3.1 Threat Environment

All threats and environmental threats refer to AIX (BAS mode) and Trusted AIX (LAS mode) unless otherwise stated. All threats and environmental threats for VIOS are explicitly marked as VIOS only. VIOS does not share threats or environmental threats with either AIX or Trusted AIX.

The threat agents and assets are defined by the protection profile and extended packages to which this document conforms and apply to AIX, Trusted AIX, and VIOS.

3.1.1 Threats countered by the TOE

[OSPP]_T.ACCESS.TSFDATA

A threat agent might read or modify TSF data without the necessary authorization when the data is stored or transmitted.

[OSPP]_T.ACCESS.USERDATA

A threat agent might gain access to user data stored, processed or transmitted by the TOE without being appropriately authorized according to the TOE security policy.

[OSPP]_T.ACCESS.TSFFUNC

A threat agent might use or modify functionality of the TSF without the necessary privilege to grant itself or others unauthorized access to TSF data or user data.

[OSPP]_T.ACCESS.COMM

A threat agent might access a communication channel that establishes a trust relationship between the TOE and another remote trusted IT system or masquerade as another remote trusted IT system.

[OSPP]_T.RESTRICT.NETTRAFFIC

A threat agent might get access to information or transmit information to other recipients via network communication channels without authorization for this communication attempt by the information flow control policy.

[OSPP]_T.IA.MASQUERADE

A threat agent might masquerade as an authorized entity including the TOE itself or a part of the TOE in order to gain unauthorized access to user data, TSF data, or TOE resources.

[OSPP]_T.IA.USER

A threat agent might gain access to user data, TSF data or TOE resources with the exception of public objects without being identified and authenticated.

[OSPP-AM]_T.ROLE.SNOOP

An attacker might obtain the rights granted to a role that was delegated to another user.

[OSPP-AM]_T.ROLE.DELEGATE

An attacker might delegate rights granted to a role that he does not possess or that he is not allowed to delegate.

[OSPP-IV]_T.ALTER.TSF

A threat agent might try to violate the integrity of the TSF code or TSF data in an undetectable way, resulting in a situation where security policies can be bypassed.

The threat that the integrity of the TSF code and TSF data loaded and executed before the integrity verification mechanism is active might be violated cannot be addressed by the TOE, but must be covered by the TOE environment. See A.PROTECT.INTEGRITY.

[OSPP-IV]_T.ALTER.USERDATA

A threat agent might try to violate the integrity of user data in an undetectable way, resulting in a situation where the TOE cannot reliably store user data.

[OSPP-LS]_T.DATA_NOT_SEPARATED

LAS mode only: The TOE might not adequately separate data on the basis of its sensitivity label, thereby allowing information to flow illicitly from or to users.

[OSPP-VIRT]_T.ACCESS.COMPENV

A threat agent might utilize or modify the runtime environment of other compartments in an unauthorized manner.

[OSPP-VIRT]_T.INFOFLOW.COMP

A threat agent might get access to information without authorization by the information flow control policy.

[OSPP-VIRT]_T.COMM.COMP

A threat agent might access the data communicated between compartments or between a compartment and an external entity to read or modify the transferred data.

[ST]_T.ROLE.INCONSISTENT_DB

The RBAC-related databases may become inconsistent, corrupt, or inaccessible either intentionally via a threat agent or unintentionally via a malfunction or administrative error.

[ST]_T.VIOS.ACCESS.TSFDATA

VIOS only: A threat agent might read or modify TSF data without the necessary authorization when the data is stored or transmitted.

[ST]_T.VIOS.ACCESS.TSFFUNC

VIOS only: A threat agent might use or modify functionality of the TSF without the necessary privilege to grant itself or others unauthorized access to TSF data or user data.

[ST]_T.VIOS.IA.MASQUERADE

VIOS only: A threat agent might masquerade as an authorized entity including the TOE itself or a part of the TOE in order to gain unauthorized access to user data, TSF data, or TOE resources.

[ST]_T.VIOS.IA.USER

VIOS only: A threat agent might gain access to user data, TSF data or TOE resources with the exception of public objects without being identified and authenticated.

[ST]_T.VIOS.NET.UNPROTECTED

VIOS only: A VIOS Ethernet device driver acting on behalf of a group of LPAR partitions may try to access a VIOS Ethernet adapter device driver intended for a different VIOS Ethernet device driver (or vice versa).

[ST]_T.VIOS.VOL.UNPROTECTED

VIOS only: A VIOS SCSI device driver acting on behalf of an LPAR partition may try to access logical volumes or physical volumes that are not assigned to that device driver.

3.1.2 Threats countered by the Operational Environment

[OSPP-IV]_TE.MODIFY_ENVIRONMENT

An external entity might try to violate security policies by manipulating the TOE environment; for example, by (directly or indirectly) installing a device driver that uses hardware functions (e.g., direct memory access) to access or violate the integrity of TSF data or TSF functions.

[ST]_TE.LPAR.ACCESS

A threat agent in a different logical partition might access resources assigned to the TOE's logical partition.

3.2 Assumptions

3.2.1 Environment of use of the TOE

All assumptions refer to AIX (BAS mode) and Trusted AIX (LAS mode) unless otherwise stated. All assumptions for VIOS are explicitly marked as VIOS only. VIOS does not share assumptions with either AIX or Trusted AIX.

