Cray / Novell / atsec Page 39 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 5.1.6.4 Reliable Time Stamps (FPT_STM.1) FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use. Application Note (CAPP): The generation of audit records depends on having a correct date and time. The ST needs to specify the degree of accuracy that must be maintained in order to maintain useful information for audit records. Rationale (CAPP): This component supports the O.AUDITING objective by ensuring that accountability information is accurate. Application Note: The TOE uses a hardware timer to maintain its own time stamp. This hardware timer is protected from tampering by untrusted subjects. The start value for this timer may be set by the system administrator, but the system administrator may also start a program that uses an external trusted time source to set this initial value. 5.1.6.5 Inter­TSF trusted channel (FTP_ITC.1) FTP_ITC.1.1 The TSF shall provide a communication channel between itself and a remote trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure. FTP_ITC.1.2 The TSF shall permit the TSF or the remote trusted IT product to initiate communication via the trusted channel. FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for when the communication uses the SSH v2 or SSL v3 protocol offered as services by the TOE. 5.1.6.6 Basic internal TSF data transfer protection (FPT_ITT.1) FPT_ITT.1.1 The TSF shall protect TSF data from modification when it is transmitted between separate parts of the TOE. 5.1.6.7 Internal TSF consistency (FPT_TRC.1) FPT_TRC.1.1 The TSF shall ensure that TSF data is consistent when replicated between parts of the TOE. FPT_TRC.1.2 When parts of the TOE containing replicated TSF data are disconnected, the TSF shall ensure the consistency of the replicated TSF data upon reconnection before processing any requests for Identification and Authentication (IA). Application Note: The TOE maintains a single copy of authentication data and makes this data available read- only for all login nodes. This automatically ensures consistency of the data. If the necessary network connection is disconnected, identification and authentication fails due to unavailability of the user database. 5.1.7 Strength of Function The claimed minimum strength of function is SOF-medium. Note: The security function within the TOE that uses a permutational or probabilistic mechanism is the authentication function that uses passwords. No strength of function analysis is performed for the cryptographic algorithms themselves which also excludes any analysis of the existence and characterization of cryptographically weak keys. This statement is made in compliance with part 1 of the CC and paragraph 422 of part 2 of the CEM. 5.2 TOE Security Assurance Requirements The target evaluation assurance level for the product is EAL3 [CC] augmented by ALC_FLR.1. 5.3 Security Requirements for the IT Environment No security functional requirements for the IT environment are applicable, because all security functions are completely implemented without any support from the IT environment. 2008­10­07 Cray / Novell / atsec Page 40 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 5.4 Security Requirements for the Non-IT Environment All the security objectives for the TOE environment address physical protection of the TOE or procedures that need to be obeyed by administrative users. 2008­10­07 Cray / Novell / atsec Page 41 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 6 TOE Summary Specification 6.1 Security Enforcing Components Overview 6.1.1 Introduction This chapter describes the security functions of the TOE that are subject to this evaluation. A large subset of the overall security related functions of the Cray UNICOS/lc Operating System has been included in this evaluation. Those functions provide the basic security for a system within a protected environment. They allow for identification and authentication of users, access control to files and IPC objects, auditing of security critical events and secure communication with other trusted systems. The TOE protects the security functions from unauthorized tampering and bypassing and allows only administrative users to manage the security functions. Normal users are only allowed to manage access control rights of the file system and IPC objects they own. Normal users are not allowed to modify their own password. Those functions are required as a basis for application level security functions and mechanisms and can be used to build application specific security policies. 6.1.2 Kernel Services The kernel includes the base kernel and some kernel modules. The base kernel includes support for system initialization, memory management, file and I/O management, process control, and Inter-Process Communications (IPC) services. Kernel modules are dynamically loadable modules that the kernel will load on demand and that execute with kernel privileges. Device drivers may be implemented as kernel modules. The kernel implements a virtual memory manager (VMM) that allocates a large, contiguous address space to each process running on a node of the system. This address space is spread across physical memory and optionally paging space on a secondary storage device. The nodes in the system each have separate kernels, memory managers, and address spaces. The process management component includes the software that is responsible for creating, scheduling, and terminating processes and process threads. Process management allows multiple processes to exist simultaneously on a node and to share usage of the node’s processor(s). A process is defined as a program in execution, that is, it consists of the program and the execution state of the program. Process management also provides services such as inter-process communications (IPC) and event notification. The base kernel implements:  named pipes  unnamed pipes  signals  semaphores  shared memory  message queues  Internet domain sockets  UNIX domain sockets The file and I/O software provides access to files and devices. The Virtual File System (VFS) provides a consistent view of multiple file system implementations. The evaluated configuration supports the file systems defined in section 2.4.1 ”File systems” of this document. 6.1.3 Non-Kernel TSF Services The non-kernel TSF services are:  Identification and Authentication services  Network application layer services  Configuration and management commands requiring root privileges 2008­10­07 Cray / Novell / atsec Page 42 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Those services support the security functions implemented within the kernel and use the kernel interface for this purpose, but they are not themselves running in kernel mode. Those functions are included in the TSF as far as they are required for the security services of the TOE (Identification and Authentication services), while other services that are implemented as tools or commands for the use of the administrative user and where the kernel prohibits the use or misuse of those tools or commands, since they use kernel functions restricted to administrative users and attempted use by normal users is prohibited by the kernel. 6.1.4 Network Services The TOE is capable of providing the following types of services:  Local services to the user currently logged in to the local computer console.  Local services to previous users via deferred jobs, including jobs submitted using ALPS.  Local services to users who have accessed the local host via the network using protocols such as ftp or ssh.  Network services to clients on either the local host or on remote hosts. Network services are provided to clients via a client-server architecture. This client-server architecture refers to the division of the software that provides a service into a client portion, which makes requests, and a server portion, which carries out client requests (usually on a different computer). A service protocol acts as the interface between the client and server. The primary low-level network protocols are Internet Protocol (IP), Transmission Control Protocol (TCP), and User Datagram Protocol (UDP). IP is not user visible, but non-TSF processes may communicate with other hosts in a networked system using a reliable byte stream or unreliable datagrams, TCP and UDP respectively. The higher-level network services that are part of the TSF are built on TCP or UDP. The TCP based application protocols supporting user authentication and running on privileged ports are:  secure shell (SSH v2)  file transfer services (FTP) In addition the TOE supports secure socket layer (SSL v3) protocol, which can be used to securely tunnel higher layer protocols. This service is provided by a trusted process which can be used by applications to tunnel TCP based protocols using a single port. The tunnel actually provides the certificate based authentication of the server side of the tunnel and the confidentiality and integrity protection of the communication. 6.1.5 Security Policy Overview The TOE is a single Cray XT4 or Cray XT5 computer system consisting of nodes, each running an instance of the Cray UNICOS/lc Operating System software. Several of those systems may be interconnected via a local area network and exchange information using the network services. But one should keep in mind that the following statements hold:  Each node of each system in the network runs the Cray UNICOS/lc Operating System kernel.  Identification and authentication (I&A) is performed locally by each system. Each user is required to Login with a valid password and user identifier combination at the local system and also at any remote system where the user can enter commands to a shell program (using ssh). (After successful I&A on a login node, users may submit jobs on compute nodes using ALPS using their current authorization without additional I&A.) User ID and password for one human user are identical among all login nodes forming a system but may be different on different systems. User ID and password on one system are not known to other systems on the network and therefore a user ID is relevant only for the system where it is defined.  Discretionary access control (DAC) is performed locally by each of the systems and is based on user identity and group membership on this system. Each process has an identity (the user on whose behalf it is operating) and belongs to one or more groups. All named objects have an owning user, an owning group and a DAC attribute, which is a set of permission bits. In addition, file system objects optionally have extended permissions also known as an Access Control List (ACL). The ACL mechanism is a significant enhancement beyond traditional UNIX systems, and permits control of access based on lists of users and/or groups to whom specific permissions may be individually granted or denied.  Object reuse is performed locally within each system, without respect to other systems.  Interrupt handling is performed locally, without respect to other systems. 2008­10­07 Cray / Novell / atsec Page 43 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+  Privilege is based on the root identity. All privileged processes (setuid root programs and programs run under the root identity) start as processes with all privileges enabled. Unprivileged processes, which include setgid trusted processes, start and end with no privileges enabled. 6.1.6 TSF Structure The TSF is the portion of the system that is responsible for enforcing the system’s security policy. The TSF of the Cray UNICOS/lc Operating System consists of two major components: kernel software and trusted processes. All these components must operate correctly for the system to be trusted. Those functions are supported by the mechanisms of the underlying hardware which are used to protect the TSF from tampering by untrusted processes. The TOE hardware components support two execution states where kernel mode (or supervisor state) software runs with hardware privilege, and user mode (or problem state) software runs without hardware privilege. The TOE also provides two types of memory protection: segmentation and page protection. The memory protection features isolate critical parts of the kernel from user processes and ensure that segments in use by one process are not available to other processes. The two-state architecture and the memory protections form the basis of the argument for process isolation and protection of the TSF. The trusted processes include programs such as Linux administrative programs, scripts, shells, and standard Linux utilities that run with administrative privilege as a consequence of being invoked by a user with administrative privileges. Non-kernel TSF software also includes daemons that provide system services, such as networking, as well as setuid and setgid programs that can be executed by untrusted users. 6.1.7 TSF Interfaces Each subsection here summarizes a class of interfaces in the TOE operating system, and characterizes them in terms of the TSF boundary. The TSF boundary includes some interfaces, such as commands implemented by privileged processes, which are similar in style to other interfaces that are not part of the TSF boundary and thus not trusted. Some interfaces are part of the TSF boundary only when used in a privileged environment, such as an administrative user’s process, but not when used in a non-privileged environment, such as a normal user process. All interface classes are described in further detail in the next chapter, and the mechanisms in subsequent chapters. As this is only an introduction, no explicit forward references are provided. 6.1.7.1 User Interfaces The typical interface presented to a user is the command interpreter, or shell. The user types commands to the interpreter, and in turn, the interpreter invokes programs. The programs execute hardware instructions and invoke the kernel to perform services, such as file access or I/O to the user’s terminal. A program may also invoke other programs, or request services using an IPC mechanism. Before using the command interpreter, a user must log in. The command interpreter or shell as well as other programs operating on behalf of a user have the following interfaces:  CPU instructions, which a process uses to perform computations within the processor's registers and a process's memory areas. CPU instructions are interpreted by the hardware, which is part of the TOE; CPU instructions are therefore an interface to the TSF.  System calls (e.g. open, fork), through which a process requests services from the kernel, which are invoked using a special CPU instruction. System calls are the primary way for a program operating on behalf of a user to request services of the TOE including the security services. System calls related to security functions are therefore part of the TSF interface.  Directly-invoked trusted processes (e.g. passwd) which perform higher-level services, and are invoked with an exec system call that names an appropriate program which is part of the TSF, and replaces the current process's content with it; a limited number of those processes exist that perform security functions and are therefore part of the TSF interface.  Daemons, which accept requests stored in files or communicated via other IPC mechanisms, generally created through use of directly invoked processes (some trusted, some untrusted). A few daemons perform security functions and are therefore part of the TSF interface.  Network Services, (ssh, ftp, ssl). The network services interface operates at many different levels of abstraction. At the highest level, it provides a means for users on one host to request a virtual terminal connection on another host within the system. At a lower level, it allows a host on a networked system to request a specific service from another host within the system on behalf of a user. Examples of requested services include remote login into the TOE and obtaining a shell or transferring whole files. At the lowest level, it allows a subject on one host in the system to request a connection (i.e. TCP), or deliver data (i.e. 2008­10­07 Cray / Novell / atsec Page 44 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ UDP) to a listening subject. Network services usually consist of a client on the requestor’s side and a server (usually a daemon) running on the server’s side. Authentication (if required by the service) and access control use dedicated interfaces to the functions on the server side which are therefore part of the TSF interface. Note that for the TOE only ssh, ssl and ftp are seen as TSF, because they use privileged ports. ssh and ftp require user identification and authentication; and ssh and ssl provide confidentiality and integrity protection. Note: Users may start programs using unprivileged TCP/UDP ports, but those programs operate with the effective and filesystem userid of the calling user and are therefore restricted by the security policy of the TOE. Those user programs using unprivileged ports are not part of the TSF. 6.1.7.2 Operation and Administrator Interface The primary administrative interfaces to the TOE are the same as the interfaces for ordinary users; the administrative user logs into the system with a standard, untrusted identity and password, and after assuming the root identity uses standard Linux commands to perform administrative tasks. The crayadm user available on the boot node can be used to configure the service and compute node boot images. Direct root login is only allowed from the system console (to avoid a denial of service attack). The part of the administrative database (which is the set of all security relevant configuration files) that is used to configure and manage TSF is seen as part of the TSF interface. The administrative database is protected by the access control mechanisms of the TOE. It is therefore very important to set the access rights to the files of the administrative database such that non-administrative users are prohibited from modifying those files and have read access on a need-to-know basis only. Each login node in the system has its own copy of the administrative databases, and the TOE includes a mechanism to keep this data synchronized among login nodes. Note that each system in a network consisting of multiple systems has independent administrative databases and if synchronization between those TSF databases is required by the organization's security policy, it has to be done manually in the system environment. The TOE does not provide any function to synchronize TSF databases on different systems, only within nodes comprising a single system. 6.1.8 Secure and Non-Secure States The secure state for the TOE is defined as a system’s entry into multi-user mode with the administrative databases configured with the required access rights. At this point, the system accepts user logins and services network requests across the networked system. If these facilities are not available, the system is considered to be in a non- secure state. Although it may be operational in a limited sense and available for an administrative user to perform system repair, maintenance, and diagnostic activity, the TSF are not in full operation and is not necessarily protecting all system resources according to the security policy. 