[Zope3-checkins] SVN: Zope3/trunk/doc/security/SecurityTarget.tex - Completed security requirements rationale

Christian Theune ct at gocept.com
Wed Apr 20 05:11:02 EDT 2005


Log message for revision 30050:
   - Completed security requirements rationale


Changed:
  U   Zope3/trunk/doc/security/SecurityTarget.tex

-=-
Modified: Zope3/trunk/doc/security/SecurityTarget.tex
===================================================================
--- Zope3/trunk/doc/security/SecurityTarget.tex	2005-04-19 19:33:37 UTC (rev 30049)
+++ Zope3/trunk/doc/security/SecurityTarget.tex	2005-04-20 09:11:02 UTC (rev 30050)
@@ -1713,13 +1713,13 @@
     attributes \emph{\[permission grants and denials\]} to \emph{\[authorized
     grantors\]}.
 
-\item[FMT{\_}MSA.1.1.loginname]
+\item[FMT{\_}MSA.1.2.loginname]
     The TSF shall enforce the \emph{{[}formal security policy]} to restrict the
     ability to \emph{{[}query and modify]} the security attribute
     \emph{{[}login name]} to \emph{{[}authorized administrators and users
     authorized to modify their own authentication data]}.
 
-\item[FMT{\_}MSA.1.1.password]
+\item[FMT{\_}MSA.1.3.password]
     The TSF shall enforce the \emph{\[formal security policy\]} to restrict
     the ability to \emph{\[modify\]} the security attribute
     \emph{\[password\]} to \emph{\[authorized administrators and users authorized to
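Review bot: the bracket escaping in this hunk is inconsistent, and the `\[`/`\]` form is a LaTeX error: `\emph{\[permission grants and denials\]}` and `\emph{\[formal security policy\]}` open and close display math rather than print literal square brackets, while the loginname item uses `\emph{{[}formal security policy]}`, which is the form that renders. Normalise all three items to `{[}...{]}` so the CC refinement brackets appear as intended. The renumbering to FMT_MSA.1.2.loginname and FMT_MSA.1.3.password is right for distinct iterations of FMT_MSA.1.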
@@ -2094,12 +2094,8 @@
 
 
 
-\section{Security requirements for the non-IT environment}
 
-XXX I can't find any right here, maybe I should check cross-references, but it
-also looks like non-IT requirements are not mandatory.
 
-
 %___________________________________________________________________________
 
 
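Review bot: deleting the "Security requirements for the non-IT environment" section outright leaves the ST silent on the point, whereas the removed XXX note only established that such requirements are optional; a one-sentence statement that no security requirements are placed on the non-IT environment documents the decision and is easier for an evaluator to check than an absent heading. The deletion also leaves three consecutive empty lines before the `%___` separator.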
@@ -2703,19 +2699,53 @@
 
 \section{Security requirements rationale}
 
-- Table showing that all objectives are covered and no SFR doesn't belong to an objective
 
-% XXX do table \dots
+\begin{table}
+    \scriptsize
+    \begin{tabular}{rRRRRRRRR}
+        \toprule
+                            & O.IA & O.Delegation & O.Audit & O.Protect & O.Access & O.Integrity & O.Attributes & O.ManageRisk \\
+        \midrule
 
-\minisec{O.IA --- Identification and Authentication}
+FAU\_GEN.1                  &      &              & \oh     &           &          &             &              &              \\
+FAU\_GEN.2                  &      &              & \oh     &           &          &             &              &              \\
+FDP\_ACC.2                  &      & \oh          &         &           & \oh      &             &              &              \\
+FDP\_ACF.1                  &      &              &         &           &  \oh     &             &              &              \\
+FDP\_ETC.2                  &      &              &         &           &          &             &  \oh         &              \\                
+FDP\_ITC.1                  &      &              &         &           &          &             &  \oh         &              \\
+FDP\_ITC.2                  &      &              &         &           &          &             &     \oh      &              \\
+FDP\_RIP.1                  &      &              &         &           &          &             &      \oh     &              \\
+FDP\_ROL.2\_Transactions    &      &              &         &           &          &   \oh       &              &              \\
+FDP\_ROL.1\_Undo            &      &              &         &           &          &             &  \oh         &              \\
+FIA\_AFL\_z.1               &      &              &         &   \oh     &          &             &              &              \\
+FIA\_ATD.1                  & \oh  &  \oh         &   \oh   &           & \oh      &             &              &              \\
+FAU\_UAU.1                  & \oh  &              &         &           &          &             &              &              \\
+FAU\_UAU.5                  & \oh  &              &         &           &          &             &              & \oh          \\
+FAU\_UAU.6                  & \oh  &              &         &           &          &             &              & \oh          \\
+FIA\_USB.1                  & \oh  &              &         &           &          &             &              &              \\
+FMT\_MOF.1                  &      &              &         &  \oh      &          &             &              & \oh          \\
+FMT\_MSA.1                  & \oh  &  \oh         &         &           &          &             &              &              \\
+FMT\_MSA.3                  &      &              &         & \oh       &          &             &              &              \\
+FMT\_SMR.1                  &      &              &         &           &          &             &              &              \\
+FPT\_AMT.1                  &      &              &         & \oh       &          &             &              &              \\
+FPT\_RVM.1                  &      &              &         &           &  \oh     &             &              &              \\
+FPT\_FLS.1                  &      &              &         &  \oh      &          &   \oh       &              &              \\
+FPT\_SEP.1                  &      &              &         &   \oh     &          &             &              &   \oh        \\
+FPT\_STM.1                  &      &              &  \oh    &           &          &             &              &              \\
+ \bottomrule
+ \end{tabular}
+ \caption{Mapping of Security Objectives to Security Functional Requirements}
+\end{table}
 
+\subsection{O.IA --- Identification and Authentication}
+
     A central part of the security machinery within the TOE is the correct
     identification and authentification of users.
 
     This is covered by the activities:
 
     \begin{description}
-        \item[Asking for and validating a user's credentials]
+        \item[Asking for and validating a user's credentials:]
 
             The TOE holds information to uniquely identify a principal and its
             required credentials. (FIA\_ATD.1) 
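Review bot: the column specification `rRRRRRRRR` will not compile as written, because `R` is not a built-in tabular column type; either add a `\newcolumntype{R}{...}` (array package) or use `c` for the eight objective columns, and make sure `\oh` and the booktabs rules (`\toprule`, `\midrule`, `\bottomrule`) are defined before the first use. Three rows are misnamed: `FAU_UAU.1`, `FAU_UAU.5` and `FAU_UAU.6` belong to the FIA class (the O.IA text below cites FIA_UAU.6), so they should read `FIA_UAU.*`. The `FMT_SMR.1` row maps to no objective at all, which is exactly the case the removed draft line ("no SFR doesn't belong to an objective") said the table must rule out; either add the mapping (O.IA or O.Delegation look like the candidates from the surrounding rationale) or drop the component. Cosmetically, the table would benefit from `\centering` and a `\label` so the rationale text can refer to it, and the `FDP_ETC.2` row carries trailing whitespace after `\\`.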
@@ -2735,7 +2765,7 @@
             a web browser), the user will be asked to represent his credentials
             before performing any further operation. (FIA\_UAU.6)
 
-        \item[Binding users to the correct principals]
+        \item[Binding users to the correct principals:]
 
             The TOE allows users to interact with the system without presenting
             credentials by binding unauthenticated users to the ``Anonymous''
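Review bot: the context line "the user will be asked to represent his credentials" (the FIA_UAU.6 re-authentication case) reads as "represent" in the sense of "stand for"; "re-present his credentials" or "present his credentials again" says what is meant. The colon added to the description labels matches the other items in this section.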
@@ -2746,29 +2776,35 @@
             the operation is bound to the user by selecting the correct
             principal. (FIA\_USB.1)
 
-        \item[Managing required security attributes]
+        \item[Managing required security attributes:]
 
             The TOE manages the required security attributes (permission grants
             and denials, credentials, \dots). Special permissions are required
             to read or write certain security attributes. (FMT\_MSA.1)
 
-        \item[Associating principals with the correct security attributes]
+        \item[Associating principals with the correct security attributes:]
 
             This is covered by FIA\_ATD.1 and FIA\_USB.1
 
     \end{description}
 
-\minisec{O.Delegation -- Securely delegate control}
+\subsection{O.Delegation  --- Securely delegate control}
 
-    - delegating a permission requires a grant for the meta permission
-    - having a meta permission allows to spell grants and denials for the meta permission and the permission
-    
-    FDP\_ITC.2
-    FDP\_ATD.1
-    FMT\_MSA.1
+    Changing permission grants and denials allows the delegation of permission
+    grants and denials to other users. Administrators that have grants for all
+    permissions introduce new users to the system by delegating the required
+    permissions to them (e.g. via roles, direct permission grants or denials).
 
-\minisec{O.Audit}
+    Delegating control is a normal operation performed on the TOEs objects. To
+    grant a permission special meta permissions are introduced that control the
+    ability to delegate a permission. (FMT\_ATD.1)
 
+    Those operations are securely managed because they are covered by the TSF
+    (FDP\_ACC.2) and follow special rules regarding the management of security
+    attributes. (FMT\_MSA.1)
+
+\subsection{O.Audit --- Provide a reliable security audit trail}
+
     The TOE shall provide functionality to generate audit data (FAU\_GEN.1,
     FAU\_GEN.2).
 
@@ -2776,7 +2812,7 @@
     logged (FPT\_STM.1) and connects all events with the relevant user
     attributes. (FIA\_ATD.1)
 
-\minisec{O.Protect -- Protect the TOE from tampering}
+\subsection{O.Protect --- Protect the TOE from external tampering}
 
     The TOE provides some effort to not allow an insecure situation that
     resulted from tampering with the system. Most situations have to be avoided
@@ -2808,7 +2844,7 @@
     external entities not to directly modify or call any security relevant
     attributes or functions. (FPT\_SEP.1)
 
-\minisec{O.Access --- Mediate every access to objects}
+\subsection{O.Access --- Mediate every access to objects}
 
     Mediating every access to an object through operations is another major
     objective to enforce the TSP. (FDP\_ACC.2)
@@ -2826,7 +2862,7 @@
     To ensure the non-bypassability of the TSP a special paradigm (security
     proxies) for accessing TOE objects from external entities. (FIA\_RVM.1)
     
-\minisec{O.Integrity}
+\subsection{O.Integrity --- Ensure faultless data}
 
     Providing an ACID compatible transaction management system that allows
     secure rollback from a failed transaction satisfies the objective to have
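Review bot: the O.Access context lines at the top of this hunk cite "(FIA_RVM.1)" for non-bypassability via security proxies, but the mapping table lists this component as FPT_RVM.1 under O.Access; the identifier should match. The same sentence has no main verb: "a special paradigm (security proxies) for accessing TOE objects from external entities" needs "is used" or similar.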
@@ -2835,7 +2871,7 @@
     The rollback is performed by the TOE automatically as soon as an error is
     encountered and not handled by any application logic.
 
-\minisec{O.Attributes}
+\subsection{O.Attributes --- Ensure consistent security attributes}
 
     To assure an enduring consistent state of all security attributes we
     enforce the security policy model upon any changes to security attributes.
@@ -2847,7 +2883,7 @@
     security attributes do not reference invalid identifiers. To allow the
     import of data with security attributes, FDP\_ETC.1 is required.
     
-\minisec{O.ManageRisk}
+\subsection{O.ManageRisk --- Provide choice of flexibility versus security}
 
     To manage the risk of using stronger authentication schemes for sensible
     operations in opposition of weaker authentication schemes for less sensible
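Review bot: the context line "To allow the import of data with security attributes, FDP_ETC.1 is required" names the wrong component: FDP_ETC is export to outside TSF control and FDP_ITC is import, and the mapping table lists FDP_ETC.2 plus FDP_ITC.1 and FDP_ITC.2 under O.Attributes, not FDP_ETC.1. In the new O.ManageRisk text "sensible operations" should be "sensitive operations" in both places.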
@@ -2869,23 +2905,6 @@
 %___________________________________________________________________________
 
 
-
-\subsection{Choice of security functional requirements}
-
-XXX
-
-
-%___________________________________________________________________________
-
-
-
-\section{Justification for suitability of SFR - TOE security objectives}
-
-
-%___________________________________________________________________________
-
-
-
 \subsection{Choice of TOE security assurance requirements}
 
 The choice of assurance requirements is based on the analysis of the security
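Review bot: removing the empty "Choice of security functional requirements" subsection and the "Justification for suitability of SFR" section is fine for the suitability argument, which the per-objective subsections and the mapping table now carry, but nothing in the remaining text argues that the SFR dependencies are satisfied; keeping a stub for that under the rationale rather than deleting the heading would preserve the place for it.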
@@ -2898,7 +2917,6 @@
 %___________________________________________________________________________
 
 
-
 \section{Evaluation Assurance Level rationale:}
 
 XXX review this paragraph please.
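Review bot: the "Evaluation Assurance Level rationale:" heading in the context lines keeps a trailing colon, unlike every other heading in this file; drop it. The "XXX review this paragraph please" marker below it is still open after this commit.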