SECURITY FUNCTIONAL REQUIREMENTS FOR THE IT ENVIRONMENT

5 IT SECURITY REQUIREMENTS

5.3 SECURITY FUNCTIONAL REQUIREMENTS FOR THE IT ENVIRONMENT

underlying operating system and third-party software, to provide some of the security features of the product. The security functional requirements for the IT environment consist of the following components from Part 2 of the CC, summarized in Table 2.

CC Part 2 Security Functional Components

Identifier Name

FAU_GEN.1^є Audit data generation FAU_SAR.1^є Audit review

FAU_SEL.1 Selective audit

FAU_STG.1 Protected audit trail storage FDP_IFC.1^є Information flow control FDP_IFF.1^є Simple security attributes

FDP_ITT.1 Basic internal transfer protection

FPT_ITT.1 Basic internal TSF data transfer protection FPT_RVM.1^є Non-bypassability of the TSP

FPT_SEP.1 TSF Domain Separation FPT_STM.1 Reliable time stamps

Doc No: 1517-011-D001 Version: 1.1 Date: 3 August 2006 Page 35 of 71

Table 2 - Summary of Security Requirements for the Environment

Є – Denotes the environment iteration for this component

FAU_GEN.1^є Audit data generation Hierarchical to: No other components.

FAU_GEN.1.1 The Environment shall be able to generate an audit record of the following auditable events:

a) Start-up and shutdown of the audit functions;

b) All auditable events for the [selection: not specified] level of audit;

and

c) [assignment: use of the Hercules® EVM Client Management Service, Patch Download Service or Vflash Service events in addition to the audit capabilities of the underlying operating system].

FAU_GEN.1.2 The Environment shall record within each audit record at least the following information:

a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and

b) For each audit event type, based on the auditable event definitions of the functional components included in the ST, [assignment: no other audit relevant information]

Dependencies: FPT_STM.1 Reliable time stamps

FAU_SAR.1^є Audit review

Hierarchical to: No other components.

Dependencies: FAU_GEN.1^є Audit data generation

This component will provide authorised users the capability to obtain and interpret the information. In case of human users this information needs to be in a human understandable presentation. In case of external IT entities the information needs to be unambiguously represented in an electronic fashion.

FAU_SAR.1.1 The Environment shall provide [assignment: all users] with the capability to read [assignment: log data retained by the Environment]

from the audit records.

FAU_SAR.1.2 The Environment shall provide the audit records in a manner suitable for the user to interpret the information.

Doc No: 1517-011-D001 Version: 1.1 Date: 3 August 2006 Page 36 of 71

FAU_SEL.1 Selective audit

Hierarchical to: No other components.

FAU_SEL.1.1 The Environment shall be able to include or exclude auditable events from the set of audited events based on the following attributes:

a) [selection: event type]

b) [assignment: client machine identification].

Dependencies: FAU_GEN.1^є Audit data generation FMT_MTD.1 Management of TSF data

FAU_STG.1 Protected audit trail storage Hierarchical to: No other components.

FAU_STG.1.1 The Environment shall protect the stored audit records from unauthorised deletion.

FAU_STG.1.2 The Environment shall be able to [selection, choose one of: prevent]

unauthorised modifications to the stored audit records in the audit trail.

Dependencies: FAU_GEN.1 Audit data generation

FDP_IFC.1^є Subset information flow control Hierarchical to: No other components.

FDP_IFC.1.1 The environment shall enforce the [assignment: SERVER_SFP] on [assignment: Hercules® EVM Servers and client machines when the client machine requests a remediation profile from a Hercules® EVM Server].

Dependencies: FDP_IFF.1 Simple security attributes

FDP_IFF.1^є Simple security attributes Hierarchical to: No other components.

Doc No: 1517-011-D001 Version: 1.1 Date: 3 August 2006 Page 37 of 71

FDP_IFF.1.1 The environment shall enforce the [assignment: SERVER_SFP] based on the following types of subject and information security attributes:

[assignment: (1) Identification and authentication of the client machine; and (2) format of client machine remediation status information].

FDP_IFF.1.2 The environment shall permit an information flow between a controlled subject and controlled information via a controlled

operation if the following rules hold: [assignment: For the transfer of a remediation signature from the Hercules® EVM Server to a client machine; (a) the requesting client machine has been identified as authorised by the server using either certificates or in the absence of certificates the IP Address, Domain Name or NETBIOS name; and (b) the format of the client machine remediation status information is recognized.

FDP_IFF.1.3 The environment shall enforce the [assignment: no additional information flow control SFP rules].

FDP_IFF.1.4 The environment shall provide the following [assignment: no additional SFP capabilities].

FDP_IFF.1.5 The environment shall explicitly authorise an information flow based on the following rules: [assignment: none].

FDP_IFF.1.6 The environment shall explicitly deny an information flow based on the following rules: [assignment: none].

Dependencies: FDP_IFC.1 Subset information flow control FMT_MSA.3 Static attribute initialisation

FDP_ITT.1 Basic internal transfer protection Hierarchical to: No other components.

FDP_ITT.1.1 The Environment shall enforce the [assignment: SERVER_SFP] to prevent the [selection: disclosure, modification] of user data when it is transmitted between physically-separated parts of the TOE.

Dependencies: FDP_IFC.1 Subset information flow control

FPT_ITT.1 Basic internal TSF data transfer protection Hierarchical to: No other components.

Doc No: 1517-011-D001 Version: 1.1 Date: 3 August 2006 Page 38 of 71

Dependencies: No dependencies.

FPT_ITT.1.1 The Environment shall protect TSF data from [selection: disclosure, modification] when it is transmitted between separate parts of the TOE.

FPT_RVM.1є Non-bypassability of the TSP Hierarchical to: No other components.

FPT_RVM.1.1 The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed.

Dependencies: No dependencies.

FPT_SEP.1 TSF domain separation Hierarchical to: No other components.

FPT_SEP.1.1 The Environment shall maintain a security domain for its own

execution that protects it from interference and tampering by untrusted subjects.

FPT_SEP.1.2 The Environment shall enforce separation between the security domains of subjects in the TSC.

Dependencies: No dependencies.

FPT_STM.1 Reliable time stamps Hierarchical to: No other components.

FPT_STM.1.1 The Environment shall be able to provide reliable time stamps for its own use.

Dependencies: No dependencies.

Doc No: 1517-011-D001 Version: 1.1 Date: 3 August 2006 Page 39 of 71

In document SECURITY TARGET CITADEL HERCULES ENTERPRISE VULNERABILITY MANAGEMENT (EVM) VERSION 4.1 (Page 38-43)