6.2 Description of the Security Enforcing Functions 6.2.1 Introduction This chapter describes how the security enforcing components of the TOE provide the security requirements identified in chapter 5. A high level description is provided for each group of security enforcing functions (SEF) providing a common feature or service, and stating how the functionality specified by the security enforcing function group is provided by the security enforcing components identified in this chapter. The security enforcing function groups identified in this chapter follow the description given in chapter 2:  Identification and Authentication  Audit  Discretionary Access Control  Object Reuse  Security Management  Secure Communication  TOE Protection 2008­10­07 Cray / Novell / atsec Page 45 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ The TOE security functions (TSF) are described with sufficient detail to provide a general understanding of those functions and how they work. A more detailed description of those functions and a mapping of the TSF to TOE subsystems is provided in the high level design documentation. References to components given in italics can be traced to manual pages or TOE sources for further information. Note also that some commands initiate trusted processes or are a local front end to a trusted process (e.g. ftp and the ftpd daemon, ssh and the sshd daemon). In these instances, a generic reference to the command is made. 6.2.2 Identification and Authentication (IA) User identification and authentication in the TOE includes all forms of interactive login (e.g., using the ssh or ftp protocols) as well as identity changes through the su command. These all rely on explicit authentication information provided interactively by a user. Identification and authentication of users is performed from a terminal where no user is logged on or when a user that is logged on starts a service that requires additional authentication. All those services use a common mechanism for authentication described in this chapter. They all use the administrative database. The administrative database is managed by administrative users only. Normal users are not allowed to modify their own passwords. This chapter also describes the authentication process for those network services that require authentication. Linux uses a suite of libraries called the “Pluggable Authentication Modules” (PAM) that allow an administrative user to choose how PAM-aware applications authenticate users. The following PAM modules are included in the evaluated configuration and implement security functions:  pam_unix.so (basic password based authentication, configured to use MD5)  pam_loginuid.so (set permanent audit login user ID, and ensure fail-secure behavior by refusing login in case the audit system is inoperative)  pam_wheel.so (to restrict the use of the su command to members of the “trusted” group)  pam_tally.so (to limit the number of consecutive unsuccessful authentication attempts)  pam_nologin.so (to check /etc/nologin)  pam_securetty.so (to restrict root access to specific terminals)  pam_passwdqc.so (for additional password checking)  cray_faillog.so (to limit the number of consecutive unsuccessful authentication attempts) In addition the following module may be used:  pam_rootok.so to avoid that an administrative user with the effective user ID of root has to re-enter the password for some commands that require user authentication (e.g., chage). 6.2.2.1 User Identification and Authentication Data Management (IA.1) The login nodes within a single system share a common set of users with their passwords and attributes. Compute nodes do not perform user identification and authentication, and service nodes other than login nodes are restricted to access by administrators only. Each system maintains its own set of users with their passwords and attributes. Although the same human user may have accounts on different systems interconnected by a network and running an instantiation of the TOE, those accounts and their parameter are not synchronized on different systems. As a result the same user may have different usernames, different user IDs, different passwords and different attributes on different machines within the networked environment. Existing mechanism for synchronizing this among networked systems are not subject to this evaluation. Each system within a network of systems maintains its own administrative database by making all administrative changes on the local system. System administration has to ensure that all machines within the network are configured in accordance with the requirements defined in this Security Target. In a single system, multiple login nodes share a single common copy of the user database including authentication information. This information is read-only on login nodes, and can only be modified by administrators on a boot node. Users are not allowed to change their passwords. Administrators can run the passwd program on a boot node to read the contents of /etc/shadow and to modify the /etc/shadow file for the user’s password entry, which is inaccessible to a non-privileged user process (IA1.1). Users are warned to change their passwords at login time if the password will expire soon, and are prevented from logging in if the password has expired (IA1.2). The password change by 2008­10­07 Cray / Novell / atsec Page 46 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ administrators is propagated to all login nodes within the system due to them using the same shadow file, mounted read-only served by the boot node via NFS. The file /etc/passwd contains the user’s name, the id of the user, an indicator if the password of the user is valid, the principal group id of the user, and other (not security relevant) information (IA1.3). The encrypted password of the user itself is not stored in this file but in the file /etc/shadow which can be protected against read access for ordinary users. This prohibits dictionary attacks on passwords in the passwd file as for example described in the paper of Ken Thomson and Bob Morris “Password Security - A Case History”. The file /etc/shadow contains the MD5 encrypted password, the userid, the time the password was last changed and some other information that is not subject to the security functions as defined in this Security Target (IA1.4). For a complete list of user attributes see the description of the function SM. An administrative user can define the following restrictions on the login process (defined in /etc/login.defs to be used by management tools; in the PAM configuration and the trusted databases /etc/shadow and /etc/security/opasswd to be used by the authentication process itself):  Maximum number of days a password may be used.  Minimum number of days allowed between password changes.  Minimum acceptable password length (defined in the parameter to pam_passwdqc.so).  Number of days a warning is given before a password expires.  Number of consecutive unsuccessful login retries.  Maximum number of attempts to change the password.  Number of old but recent passwords to be disallowed when changing the password for a user (password history) This allows the administrative user to define restrictions on authentication data such as the delay before another authentication attempt can be done, the minimum length of the password, checking the password against entries in a dictionary as well as the maximum life time of a password, and the number of unsuccessful login attempts allowed before the account is locked (IA1.5). Those restrictions are stored in the file /etc/login.defs. The administrative user can use those parameters to define a password policy such that the passwords satisfy the requirements defined in FIA_SOS.1. The time of the last successful login is recorded in /var/log/lastlog (IA1.6). In the evaluated configuration the above mentioned parameters need to be set in accordance with the following restrictions:  Maximum lifetime of a password: less than or equal to 60 days  Minimum lifetime of a password: 1 day  Minimum length of a password: 8 character  Number of days a warning is given before password expires: 7 days  Number of consecutive unsuccessful login retries: 5  Maximum number of attempts to change the password: 3  Password History Length: 7 (IA1.7) Note that the restrictions on permissible passwords are advisory only for administrators. An administrator is technically able to set an arbitrary password that does not follow the password rules, but is instructed by guidance documents to follow the rules. This function contributes to satisfy the security requirements FPT_ITT.1, FPT_TRC.1, FIA_ATD.1, FIA_SOS.1, FMT_MTD.1 “User Attributes” and FMT_SMF.1. 6.2.2.2 Common Authentication Mechanism (IA.2) The TOE includes a common authentication mechanism which is a subroutine used for all activities that create a user session, including all the interactive login activities, batch jobs, and authentication for the su command (IA2.1). 2008­10­07 Cray / Novell / atsec Page 47 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ The common mechanism includes the following checks and operations:  Check password authentication  Check password expiration  Check whether access should be denied due to too many consecutive authentication failures  Get user security characteristics (e.g., user and groups) The common I&A mechanism identifies the user based on the supplied user name, gets that user’s security attributes, and performs authentication against the user’s password. This function contributes to satisfy the security requirements FIA_UAU.2 and FIA_UID.2. 6.2.2.3 Interactive Login and Related Mechanisms (IA.3) The ssh and ftp as well as the su command used to change the real, filesystem and effective user ID of a user all use the same authentication mechanism in the evaluated configuration (IA3.1). It is of course up to the remote system to protect the user’s entry of a password correctly (e.g., provide only obscured feedback). As long as the remote system is also an evaluated version of the TOE, this is ensured by the security function of the TOE. This function contributes to satisfy the security requirements FIA_UAU.2, FIA_UID.2 and FIA_UAU.7. 6.2.2.4 User Identity Changing (IA.4) Users can change their identity (i.e., switch to another identity) using the su command (IA4.1). When switching identities, the real, filesystem and effective user ID and real, filesystem and effective group ID are changed to those of the user specified in the command (after successful authentication as this user) (IA4.2). The primary use of the su command within the TOE is to allow appropriately authorized individuals the ability to assume the root identity to perform administrative actions. In this system the capability to login as the root identity has been restricted to defined terminals only (IA4.3). In addition the use of the su command to switch to root has been restricted to users belonging to the “trusted” group (IA4.4). Users that don't have access to a terminal where root login is allowed and are not member of the trusted group will not be able to switch their real, filesystem and effective user ID to root even if they would know the authentication information for root. Note that when a user executes a program that has the setuid bit set, only the effective and the filesystem user ID is changed to that of the owner of the file containing the program while the real user ID remains that of the caller (IA4.5). The login ID is changed neither by the su command nor by executing a program that has the setuid or setgid bit set (IA4.6). The su command invokes the common authentication mechanism to validate the supplied authentication. This function contributes to satisfy the security requirement FIA_USB.1. 6.2.2.5 Login Processing (IA.5) At the login process the login, real, filesystem and effective user ID are set to the ID of the user that has logged in (IA5.1). With the su command the real, filesystem and effective user ID and the real, filesystem and effective group ID are changed, but the login ID remains unchanged. This function contributes to satisfy the security requirement FIA_USB.1. 6.2.3 Audit (AU) The Lightweight Audit Framework (LAF) is designed to be a CAPP compliant audit system for Linux. The subsystem allows configuring the events to be actually audited from the set of all events that are possible to be audited. Those events are configured in a specific configuration file and then the kernel is notified to build its own internal structure for the events to be audited. 6.2.3.1 Audit Configuration (AU.1) The system administrator can define the events to be audited from the overall events that LAF is able to audit using rules defined in the /etc/audit.rules audit configuration file using simple filter expressions (AU1.1). This allows for a flexible definition of the events to be audited and the conditions under which events are audited. The system administrator is also able to define a set of user IDs for which auditing is active (AU1.2) or alternatively a set of user IDs that are not audited (AU1.3). Changes to the audit configuration take effect when the audit daemon is notified about a change in the audit configuration (AU1.4). 2008­10­07 Cray / Novell / atsec Page 48 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ This notification can only be performed by an administrative user (using the rcauditd script with the ‘reload’ parameter) (AU1.5). The system administrator can select files to be audited by adding them to a watch list that is loaded into the kernel using the auditctl tool each time the audit system is started or reinitialized. The list allows the administrator to select an arbitrary audit tag value for each file which will be preserved as a searchable attribute in the audit log (AU1.6). The kernel interface for configuring these audit properties is usable only by root users (AU1.7). This function contributes to satisfy the security requirements FAU_SEL.1 and FMT_MTD.1 (Management of audited events). 6.2.3.2 Audit Processing (AU.2) Auditing is performed on a per process basis. A process can enable or disable auditing for itself by attaching or detaching itself to the audit subsystem provided it is running with root privileges (AU2.1). The attribute of being attached to the audit subsystem is inherited by all processes that are forked off from a process, which ensures that events generated by child processes are also audited (AU2.2). The kernel audits system calls in accordance with the rules defined in the audit.rules configuration file. Trusted processes can generate additional audit records and send them to the kernel (AU2.3). The login ID is associated with audit events ensuring that events can be easily associated with the ID a user used to log into the TOE (AU2.4). The events to be audited are forwarded by the kernel to an audit daemon, which writes the audit records to the audit trail. Each node within the system has its own instance of the audit daemon. If the file system space does not have sufficient space to store new audit records or a configurable space threshold is exceeded, the TOE switches into single user mode or is halted depending on the configuration of the audit daemon (AU2.5). This ensures that audit records do not get lost due to resource shortage and the administrator can backup and clear the audit trail to free disk space for new audit logs. The audit daemon appends audit records to a file whose name is specified in the audit configuration file (AU2.6). The audit configuration file can be used to execute administrator-specified notification actions when the free disk space available reaches an administrator-specified threshold (AU2.7). This is used to inform the system administrator that he needs to backup the current audit trail and make space available for additional audit records. In the case the system administrator does not perform this in time and the available disk space is exhausted, the audit daemon can be configured to switch to single user mode or to halt the node or the whole system (AU2.8). In that case the system administrator will need to backup and clear the audit trail in single user mode and then re-boot either the node or the TOE in secure multiuser mode. Access to audit data by normal users is prohibited by the discretionary access control function of the TOE, which is used to restrict the access to the audit trail and audit configuration files to the system administrator only. This function contributes to satisfy the security requirements FAU_SAR.2, FAU_STG.1, FAU_STG.3, FAU_STG.4 and FMT_MTD.1 (Management of the audit trail). 6.2.3.3 Audit Record Format (AU.3) An audit record consists of one or more lines of text containing fields in a “keyword=value” tagged format. The following information is contained in all audit record lines:  Type: indicates the source of the event, such as SYSCALL, FS_WATCH, USER, or LOGIN  Timestamp: Date and time the audit record was generated  Audit event ID: unique numerical event identifier  Audit login ID (“auid”), the user ID of the user authenticated by the system (regardless if the user has changed his real and / or effective user ID afterwards)  Effective user ID: the effective user ID of the process at the time the audit event was generated  Success or failure (where appropriate) (AU3.1) This information is followed by event specific data. In some cases, such as syscall event records involving file system objects, multiple text lines will be generated for a single event; these all have the same timestamp and audit event ID to permit easy correlation. Note: Although the TOE distinguishes between the effective and the filesystem user ID, those two are identical in all states of the TOE. 2008­10­07 Cray / Novell / atsec Page 49 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ The event specific data will always contain data indicating if the request that caused the event has been successful or not (AU3.2). The audit subsystem maintains a “Login ID” which is set when the user performs his initial login at a terminal or via a network connection (AU3.3). This Login ID is maintained for actions of this user until he terminates the session. This Login ID remains unchanged when the user performs a switch of the real and / or effective and filesystem user ID by the su command or by invoking a program that has the SUID bit set (AU3.4). This allows to trace all actions to the real user. This function contributes to satisfy the security requirements FAU_GEN.1 and FAU_GEN.2 6.2.3.4 Audit Post­Processing (AU.4) The TOE provides tools for managing ASCII files that can be used for post-processing of audit data. These tools include: ausearch reads the ASCII audit data (AU4.1) ausearch allows selective extraction of records from the audit trail using defined selection criteria (AU4.2) The audit records are listed in chronological order by default. The sort utility can be used together with ausearch to use a different sorting order (AU.4.3). This function contributes to satisfy the security requirements FAU_SAR.1 and FAU_SAR.3. 6.2.4 Discretionary Access Control (DA) This section outlines the general DAC policy in the TOE as implemented for resources where access is controlled by permission bits and POSIX ACLs; principally these are the objects in the file system. In all cases the policy is based on user identity (and in some cases on group membership associated with the user identity). To allow for enforcement of the DAC policy, all users must be identified and their identities authenticated. Details of the specific DAC policy applied to each type of resource are covered in the section “Discretionary Access Control: File System Objects” and the section “Discretionary Access Control: IPC Objects”. Note: Signals are not subject to discretionary access control as described in this section of the Security Target. The rules when a process is allowed to send a signal to another process are not seen as security relevant and therefore not listed in this Security Target. Note: The TOE is able to support a more complex Type Enforcement access control system using the SELinux subsystem. The evaluated configuration uses the targeted policy where all processes relevant to the evaluated configuration are part of the unconfined_t domain and not subject to any additional access restrictions beyond the DAC mechanisms described below. Use of SELinux features for access control is beyond the scope of the evaluation. The SELinux policy only adds additional restrictions on top of the standard DAC mechanisms, and will never permit an action that would not be allowed without SELinux active. 