7.7 Security Functional Requirements Rationale
7.7.5 TSF Rationale
The following table maps the SFRs to the TOE summary description and provides pointers into the TSS where the implementation of the SFR is described.
| Security Functional Requirements | Security Functions |
|---|---|
| FAU_GEN_SUB.1 | Section 8.5.1 explains how audit records are generated. This section also explains the structure of the audit records. |
| FAU_GEN.2 | Section 8.5.1 explains the information contained in the audit records. Tools to export audit records in human-readable format are mentioned in this section, too. |
| FAU_SAR.1 | Section 8.4.1.2.1, subsection "AUDITOR and group-AUDITOR", explains the auditor role. Section 8.4.3.1 explains the options of the SETROPTS command that a user in the AUDITOR role may use. Section 8.5.4 describes the purpose of the audit dump programs that read audit records from the audit trail and store them in a data set where they can be assessed. |
| FAU_SEL.1 | Section 8.4.3.2, table 38, explains how the auditor role can configure the events that are audited using the RACF commands and the operands reserved for users in the AUDITOR role. This section also explains that the owner of a profile can define which events related to the profile are audited. |
| FCS_COP.1 | Support for program signing and signature verification is explained in section 8.5.5. |
| FDP_ACC.1(GRD) | The general resource access control policy is described in sections 8.3.4.1 and 8.3.4.2. |
| FDP_ACC.1(UFS) | The UNIX file system access control policy is explained in section 8.3.4.4. |
| FDP_ACC.1(IPC) | The IPC object access control policy is described in section 8.3.4.5. |
| FDP_ACC.1(FLA) | The RACF field level access control policy is explained in sections 8.4.2 and 8.4.3.2 (table 38). |
| FDP_ACF.1(GRD) | The general resource access control policy is described in sections 8.3.4.1 and 8.3.4.2. |
| FDP_ACF.1(UFS) | The UNIX file system access control policy is explained in section 8.3.4.4. |
| FDP_ACF.1(IPC) | The IPC object access control policy is described in section 8.3.4.5. |
| FDP_ACF.1(FLA) | The RACF field level access control policy is explained in sections 8.4.2 and 8.4.3.2 (table 38). |
| FDP_IFC.2 (Labeled Security Mode only) | The labeled security access control policy is explained in section 8.3.3. |
| FDP_IFF.2 (Labeled Security Mode only) | The labeled security access control policy is explained in section 8.3.3. |
| FIA_AFL.1 | The system-wide attribute REVOKE for the number of failed consecutive authentication attempts is explained in section 8.4.1, table 28, in the section titled "User Revocation" and in the section titled "User profiles", where the REVOKE attribute in a user profile is explained. The effect of a user ID being revoked is described in section 8.2.1. |
| FIA_ATD.1(HU) | User attributes for human users are defined in the user profile, which is described in section 8.4.1 in the subsection titled "User profiles". |
| FIA_ATD.1(LS) (Labeled Security Mode only) | Labels as user attributes are also described in section 8.4.1 in the subsection titled "User profiles". |
| FIA_SOS.1 | The password and password phrase specifics are defined in section 8.2.2, where the options for the password and password phrase policy are defined in the subsections titled "Password Quality" and "Password Phrase Quality". |
| FIA_UAU.1 | User authentication is explained in section 8.2.1. |
| FIA_UAU.5 | Authentication using passwords and password phrases is explained in section 8.2.2. Authentication using RACF PassTickets is explained in section 8.2.3. Authentication using digital certificates is explained in section 8.2.4. Authentication using Kerberos tickets is explained in section 8.2.5. |
| FIA_UAU.7 | Section 8.2.1 describes the RACF interfaces that can be invoked for user authentication. These functions do not provide any feedback to the caller while they are in progress. |
| FIA_UID.1 | User identification is explained in section 8.2.1. |
| FIA_USB.1(LS) (Labeled Security Mode only) | The user sensitivity level bound to subjects while the TOE operates in Labeled Security Mode is explained in section 8.2.1 (under "some additional considerations"). |
| FIA_USB.2 | User-subject binding for z/OS is explained in section 8.2.7 with respect to group processing and in section 8.2.8, which describes how RACF creates an ACEE using the information from the user's profile. |
| FMT_MSA.1(GRD) | Management of access control for the general resource access control policy is explained in table 38, where the RACF commands and the restrictions on their usage are described. Access control to general resource profiles is managed by the PERMIT command. |