3.2.1.1 Physical

[OSPP]_A.PHYSICAL

It is assumed that the IT environment provides the TOE with appropriate physical security, commensurate with the value of the IT assets protected by the TOE.

[ST]_A.VIOS.PHYSICAL

VIOS only: It is assumed that the operational environment provides the TOE with appropriate physical security, commensurate with the value of the IT assets protected by the TOE.

3.2.1.2 Personnel

[OSPP]_A.MANAGE

The TOE security functionality is managed by one or more competent individuals. The system administrative personnel are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the guidance documentation.

[OSPP]_A.AUTHUSER

Authorized users possess the necessary authorization to access at least some of the information managed by the TOE and are expected to act in a cooperating manner in a benign environment.

[OSPP]_A.TRAINEDUSER

Users are sufficiently trained and trusted to accomplish some task or group of tasks within a secure IT environment by exercising complete control over their user data.

[ST]_A.VIOS.MANAGE

VIOS only: The TOE security functionality is managed by one or more competent individuals. The system administrative personnel are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the guidance documentation.

[ST]_A.VIOS.AUTHUSER

VIOS only: Authorized users possess the necessary authorization to access at least some of the information managed by the TOE and are expected to act in a cooperating manner in a benign environment.

[ST]_A.VIOS.TRAINEDUSER

VIOS only: Users are sufficiently trained and trusted to accomplish some task or group of tasks within a secure operational environment by exercising complete control over their user data.

3.2.1.3 Procedural

[OSPP]_A.DETECT

Any modification or corruption of security-enforcing or security-relevant files of the TOE, user or the underlying platform caused either intentionally or accidentally will be detected by an administrative user.

[OSPP]_A.PEER.MGT

All remote trusted IT systems trusted by the TSF to provide TSF data or services to the TOE, or to support the TSF in the enforcement of security policy decisions, are assumed to be under the same management control and to operate under security policy constraints compatible with those of the TOE.

Application Note 1:

The operational environment must provide the X.509v3 certificates used by the TOE. Those certificates must comply with the cryptographic requirements specified in this ST.

Application Note 2:

Administrators must ensure that NAS (Kerberos Key Distribution Center (KDC)) provides password complexity support and failed login attempt abatement for NAS accounts that meet or exceed the password complexity requirements of the TOE.

Application Note 3:

NAS (Kerberos) must be configured to provide key generation sufficient to support the NFSv4 trusted client/server communications specified in section 7.2.2.14.8.

[OSPP]_A.PEER.FUNC

All remote trusted IT systems trusted by the TSF to provide TSF data or services to the TOE, or to support the TSF in the enforcement of security policy decisions, are assumed to correctly implement the functionality used by the TSF, consistent with the assumptions defined for this functionality.

[OSPP-IV]_A.PROTECT.INTEGRITY

It is assumed that the integrity of the following information is ensured:

All TSF code, including the integrity verification functionality that is loaded and executed before the invocation of the integrity verification mechanism.

All TSF data, including TSF data to perform integrity verification used by the TSF code loaded and executed before the invocation of the integrity verification mechanism.

[ST]_A.VIOS.DETECT

VIOS only: Any modification or corruption of security-enforcing or security-relevant files of the TOE, user or the underlying platform caused either intentionally or accidentally will be detected by an administrative user.

3.2.1.4 Connectivity

[OSPP]_A.CONNECT

All connections to and from remote trusted IT systems and between physically-separate parts of the TSF not protected by the TSF itself are physically or logically protected within the TOE environment to ensure the integrity and confidentiality of the data transmitted and to ensure the authenticity of the communication end points.

3.3 Organizational Security Policies

All OSPs refer to AIX (BAS mode) and Trusted AIX (LAS mode) unless otherwise stated. All OSPs for VIOS are explicitly marked as VIOS only. VIOS does not share OSPs with either AIX or Trusted AIX.

[OSPP]_P.ACCOUNTABILITY

The users of the TOE shall be held accountable for their security-relevant actions within the TOE.

[OSPP]_P.USER

Authority shall only be given to users who are trusted to perform the actions correctly.

[OSPP-AM]_P.APPROVE

Specific rights assigned to users and controlled by the TSF shall only be exercisable if approved by a second user.

[OSPP-LS]_P.CLEARANCE

LAS mode only: The system must limit information flow between protected resources and authorized users based on whether the user's sensitivity label is appropriate for the labeled information.

[OSPP-LS]_P.LABELED_OUTPUT

LAS mode only: The beginning and end of all paged, hardcopy output must be marked with sensitivity labels that properly represent the sensitivity label of the output.

[OSPP-LS]_P.RESOURCE_LABELS

LAS mode only: All resources accessible by subjects and all subjects must have associated labels identifying the sensitivity levels of data contained therein.

[OSPP-LS]_P.USER_CLEARANCE

LAS mode only: All users must have a clearance level identifying the maximum sensitivity levels of data they may access.

[ST]_P.DISK.OVERWRITE

Administrators shall be able to support information compartmentalization by preventing recovery of logically deleted information from physically and logically intact SCSI hard disk drives before they are re-used within the same system. Such hard disk drives will remain within the physical and logical protection domain of the TOE and will reside within the TSC.

[ST]_P.MANDATORY_INTEGRITY

The TOE shall be capable of distinguishing between levels of trustworthiness in terms of integrity, and the TOE shall prevent data from being modified by users operating at a lower level of trust.

[ST]_P.VIOS.USER

VIOS only: Authority shall only be given to users who are trusted to perform the actions correctly.