6.2.4.1 General DAC Policy (DA.1) The general policy enforced is that subjects (i.e., processes) are allowed only the accesses specified by the class- specific policies. Further, the ability to propagate access permissions is limited to those subjects who have that permission, as determined by the class-specific policies. Finally, a subject with a filesystem user ID of 0 is exempt from all restrictions and can perform any action desired (DA1.1). DAC provides the mechanism that allows users to specify and control access to objects that they own (DA1.2). DAC attributes are assigned to objects at creation time and remain in effect until the object is destroyed or the object attributes are changed (DA1.3). DAC attributes exist for, and are particular to, each type of object supported by the TOE. DAC is implemented with permission bits and, when specified, ACLs. A subject whose filesystem user ID matches the file owner ID can change the file attributes, the base permissions, and the extended permissions (except for read-only file systems, of course) (DA1.4). Changes to the file group are restricted to the owner and root (DA1.5). The new file group identifier must either be the current filesystem group identifier or one of the group identifiers in the concurrent group set (DA1.6). In addition, a subject whose filesystem user ID is 0 can make any desired changes to the file attributes, the base permissions, the extended permissions, and owning user of the file (see DA1.1). Permission bits are the standard UNIX DAC mechanism and are used on all TOE file system named objects (DA1.7). Individual bits are used to indicate permission for read, write, and execute access for the object’s owner, 2008­10­07 Cray / Novell / atsec Page 50 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ the object’s group, and all other users (i.e. world). The extended permission mechanism is supported only for file system objects within an ext3 file system and provides a finer level of granularity than do permission bits (DA1.8). Write access is in general not granted for files on a file system mounted as read-only (DA1.9). Write access is also denied for files that have the immutable attribute (DA1.10). NFS does not implement access control checks, the underlying physical filesystem (ext3) is responsible for access control decisions. ACLs are transparently available through NFS because the underlying filesystem supports them. This function contributes to satisfy the security requirements FDP_ACC.1 and FDP_ACF.1. 6.2.4.2 Permission Bits (DA.2) The TOE supports standard UNIX permission bits to provide one form of DAC for file system objects in all supported file systems. There are three sets of three bits that define access for three categories of users: the owning user, users in the owning group, and other users. The three bits in each set indicate the access permissions granted to each user category: one bit for read (r), one for write (w), and one for execute (x). Note that write access to file systems mounted as read only (e.g., DVD-ROM) is always rejected. Note also that access to specific objects in special file systems such as procfs may be restricted further regardless of the setting of the permission bits. Each subject’s access to an object is defined by some combination of these bits:  rwx symbolizing read/write/execute  r-x symbolizing read/execute  r-- symbolizing read  --- symbolizing null (DA2.1) When a process attempts to reference an object protected only by permission bits, the access is determined as follows:  Users with a filesystem user ID of 0 are able to read and write all files, ignoring the permission bits. Users with a filesystem user ID of zero are also able to execute any file if it is executable for someone.  If the filesystem user ID = object’s owning user ID and the owning user permission bits allow the type of access requested access is granted or denied with no further checks.  If the filesystem group ID, or any supplementary groups of the process = object’s owning group ID, and the owning group permission bits allow the type of access requested, access is granted or denied with no further checks.  If the process is neither the owner nor a member of an appropriate group and the permission bits for world allow the type of access requested, then the subject is permitted access.  If none of the conditions above are satisfied, and the process is not the root identity, then the access attempt is denied. (DA2.2) This function contributes to satisfy the security requirements FAU_SAR.2, FDP_ACC.1 and FDP_ACF.1. 6.2.4.3 Access Control Lists (DA.3) The TOE provides support for POSIX type ACLs for the ext3 file system allowing the definition of a fine grained access control on a user basis. (ACLs are also available when accessing the ext3 filesystem through NFS.) The semantics of those ACLs is summarized in this section. An ACL entry contains the following information: 1. A tag type that specifies the type of the ACL entry 2. A qualifier that specifies an instance of an ACL entry type 3. A permission set that specifies the discretionary access rights for processes identified by the tag type and qualifier (DA3.1) 6.2.4.3.1 ACL Tag Types The following tag types exist: 2008­10­07 Cray / Novell / atsec Page 51 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 1. ACL_GROUP an ACL entry of this type defines access rights for processes whose filesystem group ID or any supplementary group IDs match the one in the ACL entry qualifier 2. ACL_GROUP_OBJ an ACL entry of this type defines access rights for processes whose filesystem group ID or any supplementary group IDs match the group ID of the group of the file 3. ACL_MASK an ACL entry of this type defines the maximum discretionary access rights that can be granted to a process in the file group class 4. ACL_OTHER an ACL entry of this type defines access rights for processes whose attributes do not match any other entry in the ACL 5. ACL_USER an ACL entry of this type defines access rights for processes whose filesystem user ID matches the ACL entry qualifier 6. ACL_USER_OBJ an ACL entry of this type defines access rights for processes whose filesystem user ID matches the user ID of the owner of the file (DA3.2) 6.2.4.3.2 ACL Qualifier The qualifier is required for ACL entries of type ACL_GROUP and ACL_USER and contain either the user ID or the group ID for which the access rights defined in the entry shall apply (DA3.3). 6.2.4.3.3 ACL Permissions The permission that can be defined in an ACL entry are: read, write and execute/search (DA3.4). 6.2.4.3.4 Relation with File Permission Bits An ACL contains exactly one entry for each of the ACL_USER_OBJ, ACL_GROUP_OBJ, and ACL_OTHER tag types (called the “required ACL entries”) (DA3.5). An ACL may have between zero and a defined maximum number of entries of the type ACL_GROUP and ACL_USER (DA3.6). An ACL that has only the three required ACL entries is called a “minimum ACL”. ACLs with one or more ACL entries of type ACL_GROUP or ACL_USER are called an “extended ACL”. The standard UNIX file permission bits as described in the previous section are represented by the entries in the minimum ACL. The owner permission bits are represented by the entry of type ACL_USER_OBJ; the entry of type ACL_GROUP_OBJ represents the permission bits of the file’s group and the entry of type ACL_OTHER represents the permission bits of processes running with a filesystem user ID and filesystem group ID or supplementary group ID different from those defined in ACL_USER_OBJ and ACL_GROUP_OBJ entries (DA3.7). 6.2.4.3.5 ACL_MASK If an ACL contains an ACL_GROUP or ACL_USER type entry, then exactly one entry of type ACL_MASK is required in the ACL. Otherwise the entry of type ACL_MASK is optional (DA3.8). 6.2.4.3.6 Default ACLs A default ACL is an additional ACL which may be associated with a directory. This default ACL has no effect on the access to this directory. Instead the default ACL is used to initialize the ACL for any object that is created in this directory. If the new object created is a directory it inherits the default ACL from its parent directory (DA3.9). When an object is created within a directory and the ACL is not defined with the function creating the object, the new object inherits the default ACL of its parent directory as its initial ACL. 6.2.4.3.7 Access Check Evaluation Algorithm When a process attempts to reference an object protected by an ACL, it does so through a system call (e.g., open, exec). If the object has been assigned an ACL, access is determined as according to the algorithm below: 2008­10­07 Cray / Novell / atsec Page 52 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ ACCESS CHECK ALGORITHM A process may request read, write, or execute/search access to a file system object protected by an ACL. The access check algorithm determines whether access to the object will be granted. 1. Write access to a file on a read-only file system will always be denied for file system objects other than device special files. 2. Write access to a file with the immutable attribute will always be denied. 3. If the filesystem user ID of the process matches the user ID of the file object owner, then if the ACL_USER_OBJ entry contains the requested permissions, access is granted, else access is denied. 4. else if the filesystem user ID of the process matches the qualifier of any entry of type ACL_USER, then if the matching ACL_USER entry and the ACL_MASK entry contain the requested permissions, access is granted, else access is denied. 5. else if the filesystem group ID or any of the supplementary group IDs of the process match the qualifier of the entry of type ACL_GROUP_OBJ or the qualifier of any entry of type ACL_GROUP, then if the ACL_MASK entry and any of the matching ACL_GROUP_OBJ or ACL_GROUP entries contain all the requested permissions, access is granted, else access is denied. 6. else if the ACL_OTHER entry contains the requested permissions, access is granted. 7. else access is denied. (DA3.10) This function contributes to satisfy the security requirement FDP_ACC.1 and FDP_ACF.1 6.2.4.3.8 DAC Revocation on File System Objects File system objects access checks are performed when the object is initially opened, and are not checked on each subsequent access. Changes to access controls (i.e., revocation) are effective with the next attempt to open the object (DA3.11). In cases where an administrative user determines that immediate revocation of access to a file system object is required, the administrative user can reboot the computer, resulting in a close on the object and forcing an open of the object on system reboot. 6.2.4.3.9 DAC: Directory The execute permission bit for directories governs the ability to name the directory as part of a pathname. A process must have search (execute) access in order to traverse the directory during pathname resolution (DA3.12). Directories may not be written directly, but only by creating, renaming, and removing (unlinking) objects within them. These operations are considered writes for the purpose of the DAC policy (DA3.13). 6.2.4.3.10 DAC: UNIX Domain Socket Special File UNIX domain socket files are treated as files in the TOE file system from the perspective of access control, with the exception that using the bind or connect system calls requires that the calling process must have write access to the socket file (DA3.14). 2008­10­07 Cray / Novell / atsec Page 53 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ UNIX domain sockets exist in the file system name space; the socket files can have both base mode bits and extended ACL entries (DA3.15). UNIX domain sockets consist of a socket special file (managed by the File System) and a corresponding socket structure (managed by IPC). The TOE controls access to the socket based upon the caller’s rights to the socket special file (DA3.16). 6.2.4.3.11 DAC: Named Pipes Named pipes are treated identically to any other file in the TOE file system from the perspective of access control. Therefore permission bits and extended permissions can be used (DA3.17). For this reason named pipes are listed as file system objects (although they are used for interprocess communication). Note that named pipes follow the rules for IPC objects if no ACLs are used (which probably is the normal case). 6.2.4.3.12 DAC: Device Special File The access control scheme described for file system objects is used for protection of character and block device special files (DA3.18). Most device special files are configured to allow read and write access by the root user, and read access by privileged groups. With the exception of terminal and pseudo-terminal devices and a few special cases (e.g., /dev/null and /dev/tty), devices are configured to be not accessible to normal users (DA3.19). The access mode of device files for ttys is changed during login time to read/write access of the user logging into the system; on logout, the access rights are reset to allow only access by root (DA3.20). This function contributes to satisfy the security requirement FDP_ACC.1, FDP_ACF.1, FMT_MSA.1, FMT_SMF.1, FMT_MSA.3 and FPT_SEP.1. This function contributes to satisfy the security requirements FDP_ACC.1, FDP_ACF.1, FMT_MSA.1, FMT_SMF.1, FMT_MSA.3, FIA_USB.1 and FPT_SEP.1. 6.2.4.4 Discretionary Access Control: IPC Objects (DA.4) 6.2.4.4.1 DAC: Shared Memory For shared memory segment objects (henceforth SMSs), access checks are performed when the SMS is initially attached, and are not checked on each subsequent access. Changes to access controls (i.e., revocation) are effective with the next attempt to attach to the SMS (DA4.1). In cases where an administrative user determines that immediate revocation of access to a SMS is required, the administrative user can reboot the computer, thus destroying the SMS and all access to it. If a process requests deletion of an SMS, it is not deleted until the last process that is attached to the SMS detaches itself (or equivalently, the last process attached to the SMS terminates) (DA4.2). The default access control on newly created SMSs is determined by the effective user ID and group ID of the process that created the SMS and the specific permissions requested by the process creating the SMS (DA4.3):  The owning user and creating user of a newly created SMS will be the effective user ID of the creating process (DA4.4).  The owning group and creating group of a newly created SMS will be the effective group ID of the creating process (DA4.5).  The creating process must specify the initial access permissions on the SMS, or they are set to null and the object is inaccessible until the owner sets them (DA4.6).  SMSs do not have ACLs as described above; they only have permission bits (DA4.7). Access permissions can be changed by any process with an effective user ID equal to the owning user ID or creating user ID of the SMS (DA4.8). Access permissions can also be changed by any process with an effective user ID of 0, also known as running with the root identity (DA4.9). 6.2.4.4.2 DAC: Message Queues For message queues, access checks are performed for each access request (e.g., to send or receive a message in the queue) (DA4.10). Changes to access controls (i.e., revocation) are effective upon the next request for access 2008­10­07 Cray / Novell / atsec Page 54 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ (DA4.11). That is, the change affects all future send and receive operations, except if a process has already made a request for the message queue and is waiting for its availability (e.g., a process is waiting to receive a message), in which case the access change is not effective for that process until the next request (DA4.12). If a process requests deletion of a message queue, it is not deleted until the last process that is waiting for the message queue receives its message (or equivalently, the last process waiting for a message in the queue terminates) (DA4.13). However, once a message queue has been marked as deleted, additional processes cannot perform messaging operations and it cannot be undeleted (DA4.14). The default access control on newly created message queues is determined by the effective user ID and group ID of the process that created the message queue and the specific permissions requested by the process creating the message queue:  The owning user and creating user of a newly created message queue will be the effective user ID of the creating process.  The owning group and creating group of a newly created message queue will be the effective group ID of the creating process.  The initial access permissions on the message queue must be specified by the creating process, or they are set to null and the object is inaccessible until the owner sets them.  Message queues do not use ACLs as described above; they only have permission bits. (DA4.15) Access permissions can be changed by any process with an effective user ID equal to the owning user ID or creating user ID of the message queue. Access permissions can also be changed by any process with an effective user ID of 0 (DA4.16). 6.2.4.4.3 DAC: Semaphores For semaphores, access checks are performed for each access request (e.g., to lock or unlock the semaphore) (DA4.17). Changes to access controls (i.e., revocation) are effective upon the next request for access (DA4.18). That is, the change affects all future semaphore operations, except if a process has already made a request for the semaphore and is waiting for its availability, in which case the access change is not effective for that process until the next request (DA4.19). In cases where an administrative user determines that immediate revocation of access to a semaphore is required, the administrative user can reboot the computer, thus destroying the semaphore and any processes waiting for it. This method is the described in the Evaluated Configuration Guide. Since a semaphore exists only within a single host in the network, rebooting the particular host where the semaphores is present is sufficient to revoke all access to that semaphore. If a process requests deletion of a semaphore, it is not deleted until the last process that is waiting for the semaphore obtains its lock (or equivalently, the last process waiting for the semaphore terminates) (DA4.20). However, once a semaphore has been marked as deleted, additional processes cannot perform semaphore operations and it cannot be undeleted (DA4.21). The default access control on newly created semaphores is determined by the effective user ID and group ID of the process that created the semaphore and the specific permissions requested by the process creating the semaphore (DA4.22):  The owning user and creating user of a newly created semaphore will be the effective user ID of the creating process.  The owning group and creating group of a newly created semaphore will be the effective group ID of the creating process.  The initial access permissions on the semaphore must be specified by the creating process, or they are set to null and the object is inaccessible until the owner sets them.  Semaphores do not have ACLs as described above; they only have permission bits (DA4.23). Access permissions can be changed by any process with an effective user ID equal to the owning user ID or creating user ID of the semaphore (DA4.24). Access permissions can also be changed by any process with an effective user ID of 0 (DA4.25). This function contributes to satisfy the security requirement FDP_ACC.1, FDP_ACF.1, FMT_MSA.1, FMT_SMF.1, and FMT_MSA.3. 2008­10­07 Cray / Novell / atsec Page 55 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 6.2.5 Object Reuse (OR) Object Reuse is the mechanism that protects against scavenging, or being able to read information that is left over from a previous subject’s actions. Explicit initialization is appropriate for most TSF-managed abstractions, where the resource is implemented by some TSF internal data structure whose contents are not visible outside the TSF: queues, datagrams, pipes, and devices. These resources are completely initialized when created, and have no information contents remaining. Explicit clearing is used in the TOE only for directory entries, because they are accessible in two ways: through TSF interfaces both for managing directories and for reading files. Because this exposes the internal structure of the resource, it must be explicitly cleared on release to prevent the internal state from remaining visible. Storage management is used in conjunction with explicit initialization for object reuse on files, and processes. This technique keeps track of how storage is used, and whether it can safely be made available to a subject. The following sections describe in detail how object reuse is handled for the different types of objects and data areas and how the requirements defined in FDP_RIP.2 are satisfied. 