| FMT_MSA.1(UFS) | Management of access control for the UNIX file system access control policy is described in section 8.4.3 in the section titled "Management of z/OS UNIX file system objects and IPC objects", where the RACF interfaces for the management of the UNIX file system access policy and IPC access policy are described. |
| FMT_MSA.1(IPC) | Management of access control for the IPC access control policy is described in section 8.4.3 in the section titled "Management of z/OS UNIX file system objects and IPC objects", where the RACF interfaces for the management of the UNIX file system access policy and IPC access policy are described. |
| FMT_MSA.1(FLA) | Management of the RACF profile field level access control policy is performed via the management of profiles in the FIELD class and by defining access to those profiles using the PERMIT command. The management of access control lists for general resource class profiles therefore applies here. |
| FMT_MSA.1(LS) (Labeled Security Mode only) | Management of security labels is restricted to users with the SPECIAL attribute, as described in section 8.3.3 as well as in table 38, which states that for the various commands that may set or alter a security label the user has to have the SPECIAL attribute to use this functionality. |
| FMT_MSA.3(GRD) | Default values for the general resource access control policy are described in section 8.3.4.1. The default access of a user is defined by the UACC value in the profile protecting the resource, which has a value of "none" as the default. |
| FMT_MSA.3(UFS) | Default values for the UNIX file system access control policy are described in section 8.3.4.3, which explains that access is denied unless it is granted either by the ACLs or by the permission bits. |
| FMT_MSA.3(IPC) | The default values for this access control policy cannot be managed. |
| FMT_MSA.3(FLA) | The default values for this access control policy are defined by the UACC value for the profiles in the FIELD class, which are managed by the functions of the RACF general resource class access control policy. |
| FMT_MSA.3(LS) (Labeled Security Mode only) | Default values for the security label are defined in the SECLABEL attribute in the resource profiles, as explained in section 8.3.3 (and subsections) in the description of the resource profiles, and in section 8.3.2.4 for z/OS UNIX objects. |
| FMT_MTD.1(AE) | Audit trail management is performed using the command options reserved for users in the AUDITOR or group-AUDITOR role as defined in table 38. Those are: the SETROPTS options reserved for users with the AUDITOR privilege; the GLOBALAUDIT keyword for the ALTDSD and RALTER commands; and the UAUDIT/NOUAUDIT keyword for the ALTUSER command. |
| FMT_MTD.1(SO) | The SETROPTS command related management is described in section 8.4.3.1 and in table 38. |
| FMT_MTD.1(UA) | User security attribute management is explained in section 8.4.1. |
| FMT_MTD.1(RA) | Management for re-enabling authentication is described in section 8.4.1, where the authority to reset a user's password is described in detail. |
| FMT_MTD.1(TH) | Management of the threshold for unsuccessful authentication events is described in section 8.4.3.1, where it is explained that this threshold can be set using the SETROPTS command. |
| FMT_MTD.1(AD) | Management of authentication data is explained in sections 8.2.1 and 8.4.1. |
| FMT_MTD.1(RC) | Management of RACF commands is explained in table 38. |
| FMT_MTD.1(DC) | Management of digital certificates is explained in sections 8.2.4 and 8.4.1, where the RACDCERT command and the authorities required for the use of its parameters are described in detail. |
| FMT_REV.1(OSA) | Revocation of object security attributes is explained in section 8.4.2 for the management of general resource profiles (and data set profiles) as well as for field-level access control. Section 8.4.3, subsection titled "Management of z/OS UNIX file system objects and IPC objects", describes the interfaces used for the revocation of object security attributes for z/OS UNIX file system objects and IPC objects. |
| FMT_REV.1(USR) | Revocation of user security attributes is explained in section 8.4.1. |
| FMT_SMF.1 | See SFRs FMT_MTD.1(x). |
| FMT_SMR.1 | The roles are explained in section 8.4.1 in the subsection titled "RACF Roles". |
| FPT_TDC.1(RA) | The inter-TSF data consistency is given by the general structure of the profiles in the RACF database, which ensures that a RACF database is consistently interpreted when used by a remote system. |
| FPT_TDC.1(LS) (Labeled Security Mode only) | See above. This also applies to security labels, which are part of the RACF profiles or part of the file security attributes of z/OS UNIX file system objects. |