6.2.5.1 Object Reuse: File System Objects (OR.1) All file system objects (FSOs) available to general users are accessed by a common mechanism for allocating disk storage and a common mechanism for paging data to and from disk. This includes the Lustre and ext3 filesystems. Object reuse is irrelevant for the DVD/CD-ROM File System (ISO-9660) because it is a read-only file system and so it is not possible for a user to read residual data left by a previous user. File systems on other media (tapes, diskettes.) are irrelevant because of warnings in the Evaluated Configuration Guide not to mount file systems on these devices. Object reuse for the NFS file system is handled by the underlying physical filesystem (ext3). Object reuse in the tmpfs file system is handled by the memory management object reuse functions. When allocating new space for a file, the TOE uses the functions of the memory management which clear the memory before it is allocated. The other file systems listed in section 2.4.1 of this document represent specific kernel interfaces only, do not use physical storage media, and do not store arbitrary user data. For these reasons, object reuse of disk space is not applicable to them. Object reuse of supporting data structures such as directories and inodes is handled by the VFS layer. For this analysis, the term FSO refers not only to named file system objects (files, directories, device special files, named pipes, and UNIX domain sockets) but also to other abstractions that use file system storage (symbolic links and unnamed pipes). All of these except unnamed pipes have a directory entry that contains the last part of the pathname and an inode that controls access rights and points to the disk blocks used by the FSO. In general, file system objects are created with no contents. Directories and symbolic links are exceptions, and some of their content is specified at creation time (OR1.1). This function contributes to satisfy the security requirement FDP_RIP.2. 6.2.5.2 Object Reuse: IPC Objects (OR.2) Shared memory, message queues, and semaphores are initialized to all zeros at creation. These objects are of a finite size (shared memory segment is from one byte to the value defined in /proc/sys/kernel/shmmax, semaphore is one bit), and there is no way to grow the object beyond its initial size (OR2.1). No processing is performed when the objects are accessed or when the objects are released back to the pool. This function contributes to satisfy the security requirement FDP_RIP.2. 6.2.5.3 Object Reuse: Memory Objects (OR.3) A new process’s context is completely initialized from the process’s parent when the fork system call is issued. All program visible aspects of the process context are fully initialized. All kernel data structures associated with the new process are copied from the parent process, then modified to describe the new process, and are fully initialized (OR3.1). The Linux kernel zeroes each memory page before allocating it to a process. This pertains to memory in the program’s data segment and memory in shared memory segments (OR3.2). When a process requests more memory from the kernel, the memory is explicitly cleared before the process can gain access to it (OR3.3). This does not include memory that has been buffered by the library routines used by process. But this memory has already been 2008­10­07 Cray / Novell / atsec Page 56 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ allocated to the process by the kernel (cleared for object reuse at that time). Note that process internal memory management and buffering is not the subject of this Security Target. When the kernel performs a context switch from one thread to another, it saves the previous thread’s General Purpose Registers (GPRs) and restores the new thread’s GPRs, completely overwriting any residual data left in the previous thread’s registers (OR3.4). Floating Point Registers (FPRs) are saved only if a process has used them. The act of accessing an FPR causes the kernel to subsequently save and restore all the FPRs for the process, thus overwriting any residual data in those registers (OR3.5). Processes are created with all attributes taken from the parent. The process inherits its memory (text and data segments), registers, and file descriptors from its parent (OR3.6). When a process execs a new program, the text segment is replaced entirely. This function contributes to satisfy the security requirement FDP_RIP.2 and Note 1. 6.2.6 Security Management (SM) This section describes the functions for the management of security attributes that exist within the TOE. In addition to specific utilities mentioned in this section, administrators can use the vim editor to modify configuration files and scripts when the system does not supply a specific trusted program designed to do so. 6.2.6.1 Roles (SM.1) A simple role model is used for this evaluation that just supports two roles: administrative users and normal users (SM1.1). In the evaluated configuration, a user has the role of an administrative when he is allowed to su to root. Root itself will not be used as a userid that a user can directly log in to (except for login from the system console). So every administrative user has his/her own userid, which is used to log into the system. 6.2.6.1.1 Administrative Users Users that are allowed to su to root can perform administrative actions (provided they also know the password required to su to root). Users that don’t have the privilege to use su in their user profile cannot perform administrative actions even if they know the root password (SM1.2). 6.2.6.1.2 Normal Users Normal users cannot perform actions that require root privileges. They can only execute those setuid root programs they have access to (SM1.3). In the evaluated configuration this is restricted to those programs they need such as the ”ping” program. This function contributes to satisfy the security requirement FMT_SMR.1. 6.2.6.2 Access Control Configuration and Management (SM.2) Access control to objects is defined by the permission bits or by the Access Control Lists (for those objects that have access control lists associated with them). Default access permission bits are defined in the system configuration files that define the value of the access control bits for objects being created without explicit definition of the permission bits. The administrative user can define and modify those default values. Permissions can be changed by the object owner and an administrative user (SM2.1). When an object is created, the creator is the object owner (SM2.2). Object ownership can be transferred (SM2.3). In the case of IPC objects, the creator will always have the same right as the owner, even when the ownership has been transferred (SM2.4). This function contributes to satisfy the security requirements FMT_MSA.1, FMT_MSA.3, FMT_SMF.1 and FMT_REV.1 “Object Attributes”. 6.2.6.3 Management of User, Group and Authentication Data (SM.3) 6.2.6.3.1 Creating new Users An administrative user can create a new user and assigns a unique userid to this user. The initial password has to be defined using the passwd command. The new user will be disabled until the initial password is set (SM3.1). 2008­10­07 Cray / Novell / atsec Page 57 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Attributes that can be set for each user are among others (a complete list can be found in the description of the useradd command and the description of the content of the files /etc/passwd and /etc/groups):  Administrative status of the user  List of groups the user belongs to  Home directory for this user Those attributes are stored in the file /etc/passwd and /etc/groups (for the list of all groups the user belongs to) and changes are propagated to all login nodes within the system. (SM3.2) 6.2.6.3.2 Modification of user attributes User attributes can be modified by an administrative user. Modifications of user attributes require the modification of the administration database that contains the user attributes (mainly /etc/passwd) (SM3.3). 6.2.6.3.3 Management of Authentication Data An administrative user has the capability to define rules and restrictions for passwords used to authenticate users. The parameters available are:  The number of days (since January 1, 1970) since the password was last changed.  The number of days before the password may be changed (0 indicates it may be changed at any time)  The number of days after which the password must be changed (99999 indicates user can keep his or her password unchanged for many, many years)  The number of days to warn the user of an expiring password (7 for a full week)  The number of days after the password expires that account is disabled (SM3.4) Users are not allowed to change their own password. Administrators can change user passwords using the passwd command. The password restrictions defined by the administrative user apply as warnings, the administrator is informed if the chosen password does not meet the requirements (SM3.5). This list of attributes satisfies those required by FIA_ATD.1. In addition this function contributes to satisfy the security requirements FIA_SOS.1, FMT_MTD.1 “User Attributes”, FMT_MTD.1 “Authentication Data”, FMT_SMF.1 and FMT_REV.1 “User Attributes”. 6.2.6.4 Management of Audit Configuration (SM.4) The TOE allows configuring the events to be audited. Those events are defined in a specific configuration file and then the rcaudidt script with the ‘reload’ parameter is used to notify the audit subsystem about modifications in the rules defining the events to be audited. The use of the /sbin/auditd command and the rcauditd script is restricted to administrative users. In addition, the TOE allows an administrative user to start or stop the audit subsystem (also using the rcauditd script to start the audit subsystem (using the ‘start” parameter) or stop the audit subsystem (using the ‘stop’ parameter) (SM4.1). The administrative user can define the events to be audited in the form of a set of rules using simple filter expressions (SM4.2). This function contributes to satisfy the security requirements FAU_GEN.1 and FAU_SEL.1 as well as FMT_MTD.1 (Management of the audit trail) and FMT_MTD.1 (Management of audited events). 6.2.6.5 Reliable Time Stamps (SM.5) The TOE maintains a reliable clock used to generate time stamps as required for the TOE itself and applications. The audit subsystem requires such a reliable time source for the date and time field in the header of each audit record. The clock uses timers provided by the hardware and interrupt routines that update the value of the clock maintained by the TOE. The initial value for this clock may be provided by a hardware clock that is part of the TOE hardware, by a trusted external time source (e.g., via the ntp protocol) or by the system administrator setting the initial value. Hardware time sources that are not found on the TOE hardware but are connected to the TOE hardware as auxiliary hardware and are part of the TOE environment. Only the system administrator is allowed to overwrite the value of the clock 2008­10­07 Cray / Novell / atsec Page 58 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ maintained by the TOE (e.g., to correct the value in case it has drifted over time due to some inaccuracy of the hardware timer used by the TOE) (SM5.1). This function contributes to satisfy the security requirement FPT_STM.1. 6.2.7 Secure Communication (SC) The TOE provides the ability to protect communication by cryptographic mechanism against disclosure and undetected unauthorized modification. The TOE supports two protocols (SSH v2 and SSL v3) that provide protection of communication against the above mentioned threats. Note that communication using other protocols is not protected against those threats. Note also that the cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor. The protocols SSH v2 and SSL v3 allow secure communication between the TOE and a remote trusted IT product (which may be another instantiation of the TOE itself) over an insecure network. Within the TOE the protocols are configured to allow the secure tunneling of TCP-based protocols. The difference between the two possibilities for tunneling consists of the authentication involved. In the case of the SSH protocol the TOE supports establishing a secure connection allowing an application on a client system to set up the communication to the server-side system after successful user authentication. This allows users to get access to a shell from a remote system but also to perform actions such as secure file transfer where access to the files on the remote system is protected by the discretionary access control mechanism. In the case of the SSL protocol, the TOE would allow to set up a secure communication channel between a client and an untrusted application (e.g., a web server) on the server side. This would allow a client to access the web server without user authentication but (depending on the configuration of the SSL server) with the certificate-based authentication of the client system. 6.2.7.1 Secure Protocols (SC.1) The TOE offers two protocols that applications can use to securely communicate with another trusted IT product (provided this supports those protocols in the same way as the TOE does). Those protocols are the Secure Shell Protocol Version 2 (SSH v2) and the Secure Socket Layer Protocol Version 3 (SSL v3) (SC1.1). Both protocols are able to establish a secure channel between a client and a server process. The TOE supports both the client as well as the server processes for both of those protocols and therefore is able to initiate a connection as well as act as the receiver part. Both protocols provide the ability to “tunnel” an otherwise unprotected single port TCP-based protocol. 6.2.7.1.1 The Secure Shell Protocol The TOE provides the Secure Shell Protocol Version 2 (SSH v2) to allow users from a remote host to establish a secure connection and perform a logon to the TOE. The following table documents implementation details concerning the OpenSSH implementation’s compliance to the relevant standards. It addresses areas where the standards permit different implementation choices, such as optional features. Reference Description Implementation details [SSH-TRANS] 5. Compatibility With Old SSH Versions The OpenSSH implementation is capable of interoperating with clients and servers using the old 1.x protocol. That functionality is explicitly disabled in the evaluated configuration; it permits protocol version 2.0 exclusively. [SSH-TRANS] 6.2 Compression OpenSSH supports the OPTIONAL “zlib” compression method. [SSH-TRANS] 6.3 Encryption The ciphers supported in the evaluated configuration are detailed below. [SSH-AUTH] 7. Public Key Authentication Method: “publickey” This REQUIRED authentication method is supported by the OpenSSH implementation but disabled in the evaluated configuration; it permits password authentication exclusively. [SSH-AUTH] 8. Password Authentication Method: “password” This SHOULD authentication method is supported by OpenSSH and is the only authentication method used in the evaluated configuration. 2008­10­07 Cray / Novell / atsec Page 59 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ [SSH-AUTH] 8. Password change request and setting new password The OpenSSH implementation does not support the optional password change mechanism in the evaluated configuration. Passwords can only be changed by administrators. [SSH-AUTH] 9. Host-Based Authentication: “hostbased” This OPTIONAL authentication method is disabled in the evaluated configuration. The TOE supports the following security functions of the SSH v2 protocol: 1. Establishing a secure communication channel using the following cryptographic functions provided by the SSH v2 protocol: o Encryption using three key Triple DES in CBC mode (3des-cbc as defined in section 4.3 of [SSH-TRANS]) (SC1.2) o Diffie-Hellman key exchange (diffie-hellman-group1-sha1 as defined in section 6.1 of [SSH-TRANS]) (SC1.3) o The keyed hash function hmac-sha1 for integrity protection as defined in section 4.4 of [SSH-TRANS] (which refers to [HMAC] for the exact definition of the algorithm) (SC1.4). Note: The protocol supports more cryptographic algorithms than the ones listed above. The other algorithms are not covered by this evaluation and should be disabled or not used when running the evaluated configuration. 2. Performing user authentication using the standard password-based authentication method the TOE provides for users (Password Authentication Method as defined in chapter 5 of [SSH-TRANS]) (SC1.5). Note: The protocol also supports other authentication methods (e.g., certificate-based authentication) but those are not within the scope of this Security Target. This Security Target requires password-based authentication, and therefore the SSH server should be configured to accept this authentication method only. 3. Checking the integrity of the messages exchanged and closing down the connection in case an integrity error is detected (SC1.6). 6.2.7.1.2 The Secure Socket Layer Protocol The TOE provides the Secure Socket Layer Protocol Version 3 (SSL v3) for secure communication. In contrast to the Secure Shell protocol described above, the SSL protocol does not support user authentication as part of the protocol. The following table documents implementation details concerning the OpenSSL implementation’s compliance to the relevant standards. It addresses areas where the standards permit different implementation choices, such as optional features. Reference Description Implementation details [SSLv3] 5.5 Handshake protocol overview: certificates The evaluated configuration always uses server certificates. Use of client certificates is optional. [SSLv3] D.1 Temporary RSA keys Not applicable; the evaluated configuration does not limit the size of encryption keys to 512 bits. [SSLv3] D.2 Random Number Generation and Seeding OpenSSL uses data from the /dev/urandom device, a persistent entropy pool file, and volatile system statistics to seed the PRNG. [SSLv3] D.3 Certificates and authentication The evaluated configuration supports verification of certificate chains; the details are beyond the scope of this Security Target. [SSLv3] D.4 CipherSuites The ciphers supported in the evaluated configuration are listed below. [SSLv3] D.5 FORTEZZA The FORTEZZA hardware encryption system is not supported in the evaluated configuration. [SSLv3] E. Version 2.0 Backward Compatibility The OpenSSL implementation supports the backwards compatible protocol, but this is disabled in the evaluated configuration. It permits use of SSLv3 exclusively. 2008­10­07 Cray / Novell / atsec Page 60 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ [TLS-AES] CipherSuites The ciphers supported in the evaluated configuration are listed below. SSL can be used in the following ways:  users from a remote host can establish a secure channel to the TOE.  administrators can set up secure tunnels for other TCP-based protocols between a client and a server system. The protocols must satisfy the restrictions defined in the Evaluated Configuration Guide. On the client as well as on the server side, the stunnel program can be used to tunnel non-SSL aware daemons and protocols (like POP, IMAP, LDAP, etc) by having stunnel provide the encryption, requiring no changes to the daemon's code. Stunnel acts as a trusted wrapper that can be used by applications implementing otherwise non- secure protocols. Stunnel as part of the TSF will ensure that the user data transmitted by those applications over the network will be confidentiality and integrity protected by the SSL v3 protocol. For guidance on how to set up such a trusted channel and how to use it by applications, please see the Evaluated Configuration Guide [ECG]. The stunnel daemon supports the following cipher suites defined in the [SSLv3] protocol or [TLS-AES]: SSL_RSA_WITH_RC4_128_SHA SSL_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA (SC1.7) Other cypher suites as defined in [SSLv3] specification or [TLS-AES] are not supported in this Security Target and the TOE should be configured to not support other cipher suites. This implies that the following cryptographic algorithms from the OpenSSL library are used: 1. The RSA algorithm with 1024 bit modulus length. RSA is used for the exchange of the session key and for server authentication. RSA is implemented based on PKCS #1 v2.0. 2. RC4 with a key size of 128 bit (as one alternative for the symmetric encryption algorithm) 3. Triple DES with a key size of 168 bit 4. AES with a key size of 128 or 256 bit 5. SHA-1 (as the cryptographic hash function) An implication of the use of this cipher suite and its algorithms is the authentication of the SSL server site using digital certificates. The following table documents the implementation choices when following the PKCS #1 v2.0 (RFC 2437) standard. Reference Description Implementation details Section 7.2 Pseudorandom octets in EME-PKCS1-v1_5 to be generated independently Each octet is generated individually using the random number generator for padding when encrypting with the public key. When creating a signature (encrypting with the private key), padding is performed using the octet 0xFF. Section 7.2 Padding string in EME- PKCS1-v1_5 at least 8 octets long Padding size is defined with RSA_PKCS1_PADDING_SIZE and is 11 bytes (which may be decreased by 3 bytes in certain conditions) Section 10.2 Recommended Hash functions OpenSSL allows the use of MD2, MD5, SHA1 (for implementing the SSLv3 protocol, the SSLv3 combination of SHA1 and MD5 are used); RIPEMD160 is allowed to be used for signatures Note: The function to generate the RSA key pair used by the server is part of the TSF, but the generation of the certificate of the public key is regarded as an aspect of the IT environment. A widely accepted Certification Authority might be used to generate this certificate (allowing a wide community trusting this CA to validate the certificate). In a closed community it might also be sufficient to have one server within the community to act as a CA. The OpenSSL library provides the functions to set up such a CA, but those functions are not subject of this Security Target. 2008­10­07 Cray / Novell / atsec Page 61 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ This function contributes to satisfy the security requirements FCS_CKM.1 (1-3), FCS_CKM.2 (1-4), FCS_COP.1 (1-3), FDP_UCT.1, FDP_UIT.1, FMT_MSA.2 and FTP_ITC.1. 6.2.8 TSF Protection (TP) While in operation, the kernel software and data are protected by the hardware memory protection mechanisms described in the high level design and the hardware reference manuals for the underlying hardware. The memory and process management components of the kernel ensure a user process cannot access kernel storage or storage belonging to other processes (TP1.1). Non-kernel TSF software and data are protected by DAC and process isolation mechanisms. In the evaluated configuration, the reserved user ID root, or other reserved IDs equivalent to root, owns TSF directories and files, in general; files and directories containing internal TSF data (e.g., batch job queues) are also protected from reading by DAC permissions (TP1.2). The TSF including the hardware and firmware components are required to be physically protected from unauthorized access. The system kernel mediates all access to the hardware mechanisms themselves, other than program-visible CPU instruction functions and main storage defined by the kernel to be directly accessible by a user process. The boot image for each host with the evaluated TOE in the networked system is adequately protected. 6.2.8.1 TSF Invocation Guarantees (TP.1) All system protected resources are managed by the TSF. Because all TSF data structures are protected, these resources can be directly manipulated only by the TSF, through defined TSF interfaces. This satisfies the condition that the TSF must be "always invoked" to manipulate protected resources (TP1.3). Resources managed by the kernel software can only be manipulated while running in kernel mode (TP1.4). Processes run in user mode and can call functions of the kernel only as the result of an exception or interrupt (TP1.5). The hardware and the kernel software handle these events and ensure that the kernel is entered only at pre- determined locations and within pre-determined parameters. All kernel managed resources are protected such that only the kernel software is able to manipulate them. Trusted processes implement resources managed outside the kernel. The trusted processes and the data defining the resources are protected as described above, depending on the type of interface. For directly invoked trusted processes, the program invocation mechanism ensures that the trusted process always starts in a protected environment at a predetermined point (TP1.6). Other trusted process interfaces are started during system initialization and use well-defined protocol or file system mechanisms to receive requests (TP1.7). Some system calls or parameters of system calls are reserved for trusted processes. When called the kernel checks that the calling process runs with an effective userid of 0 (TP1.8). This function contributes to satisfy the security requirement FPT_RVM.1. 6.2.8.2 Kernel (TP.2) The TOE software consists of a privileged kernel and a variety of non-kernel components (trusted processes). The kernel operates on behalf of all processes (subjects). The kernel runs in the CPU’s privileged mode and has access to all system memory. All kernel software, including kernel extensions and kernel processes, execute with kernel privileges, but only defined subsystems within the kernel are part of the TSF. The kernel is entered by some event that causes a context switch such as a system call, I/ O interrupt, or a program exception condition. Upon entry the kernel determines the function to be performed, performs it, and when finished, performs another context switch to return to user processing (eventually on behalf of a different subject) (TP2.1). The kernel is shared by all processes, and manages system-wide shared resources. It presents the primary programming interface for the TOE in the form of system calls. Because the kernel is shared among all processes, any process running "in the kernel" (that is, running in privileged hardware state as the result of a context switch) is able to directly reference the data structures that implement shared resources. The major components of the kernel are memory management, process management, the file system, the system call interface, and the device drivers. This function contributes to satisfy the security requirement FPT_SEP.1. 2008­10­07 Cray / Novell / atsec Page 62 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 6.2.8.3 Kernel Modules (TP.3) The TOE supports dynamically loadable kernel modules that are loaded automatically on demand. Kernel modules are actually a part of the kernel that is not resident but loaded as part of the kernel when needed (TP3.1). Whenever a program wants the kernel to use a feature that is only available as a loadable module, and if the kernel hasn't got the module installed yet, the kernel will take care of the situation and make the best of it (TP3.2). This is what happens:  The kernel notices that a feature is requested that is not resident in the kernel.  The kernel uses modprobe to load a module that fits this symbolic description.  modprobe looks into its internal "alias" translation table to see if there is a match. This table can be reconfigured and expanded by having "alias" lines in "/etc/modprobe.conf".  modprobe is then asked to insert the module(s) that it has decided that the kernel needs. Every module will be configured according to the "options" lines in "/etc/modprobe.conf".  modprobe exits and tells the kernel that the request succeeded (or failed...)  The kernel uses the freshly installed feature just as if it had been configured into the kernel as a "resident" part. (TP3.3) In the TOE, kernel modules will be not be automatically removed from the kernel when they have not been used for a period of time. Removing them from the kernel needs to be done explicitly. This function contributes to satisfy the security requirement FPT_SEP.1. 6.2.8.4 Trusted Processes (TP.4) Trusted processes in the TOE are processes running in user mode but with root privileges. A trusted process is distinguished from other user processes by the ability to affect the security policy. Some trusted processes implement security policies directly (e.g., identification and authentication) but many are trusted simply because they operate in an environment that confers the ability to access TSF data (e.g., programs run by administrative users or during system initialization). Trusted processes have all the kernel interfaces available for their use, but are limited to kernel-provided mechanisms for communication and data sharing, such as files for data storage and pipes, sockets and signals for communication. The major functions implemented with trusted processes include user login (identification and authentication), batch processing, some network operations, system initialization, and system administration. The kernel will check for each system call that requires root privileges if the process that issued the call has those privileges (TP4.1). If not, the kernel will refuse to perform the system call. The kernel will also check for each access to an object protected by any DAC mechanism, if the process has the required access rights for the attempted type of access. Any program executed with root privileges has the ability to perform the actions of a trusted process. It is therefore important that a site operating a system strictly controls those programs and prohibits that those programs are modified or that programs from untrusted sources are executed with root privileges (TP4.2). Trusted processes are not part of the kernel and (except for those processes that perform system initialization and identification and authentication) not part of the TSF itself. Trusted processes provide a contribution to security management and identification and authentication. For identification and authentication, they contribute to satisfy the security functional requirements FIA_UAU.2, FIA_UAU.7 and FIA_UID.2. This function also contributes to FPT_SEP.1. 6.2.8.5 TSF Databases (TP.5) Table 6-4 identifies the primary TSF databases used in the TOE and their purpose. These are listed both as individual files (by pathname) or collections of files. With the exception of databases listed with the User attribute (which indicates that a user can read, but not write, the file), all of these databases shall only be accessible to administrative users. None of these databases shall be modifiable by a user other than an administrative user. 2008­10­07 Cray / Novell / atsec Page 63 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Those databases are part of the file system and therefore the file system protection mechanisms of the TOE have to be used to protect those databases from unauthorized access. It is the task of the persons responsible for setting up and administrating the system to ensure that the access control features of the TOE are used throughout the lifetime of the system to protect those databases. Each host system (i.e. each entire Cray XT4 or XT5 computer system) within the TOE maintains its own TSF database. Synchronizing those databases among multiple systems (i.e. several different Cray XT4 or XT5 computer systems) is not performed in the evaluated configuration. If such synchronization is required by an organization, it is the responsibility of an administrative user of the TOE to achieve this either manually or with some automated assistance. Table 6-4 . Administrative Databases. This table summarizes administrative files used to configure the TSF. Please refer to the FSP mapping table [FSP] for more detail. Database Purpose /etc/rca_dispatcher.conf Describes the process started by rcad program at different run levels /etc/at.allow Defines users allowed to use the at command /etc/at.deny Defines users not allowed to use at command. Checked, if /etc/at.allow does not exist. If exists and empty and no "allow" file exists, all users are allowed to use the at command /etc/audit.rules defines filters for auditable event record generation /etc/auditd.conf configuration settings for audit subsystem operation (such as audit trace file location and disk space thresholds) /etc/cron.d/* contains programs to be scheduled by the cron daemon /etc/cron. {hourly,daily,weekly,monthly}/* contains programs to be scheduled by the cron daemon on a weekly, hourly, daily or monthly schedule /etc/crontab commands to be scheduled by the cron daemon /etc/ftpusers contains users not allowed to use the ftp command /etc/group Stores group names, supplemental GIDs, and group members for all system groups. /etc/hosts Contains hostnames and their address for hosts in the network. This file is used to resolve a hostname into an Internet address in the absence of a domain name server /etc/init.d/* System startup scripts /etc/inittab Describes the process started by init program at different run levels /etc/ld.so.conf File containing a list of colon, space, tab, newline, or comma separated directories in which to search for libraries for run-time link bindings /etc/localtime Defines the local time zone information used for date/time input and display /etc/login.defs Defines various configuration options for the login process /etc/modprobe.conf Configuration files for modprobe. Modprobe automatically loads or unloads a module while taking into account its dependencies. /etc/pam.d/* This directory contains the configuration of PAM. In it there is one configuration for each application that performs identification and authorization. Each of the configuration file contains the PAM /etc/passwd Stores user names, user IDs, primary group ID, user real name, home directory, shell for all system users. /etc/securetty Contains device names of tty lines on which root is allowed to login /etc/security/pam_pwcheck.conf Configuration for the password strength checking module /etc/security/pam_unix2.conf Configuration for the password authentication module /etc/shadow Defines user passwords in one-way encrypted form, plus additional characteristics /etc/ssh/sshd_config Contains ssh configuration parameter for the ssh server /etc/stunnel/*.conf Stunnel configuration files /etc/sysconfig/* Directory containing several configuration files for network services /etc/vsftpd.conf Contains configuration parameter for the vsftp server /etc/xinetd.conf Main configuration file for xinetd /etc/xinetd.d/* Subsidiary configuration files for xinetd, read from xinetd.conf 2008­10­07 Cray / Novell / atsec Page 64 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Database Purpose /usr/lib/cracklib_dict.* Dictionaries for the password strength checking tool /var/log/faillog Contains the counter for the number of consecutive failed login attempts /var/log/lastlog Stores time and date of last successful login for each user. /var/spool/atjobs/* Directory to store jobs scheduled by the at daemon /var/spool/cron/tabs/root Crontab file for the root user /var/spool/cron/allow File containing users allowed to use crontab /var/spool/cron/deny File containing users not allowed to use crontab. Evaluated only if no /var/spool/cron/allow exists. If exists and empty and no "allow" file exists, all users are allowed to use crontab. These tables are not functions but they are part of the management of the TSF. As such they contribute to the system management security functional requirements FMT_MSA.3 and FMT_MTD.1 (User Attributes and Authentication Data) as well as FMT_SMF.1. 6.2.8.6 Internal TOE Protection Mechanisms (TP.6) All kernel software has access to all memory, and the ability to execute all instructions. In general, however, only memory containing kernel data structures is manipulated by kernel software. Parameters are copied to and from process storage (i.e., that accessible outside the kernel) by explicit internal mechanisms, and those interfaces only refer to storage belonging to the process that invoked the kernel (e.g., by a system call). Functions implemented in trusted processes are more strongly isolated than the kernel. Because there is no explicit sharing of data, as there is in the kernel address space, all communications and interactions between trusted processes take place explicitly through files and similar mechanisms. This encourages an architecture in which specific TSF functions are implemented by well-defined groups of processes. This function contributes to satisfy the security requirement FPT_SEP.1. 6.2.8.7 Testing the TOE Protection Mechanisms (TP.7) The TOE provides a tool for the system administrator that allows him to test the correct functions of the protection features of the underlying abstract machine. This tool performs tests on:  the main memory (to check for failures in the memory hardware) (TP7.1)  the processor (to check the functions of the memory management unit and the separation between user and kernel mode) (TP7.2)  I/O devices (to check for correct operation of some I/O devices including the hard disks and the firmware used to access the disks) (TP7.3) The tool generates a report on the tests performed and the results of those tests. The report is generated in human readable format and may be stored in a file or directed to a printer (TP7.4). This function contributes to satisfy the security requirement FPT_AMT.1. 6.3 Supporting functions not part of the TSF 6.3.1 User Processes The TSF primarily exist to support the activities of user processes. A user, or non-TSF, process has no special privileges or security attributes. The user process is isolated from interference by other user processes primarily through the CPU execution state and address protection mechanisms and the way they are used by the kernel, and also through the protections on TSF interfaces for process and file manipulation. User processes are by definition untrusted and therefore do not contribute to any security function. The TSF ensure that user processes are encapsulated in such a way that they are separated from the TSF and from processes (trusted and untrusted) running with different attributes, and will only be able to communicate with them using the defined TSF interfaces. User processes therefore do not contribute to any security function of the TOE. 2008­10­07 Cray / Novell / atsec Page 65 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 6.4 Assurance Measures The following table provides an overview, how the assurance measures of EAL3 augmented by ALC_FLR.1 are met by the TOE. Table 6-5: Mapping Assurance Requirements to Documentation Assurance Component Documentation describing how the requirements are met ACM_CAP.3 Configuration management procedures within Novell are highly automated using a process supported by an autobuild tool. ACM_SCP.1 Source code, generated binaries, documentation, test plan, test cases and test results are maintained under configuration management. ADO_DEL.1 The TOE software is delivered preinstalled on the hardware. ADO_IGS.1 Guidance for installation and system configuration is provided in the guidance documentation associated with the TOE. ADV_FSP.1 The functional specification for the TOE consists of the man pages that describe the system calls, the trusted commands, as well as a description of the security relevant configuration files. A table provided by the sponsor lists all system calls, trusted commands and security relevant configuration files with a mapping to their description in the overall documentation. ADV_HLD.2 A high level design of the security functions of the TOE is provided. This document provides an overview of the implementation of the security functions within the subsystems of the TOE and points to other existing documents for further details where appropriate. ADV_RCR.1 The correspondence information is provided as part of the functional specification (with the spreadsheet). An additional document providing the correspondence to the TOE Summary Specification has been provided to the evaluation facility. AGD_ADM.1 The Evaluated Configuration Guide and the Cray UNICOS/lc Operating System admin handbook plus a special README file contain the specifics for the secure administration of the evaluated configuration. AGD_USR.1 The Evaluated Configuration Guide and the Cray UNICOS/lc Operating System user handbook plus a special README file contain the specifics for the secure usage of the evaluated configuration. ALC_DVS.1 The Novell security procedures are defined and described in documents in provided by Novell. The Cray security procedures are defined and described in documents provided by Cray. ALC_FLR.1 The defect handling procedure Cray has in place for the development of the Cray UNICOS/lc Operating System requires the description of defects with their effects, security implications, fixes and required verification steps. ATE_COV.2 Detailed test plans are produced to test the functions of the TOE. Those test plans include an analysis of the test coverage, an analysis of the functional interfaces tested, and an analysis of the testing against the high level design. ATE_DPT.1 Testing at internal interfaces is defined and described in the test plan documents and the test case descriptions ATE_FUN.1 Testing has been performed on the platforms that are defined in the Security Target. Test results are documented such that the tests can be repeated. ATE_IND.2 All the required resources are provided to the evaluation facility to perform their own tests. The evaluation facility has performed and documented the tests they have created and performed as part of the evaluation technical report for testing. AVA_MSU.1 A Misuse Analysis is provided by the sponsor. AVA_SOF.1 The Strength of Function Analysis has been provided for the mechanism based on permutational or probabilistic algorithms as part of the developer's vulnerability analysis document. AVA_VLA.1 A vulnerability analysis has been provided that describes the sponsor's approach to identify vulnerabilities of the TOE as well as the results of the findings. 6.5 TOE Security Functions requiring a Strength of Function The TOE has the password-based security function for identification and authentication (IA) that is implemented by a probabilistic or permutational mechanism. The strength claimed for this function is SOF-medium. In addition the TOE uses cryptographic functions for the protection of communication links. The cryptographic algorithms used 2008­10­07 Cray / Novell / atsec Page 66 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ there are not subject to a strength of function analysis. Also the key generation process for the cryptographic algorithms supported by the TOE is not subject to a strength of function analysis. 2008­10­07 Cray / Novell / atsec Page 67 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 7 Protection Profile Claims 7.1 PP Reference This Security Target claims conformance with the “Controlled Access Protection Profile" (CAPP) Version 1.d, 8 October 1999. This Protection Profile was developed by the “Information System Security Organization" of the National Security Agency of the United States of America. This Protection Profile is listed on the TPEP web site of NSA as a “Certified Protection Profile”. This Protection Profile was also used as the basis of the evaluations of AIX 5.2, Sun Solaris 8 and HP-UX 11.11. 7.2 PP Tailoring One additional security functional requirement (FMT_SMF.1) that has been added to those defined in the CAPP. The reason is a change to the [CC], where the new family FMT_SMF is defined and dependencies from FMT_MSA.1 and FMT_MTD.1 to the new component FMT_SMF.1 have been added. To resolve those new dependencies, FMT_SMF.1 has been added as a security functional requirement in addition to those defined in the CAPP. Two SFRs (FIA_UAU.1 and FIA_UID.1) defined in the PP have been substituted by hierarchically superior ones (FIA_UAU.2 and FIA_UID.2). This does not affect the compliance to the Protection Profile. Since those components don't imply additional dependencies, the dependency analysis performed on the Protection Profile still applies. Other requirements (FPT_ITT.1, FPT_TRC.1, FCS_CKM.1, FCS_CKM.2, FCS_COP.1, FDP_UCT.1, FDP_UIT.1, FMT_MSA.2, and FTP_ITC.1) represent TOE-specific extensions to the requirements defined by [CAPP]. Security Functional Requirements have been refined where required by the Protection Profile. One security functional requirement (“Note 1”) is included in [CAPP] as an extension to the requirements defined in part 2 of the Common Criteria. Aspects of conformance of structure and content of Note 1 with the Common Criteria requirements for extensions to part 2 are addressed in the evaluation of the Protection Profile. They are therefore not discussed in this Security Target. Threats have been added (the Protection Profile only defines policies). One assumption on the TOE environment (A.NET_COMP) has been added to reflect the distributed nature of the TOE. One security objective for the TOE (O.COMPROT) has been added to reflect the objective of being able to establish an Inter-TSF trusted channel between the TOE and another trusted IT product. The following security objectives for the TOE environment have been added: OE.ADMIN OE.INFO_PROTECT OE.MAINTENANCE OE.RECOVER OE.SOFTWARE_IN OE.SERIAL_LOGIN OE.PROTECT Those objectives are required to cover the specific threats addressing the TOE environment. All objectives are related to physical and procedural security measures and therefore address the TOE non-IT environment. The assurance requirements of the Protection Profile are those defined in the Evaluation Assurance Level (EAL) 3 of the Common Criteria. This Security Target specifies Evaluation Assurance Level 3 augmented by ALC_FLR.1. Since the Evaluation Assurance Levels in the Common Criteria define a hierarchy, all assurance requirements of the Protection Profile are included in this Security Target. ALC_FLR.1, which has been added to the assurance requirements defined in the CAPP has no dependency on any other security functional requirement or security assurance requirement and is therefore an augmentation that has no effect on the security functional requirements or security assurance requirements stated in the Protection Profile. 2008­10­07 Cray / Novell / atsec Page 68 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 8 Rationale The rationale section provides additional information and demonstrates that the security objectives and the security functions defined in the previous chapter are consistent and sufficient to counter the threats defined in chapter 2. 8.1 Security Objectives Rationale Thefollowingtablesprovideamappingof securityobjectivestotheenvironmentdefinedbythethreats,policies andassumptions,illustratingthateachsecurityobjectivecoversatleastonethreat,assumptionorpolicyandthat eachthreat,assumptionorpolicyiscoveredbyatleastonesecurityobjective. 8.1.1 Security Objectives Coverage Table 8-1: Mapping Objectives to threats and policies Objective Threat / Policy O.AUTHORIZATION T.UAUSER, P.AUTHORIZED_USERS O.DISCRETIONARY_ACCESS T.UAACCESS, P.NEED_TO_KNOW O.RESIDUAL_INFO P.NEED_TO_KNOW, T.UAACCESS O.MANAGE P.AUTHORIZED_USERS, P.NEED_TO_KNOW, T.UAUSER, O.ENFORCEMENT P.AUTHORIZED_USERS, P.NEED_TO_KNOW O.AUDITING P.ACCOUNTABILITY O.COMPROT T.COMPROT, P.NEED_TO_KNOW Table 8-2: Mapping objectives for the environment to threats, assumptions and policies Env. Objective Threat / Assumption / Policy OE.ADMIN A.MANAGE, A.NO_EVIL_ADMIN OE.CREDEN A.COOP OE.INSTALL TE.COR_FILE, A.MANAGE, A.NO_EVIL_ADMIN, A.PEER, A.NET_COMP OE.PHYSICAL A.LOCATE, A.PROTECT, A.CONNECT OE.INFO_PROTECT TE.COR_FILE, A.PROTECT, A.UTRAIN, A.UTRUST OE.MAINTENANCE TE.HWMF OE.RECOVER A.MANAGE, TE.HWMF, TE.COR_FILE OE.SOFTWARE_IN P.NEED_TO_KNOW OE.SERIAL_LOGIN A.CONNECT OE.PROTECT TE.COR_FILE, A.NET_COMP, A.CONNECT Table 8-3: Mapping threats to objectives Threat Objective T.UAUSER O.AUTHORIZATION, O.MANAGE T.UAACCESS O.DISCRETIONARY_ACCESS, O.RESIDUAL_INFO T.COMPROT O.COMPROT TE.HWMF OE.MAINTENANCE, OE.RECOVER TE.COR_FILE OE.PROTECT, OE.INSTALL, OE.INFO_PROTECT, OE.RECOVER Table 8-4: Mapping Assumptions to Objectives Assumption Objective A.LOCATE OE.PHYSICAL A.PROTECT OE.INFO_PROTECT, OE.PHYSICAL A.MANAGE OE.ADMIN, OE.INSTALL, OE.RECOVER 2008­10­07 Cray / Novell / atsec Page 69 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Assumption Objective A.NO_EVIL_ADMIN OE.ADMIN, OE.INSTALL A.COOP OE.CREDEN A.UTRAIN OE.INFO_PROTECT A.UTRUST OE.INFO_PROTECT A.NET_COMP OE.PROTECT, OE.INSTALL A.PEER OE.INSTALL A.CONNECT OE.SERIAL_LOGIN, OE.PROTECT, OE.PHYSICAL Table 8-5: Mapping Policies to Objectives Policy Objective P.AUTHORIZED_USERS O.AUTHORIZATION, O.MANAGE, O.ENFORCEMENT P.NEED_TO_KNOW O.DISCRETIONARY_ACCESS, O.MANAGE, O.ENFORCEMENT, O.RESIDUAL_INFO, O.COMPROT, OE.SOFTWARE_IN P.ACCOUNTABILITY O.AUDITING 8.1.2 Security Objectives Sufficiency T.UAUSER: The threat of impersonation of an authorized user by an attacker is sufficiently diminished by O.AUTHORIZATION requiring proper authorization of users gaining access to the TOE. O.MANAGE ensures that only administrative users (which are assumed to be trustworthy) have the ability to add new users or modify the attributes of users. Together those objectives ensure that no unauthorized user can impersonate as an authorized user. T.UAACCESS: The threat of an authorized user of the TOE accessing information resources without permission from the user responsible for the resource is removed by O.DISCRETIONARY_ACCESS requiring access control for resources and the ability for authorized users to specify the access to their resources. This ensures that a user can access a resource only if the requested type of access has been granted by the user responsible for the management of access rights to the resource. In addition, O.RESIDUAL_INFO ensures that an authorized user cannot gain access to the information contained in a resource after the resource has been released to the system for reuse. T.COMPROT: The threat of user data being compromised or modified without being detected is removed by O.COMPROT requiring the ability to set up an Inter-TSF trusted channel between the TOE and another trusted IT product that protects user data being transferred over this channel from disclosure and undetected modification. TE.HWMF: The threat of losing data due to hardware malfunction is mitigated by OE.MAINTENANCE requiring the invocation of diagnostic tools during preventative maintenance periods. In addition OE.RECOVER requires the organizational procedures to be set up that are able to recover critical data and restart operation in a secure mode in the case that such a hardware malfunction happens. TE.COR_FILE: The threat of undetected loss of integrity of security enforcing or relevant files of the TOE is diminished by OE.INSTALL requiring procedures for secure distribution, installation and configuration of systems, thereby ensuring that the system has a secure initial state with the required protection of such files, OE.PROTECT requiring protection of transferred data in the network the TOE is connected to, and OE.INFO_PROTECT requiring procedures for the appropriate definition of access rights to protect those files when the system is up and running. OE.RECOVER ensures that the system is securely recovered, which includes the verification of the integrity of security enforcing or security relevant files as part of the recovery procedures. A.LOCATE: The assumption on physical protection of the processing resources of the TOE is covered by OE.PHYSICAL requiring physical protection. A.PROTECT: The assumption on physical protection of all hard- and software as well as the network and peripheral cabling is covered by the objectives OE.INFO_PROTECT demanding the approval of network and peripheral cabling and OE.PHYSICAL requiring physical protection. Note: Physical protection of the network components and cabling is required by A.PROTECT which may seem to be redundant to A.CONNECT. But A.CONNECT also addresses protection against passive wiretapping, which may be done without having physical access to a hardware component. A.MANAGE: The assumption on competent administrators is covered by OE.ADMIN requiring competent and trustworthy administrators and OE.INSTALL requiring procedures for secure distribution, installation and configuration of systems, as well as OE.RECOVER requiring the administrator to perform all the required actions to bring the TOE into a secure state after a system failure or discontinuity.. 2008­10­07 Cray / Novell / atsec Page 70 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ A.NO_EVIL_ADMIN: The assumption that administrators are neither careless nor willfully negligent or hostile is covered by OE.ADMIN requiring competent and trustworthy administrators and OE.INSTALL requiring procedures for secure distribution, installation and configuration of systems. A.COOP: The assumption on authorized users to act in a cooperating manner is covered by the objective OE.CREDEN requiring the safe storage and non-disclosure of authentication credentials. A.NET_COMP: The assumption on network components to not modify transmitted data is covered by the objective OE.PROTECT requiring procedures and/or mechanisms to ensure a safe data transfer between systems, as well as OE.INSTALL requiring proper installation and configuration of all parts of the networked system, thus including also components that are not part of the TOE. A.PEER: The assumption on the same management control and security policy constraints for systems with which the TOE communicates is covered by OE.INSTALL requiring procedures for secure distribution, installation and configuration of the networked system. A.CONNECT: The assumption on controlled access to peripheral devices and protected internal communication paths is covered by OE.SERIAL_LOGIN for the protection of attached serial login devices, OE.PROTECT for the protection of data transferred between systems, and OE.PHYSICAL requiring physical protection. A.UTRAIN: The assumption on trained users is covered by OE.INFO_PROTECT which requires that users are trained to protect the data belonging to them. A.UTRUST: The assumption on user to be trusted to protect data is covered by OE.INFO_PROTECT which requires that users are trusted to use the protection mechanisms of the TOE adequately to protect their data. P.AUTHORIZED_USERS: The policy demanding that users have to be authorized for access to the system is implemented by O.AUTHORIZATION and supported by O.MANAGE allowing the management of this functions and O.ENFORCEMENT ensuring the correct invocation of the functions. P.NEED_TO_KNOW: The policy to restrict access to and modification of information to authorized users which have a “need to know” for that information is implemented by O.DISCRETIONARY_ACCESS demanding an appropriate access control function that allows to define access rights down to the granularity of an individual user and O.COMPROT protecting user data during transmission to another trusted IT product.. It is supported by O.RESIDUAL_INFO ensuring that resources do not release such information during reuse and by OE.SOFTWARE_IN preventing users other than administrative users from installing new software that might affect the access control functionality. O.MANAGE allows administrative and normal users (for the files they own) to manage these functions, and O. ENFORCEMENT ensures that the functions are invoked and operate correctly. P.ACCOUNTABILITY: The policy to provide a means to hold users accountable for their activities is implemented by O.AUDITING providing the TOE with such functionality. 8.2 Security Requirements Rationale This section provides the rationale for the internal consistency and completeness of the security functional requirements defined in this Security Target. 8.2.1 Internal Consistency of Requirements This section describes the mutual support and internal consistency of the components selected for this Security Target. These properties are discussed for both functional and assurance components. The functional components were selected from CC components defined in part 2 of the Common Criteria. The use of component refinement was accomplished in accordance with CC guidelines. Functional requirement “Note 1” has been taken from the Controlled Access Protection Profile [CAPP] and the justification for this extension has been addressed in the evaluation of this protection profile. Multiple instantiation of identical or hierarchically-related components was used to clearly state the required functionality that exists in this Security Target. For internal consistency of the requirements we provide the following rationale: Audit The requirements for auditing have been completely derived from [CAPP]. The rationale for those requirements is: FAU_GEN.1 defines the events that the TOE is required to be able to audit. Those events are related to the other security functional requirements showing which event contributes to make users accountable for their actions with respect to the requirement. FAU_GEN.2 requires that the events are associated with the identity of the user that caused the event. Of course this can only be done if the user is known (which may not be the case for failed login attempts). 2008­10­07 Cray / Novell / atsec Page 71 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ FAU_SAR.1 ensures that authorized administrators are able to evaluate the audit records, while FAU_SAR.2 requires that no other users can read the audit records (since they may contain sensitive information). Taking into account that the amount of audit records gathered may be very large, FAU_SAR.3 requires that the TOE provides the ability to search the audit records for a set that satisfies defined attributes. To avoid that all possible audit records always are generated (which would result in an unacceptable overhead to the system performance and might easily fill up the available disk space), the TOE is required in FAU_SEL.1 to provide the possibility to restrict the events to be audited based on a set of defined attributes. Requirement FAU_STG.1 defines that audit records need to be protected from unauthorized deletion and modification to ensure their completeness and correctness. Requirement FAU_STG.3 addresses the aspect that the system detects a shortage in the disk space that can be used to store the audit trail. In this case, the administrator is informed about the potential problem and can take the necessary precautions to avoid a critical situation. FAU_STG.4 addresses the problem that the TOE might not be able to record further audit records (e.g., due to the shortage of some resources). Also in this case the TOE needs to ensure that such a situation cannot be misused by a user to bypass the auditing of critical activities. Otherwise a user might deliberately bring the TOE into a situation where it is no longer able to audit critical events, just to avoid that a critical action he performs is audited. Management of audit is addressed by FMT_MTD.1 for both the audit trail and audited events. Secure Communication The TOE provides two protocols that allow applications or users to securely communicate with other trusted IT products (which may be other instantiations of the TOE). Those protocols use cryptographic functions to ensure the confidentiality and integrity of the user data during transmission as required by FDP_UCT.1 (confidentiality) and FDP_UIT.1 (integrity). The two protocols – although based on the same library of cryptographic functions – use different cryptographic algorithms to provide the required protection. Both protocols provide the ability to establish an Inter-TSF trusted channel, as required by FTP_ITC.1. The secure generation of cryptographic passwords used for secure communications is addressed by FMT_MSA.2. Discretionary Access Control FDP_ACC.1 requires the existence of a Discretionary Access Control Policy for file system objects and Inter Process Communication objects. The rules of this policy are described in FDP_ACF.1. Management of access rights is defined in FMT_MSA.1 and FMT_REV.1. To be effective, a discretionary access control mechanism requires users to be properly identified and authenticated (as required by FIA_UID.2 and FIA_UAU.2), proper binding of subjects to users (as required by FIA_USB.1), reference mediation (as required by FPT_RVM.1) and domain separation (as required by FPT_SEP.1). The policy is also supported by the requirement for residual information protection (FDP_RIP.2), which prohibits that users access information they are not authorized to via residuals remaining in objects that they allocate. Identification and Authentication As stated above, Identification and Authentication is required for a useful discretionary access control based on the identity of individual users. FIA_UAU.2 and FIA_UID.2 require that users are authenticated before they can perform any action on the TOE. FIA_SOS.1 ensures that the mechanism used for authentication (passwords) has a minimum strength, and FIA_UAU.7 provides some level of protection against simple spoofing in the TOE environment. Since the TOE implements processes acting on behalf of the user, FIA_USB.1 ensures that those processes act within the limits defined for the user they are acting for (unless they are trusted to perform activities beyond the rights of the user). The TOE needs to ensure that authentication data is reliably replicated among login nodes. This is addressed by FPT_ITT.1 and FPT_TRC.1. Object Reuse As stated above, object reuse (as required by FDP_RIP.2 and Note 1) is a supporting function that prohibits easy access to information via residuals left in objects when they are re-allocated to another subject or object. This function supports the intention of the discretionary access control policy. Security Management The functions defined so far require several management functions as defined by FMT_SMF.1. The first one is the management of access rights (as defined by FMT_MSA.1 and FMT_REV.1 “Revocation of Object Attributes”). In addition, new objects are required to have default access rights, which are required by FMT_MSA.3. 2008­10­07 Cray / Novell / atsec Page 72 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ The second one is the management of users, which is defined in FMT_MTD.1 “Management of User Attributes” and FMT_REV.1 “Revocation of User Attributes”. Since passwords are used for authentication, the management of this authentication data is also required in FMT_MTD.1 “Management of Authentication Data”. Management of the audit subsystem is expressed by the requirements for the management of the audit trail (FMT_MTD.1 “Management of the Audit Trail”) and the management of the audit events (FMT_MTD.1 “Management of the Audit Events”). Audit trail management is supported by the requirements for the audit review (FAU_SAR.1, FAU_SAR.2 and FAU_SAR.3) as well as the requirements for the protection of the audit trail (FAU_STG.1, FAU_STG.3 and FAU_STG.4). Management of the audit events is supported by the ability to select the events to be audited (FAU_SEL.1). In addition, the TOE supports two roles (administrative user and normal user) which is expressed by FMT_SMR.1 Security management also comprises the management of reliable time stamps. Such time stamps are essential for correct time information within audit records. Times stamps are addressed by FPT_STM.1. TSF Protection The TOE needs to ensure that users are limited in their activities by the boundaries defined by the access control policy. To ensure this, the TSF need to check all access of users to protected objects (as required by FPT_RVM.1) and maintain a domain for its own execution that protects it from inference and tampering by any subject that is not part of the TSF. This is expressed with the requirement FPT_SEP.1. The TOE also needs to provide a tool that allows the administrator to check the integrity of the underlying hardware. Such ability is addressed by FPT_AMT.1. The following table shows how the security functional requirements map to the objectives defined for the TOE. Table 8-6: Mapping Objectives to Security Functional Requirements Objective Security Functional Requirement O.AUTHORIZATION User Attribute Definition (FIA_ATD.1) Strength of Authentication Data (FIA_SOS.1) Authentication (FIA_UAU.2) Protected Authentication Feedback (FIA_UAU.7) Identification (FIA_UID.2) User­Subject Binding (FIA_USB.1) Management of Authentication Data (FMT_MTD.1) Basic internal TSF data transfer protection (FPT_ITT.1) Internal TSF consistency (FPT_TRC.1) O.DISCRETIONARY_ACCESS Discretionary Access Control Policy (FDP_ACC.1) Discretionary Access Control Functions (FDP_ACF.1) User Attribute Definition (FIA_ATD.1) User­Subject Binding (FIA_USB.1) Management of Object Security Attributes (FMT_MSA.1) Static Attribute Initialization (FMT_MSA.3) Revocation of Object Attributes (FMT_REV.1) O.RESIDUAL_INFO Object Residual Information Protection (FDP_RIP.2) Subject Residual Information Protection (Note 1) O.MANAGE Selectable Audit Review (FAU_SAR.3) Management of Object Security Attributes (FMT_MSA.1) Static Attribute Initialization (FMT_MSA.3) Management of the Audit Trail (FMT_MTD.1) Management of Audited Events (FMT_MTD.1) Management of User Attributes (FMT_MTD.1) Management of Authentication Data (FMT_MTD.1) Revocation of User Attributes (FMT_REV.1) Specification of Management Functions (FMT_SMF.1) Security Management Roles (FMT_SMR.1) O.ENFORCEMENT Reference Mediation (FPT_RVM.1) Domain Separation (FPT_SEP.1) Abstract Machine Testing (FPT_AMT.1) O.AUDITING Audit Data Generation (FAU_GEN.1) User Identity Association (FAU_GEN.2) Audit Review (FAU_SAR.1) Restricted Audit Review (FAU_SAR.2) Selectable Audit Review (FAU_SAR.3) Selective Audit (FAU_SEL.1) Guarantees of Audit Data Availability (FAU_STG.1) Action in Case of Possible Audit Data Loss (FAU_STG.3) 2008­10­07 Cray / Novell / atsec Page 73 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Objective Security Functional Requirement Protection of Audit Data Loss (FAU_STG.4) Management of the Audit Trail (FMT_MTD.1) Management of Audited Events (FMT_MTD.1) Reliable Time Stamps (FPT_STM.1) O.COMPROT Cryptographic Key Generation (FCS_CKM.1 (1­3)) Cryptographic Key Distribution (FCS_CKM.2 (1­4)) Cryptographic Operation (FCS_COP.1 (1­3)) Basic data exchange confidentiality (FDP_UCT.1) Data Exchange Integrity (FDP_UIT.1) Secure Security Attributes (FMT_MSA.2) Inter­TSF Trusted Channel (FTP_ITC.1) O.AUTHORIZATION The TSF must ensure that only authorized users gain access to the TOE and its resources. Users authorized to access the TOE have to use an identification and authentication process [FIA_UID.2, FIA_UAU.2]. To ensure authorized access to the TOE, authentication data is protected [FIA_ATD.1, FIA_UAU.7, FMT_MTD.1 "Management of Authentication Data"]. The strength of the authentication mechanism must be sufficient to ensure that unauthorized users cannot easily impersonate an authorized user [FIA_SOS.1]. Proper authorization for subjects acting on behalf of users is also ensured [FIA_USB.1]. Authentication data must be reliably replicated among login nodes [FPT_ITT.1, FPT_TRC.1]. O.DISCRETIONARY_ACCESS The TSF must control access to resources based on identity of users. The TSF must allow authorized users to specify which resources may be accessed by which users. Discretionary access control must have a defined scope of control [FDP_ACC.1]. The rules of the DAC policy must be defined [FDP_ACF.1]. The security attributes of objects used to enforce the DAC policy must be defined. The security attributes of subjects used to enforce the DAC policy must be defined [FIA_ATD.1, FIA_USB.1]. Authorized users must be able to control who has access to objects [FMT_MSA.1] and be able to revoke that access [FMT_REV.1 "Revocation of Object Attributes"]. Protection of named objects must be continuous, starting from object creation [FMT_MSA.3]. O.AUDITING The events to be audited must be defined [FAU_GEN.1] and must be associated with the identity of the user that caused the event [FAU_GEN.2]. An authorized administrator must be able to read the audit records [FAU_SAR.1], but other users must not be able to read audit information [FAU_SAR.2]. The administrative user must be able to search the audit events in the audit trail using defined criteria [FAU_SAR.3] and also must be able to define the events that are audited and the conditions under which they are audited [FAU_SEL.1]. All audit records must be provided with a reliable time stamp [FPT_STM.1]. The audit system must ensure that audit records are not deleted or modified [FAU_STG.1] and are not lost because of shortage of resources [FAU_STG.3 and FAU_STG.4]. The administrative user must be able to manage the audit trail [FMT_MTD.1 “Management of the audit trail”] and the audit events [FMT_MTD.1 “Management of the audit events”]. O.RESIDUAL_INFORMATION The TSF must ensure that any information contained in a protected resource is not released when the resource is recycled. Residual information associated with defined objects in the TOE must be purged prior to the reuse of the object containing the residual information [FDP_RIP.2] and before a resource is given to a subject [Note 1]. O.MANAGE The TSF must provide all the functions and facilities necessary to support the administrative users that are responsible for the management of TOE security. Aspects that need to be managed must be defined [FMT_SMF.1]. The TSF must provide for an administrative user to manage the TOE [FMT_SMR.1]. The administrative user must be able to examine audit data [FAU_SAR.3 “Selectable Audit Review”], administer the audit subsystem [FMT_MTD.1 “Management of the Audit Trail” and FMT_MTD.1 “Management of the Audit Events”], administer user accounts [FMT_MTD.1 "Management of User Attributes", FMT_MTD.1 "Management of Authentication Data", FMT_REV.1 "Revocation of User Attributes"], and administer object attributes [FMT_MSA.1 "Management of Object Security Attributes"]. In addition the default values for access control need to be defined [FMT_MSA.3]. 2008­10­07 Cray / Novell / atsec Page 74 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ O.ENFORCEMENT The TSF must be designed and implemented in a manner which ensures that the organizational policies are enforced in the target environment. The TSF must make and enforce the decisions of the TSP [FPT_RVM.1]. It must be protected from interference that would prevent it from performing its functions [FPT_SEP.1]. The correctness of this objective is further met through the assurance requirements defined in this Security Target. The TSF must provide the administrator with tools that allow checking the integrity of the underlying hardware [FPT_AMT.1]. This objective provides global support to other security objectives for the TOE by protecting the parts of the TOE which implement policies and ensures that policies are enforced. O.COMPROT The TSF must be able to establish an Inter-TSF trusted channel between itself and another trusted IT product [FTP_ITC.1] protecting the user data transferred from disclosure [FDP_UCT.1] and undetected modification [FDP_UIT.1]. This TSF uses cryptographic functions in the implementation that require securely generating keys [FCS_CKM.1], distributing keys [FCS_CKM.2] and performing the required cryptographic operations on the user data [FCS_COP.1]. Keys used must be secure enough such that they cannot be guessed [FMT_MSA.2] No security functions for the non-IT environment have been added, since the procedures that need to be implemented can (and probably will) be different for each site running the evaluated version of the Cray UNICOS/lc Operating System. Therefore no specific security functional requirements and security functions for the non-IT environment have been defined in this Security Target. Individual sites running the TOE should validate that the procedures and physical security measures they have put in place are sufficient to cover the security objectives defined for the environment of the TOE in this Security Target. Security requirements for the IT environment have been added to define the support required by the TOE from the underlying processor. As with every operating system that also runs untrusted software, some kind of separation mechanism must exists that prohibits the untrusted software from tampering with trusted software and TSF data. In the case of this TOE, the processor must supply a separation mechanism such that memory areas as well as hardware privileges required to directly access devices or memory management functions are protected from direct access by untrusted software. This is defined with an access control policy called “memory access control policy” that the underlying processor must support. This policy is expressed using FDP_ACC.1 and FDP_ACF.1 as well as FDP_MSA.3 from part 2 of the Common Criteria. 2008­10­07 Cray / Novell / atsec Page 75 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 8.2.2 Security Requirements Instantiation Rationale This section provides the rationale for the selections and instantiations made in the security requirements section for the security requirements taken from part 2 of the Common Criteria. A rationale is given only for those requirements where selections and instantiations in addition to the ones defined in [CAPP] are provided. For the selections and instantiations performed in [CAPP], refer to the rationale provided there. In FAU_GEN.1 the different events that the TOE is able to audit are defined with respect to the SFR they belong to. This list has been taken from [CAPP] and extended with the names of the events and with the SFR that are additional to the ones required by [CAPP]. In FAU_SAR.1 it is expressed that an authorized administrator is able to read all the audit data from the audit log and therefore is able to evaluate the information of the audit trail. In FAU_SAR.3 it is expressed that an authorized administrator is able to search the audit trail for events matching defined selection criteria, where the selection can be performed based on the list of attributes defined in the SFR. In FAU_STG.1 the requirement for preventing unauthorized modifications of the audit records is expressed. In FAU_STG.3 the requirement for timely notification of the authorized administrator about a potential shortage in the disk space for the audit trail is expressed, allowing the administrator to take the appropriate measures to overcome the situation before it gets critical. FCS_CKM.1 has multiple instantiations to reflect the requirements for the generation of symmetric and asymmetric keys to be used by the SSH and SSL protocols to set up and maintain a trusted channel between the TOE and another trusted IT product. FCS_CKM.2 has multiple instantiations to reflect the different ways for public key exchange, session key exchange, and Diffie-Hellman key agreement. FCS_COP.1 has multiple instantiations to define the different cryptographic algorithms used within the SSL and SSH protocol (with the cipher suites configured for the TOE, which are a subset of the cipher suites allowed in the standards defining those protocols). In FDP_ACC.1 the different objects that the TOE controls with a discretionary access control function are listed. FDP_ACF.1 gets somewhat complicated with expressing the different policies for discretionary access control for the different types of objects. It was decided to list the rules for file system objects and IPC objects separately because they differ significantly. In FDP_UCT.1 the requirement for the ability to protect user data from disclosure when being transferred and received is expressed. In FDP_UIT.1 the requirement for the ability to protect user data from unauthorized modification and insertion when being transferred and received is expressed. In FIA_ATD.1 nothing has been added as additional security attribute of users within the evaluated configuration of the Cray UNICOS/lc Operating System. Other attributes as for example stored in the file /etc/shadow are not seen as security attributes. In FIA_USB.1, the way the TOE associates the real, filesystem and effective user ID, is expressed. While the filesystem and effective user id and group id can change as the result of an su command or a program with the setuid or setgid attribute set, the login ID is maintained and allows tracing activities to the real user that originated them. In FMT_MSA.1 the ability of the authorized administrator and the owner to modify access rights for objects is expressed. In addition the special role of the owner in the case of IPC objects is expressed. In FMT_REV.1 “Revocation of User Attributes” the delayed revocation method has been added, since this is the standard way the TOE behaves. To get immediate revocation, the administrative user has to force the user to log off after he has made the modifications to the user’s attribute. In FMT_REV.1 “Revocation of Object Attributes” the TOE implementation of delayed revocation is defined. FMT_SMF.1 has been added to comply with [CC] and the dependencies defined there. The Security Target defines management requirements in FMT_MSA.1 and the four instantiations of FMT_MTD.1 for:  Audit trail management  Audit event management  User attribute management  Authentication data management Those aspects are listed in this security functional requirement. 2008­10­07 Cray / Novell / atsec Page 76 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ FMT_SMR.1 defines only the roles of administrative and normal users. FPT_AMT.1 expresses the ability of the authorized administrator to perform tests of the underlying abstract machine on his demand. In FTP_ITC.1 the ability to set up a trusted channel between the TOE and another trusted IT product is expressed where either the TOE or the other trusted IT product is allowed to initiate the communication over the trusted channel. FPT_ITT.1 defines the requirement that internal TOE communication as used for password replication is safe against modification. FPT_TRC.1 defines the requirement that the data used for identification and authentication is reliably replicated among login nodes. 8.2.3 Security Requirements Coverage The following table shows that each security functional requirement addresses at least one objective. Table 8-7: Mapping Security Functional Requirements to Objectives SFR Objectives FAU_GEN.1 O.AUDITING FAU_GEN.2 O.AUDITING FAU_SAR.1 O.AUDITING FAU_SAR.2 O.AUDITING FAU_SAR.3 O.AUDITING, O_MANAGE FAU_SEL.1 O.AUDITING FAU_STG.1 O.AUDITING FAU_STG.3 O.AUDITING FAU_STG.4 O.AUDITING FCS_CKM.1(1) O.COMPROT FCS_CKM.1(2) O.COMPROT FCS_CKM.1(3) O.COMPROT FCS_CKM.2(1) O.COMPROT FCS_CKM.2(2) O.COMPROT FCS_CKM.2(3) O.COMPROT FCS_CKM.2(4) O.COMPROT FCS_COP.1(1) O.COMPROT FCS_COP.1(2) O.COMPROT FCS_COP.1(3) O.COMPROT FDP_ACC.1 O.DISCRETIONARY_ACCESS FDP_ACF.1 O.DISCRETIONARY_ACCESS FDP_RIP.2 O.RESIDUAL_INFO Note 1 O.RESIDUAL_INFO FDP_UCT.1 O.COMPROT FDP_UIT.1 O.COMPROT FIA_ATD.1 O.AUTHORIZATION, O.DISCRETIONARY_ACCESS FIA_SOS.1 O.AUTHORIZATION FIA_UAU.2 O.AUTHORIZATION FIA_UAU.7 O.AUTHORIZATION FIA_UID.2 O.AUTHORIZATION FIA_USB.1 O.AUTHORIZATION, O.DISCRETIONARY_ACCESS FMT_MSA.1 O.DISCRETIONARY_ACCESS, O.MANAGE FMT_MSA.2 O.COMPROT FMT_MSA.3 O.DISCRETIONARY_ACCESS, O.MANAGE FMT_MTD.1 Audit Trail O.AUDITING, O.MANAGE FMT_MTD.1 Audited Events O.AUDITING, O.MANAGE FMT_MTD.1 User Attributes O.MANAGE FMT_MTD.1 Authentication Data O.AUTHORIZATION, O.MANAGE FMT_REV.1 O.MANAGE 2008­10­07 Cray / Novell / atsec Page 77 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ SFR Objectives User Attributes FMT_REV.1 Object Attributes O.DISCRETIONARY_ACCESS FMT_SMF.1 O.MANAGE FMT_SMR.1 O.MANAGE FPT_AMT.1 O.ENFORCEMENT FPT_RVM.1 O.ENFORCEMENT FPT_SEP.1 O.ENFORCEMENT FPT_STM.1 O.AUDITING FTP_ITC.1 O.COMPROT FPT_ITT.1 O.AUTHORIZATION FPT_TRC.1 O.AUTHORIZATION 8.2.4 Security Requirements Dependency Analysis The following table shows the dependencies between the different security functional requirements and if they are resolved in this Security Target. Table 8-9: Dependencies between Security Functional Requirements Security Functional Requirement Dependencies Resolved FAU_GEN.1 FPT_STM.1 Reliable time stamps Yes FAU_GEN.2 FAU_GEN.1 Audit data generation FIA_UID.1 Timing of identification Yes FAU_SAR.1 FAU_GEN.1 Audit data generation Yes FAU_SAR.2 FAU_SAR.1 Audit review Yes FAU_SAR.3 FAU_SAR.1 Audit review Yes FAU_SEL.1 FAU_GEN.1 Audit data generation FMT_MTD.1 Management of TSF data Yes FAU_STG.1 FAU_GEN.1 Audit data generation Yes FAU_STG.3 FAU_STG.1 Protected audit trail storage Yes FAU_STG.4 FAU_STG.1 Protected audit trail storage Yes FCS_CKM.1 [FCS_CKM.2 Cryptographic key distribution or FCS_COP.1 Cryptographic operation] FCS_CKM.4 Cryptographic key destruction FMT_MSA.2 Secure security attributes No (see comment below) FCS_CKM.2 [FDP_ITC.1 Import of user data without security attributes or FCS_CKM.1 Cryptographic key generation] FCS_CKM.4 Cryptographic key destruction FMT_MSA.2 Secure security attributes No (see comment below) FCS_COP.1 [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation] FCS_CKM.4 Cryptographic key destruction FMT_MSA.2 Secure security attributes No (see comment below) FDP_ACC.1 FDP_ACF.1 Security attribute based access control Yes FDP_ACF.1 FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation Yes FDP_RIP.2 No dependencies. Yes Note 1 No dependencies Yes FDP_UCT.1 [FTP_ITC.1 Inter­TSF trusted channel, or FTP_TRP.1 Trusted path] [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] yes (FTP_ITC.1 and FDP_ACC.1) FDP_UIT.1 [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control] [FTP_ITC.1 Inter­TSF trusted channel, or FTP_TRP.1 Trusted path] yes (FTP_ITC.1 and FDP_ACC.1) FIA_ATD.1 No dependencies Yes 2008­10­07 Cray / Novell / atsec Page 78 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Security Functional Requirement Dependencies Resolved FIA_SOS.1 No dependencies Yes FIA_UAU.2 FIA_UID.1 Timing of identification Yes FIA_UAU.7 FIA_UAU.1 Timing of authentication Yes FIA_UID.2 No dependencies Yes FIA_USB.1 FIA_ATD.1 User attribute definition Yes FMT_MSA.1 [FDP_ACC.1 Subset access control or FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1Specification of management function Yes FMT_MSA.2 ADV_SPM.1 Informal TOE security policy model [FDP_ACC.1 Subset access control or FDP_IFC.1 Subset information flow control] FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles No (see remarks below) FMT_MSA.3 FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles FMT_SMF.1 1Specification of management function Yes FMT_MTD.1 Audit Trail FMT_SMR.1 Security Roles Yes FMT_MTD.1 Audit Events FMT_SMR.1 Security Roles Yes FMT_MTD.1 User Attributes FMT_SMR.1 Security roles Yes FMT_MTD.1 Authentication Data FMT_SMR.1 Security roles Yes FMT_REV.1 User Attributes FMT_SMR.1 Security roles Yes FMT_REV.1 Object Attributes FMT_SMR.1 Security roles Yes FMT_SMF.1 No dependencies Yes FMT_SMR.1 FIA_UID.1 Timing of identification Yes FPT_AMT.1 No dependencies Yes FPT_RVM.1 No dependencies Yes FPT_SEP.1 No dependencies Yes FPT_STM.1 No dependencies Yes FTP_ITC.1 No dependencies Yes FPT_TRC.1 FPT_ITT.1 Basic internal TSF data transfer protection Yes FPT_ITT.1 No dependencies Yes Comment The security functional requirements FCS_CKM.1, FCS_CKM.2 and FCS_COP.1 all have a dependency on FCS_CKM.4 (Cryptographic key destruction). The TOE does not explicitly implement a key destruction function. Key destruction is performed implicitly for the symmetric session keys used by the Object Reuse function, which ensures that memory used to temporarily store the symmetric session key is cleared before it is assigned to another subject or object. This applies for both main memory as well as disk space (the session keys might be written to disk space as part of the paging function of the TOE. They are not stored in ordinary files). With respect to the long-term public-private key pairs, the key destruction is performed by deleting the file containing the key. The Object Reuse function of the TOE ensures that the disk space previously allocated to the file storing those keys is cleared before it is assigned to another subject or object. The other dependencies of those security functional requirements are satisfied. The TOE does not import keys but generates all keys themselves as expressed in the security functional requirement FCS_CKM.1. Remarks The dependencies of FIA_UAU.2, FIA_UAU.7 and FMT_SMR.1 on FIA_UID.1 are resolved with the inclusion of FIA_UID.2, which is hierarchical to FIA_UID.1 2008­10­07 Cray / Novell / atsec Page 79 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ The multiple instantiations of FMT_MTD.1 and FMT_REV.1 have been included in this table, since a multiple instantiation of one security functional requirement may in some cases result in the requirement for multiple instantiations of depending requirements. This is not the case here, since they all rely on the same simple role model of the TOE. This table shows that no unresolved dependencies exist between security functional requirements. There are also no unresolved dependencies between security assurance requirements. This is because the evaluation assurance level EAL3 has been defined such that no unresolved dependencies exist. The additional assurance component ALC_FLR.1 has no dependencies and therefore there are no unresolved dependencies for assurance components. FMT_MSA.2 targets the random number generation mechanism used for calculating cryptographic keys. Since a random number generation is not a policy that can be modeled, the dependency to ADV_SPM.1 is unresolved. In addition, the seeding of the random number is not a management task, since the initial seeding is done automatically by the TOE. 8.2.5 Strength of function This Security Target claims an SOF rating SOF-medium. This claim applies for FIA_SOS.1, whereby it is stated that a ‘one off’ probability of guessing the password in 1,000,000 is given. The SFR is in turn consistent with the security objectives. A claim of SOF-medium is also consistent with the assumption of a non-hostile user community and the assumption on physical protection which prohibits that well-skilled, hostile attackers will get physical access to the TOE. 8.2.6 Evaluation Assurance Level This security target claims EAL3 augmented with ALC_FLR.1, which is seen appropriate for a controlled environment where attackers only have a low attack potential. 8.3 TOE Summary Specification Rationale 8.3.1 Security Functions Justification The following table shows that the IT security functions, as specified in the TOE summary specification, meet all security functional requirements for the TOE and work together to satisfy the TOE security functional requirements. Table 8-10: Mapping Security Functional Requirements to Security Functions SFR Security Functions (TOE Summary Specification) FAU_GEN.1 The audit events are generally defined in AU, explaining how the events are generated by the TOE. The System Administrator is able to define the events to be audited, which is described in SM. FAU_GEN.2 The concept of a “Login ID” that is kept for a user after his initial login is explained in AU. This allows tracing events to the user that caused them even if the user changes his real and / or effective and filesystem user ID (e.g., with the su command or with the execution of a suid program). FAU_SAR.1 The ability of the authorized administrator to read the audit trail and to convert the audit records into human readable format is explained in AU. FAU_SAR.2 The ability to restrict access to the audit trail to authorized users is addressed in AU and enforcement is realized by DA. FAU_SAR.3 The ability of the authorized administrator to search the audit trail for events matching defined search criteria is expressed in AU. FAU_SEL.1 The ability of the authorized administrator to define the events to be audited using predicates and logical expressions is described in AU and SM. FAU_STG.1 The use of the TOE’s discretionary access control policy to protect the audit trail and the audit configuration files from access by anybody other than an authorized administrator is defined in AU. FAU_STG.3 The ability to generate a syslog message when the disk space for auditing gets below a limit defined in the audit configuration file is described in AU. FAU_STG.4 The ability to stop processes trying to generate audit records in case the audit trail is full is described in AU. 2008­10­07 Cray / Novell / atsec Page 80 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ SFR Security Functions (TOE Summary Specification) FCS_CKM.1 The multiple instantiations of this security functional requirement are described in SC where the SSH v2 and SSL v3 protocols and the cipher suites supported by the evaluated configuration are defined together with the key generation functions used. FCS_CKM.2 The multiple instantiations of this security functional requirement are described in SC where the SSH v2 and SSL v3 protocols and the cipher suites supported by the evaluated configuration are defined together with the key exchange / key negotiation functions used. FCS_COP.1 The multiple instantiations of this security functional requirement are described in SC where the SSH v2 and SSL v3 protocols and the cipher suites supported by the evaluated configuration are defined with the cryptographic algorithms used by the cipher suites. FDP_ACC.1 The discretionary access control policy is based on DA defining permission bits for the subjects and objects, as there are file system objects and IPC objects. FDP_ACF.1 The discretionary access control is realized as described above by DA. There the individual mechanisms for access control depending on the object type are described in detail. FDP_RIP.2 Object residual information protection is realized by security functions for object reuse (OR) on file system objects, IPC objects, queuing system objects, and miscellaneous objects. Note 1 The object reuse performed before an object is re­assigned to another subject is described in OR. FDP_UCT.1 The description how the confidentiality of user data is protected when using the SSH v2 or SSL v3 protocol is described in SC. FDP_UIT.1 The description how the user data is protected from unauthorized modifications and insertions when using the SSH v2 or SSL v3 protocol is described in SC. FIA_ATD.1 Security attributes belonging to individual users are realized by the user I&A data management of IA. Management of user attributes is described in SM. FIA_SOS.1 The passwd function of IA is able to enforce the verification of secrets as required. System management commands can be used to define parameters that can be used to (hopefully) enhance the strength of the passwords chosen by the user. Password management including the possible parameter to enhance the strength of passwords are explained in SM. FIA_UAU.2 Authentication of each user before any action is realized by IA (common authentication mechanism and interactive login and related mechanisms). Authentication is initiated by a trusted process. Trusted processes are described in TP. FIA_UAU.7 The login mechanisms of IA provide only obscured feedback during authentication. Authentication feedback is managed by a trusted process. Trusted processes are described in TP. FIA_UID.2 Identification of each user before any action is realized together with authentication as in IA (see above). Identification is initiated by a trusted process. Trusted processes are described in TP. FIA_USB.1 The required binding between subjects and users is implemented by the su functionality of IA and login processing. There also the logoff process is described which releases the binding between subjects and users. FMT_MSA.1 The management of object security attributes is implemented by the access control configuration and management function SM, the objects are described in DA (file system objects and IPC objects). FMT_MSA.2 The acceptance of only secure values is related to the use of secure cryptographic keys. The key generation aspects are discussed in SC for the different cryptographic algorithms used. FMT_MSA.3 Restrictive default values for security attributes are defined for the objects when they are created. Default values can be defined by an administrative user for all object types and by the user for file system objects created under his control. (see above, i.e., SM and DA). Some default values are defined in TSF databases as defined in TP. FMT_MTD.1 Audit Trail The protection and management of the audit trail is described in AU as well as in SM. Tools available for converting the audit data to human 2008­10­07 Cray / Novell / atsec Page 81 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ SFR Security Functions (TOE Summary Specification) readable format, as well as the tool for searching the audit trail data are described. FMT_MTD.1 Audited Events The way an authorized administrator can select the events to be audited is defined in AU and SM. FMT_MTD.1 User Attributes User security attributes are protected as required by the user identification and authentication data management in IA and during the creation of new users in SM. User attributes are stored in TSF databases described in TP. FMT_MTD.1 Authentication Data Initialization of authentication data is restricted to administrative users during the creation of new users in SM. Authentication data (in encrypted form) and attributes are stored in TSF databases described in TP. Users are allowed to change their own authentication data within the limits defined by an administrative user. This is described in SM FMT_REV.1 User Attributes The revocation of user security attributes as required in FMT_REV.1 is realized by the user management functions of SM. FMT_REV.1 Object Attributes Revocation of object security attributes is realized by the access control configuration and management function of SM. FMT_SMF.1 Management of security functions is addressed in the following security functions: Object security attributes management: DA (File system objects and IPC objects). In addition the following management functions are defined: Audit trail management: AU and SM. Audit event management: AU and SM. User attribute management: SM. Authentication management: SM and IA. In addition, most of the management functions use the TSF databases (TP) to store management configurations. FMT_SMR.1 The required roles are maintained within the security management of the roles in function SM. FPT_AMT.1 The ability of the authorized administrator to test the functions of the underlying abstract machine are described in TP. FPT_RVM.1 The TSF invocation guarantee functionality in TP ensure that TSP enforcement functions are always invoked before functions in the TSC are allowed to proceed. FPT_SEP.1 The required domain separation for the TSF is realized by the kernel functionality itself, the kernel modules and trusted processes as described in TP, the discretionary access control mechanism described in DA, and the internal TOE protection mechanisms described in TP. FPT_STM.1 The function for the generation of a reliable time stamp is defined in SM. FTP_ITC.1 The function for setting up a trusted channel between the TOE and another trusted IT product using the SSH v2 or SSL v3 protocol is described in SC. FPT_ITT.1 The function for replicating identification and authentication data is defined in IA. FPT_TRC.1 The function for replicating identification and authentication data is defined in IA. This table shows how the security functions work together to satisfy the security functional requirements. Access control is defined by a discretionary access control policy in FDP_ACC.1 and FDP_ACF.1. A security domain is enforced by restricting access to security relevant objects to authorized users as stated in FPT_SEP.1. For the TOE there are two different types of objects with some differences in policies depending on the object type. All the dependencies on the management aspects have been resolved. The management of the two object types differs only slightly, where those differences are explained in FMT_MSA.1 and FMT_REV.1. Audit of events is performed to be able to hold users accountable for their activities. Generation of audit records including the login ID of the user is addressed by FAU_GEN.1 and FAU_GEN.2. The availability of the audit trail is addressed by FAU_STG.1, FAU_STG.3, and FAU_STG.4. The audit trail must be secured from unauthorized access as described in FAU_SAR.2. Review of the audit trail by the administrator is discussed in FAU_SAR.1 and FAU_SAR.3. The management of both the audit trail and the audited events is described in FMT_MTD.1 and FAU_SEL.1. 2008­10­07 Cray / Novell / atsec Page 82 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ Object reuse is a useful requirement to prohibit unwanted access to information via resources that have not been prepared for reuse. Since the TOE supports access control, object reuse makes sense. This is addressed in FDP_RIP.2. Secure communication is used to protect data in transit between the TOE and trusted IT against disclosure and undetected unauthorized modifications as described in FDP_UCT.1 and FDP_UIT.1. There needs to be a trusted channel between the TOE and other trusted IT as defined in FTP_ITC.1. The generation of cryptographic keys for the mechanisms involved is addressed by FCS_CKM.1; the distribution of such keys is discussed in FCS_CKM.2. The cryptographic algorithms used are detailed in FCS_COP.1. As described in FMT_MSA.2, only secure values are allowed for cryptographic keys. Identification and authentication is handled by FIA_ATD.1, FIA_SOS.1 FIA_UAU.2, FIA_UAU.7 FIA_UID.2 and FIA_USB.1 in a fairly conventional way. FIA_USB describes the way the effective and filesystem user ID and group ID can be changed. FPT_ITT.1 and FPT_TRC.1 address the requirement for reliably replicating authentication data among login nodes. In the management section the requirements for the management of User Attributes, Authentication Data, and Audit Configuration has been separated in this Security Target. Since they are clearly separated, they are not contradicting each other. Revocation for user attributes is described separately from revocation of object attributes in two instantiations of FMT_REV.1. This makes sense, since revocation is handled differently. The TOE supports only two different roles as expressed by FMT_SMR.1. No additional role is required by any other SFR, so the role model is consistent with the other requirements. FMT_SMF.1 has been included because of [CC] and covers the different management aspects addressed in detail in FMT_MSA.1 and the instantiations of FMT_MTD.1. FPT_RVM.1 is required to ensure that the security functions can not be bypassed. In addition FPT_SEP.1 ensures that untrusted programs cannot tamper with the TSF and cause them to operate in contradiction to the security policy of the TOE. FPT_AMT.1, FPT_RVM.1 and FPT_SEP.1 are therefore mutually supportive requirements to enable a sufficient self-protection of the TSF. As a summary, this shows that the security functional requirements are not contradicting each other and are mutually supportive. 8.3.2 Assurance Measures Justification The TOE summary specification in section 6.4 includes a justification that each TOE security assurance requirement is met by appropriate assurance measures. 8.3.3 Strength of function The password mechanism used for authentication is one mechanism in the TSF that is implemented by a permutational or probabilistic mechanism subject to a strength of function analysis within the evaluation of this TOE. For the password-based authentication mechanism of the security function IA.1, a minimum strength of SOF- medium is claimed. This is done in accordance with the SOF claim for the related security functional requirement FIA_SOS.1. This claim is consistent with the security objective O.AUTHORIZATION and the statement in section 3.2 which says that the TOE should “protect against threats of inadvertent or casual attempts to breach the system security”. A highly skilled and well-funded attacker is explicitly excluded from the threat scenario described in section 3.2. The SOF-medium claim does not apply to the cryptographic algorithms, including the cryptographic properties of the hash functions implemented in the TOE. Excluding cryptographic algorithms and related functions from the strength of function analysis is in compliance with the CEM remarks on ASE_REQ.1.15, para 422. Therefore, a strength of SOF-medium is consistent with the description of the TOE environment. 8.4 PP Claims Rationale The TOE is conformant to the Controlled Access Protection Profile CAPP, as referenced in [CAPP]. One additional security objective for the TOE (O.COMPROT) has been defined to reflect the ability of the TOE to connect with trusted IT products via trusted channels. Objectives for the TOE environment have been added to this ST in addition to the ones contained in CAPP to allow a more distinguished description of the TOE environment - this does not impact the conformance of this ST to the PP. All security functional requirements in this ST are inherited from the CAPP and the operations allowed / required by the PP are performed and indicated in bold letters. Two security functional components (FIA_UAU.1 and FIA_UID.1) have been replaced by hierarchical higher ones (FIA_UAU.2 and FIA_UID.2). In both cases the only difference is the fact that no interaction with the TOE is allowed without proper user identification and 2008­10­07 Cray / Novell / atsec Page 83 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ authentication. This does not modify any of the rationale provided in the PP. In addition, FMT_SMF.1 has been added to comply with the updated [CC] which defines dependencies of two security functional requirements (FMT_MSA.1 and FMT_MTD.1) included in the PP. To satisfy those requirements, the new security functional component FMT_SMF.1 has been added to the Security Target (anticipating that this security functional requirement will be added in an update to the Controlled Access Protection Profile). Additional SFRs for the TOE IT environment have been defined to cope with the more distinguished description of the TOE environment - this does not impact the conformance of this ST to the PP. 2008­10­07 Cray / Novell / atsec Page 84 of 85 © Cray, atsec 2008 Cray UNICOS/lc Operating System 2.1 Security Target CAPP/EAL3+ 9 Abbreviations ACL Access Control List ALPS Application Level Placement Scheduler ANSI American National Standards Institute CAPP Controlled Access Protection Profile CC Common Criteria CD Compact Disc CPU Central Processing Unit DAC Discretionary Access Control DVD Digital Versatile Disc FPR Floating Point Register FSO File System Object FTP File Transfer Protocol GPR General Purpose Register ID Identifier IEC International Electrotechnical Commission IEEE Institute of Electrical and Electronics Engineers IP Internet Protocol IPC Inter-Process Communication LAN Local Area Network ISO International Standards Organization MD5 Message Digest 5 MPP Massively Parallel Processing PAM Pluggable Authentication Module PDF Portable Data Format PP Protection Profile SLES SUSE Linux Enterprise Server SMW System Management Workstation SSH Secure Shell ST Security Target TCP Transmission Control Protocol TOE Target of Evaluation TSF TOE Security Functions UDP User Datagram Protocol VFS Virtual File System VMM Virtual Memory Manager 2008­10­07 Cray / Novell / atsec Page 85 of 85 © Cray, atsec 2008