> ::: {.center}
> ![NIAP Logo](images/niaplogo.png)\
> Version: 2.2e\
> 2020-03-23\
> **National Information Assurance Partnership**\
> :::
>
> ::: {.foreword}
> Foreword {#foreword style="text-align: center"}
> ========
>
> 1 Acknowledgements {#s-ack .indexable data-level="1"}
> ==================
>
> blah
>
> 2 Preface {#s-preface .indexable data-level="1"}
> =========
>
> 2.1 Objectives of Document {#s-ood .indexable data-level="2"}
> --------------------------
>
> Words
>
> 2.2 Scope of Document {#s-sod .indexable data-level="2"}
> ---------------------
>
> Words
>
> 2.3 Intended Readership {#s-ir .indexable data-level="2"}
> -----------------------
>
> Words
>
> 2.4 Related Documents {#s-reldoc .indexable data-level="2"}
> ---------------------
>
> Words
> :::
>
> Revision History {#revision-history style="page-break-before:always;"}
> ----------------
>
> Version   Date         Comment
> --------- ------------ ------------------------------------------------------------
> 0.1       2014-09-05   Draft published for Public review
> 0.2       2014-10-13   Internal draft in response to public review comments, for iT
> 0.3       2014-10-17   Draft version released to accompany CCDB review of Supportin
> 0.4       2015-01-26   Incorporated comments received from the CCDB review
> 1.0       2015-02-27   Released for use
> 1.1       2016-07-21   Updated draft published for public review
> 2.0       2017-05-05   Released for use
> 2.1       2018-09-24   Released for use
> 2.2       2019-12-20   Released for use
> 2.2e      2020-03-23   Released for use
>
> Contents
> --------
>
> ::: {#toc .toc}
> - [1 Acknowledgements](#s-ack)
> - [2 Preface](#s-preface)
>     - [2.1 Objectives of Document](#s-ood)
>     - [2.2 Scope of Document](#s-sod)
>     - [2.3 Intended Readership](#s-ir)
>     - [2.4 Related Documents](#s-reldoc)
> - [3 Introduction](#Introduction)
>     - [3.1 PP Overview](#s-ppoverview)
>     - [3.2 TOE Use Cases](#s-usecases)
> - [4 Conformance Claims](#Conformance_Claims)
> - [5 Introduction to Distributed TOEs](#s-distributedTOEs)
>     - [5.1 Supported Distributed TOE Use Cases](#s-sdtuc)
>     - [5.2 Unsupported Distributed TOE Use Cases](#s-udtuc)
>     - [5.3 Registration of Components of a Distributed TOE](#s-compreg)
>     - [5.4 Allocation of Requirements in Distributed TOEs](#s-alloc)
> - [6 Security Problem Description](#Security_Problem_Description)
>     - [6.1 Threats](#Threats)
>     - [6.2 Assumptions](#Assumptions)
>     - [6.3 Organizational Security Policies](#OSPs)
> - [7 Security Objectives](#Security_Objectives)
>     - [7.1 Security Objectives for the TOE](#SecurityObjectivesTOE)
>     - [7.2 Security Objectives for the Operational Environment](#SecurityObjectivesTOEorEnvironment)
>     - [7.3 Security Objectives Rationale](#SOR)
> - [8 Security Requirements](#Security_Requirements)
>     - [8.1 Conventions](#s-conventions)
>     - [8.2 SFR Architecture](#s-sfrarch)
>     - [8.3 Security Functional Requirements](#SFRs)
>         - [8.3.1 Security Audit (FAU)](#s-fau)
>         - [8.3.2 Cryptographic Support (FCS)](#s-fcs)
>         - [8.3.3 Identification and Authentication (FIA)](#s-fia)
>         - [8.3.4 Security Management (FMT)](#s-fmt)
>         - [8.3.5 Protection of the TSF (FPT)](#s-fpt)
>         - [8.3.6 TOE Access (FTA)](#s-fta)
>         - [8.3.7 Trusted Channel (FTP\_ITC)](#s-ftp)
>         - [8.3.8 TOE Security Functional Requirements Rationale](#obj-req-map)
>     - [8.4 Security Assurance Requirements](#Security_Assurance_Requirements)
>         - [8.4.1 Class ASE: Security Target](#ase)
>         - [8.4.2 Class ADV: Development](#adv)
>         - [8.4.3 Class AGD: Guidance Documentation](#agd)
>         - [8.4.4 Class ALC: Life-cycle Support](#alc)
>         - [8.4.5 Class ATE: Tests](#ate)
>         - [8.4.6 Class AVA: Vulnerability Assessment](#ava)
> - [Appendix A - Optional Requirements](#opt-app)
>     - [A.1 Strictly Optional Requirements](#optional-reqs)
>         - [A.1.1 Security Audit (FAU)](#s-fau-optional)
>         - [A.1.2 Communication (FCO)](#s-fco-optional)
>         - [A.1.3 Cryptographic Support (FCS)](#s-fcs-optional)
>         - [A.1.4 Identification and Authentication (FIA)](#s-fia-optional)
>         - [A.1.5 Protection of the TSF (FPT)](#s-fpt-optional)
>         - [A.1.6 Trusted Channel (FTP\_ITC)](#s-ftp-optional)
>     - [A.2 Objective Requirements](#objective-reqs)
>     - [A.3 Implementation-dependent Requirements](#feat-based-reqs)
> - [Appendix B - Selection-based Requirements](#sel-based-reqs)
>     - [B.1 Security Audit (FAU)](#s-fau-sel-based)
>     - [B.2 Cryptographic Support (FCS)](#s-fcs-sel-based)
>     - [B.3 Identification and Authentication (FIA)](#s-fia-sel-based)
>     - [B.4 Security Management (FMT)](#s-fmt-sel-based)
>     - [B.5 Protection of the TSF (FPT)](#s-fpt-sel-based)
> - [Appendix C - Entropy Documentation and Assessment](#satisfiedreqs)
> - [Appendix D - Glossary](#a-glossary)
>     - [D.1 Terms](#glossary)
>         - [D.1.1 Common Criteria Terms](#cc-terms)
>         - [D.1.2 Technical Terms](#tech-terms)
> - [Appendix E - Acronyms](#acronyms)
> - [Appendix F - Bibliography](#appendix-bibliography)
> :::
>
> 3 Introduction {#Introduction .indexable data-level="1"}
> ==============
>
> 3.1 PP Overview {#s-ppoverview .indexable data-level="2"}
> ---------------
>
> words
>
> 3.2 TOE Use Cases {#s-usecases .indexable data-level="2"}
> -----------------
>
> Words
>
> 4 Conformance Claims {#Conformance_Claims .indexable data-level="1"}
> ====================
>
> Conformance Statement
> :   An [ST](#abbr_ST) must claim exact conformance to this
>     [PP](#abbr_PP), as defined in the [CC](#abbr_CC) and
>     [CEM](#abbr_CEM) addenda for Exact Conformance, Selection-based
>     [SFRs](#abbr_SFR), and Optional [SFRs](#abbr_SFR) (dated May 2017).
>
> CC Conformance Claims
> :   This [PP](#abbr_PP) is conformant to Parts 2 (extended) and 3
>     (conformant) of Common Criteria Version 3.1, Revision 5.
>
> PP Claim
> :   This [PP](#abbr_PP) does not claim conformance to any Protection
>     Profile.
>
> Package Claim
> :   This [PP](#abbr_PP) does not claim conformance to any packages.
>
> 5 Introduction to Distributed TOEs {#s-distributedTOEs .indexable data-level="1"}
> ==================================
>
> words
>
> 5.1 Supported Distributed TOE Use Cases {#s-sdtuc .indexable data-level="2"}
> ---------------------------------------
>
> words
>
> 5.2 Unsupported Distributed TOE Use Cases {#s-udtuc .indexable data-level="2"}
> -----------------------------------------
>
> words
>
> 5.3 Registration of Components of a Distributed TOE {#s-compreg .indexable data-level="2"}
> ---------------------------------------------------
>
> words
>
> 5.4 Allocation of Requirements in Distributed TOEs {#s-alloc .indexable data-level="2"}
> --------------------------------------------------
>
> words
>
> 6 Security Problem Description {#Security_Problem_Description .indexable data-level="1"}
> ==============================
>
> A Network Device has a network infrastructure role that it is designed
> to provide. In doing so, the Network Device communicates with other
> Network Devices and other network entities (i.e. entities not defined as
> Network Devices because they do not have an infrastructure role) over
> the network. At the same time, it must provide a minimal set of common
> security functionality expected by all Network Devices. The security
> problem to be addressed by a compliant Network Device is defined as this
> set of common security functionality that addresses the threats that are
> common to Network Devices, as opposed to those that might be targeting
> the specific functionality of a specific type of Network Device. The set
> of common security functionality addresses communication with the
> Network Device, both authorized and unauthorized, the ability to perform
> valid and secure updates, the ability to audit device activity, the
> ability to securely store and utilize device and Administrator
> credentials and data, and the ability to self-test critical device
> components for failures.
> > 6.1 Threats {#Threats .indexable data-level="2"} > ----------- > > T.NETWORK\_ATTACK > : An attacker is positioned on a communications channel or elsewhere > on the network infrastructure. Attackers may engage in > communications with applications and services running on or part of > the [OS](#abbr_OS) with the intent of compromise. Engagement may > consist of altering existing legitimate communications. > > T.NETWORK\_EAVESDROP > : An attacker is positioned on a communications channel or elsewhere > on the network infrastructure. Attackers may monitor and gain access > to data exchanged between applications and services that are running > on or part of the [OS](#abbr_OS). > > T.LOCAL\_ATTACK > : An attacker may compromise applications running on the > [OS](#abbr_OS). The compromised application may provide maliciously > formatted input to the [OS](#abbr_OS) through a variety of channels > including unprivileged system calls and messaging via the file > system. > > T.LIMITED\_PHYSICAL\_ACCESS > : An attacker may attempt to access data on the [OS](#abbr_OS) while > having a limited amount of time with the physical device. > > 6.2 Assumptions {#Assumptions .indexable data-level="2"} > --------------- > > A.PLATFORM > : The [OS](#abbr_OS) relies upon a trustworthy computing platform for > its execution. This underlying platform is out of scope of this > [PP](#abbr_PP). > > A.PROPER\_USER > : The user of the [OS](#abbr_OS) is not willfully negligent or > hostile, and uses the software in compliance with the applied > enterprise security policy. At the same time, malicious software > could act *as* the user, so requirements which confine malicious > subjects are still in scope. > > A.PROPER\_ADMIN > : The administrator of the [OS](#abbr_OS) is not careless, willfully > negligent or hostile, and administers the [OS](#abbr_OS) within > compliance of the applied enterprise security policy. 
>
> 6.3 Organizational Security Policies {#OSPs .indexable data-level="2"}
> ------------------------------------
>
> P.ENTERPRISE
> :   If the [OS](#abbr_OS) is bound to a directory or management server,
>     the configuration of the [OS](#abbr_OS) software must be capable of
>     adhering to the enterprise security policies distributed by them.
>
> 7 Security Objectives {#Security_Objectives .indexable data-level="1"}
> =====================
>
> 7.1 Security Objectives for the TOE {#SecurityObjectivesTOE .indexable data-level="2"}
> -----------------------------------
>
> O.ACCOUNTABILITY
> :   Conformant [OSes](#abbr_OS) ensure that information exists that
>     allows administrators to discover unintentional issues with the
>     configuration and operation of the operating system and discover its
>     cause. Gathering event information and immediately transmitting it
>     to another system can also enable incident response in the event of
>     system compromise.
>
> O.INTEGRITY
> :   Conformant [OSes](#abbr_OS) ensure the integrity of their update
>     packages. [OSes](#abbr_OS) are seldom if ever shipped without
>     errors, and the ability to deploy patches and updates with integrity
>     is critical to enterprise network security. Conformant
>     [OSes](#abbr_OS) provide execution environment-based mitigations
>     that increase the cost to attackers by adding complexity to the task
>     of compromising systems.
>
> O.MANAGEMENT
> :   To facilitate management by users and the enterprise, conformant
>     [OSes](#abbr_OS) provide consistent and supported interfaces for
>     their security-relevant configuration and maintenance. This includes
>     the deployment of applications and application updates through the
>     use of platform-supported deployment mechanisms and formats, as well
>     as providing mechanisms for configuration and application execution
>     control.
>
> O.PROTECTED\_STORAGE
> :   To address the issue of loss of confidentiality of credentials in
>     the event of loss of physical control of the storage medium,
>     conformant [OSes](#abbr_OS) provide data-at-rest protection for
>     credentials. Conformant [OSes](#abbr_OS) also provide access
>     controls which allow users to keep their files private from other
>     users of the same system.
>
> O.PROTECTED\_COMMS
> :   To address both passive (eavesdropping) and active (packet
>     modification) network attack threats, conformant [OSes](#abbr_OS)
>     provide mechanisms to create trusted channels for [CSP](#abbr_CSP)
>     and sensitive data. Neither [CSP](#abbr_CSP) nor sensitive data
>     should be exposed outside of the platform.
>
> 7.2 Security Objectives for the Operational Environment {#SecurityObjectivesTOEorEnvironment .indexable data-level="2"}
> -------------------------------------------------------
>
> The following security objectives for the operational environment assist
> the [OS](#abbr_OS) in correctly providing its security functionality.
> These track with the assumptions about the environment.
>
> OE.PLATFORM
> :   The [OS](#abbr_OS) relies on being installed on trusted hardware.
>
> OE.PROPER\_USER
> :   The user of the [OS](#abbr_OS) is not willfully negligent or
>     hostile, and uses the software within compliance of the applied
>     enterprise security policy. Standard user accounts are provisioned
>     in accordance with the least privilege model. Users requiring higher
>     levels of access should have a separate account dedicated for that
>     use.
>
> OE.PROPER\_ADMIN
> :   The administrator of the [OS](#abbr_OS) is not careless, willfully
>     negligent or hostile, and administers the [OS](#abbr_OS) within
>     compliance of the applied enterprise security policy.
>
> 7.3 Security Objectives Rationale {#SOR .indexable,h2 data-level="2"}
> ---------------------------------
>
> This section describes how the assumptions, threats, and organizational
> security policies map to the security objectives.
>
> [Table [1]{.counter}]{#t-sec-obj-rat .ctr data-myid="t-sec-obj-rat"
> data-counter-type="ct-Table"}: Security Objectives Rationale
>
> | Threat, Assumption, or OSP | Security Objectives | Rationale |
> |----------------------------|---------------------|-----------|
> | [T.NETWORK\_ATTACK](#T.NETWORK_ATTACK) | [O.PROTECTED\_COMMS](#O.PROTECTED_COMMS) | The threat [T.NETWORK\_ATTACK](#T.NETWORK_ATTACK) is countered by [O.PROTECTED\_COMMS](#O.PROTECTED_COMMS) as this provides for integrity of transmitted data. |
> | [T.NETWORK\_ATTACK](#T.NETWORK_ATTACK) | [O.INTEGRITY](#O.INTEGRITY) | The threat [T.NETWORK\_ATTACK](#T.NETWORK_ATTACK) is countered by [O.INTEGRITY](#O.INTEGRITY) as this provides for integrity of software that is installed onto the system from the network. |
> | [T.NETWORK\_ATTACK](#T.NETWORK_ATTACK) | [O.MANAGEMENT](#O.MANAGEMENT) | The threat [T.NETWORK\_ATTACK](#T.NETWORK_ATTACK) is countered by [O.MANAGEMENT](#O.MANAGEMENT) as this provides for the ability to configure the [OS](#abbr_OS) to defend against network attack. |
> | [T.NETWORK\_ATTACK](#T.NETWORK_ATTACK) | [O.ACCOUNTABILITY](#O.ACCOUNTABILITY) | The threat [T.NETWORK\_ATTACK](#T.NETWORK_ATTACK) is countered by [O.ACCOUNTABILITY](#O.ACCOUNTABILITY) as this provides a mechanism for the [OS](#abbr_OS) to report behavior that may indicate a network attack has occurred. |
> | [T.NETWORK\_EAVESDROP](#T.NETWORK_EAVESDROP) | [O.PROTECTED\_COMMS](#O.PROTECTED_COMMS) | The threat [T.NETWORK\_EAVESDROP](#T.NETWORK_EAVESDROP) is countered by [O.PROTECTED\_COMMS](#O.PROTECTED_COMMS) as this provides for confidentiality of transmitted data. |
> | [T.NETWORK\_EAVESDROP](#T.NETWORK_EAVESDROP) | [O.MANAGEMENT](#O.MANAGEMENT) | The threat [T.NETWORK\_EAVESDROP](#T.NETWORK_EAVESDROP) is countered by [O.MANAGEMENT](#O.MANAGEMENT) as this provides for the ability to configure the [OS](#abbr_OS) to protect the confidentiality of its transmitted data. |
> | [T.LOCAL\_ATTACK](#T.LOCAL_ATTACK) | [O.INTEGRITY](#O.INTEGRITY) | The objective [O.INTEGRITY](#O.INTEGRITY) protects against the use of mechanisms that weaken the [TOE](#abbr_TOE) with regard to attack by other software on the platform. |
> | [T.LOCAL\_ATTACK](#T.LOCAL_ATTACK) | [O.ACCOUNTABILITY](#O.ACCOUNTABILITY) | The objective [O.ACCOUNTABILITY](#O.ACCOUNTABILITY) protects against local attacks by providing a mechanism to report behavior that may indicate a local attack is occurring or has occurred. |
> | [T.LIMITED\_PHYSICAL\_ACCESS](#T.LIMITED_PHYSICAL_ACCESS) | [O.PROTECTED\_STORAGE](#O.PROTECTED_STORAGE) | The objective [O.PROTECTED\_STORAGE](#O.PROTECTED_STORAGE) protects against unauthorized attempts to access physical storage used by the [TOE](#abbr_TOE). |
> | [A.PLATFORM](#A.PLATFORM) | [OE.PLATFORM](#OE.PLATFORM) | The operational environment objective [OE.PLATFORM](#OE.PLATFORM) is realized through [A.PLATFORM](#A.PLATFORM). |
> | [A.PROPER\_USER](#A.PROPER_USER) | [OE.PROPER\_USER](#OE.PROPER_USER) | The operational environment objective [OE.PROPER\_USER](#OE.PROPER_USER) is realized through [A.PROPER\_USER](#A.PROPER_USER). |
> | [A.PROPER\_ADMIN](#A.PROPER_ADMIN) | [OE.PROPER\_ADMIN](#OE.PROPER_ADMIN) | The operational environment objective [OE.PROPER\_ADMIN](#OE.PROPER_ADMIN) is realized through [A.PROPER\_ADMIN](#A.PROPER_ADMIN). |
> | [P.ENTERPRISE](#P.ENTERPRISE) | [O.MANAGEMENT](#O.MANAGEMENT) | The organizational security policy [P.ENTERPRISE](#P.ENTERPRISE) is enforced through the objective [O.MANAGEMENT](#O.MANAGEMENT) as this objective represents how the enterprise and user assert management over the [OS](#abbr_OS). |
>
> 8 Security Requirements {#Security_Requirements .indexable data-level="1"}
> =======================
>
> This chapter describes the security requirements which have to be
> fulfilled by the product under evaluation. Those requirements comprise
> functional components from Part 2 and assurance components from Part 3
> of [\[CC\]](#bibCC).
The following conventions are used for the > completion of operations: > > - **Refinement** operation (denoted by **bold text** or > ~~strikethrough text~~): is used to add details to a requirement > (including replacing an assignment with a more restrictive > selection) or to remove part of the requirement that is made > irrelevant through the completion of another operation, and thus > further restricts a requirement. > - **Selection** (denoted by *italicized text*): is used to select one > or more options provided by the \[[CC](#abbr_CC)\] in stating a > requirement. > - **Assignment** operation (denoted by [italicized > text]{.assignable-content}): is used to assign a specific value to > an unspecified parameter, such as the length of a password. Showing > the value in square brackets indicates assignment. > - **Iteration** operation: is indicated by appending the > [SFR](#abbr_SFR) name with a slash and unique identifier suggesting > the purpose of the operation, e.g. \"/EXAMPLE1.\" > > The individual security functional requirements are specified in the > sections below. [SFRs](#abbr_SFR) in this section are mandatory > [SFRs](#abbr_SFR) that any conformant [TOE](#abbr_TOE) must meet. Based > on selections made in these [SFRs](#abbr_SFR) it will also be necessary > to include some of the selection-based [SFRs](#abbr_SFR) in Appendix B. > Additional optional [SFRs](#abbr_SFR) may also be adopted from those > listed in Appendix A. > > For a distributed [TOE](#abbr_TOE), the [ST](#abbr_ST) author should > reference Table 1 for guidance on how each [SFR](#abbr_SFR) should be > met. The table details whether [SFRs](#abbr_SFR) should be met by all > [TOE](#abbr_TOE) components, by at least one [TOE](#abbr_TOE) component > or whether they are dependent upon the feature being implemented by the > [TOE](#abbr_TOE) component. 
> The [ST](#abbr_ST) for a distributed
> [TOE](#abbr_TOE) must include a mapping of [SFRs](#abbr_SFR) to each of
> the components of the [TOE](#abbr_TOE). (Note that this deliverable is
> examined as part of the ASE\_TSS.1 and [AVA\_VAN.1](#AVA_VAN.1)
> Evaluation Activities as described in \[SD, 5.1.2\] and \[SD, 5.6.1.1\]
> respectively.)
>
> The Evaluation Activities defined in \[SD\] describe actions that the
> evaluator will take in order to determine compliance of a particular
> [TOE](#abbr_TOE) with the [SFRs](#abbr_SFR). The content of these
> Evaluation Activities will therefore provide more insight into
> deliverables required from [TOE](#abbr_TOE) Developers.
>
> 8.1 Conventions {#s-conventions .indexable data-level="2"}
> ---------------
>
> The conventions used in descriptions of the [SFRs](#abbr_SFR) are as
> follows:
>
> 8.2 SFR Architecture {#s-sfrarch .indexable data-level="2"}
> --------------------
>
> Insert section 6.2 here.
>
> 8.3 Security Functional Requirements {#SFRs .indexable data-level="2"}
> ------------------------------------
>
> ### 8.3.1 Security Audit (FAU) {#s-fau .indexable data-level="3"}
>
> ::: {#FAU_GEN.1 .comp}
> #### FAU\_GEN.1 Audit data generation
>
> ::: {.element}
> ::: {#FAU_GEN.1.1 .reqid}
> [FAU\_GEN.1.1](#FAU_GEN.1.1){.abbr}
> :::
>
> ::: {.reqdesc}
> The [TOE](#abbr_TOE) shall \[**selection**: *Dummy*, *Other*\]
>
> ::: {.appnote}
> [Application Note: ]{.note-header}[]{.note}
> :::
> :::
> :::
> :::
>
> ::: {#FAU_GEN.2 .comp}
> #### FAU\_GEN.2 User identity association
>
> ::: {.element}
> ::: {#FAU_GEN.2.1 .reqid}
> [FAU\_GEN.2.1](#FAU_GEN.2.1){.abbr}
> :::
>
> ::: {.reqdesc}
> The [TOE](#abbr_TOE) shall
>
> ::: {.appnote}
> [Application Note: ]{.note-header}[]{.note}
> :::
> :::
> :::
> :::
>
> ::: {#FAU_STG_EXT.1 .comp}
> #### FAU\_STG\_EXT.1 Protected Audit Event Storage
>
> ::: {.element}
> ::: {#FAU_STG_EXT.1.1 .reqid}
> [FAU\_STG\_EXT.1.1](#FAU_STG_EXT.1.1){.abbr}
> :::
>
> ::: {.reqdesc}
> The
[TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ### 8.3.2 Cryptographic Support (FCS) {#s-fcs .indexable data-level="3"} > > ::: {#FCS_CKM.1 .comp} > #### FCS\_CKM.1 Cryptographic Key Generation (Refinement) > > ::: {.element} > ::: {#FCS_CKM.1.1 .reqid} > [FCS\_CKM.1.1](#FCS_CKM.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_CKM.2 .comp} > #### FCS\_CKM.2 Cryptographic Key Establishment (Refinement) > > ::: {.element} > ::: {#FCS_CKM.2.1 .reqid} > [FCS\_CKM.2.1](#FCS_CKM.2.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_CKM.4 .comp} > #### FCS\_CKM.4 Cryptographic Key Destruction > > ::: {.element} > ::: {#FCS_CKM.4.1 .reqid} > [FCS\_CKM.4.1](#FCS_CKM.4.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_COP.1/DataEncryption .comp} > #### FCS\_COP.1/DataEncryption Cryptographic Operation (AES Data Encryption/Decryptio > > ::: {.element} > ::: {#FCS_COP.1.1/DataEncryption .reqid} > [FCS\_COP.1.1/DataEncryption](#FCS_COP.1.1/DataEncryption){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_COP.1/SigGen .comp} > #### FCS\_COP.1/SigGen Cryptographic Operation (Signature Generation and Verification > > ::: {.element} > ::: {#FCS_COP.1.1/SigGen .reqid} > [FCS\_COP.1.1/SigGen](#FCS_COP.1.1/SigGen){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_COP.1/Hash .comp} > #### FCS\_COP.1/Hash Cryptographic Operation (Hash Algorithm) > > 
::: {.element} > ::: {#FCS_COP.1.1/Hash .reqid} > [FCS\_COP.1.1/Hash](#FCS_COP.1.1/Hash){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_COP.1/KeyedHash .comp} > #### FCS\_COP.1/KeyedHash Cryptographic Operation (Keyed Hash Algorithm) > > ::: {.element} > ::: {#FCS_COP.1.1/KeyedHash .reqid} > [FCS\_COP.1.1/KeyedHash](#FCS_COP.1.1/KeyedHash){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_RBG_EXT.1 .comp} > #### FCS\_RBG\_EXT.1 Random Bit Generation > > ::: {.element} > ::: {#FCS_RBG_EXT.1.1 .reqid} > [FCS\_RBG\_EXT.1.1](#FCS_RBG_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ### 8.3.3 Identification and Authentication (FIA) {#s-fia .indexable data-level="3"} > > ::: {#FIA_AFL.1 .comp} > #### FIA\_AFL.1 Authentication Failure Management (Refinement) > > ::: {.element} > ::: {#FIA_AFL.1.1 .reqid} > [FIA\_AFL.1.1](#FIA_AFL.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FIA_PMG_EXT.1 .comp} > #### FIA\_PMG\_EXT.1 Password Management > > ::: {.element} > ::: {#FIA_PMG_EXT.1.1 .reqid} > [FIA\_PMG\_EXT.1.1](#FIA_PMG_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FIA_UIA_EXT.1 .comp} > #### FIA\_UIA\_EXT.1 User Identification and Authentication > > ::: {.element} > ::: {#FIA_UIA_EXT.1.1 .reqid} > [FIA\_UIA\_EXT.1.1](#FIA_UIA_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: 
{#FIA_UAU_EXT.2 .comp} > #### FIA\_UAU\_EXT.2 Password-based Authentication Mechanism > > ::: {.element} > ::: {#FIA_UAU_EXT.2.1 .reqid} > [FIA\_UAU\_EXT.2.1](#FIA_UAU_EXT.2.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FIA_UAU.7 .comp} > #### FIA\_UAU.7 Protected Authentication Feedback > > ::: {.element} > ::: {#FIA_UAU.7.1 .reqid} > [FIA\_UAU.7.1](#FIA_UAU.7.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ### 8.3.4 Security Management (FMT) {#s-fmt .indexable data-level="3"} > > ::: {#FMT_MOF.1/ManualUpdate .comp} > #### FMT\_MOF.1/ManualUpdate Management of Security Functions Behaviour > > ::: {.element} > ::: {#FMT_MOF.1.1/ManualUpdate .reqid} > [FMT\_MOF.1.1/ManualUpdate](#FMT_MOF.1.1/ManualUpdate){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FMT_MTD.1/CoreData .comp} > #### FMT\_MTD.1/CoreData Management of TSF Data > > ::: {.element} > ::: {#FMT_MTD.1.1/CoreData .reqid} > [FMT\_MTD.1.1/CoreData](#FMT_MTD.1.1/CoreData){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FMT_SMF.1 .comp} > #### FMT\_SMF.1 Specification of Management Functions > > ::: {.element} > ::: {#FMT_SMF.1.1 .reqid} > [FMT\_SMF.1.1](#FMT_SMF.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FMT_SMR.2 .comp} > #### FMT\_SMR.2 Restrictions on security roles > > ::: {.element} > ::: {#FMT_SMR.2.1 .reqid} > [FMT\_SMR.2.1](#FMT_SMR.2.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: 
]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ### 8.3.5 Protection of the TSF (FPT) {#s-fpt .indexable data-level="3"} > > ::: {#FPT_SKP_EXT.1 .comp} > #### FPT\_SKP\_EXT.1 Protection of TSF Data (for reading of all pre-shared, symmetric > > ::: {.element} > ::: {#FPT_SKP_EXT.1.1 .reqid} > [FPT\_SKP\_EXT.1.1](#FPT_SKP_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FPT_APW_EXT.1 .comp} > #### FPT\_APW\_EXT.1 Protection of Administrator Passwords > > ::: {.element} > ::: {#FPT_APW_EXT.1.1 .reqid} > [FPT\_APW\_EXT.1.1](#FPT_APW_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FPT_STM_EXT.1 .comp} > #### FPT\_STM\_EXT.1 Reliable Time Stamps > > ::: {.element} > ::: {#FPT_STM_EXT.1.1 .reqid} > [FPT\_STM\_EXT.1.1](#FPT_STM_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FPT_TST_EXT.1 .comp} > #### FPT\_TST\_EXT.1 TSF Testing > > ::: {.element} > ::: {#FPT_TST_EXT.1.1 .reqid} > [FPT\_TST\_EXT.1.1](#FPT_TST_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FPT_TUD_EXT.1 .comp} > #### FPT\_TUD\_EXT.1 Trusted Update > > ::: {.element} > ::: {#FPT_TUD_EXT.1.1 .reqid} > [FPT\_TUD\_EXT.1.1](#FPT_TUD_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ### 8.3.6 TOE Access (FTA) {#s-fta .indexable data-level="3"} > > ::: {#FTA_SSL_EXT.1 .comp} > #### FTA\_SSL\_EXT.1 TSF-initiated Session Locking > > ::: {.element} > ::: {#FTA_SSL_EXT.1.1 .reqid} > [FTA\_SSL\_EXT.1.1](#FTA_SSL_EXT.1.1){.abbr} 
> ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FTA_SSL.3 .comp} > #### FTA\_SSL.3 TSF-initiated Termination (Refinement) > > ::: {.element} > ::: {#FTA_SSL.3.1 .reqid} > [FTA\_SSL.3.1](#FTA_SSL.3.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FTA_SSL.4 .comp} > #### FTA\_SSL.4 User-initiated Termination (Refinement) > > ::: {.element} > ::: {#FTA_SSL.4.1 .reqid} > [FTA\_SSL.4.1](#FTA_SSL.4.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FTA_TAB.1 .comp} > #### FTA\_TAB.1 Default TOE Access Banners (Refinement) > > ::: {.element} > ::: {#FTA_TAB.1.1 .reqid} > [FTA\_TAB.1.1](#FTA_TAB.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ### 8.3.7 Trusted Channel (FTP\_ITC) {#s-ftp .indexable data-level="3"} > > ::: {#FTP_ITC.1 .comp} > #### FTP\_ITC.1 Inter-TSF Trusted Channel (Refinement) > > ::: {.element} > ::: {#FTP_ITC.1.1 .reqid} > [FTP\_ITC.1.1](#FTP_ITC.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FTP_TRP.1/Admin .comp} > #### FTP\_TRP.1/Admin Trusted Path (Refinement) > > ::: {.element} > ::: {#FTP_TRP.1.1/Admin .reqid} > [FTP\_TRP.1.1/Admin](#FTP_TRP.1.1/Admin){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ### 8.3.8 TOE Security Functional Requirements Rationale {#obj-req-map .indexable dat > > The following rationale provides justification for each security > objective for the [TOE](#abbr_TOE), 
> showing that the [SFRs](#abbr_SFR)
> are suitable to meet and achieve the security objectives:\
>
> [Table [2]{.counter}]{#t-obj_map .ctr data-myid="t-obj_map"
> data-counter-type="ct-Table"}: [SFR](#abbr_SFR) Rationale
>
> | Objective | Addressed by | Rationale |
> |-----------|--------------|-----------|
> | [O.ACCOUNTABILITY](#O.ACCOUNTABILITY) | [FAU\_GEN.1](#FAU_GEN.1) | 'cause [FAU\_GEN.1](#FAU_GEN.1) is awesome |
> | [O.ACCOUNTABILITY](#O.ACCOUNTABILITY) | FTP\_ITC\_EXT.1 | Cause FTP reasons |
> | [O.INTEGRITY](#O.INTEGRITY) | FPT\_SBOP\_EXT.1 | For reasons |
> | [O.INTEGRITY](#O.INTEGRITY) | FPT\_ASLR\_EXT.1 | [ASLR](#abbr_ASLR) For reasons |
> | [O.INTEGRITY](#O.INTEGRITY) | [FPT\_TUD\_EXT.1](#FPT_TUD_EXT.1) | For reasons |
> | [O.INTEGRITY](#O.INTEGRITY) | [FPT\_TUD\_EXT.2](#FPT_TUD_EXT.2) | For reasons |
> | [O.INTEGRITY](#O.INTEGRITY) | FCS\_COP.1/HASH | For reasons |
> | [O.INTEGRITY](#O.INTEGRITY) | FCS\_COP.1/SIGN | For reasons |
> | [O.INTEGRITY](#O.INTEGRITY) | FCS\_COP.1/KEYHMAC | For reasons |
> | [O.INTEGRITY](#O.INTEGRITY) | FPT\_ACF\_EXT.1 | For reasons |
> | [O.INTEGRITY](#O.INTEGRITY) | FPT\_SRP\_EXT.1 | For reasons |
> | [O.INTEGRITY](#O.INTEGRITY) | FIA\_X509\_EXT.1 | For reasons |
> | [O.INTEGRITY](#O.INTEGRITY) | [FPT\_TST\_EXT.1](#FPT_TST_EXT.1) | For reasons |
> | [O.INTEGRITY](#O.INTEGRITY) | FTP\_ITC\_EXT.1 | For reasons |
> | [O.INTEGRITY](#O.INTEGRITY) | FPT\_W\^X\_EXT.1 | For reasons |
> | [O.INTEGRITY](#O.INTEGRITY) | [FIA\_AFL.1](#FIA_AFL.1) | For reasons |
> | [O.INTEGRITY](#O.INTEGRITY) | FIA\_UAU.5 | For reasons |
> | [O.MANAGEMENT](#O.MANAGEMENT) | FMT\_MOF\_EXT.1 | For reasons |
> | [O.MANAGEMENT](#O.MANAGEMENT) | FMT\_SMF\_EXT.1 | For reasons |
> | [O.MANAGEMENT](#O.MANAGEMENT) | [FTA\_TAB.1](#FTA_TAB.1) | For reasons |
> | [O.MANAGEMENT](#O.MANAGEMENT) | FTP\_TRP.1 | For reasons |
> | [O.PROTECTED\_STORAGE](#O.PROTECTED_STORAGE) | FCS\_STO\_EXT.1, [FCS\_RBG\_EXT.1](#FCS_RBG_EXT.1), FCS\_COP.1/ENCRYPT, FDP\_ACF\_EXT.1 | Rationale for a big chunk |
> | [O.PROTECTED\_COMMS](#O.PROTECTED_COMMS) | [FCS\_RBG\_EXT.1](#FCS_RBG_EXT.1), [FCS\_CKM.1](#FCS_CKM.1), [FCS\_CKM.2](#FCS_CKM.2), FCS\_CKM\_EXT.4, FCS\_COP.1/ENCRYPT, FCS\_COP.1/HASH, FCS\_COP.1/SIGN, FCS\_COP.1/[HMAC](#abbr_HMAC), FDP\_IFC\_EXT.1, FIA\_X509\_EXT.1, [FIA\_X509\_EXT.2](#FIA_X509_EXT.2), FTP\_ITC\_EXT.1 | Rationale for a big chunk |
>
> 8.4 Security Assurance Requirements {#Security_Assurance_Requirements .indexable data-level="2"}
> -----------------------------------
>
> The Security Objectives in [Section 7 Security
Objectives](#Security_Objectives){.dynref} were constructed to address > threats identified in [Section 6.1 Threats](#Threats){.dynref}. The > Security Functional Requirements ([SFRs](#abbr_SFR)) in [Section 8.3 > Security Functional Requirements](#SFRs){.dynref} are a formal > instantiation of the Security Objectives. The [PP](#abbr_PP) identifies > the Security Assurance Requirements ([SARs](#abbr_SAR)) to frame the > extent to which the evaluator assesses the documentation applicable for > the evaluation and performs independent testing.\ > This section lists the set of [SARs](#abbr_SAR) from [CC](#abbr_CC) part > 3 that are required in evaluations against this [PP](#abbr_PP). > Individual Assurance Activities to be performed are specified both in > [Section 8.3 Security Functional Requirements](#SFRs){.dynref} as well > as in this section.\ > The general model for evaluation of OSs against [STs](#abbr_ST) written > to conform to this [PP](#abbr_PP) is as follows:\ > After the [ST](#abbr_ST) has been approved for evaluation, the > [ITSEF](#abbr_ITSEF) will obtain the [OS](#abbr_OS), supporting > environmental [IT](#abbr_IT), and the administrative/user guides for the > [OS](#abbr_OS). The [ITSEF](#abbr_ITSEF) is expected to perform actions > mandated by the Common Evaluation Methodology ([CEM](#abbr_CEM)) for the > ASE and ALC [SARs](#abbr_SAR). The [ITSEF](#abbr_ITSEF) also performs > the Assurance Activities contained within [Section 8.3 Security > Functional Requirements](#SFRs){.dynref}, which are intended to be an > interpretation of the other [CEM](#abbr_CEM) assurance requirements as > they apply to the specific technology instantiated in the > [OS](#abbr_OS). The Assurance Activities that are captured in [Section > 8.3 Security Functional Requirements](#SFRs){.dynref} also provide > clarification as to what the developer needs to provide to demonstrate > the [OS](#abbr_OS) is compliant with the [PP](#abbr_PP). 
> > ### 8.4.1 Class ASE: Security Target {#ase .indexable data-level="3"} > > As per ASE activities defined in [\[CEM\]](#bibCEM). > > ### 8.4.2 Class ADV: Development {#adv .indexable data-level="3"} > > The information about the [OS](#abbr_OS) is contained in the guidance > documentation available to the end user as well as the [TSS](#abbr_TSS) > portion of the [ST](#abbr_ST). The [OS](#abbr_OS) developer must concur > with the description of the product that is contained in the > [TSS](#abbr_TSS) as it relates to the functional requirements. The > Assurance Activities contained in [Section 8.3 Security Functional > Requirements](#SFRs){.dynref} should provide the [ST](#abbr_ST) authors > with sufficient information to determine the appropriate content for the > [TSS](#abbr_TSS) section. > > ::: {#ADV_FSP.1 .comp} > #### ADV\_FSP.1 Basic Functional Specification (ADV\_FSP.1) > > The functional specification describes the [TSFI](#abbr_TSFI). It is not > necessary to have a formal or complete specification of these > interfaces. Additionally, because OSs conforming to this [PP](#abbr_PP) > will necessarily have interfaces to the Operational Environment that are > not directly invokable by [OS](#abbr_OS) users, there is little point > specifying that such interfaces be described in and of themselves since > only indirect testing of such interfaces may be possible. For this > [PP](#abbr_PP), the activities for this family should focus on > understanding the interfaces presented in the [TSS](#abbr_TSS) in > response to the functional requirements and the interfaces presented in > the AGD documentation. No additional "functional specification" > documentation is necessary to satisfy the assurance activities > specified. The interfaces that need to be evaluated are characterized > through the information needed to perform the assurance activities > listed, rather than as an independent, abstract list. 
> > #### Developer action elements: > > ::: {.element} > ::: {#ADV_FSP.1.1D .reqid} > [ADV\_FSP.1.1D](#ADV_FSP.1.1D){.abbr} > ::: > > ::: {.reqdesc} > The developer shall provide a functional specification. > ::: > ::: > > #### Content and presentation elements: > > ::: {.element} > ::: {#ADV_FSP.1.1C .reqid} > [ADV\_FSP.1.1C](#ADV_FSP.1.1C){.abbr} > ::: > > ::: {.reqdesc} > The developer shall provide a tracing from the functional specification > to the [SFRs](#abbr_SFR). > > ::: {.appnote} > [Application Note: ]{.note-header}[As indicated in the introduction to > this section, the functional specification is comprised of the > information contained in the AGD\_OPE and AGD\_PRE documentation. The > developer may reference a website accessible to application developers > and the evaluator. The assurance activities in the functional > requirements point to evidence that should exist in the documentation > and [TSS](#abbr_TSS) section; since these are directly associated with > the [SFRs](#abbr_SFR), the tracing in element > [ADV\_FSP.1](#ADV_FSP.1).2D is implicitly already done and no additional > documentation is necessary.]{.note} > ::: > ::: > ::: > > ::: {.element} > ::: {#ADV_FSP.1.2C .reqid} > [ADV\_FSP.1.2C](#ADV_FSP.1.2C){.abbr} > ::: > > ::: {.reqdesc} > The functional specification shall describe the purpose and method of > use for each [SFR](#abbr_SFR)-enforcing and [SFR](#abbr_SFR)-supporting > [TSFI](#abbr_TSFI). > ::: > ::: > > ::: {.element} > ::: {#ADV_FSP.1.3C .reqid} > [ADV\_FSP.1.3C](#ADV_FSP.1.3C){.abbr} > ::: > > ::: {.reqdesc} > The functional specification shall identify all parameters associated > with each [SFR](#abbr_SFR)-enforcing and [SFR](#abbr_SFR)-supporting > [TSFI](#abbr_TSFI). 
> ::: > ::: > > ::: {.element} > ::: {#ADV_FSP.1.4C .reqid} > [ADV\_FSP.1.4C](#ADV_FSP.1.4C){.abbr} > ::: > > ::: {.reqdesc} > The functional specification shall provide rationale for the implicit > categorization of interfaces as [SFR](#abbr_SFR)-non-interfering. > ::: > ::: > > ::: {.element} > ::: {#ADV_FSP.1.5C .reqid} > [ADV\_FSP.1.5C](#ADV_FSP.1.5C){.abbr} > ::: > > ::: {.reqdesc} > The tracing shall demonstrate that the [SFRs](#abbr_SFR) trace to > [TSFIs](#abbr_TSFI) in the functional specification. > ::: > ::: > > #### Evaluator action elements: > > ::: {.element} > ::: {#ADV_FSP.1.1E .reqid} > [ADV\_FSP.1.1E](#ADV_FSP.1.1E){.abbr} > ::: > > ::: {.reqdesc} > The evaluator shall confirm that the information provided meets all > requirements for content and presentation of evidence. > ::: > ::: > > ::: {.element} > ::: {#ADV_FSP.1.2E .reqid} > [ADV\_FSP.1.2E](#ADV_FSP.1.2E){.abbr} > ::: > > ::: {.reqdesc} > The evaluator shall determine that the functional specification is an > accurate and complete instantiation of the [SFRs](#abbr_SFR). > ::: > ::: > > ::: {.activity_pane .hide} > ::: {.activity_pane_header} > [[ Evaluation Activities ]{.activity_pane_label}[]{.toggler}](#) > ::: > > ::: {.activity_pane_body} > ::: {.component-activity-header} > [ADV\_FSP.1](#ADV_FSP.1) > ::: > > There are no specific assurance activities associated with these > [SARs](#abbr_SAR), except ensuring the information is provided. The > functional specification documentation is provided to support the > evaluation activities described in [Section 8.3 Security Functional > Requirements](#SFRs){.dynref}, and other activities described for AGD, > ATE, and AVA [SARs](#abbr_SAR). 
The requirements on the content of the
> functional specification information are implicitly assessed by virtue of
> the other assurance activities being performed; if the evaluator is
> unable to perform an activity because there is insufficient interface
> information, then an adequate functional specification has not been
> provided.
> :::
> :::
> :::
>
> ### 8.4.3 Class AGD: Guidance Documentation {#agd .indexable data-level="3"}
>
> The guidance documents will be provided with the [ST](#abbr_ST).
> Guidance must include a description of how the [IT](#abbr_IT) personnel
> verify that the Operational Environment can fulfill its role for the
> security functionality. The documentation should be in an informal style
> and readable by the [IT](#abbr_IT) personnel. Guidance must be provided
> for every operational environment that the product supports as claimed
> in the [ST](#abbr_ST). This guidance includes instructions to
> successfully install the [TSF](#abbr_TSF) in that environment, and
> instructions to manage the security of the [TSF](#abbr_TSF) as a product
> and as a component of the larger operational environment. Guidance
> pertaining to particular security functionality is also provided;
> requirements on such guidance are contained in the assurance activities
> specified with each requirement.
>
> ::: {#AGD_OPE.1 .comp}
> #### AGD\_OPE.1 Operational User Guidance (AGD\_OPE.1)
>
> #### Developer action elements:
>
> ::: {.element}
> ::: {#AGD_OPE.1.1D .reqid}
> [AGD\_OPE.1.1D](#AGD_OPE.1.1D){.abbr}
> :::
>
> ::: {.reqdesc}
> The developer shall provide operational user guidance.
>
> ::: {.appnote}
> [Application Note: ]{.note-header}[The operational user guidance does
> not have to be contained in a single document. Guidance to users,
> administrators and application developers can be spread among documents
> or web pages.
Rather than repeat information here, the developer should > review the assurance activities for this component to ascertain the > specifics of the guidance that the evaluator will be checking for. This > will provide the necessary information for the preparation of acceptable > guidance.]{.note} > ::: > ::: > ::: > > #### Content and presentation elements: > > ::: {.element} > ::: {#AGD_OPE.1.1C .reqid} > [AGD\_OPE.1.1C](#AGD_OPE.1.1C){.abbr} > ::: > > ::: {.reqdesc} > The operational user guidance shall describe, for each user role, the > user-accessible functions and privileges that should be controlled in a > secure processing environment, including appropriate warnings. > > ::: {.appnote} > [Application Note: ]{.note-header}[User and administrator are to be > considered in the definition of user role.]{.note} > ::: > ::: > ::: > > ::: {.element} > ::: {#AGD_OPE.1.2C .reqid} > [AGD\_OPE.1.2C](#AGD_OPE.1.2C){.abbr} > ::: > > ::: {.reqdesc} > The operational user guidance shall describe, for each user role, how to > use the available interfaces provided by the [OS](#abbr_OS) in a secure > manner. > ::: > ::: > > ::: {.element} > ::: {#AGD_OPE.1.3C .reqid} > [AGD\_OPE.1.3C](#AGD_OPE.1.3C){.abbr} > ::: > > ::: {.reqdesc} > The operational user guidance shall describe, for each user role, the > available functions and interfaces, in particular all security > parameters under the control of the user, indicating secure values as > appropriate. > > ::: {.appnote} > [Application Note: ]{.note-header}[ This portion of the operational user > guidance should be presented in the form of a checklist that can be > quickly executed by [IT](#abbr_IT) personnel (or end-users, when > necessary) and suitable for use in compliance activities. When possible, > this guidance is to be expressed in the eXtensible Configuration > Checklist Description Format ([XCCDF](#abbr_XCCDF)) to support security > automation. 
Minimally, it should be presented in a structured format > which includes a title for each configuration item, instructions for > achieving the secure configuration, and any relevant rationale. ]{.note} > ::: > ::: > ::: > > ::: {.element} > ::: {#AGD_OPE.1.4C .reqid} > [AGD\_OPE.1.4C](#AGD_OPE.1.4C){.abbr} > ::: > > ::: {.reqdesc} > The operational user guidance shall, for each user role, clearly present > each type of security-relevant event relative to the user-accessible > functions that need to be performed, including changing the security > characteristics of entities under the control of the [TSF](#abbr_TSF). > ::: > ::: > > ::: {.element} > ::: {#AGD_OPE.1.5C .reqid} > [AGD\_OPE.1.5C](#AGD_OPE.1.5C){.abbr} > ::: > > ::: {.reqdesc} > The operational user guidance shall identify all possible modes of > operation of the [OS](#abbr_OS) (including operation following failure > or operational error), their consequences, and implications for > maintaining secure operation. > ::: > ::: > > ::: {.element} > ::: {#AGD_OPE.1.6C .reqid} > [AGD\_OPE.1.6C](#AGD_OPE.1.6C){.abbr} > ::: > > ::: {.reqdesc} > The operational user guidance shall, for each user role, describe the > security measures to be followed in order to fulfill the security > objectives for the operational environment as described in the > [ST](#abbr_ST). > ::: > ::: > > ::: {.element} > ::: {#AGD_OPE.1.7C .reqid} > [AGD\_OPE.1.7C](#AGD_OPE.1.7C){.abbr} > ::: > > ::: {.reqdesc} > The operational user guidance shall be clear and reasonable. > ::: > ::: > > #### Evaluator action elements: > > ::: {.element} > ::: {#AGD_OPE.1.1E .reqid} > [AGD\_OPE.1.1E](#AGD_OPE.1.1E){.abbr} > ::: > > ::: {.reqdesc} > The evaluator shall confirm that the information provided meets all > requirements for content and presentation of evidence. 
> :::
> :::
>
> ::: {.activity_pane .hide}
> ::: {.activity_pane_header}
> [[ Evaluation Activities ]{.activity_pane_label}[]{.toggler}](#)
> :::
>
> ::: {.activity_pane_body}
> ::: {.component-activity-header}
> [AGD\_OPE.1](#AGD_OPE.1)
> :::
>
> Some of the contents of the operational guidance are verified by the
> assurance activities in [Section 8.3 Security Functional
> Requirements](#SFRs){.dynref} and evaluation of the [OS](#abbr_OS)
> according to the [\[CEM\]](#bibCEM). The following additional
> information is also required.
>
> If cryptographic functions are provided by the [OS](#abbr_OS), the
> operational guidance shall contain instructions for configuring the
> cryptographic engine associated with the evaluated configuration of the
> [OS](#abbr_OS). It shall provide a warning to the administrator that use
> of other cryptographic engines was not evaluated nor tested during the
> [CC](#abbr_CC) evaluation of the [OS](#abbr_OS).
>
> The documentation must describe the process for verifying updates to the
> [OS](#abbr_OS) by verifying a digital signature -- this may be done by
> the [OS](#abbr_OS) or the underlying platform. The evaluator will verify
> that this process includes the following steps:
>
> - Instructions for obtaining the update itself. This should include
>   instructions for making the update accessible to the [OS](#abbr_OS)
>   (e.g., placement in a specific directory).
> - Instructions for initiating the update process, as well as discerning
>   whether the process was successful or unsuccessful. This includes
>   generation of the hash/digital signature.
>
> The [OS](#abbr_OS) will likely contain security functionality that does
> not fall in the scope of evaluation under this [PP](#abbr_PP). The
> operational guidance shall make it clear to an administrator which
> security functionality is covered by the evaluation activities.
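The update-verification steps just described, as an added Go example that is not part of the PP or of any evaluated OS: a staged package and its detached signature are checked against a pinned vendor key before the update proceeds, and the outcome is reported so an administrator can tell success from rejection. The staging layout (`<name>` plus `<name>.sig`), the use of Ed25519 and the sample payload are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
)

// UpdateOutcome is what the administrator must be able to discern from the
// update process: whether the package was accepted and, if not, why.
type UpdateOutcome struct {
	Accepted bool
	Digest   string // hex SHA-256 of the package, kept for the administrator's record
	Reason   string
}

// VerifyStagedUpdate checks a staged update before anything is applied. The
// layout is an assumption for this example: the package sits in stagingDir as
// <name> with its detached signature as <name>.sig. The signature is verified
// over the whole package against the pinned vendor key; the digest is reported
// but never used as proof of origin, since anyone can hash a modified file.
func VerifyStagedUpdate(stagingDir, name string, vendorKey ed25519.PublicKey) UpdateOutcome {
	pkg, err := os.ReadFile(filepath.Join(stagingDir, name))
	if err != nil {
		return UpdateOutcome{Reason: "update package not readable: " + err.Error()}
	}
	sum := sha256.Sum256(pkg)
	out := UpdateOutcome{Digest: hex.EncodeToString(sum[:])}
	sig, err := os.ReadFile(filepath.Join(stagingDir, name+".sig"))
	if err != nil {
		out.Reason = "detached signature missing: " + err.Error()
		return out
	}
	if !ed25519.Verify(vendorKey, pkg, sig) {
		out.Reason = "signature does not verify against the vendor key; update rejected"
		return out
	}
	out.Accepted = true
	return out
}

// stageSigned writes a package and its detached signature, standing in for
// the vendor's release pipeline (constructed for the example).
func stageSigned(stagingDir, name string, pkg []byte, priv ed25519.PrivateKey) error {
	if err := os.WriteFile(filepath.Join(stagingDir, name), pkg, 0o600); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(stagingDir, name+".sig"), ed25519.Sign(priv, pkg), 0o600)
}

// RunScenario exercises the outcomes an evaluator would want demonstrated: a
// genuine package, one altered after signing, and one signed by a foreign key.
func RunScenario() (genuine, tampered, wrongKey UpdateOutcome, err error) {
	dir, err := os.MkdirTemp("", "os-update-staging")
	if err != nil {
		return
	}
	defer os.RemoveAll(dir)
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	pkg := []byte("constructed sample update payload, not a real package")
	if err = stageSigned(dir, "update.bin", pkg, vendorPriv); err != nil {
		return
	}
	genuine = VerifyStagedUpdate(dir, "update.bin", vendorPub)

	// Flip one byte after signing: the digest changes and verification fails.
	altered := append([]byte(nil), pkg...)
	altered[0] ^= 0x01
	if err = os.WriteFile(filepath.Join(dir, "update.bin"), altered, 0o600); err != nil {
		return
	}
	tampered = VerifyStagedUpdate(dir, "update.bin", vendorPub)

	// A well-formed signature from a key other than the pinned one is rejected too.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	if err = stageSigned(dir, "other.bin", pkg, otherPriv); err != nil {
		return
	}
	wrongKey = VerifyStagedUpdate(dir, "other.bin", vendorPub)
	return
}

func main() {
	g, t, w, err := RunScenario()
	fmt.Printf("genuine=%+v\ntampered=%+v\nwrongKey=%+v\nerr=%v\n", g, t, w, err)
}
```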
> ::: > ::: > ::: > > ::: {#AGD_PRE.1 .comp} > #### AGD\_PRE.1 Preparative Procedures (AGD\_PRE.1) > > #### Developer action elements: > > ::: {.element} > ::: {#AGD_PRE.1.1D .reqid} > [AGD\_PRE.1.1D](#AGD_PRE.1.1D){.abbr} > ::: > > ::: {.reqdesc} > The developer shall provide the [OS](#abbr_OS), including its > preparative procedures. > > ::: {.appnote} > [Application Note: ]{.note-header}[As with the operational guidance, the > developer should look to the assurance activities to determine the > required content with respect to preparative procedures.]{.note} > ::: > ::: > ::: > > #### Content and presentation elements: > > ::: {.element} > ::: {#AGD_PRE.1.1C .reqid} > [AGD\_PRE.1.1C](#AGD_PRE.1.1C){.abbr} > ::: > > ::: {.reqdesc} > The preparative procedures shall describe all the steps necessary for > secure acceptance of the delivered [OS](#abbr_OS) in accordance with the > developer\'s delivery procedures. > ::: > ::: > > ::: {.element} > ::: {#AGD_PRE.1.2C .reqid} > [AGD\_PRE.1.2C](#AGD_PRE.1.2C){.abbr} > ::: > > ::: {.reqdesc} > The preparative procedures shall describe all the steps necessary for > secure installation of the [OS](#abbr_OS) and for the secure preparation > of the operational environment in accordance with the security > objectives for the operational environment as described in the > [ST](#abbr_ST). > ::: > ::: > > #### Evaluator action elements: > > ::: {.element} > ::: {#AGD_PRE.1.1E .reqid} > [AGD\_PRE.1.1E](#AGD_PRE.1.1E){.abbr} > ::: > > ::: {.reqdesc} > The evaluator shall confirm that the information provided meets all > requirements for content and presentation of evidence. > ::: > ::: > > ::: {.element} > ::: {#AGD_PRE.1.2E .reqid} > [AGD\_PRE.1.2E](#AGD_PRE.1.2E){.abbr} > ::: > > ::: {.reqdesc} > The evaluator shall apply the preparative procedures to confirm that the > [OS](#abbr_OS) can be prepared securely for operation. 
> ::: > ::: > > ::: {.activity_pane .hide} > ::: {.activity_pane_header} > [[ Evaluation Activities ]{.activity_pane_label}[]{.toggler}](#) > ::: > > ::: {.activity_pane_body} > ::: {.component-activity-header} > [AGD\_PRE.1](#AGD_PRE.1) > ::: > > As indicated in the introduction above, there are significant > expectations with respect to the documentation---especially when > configuring the operational environment to support [OS](#abbr_OS) > functional requirements. The evaluator shall check to ensure that the > guidance provided for the [OS](#abbr_OS) adequately addresses all > platforms claimed for the [OS](#abbr_OS) in the [ST](#abbr_ST). > ::: > ::: > ::: > > ### 8.4.4 Class ALC: Life-cycle Support {#alc .indexable data-level="3"} > > At the assurance level provided for OSs conformant to this > [PP](#abbr_PP), life-cycle support is limited to end-user-visible > aspects of the life-cycle, rather than an examination of the > [OS](#abbr_OS) vendor's development and configuration management > process. This is not meant to diminish the critical role that a > developer's practices play in contributing to the overall > trustworthiness of a product; rather, it is a reflection on the > information to be made available for evaluation at this assurance level. > > ::: {#ALC_CMC.1 .comp} > #### ALC\_CMC.1 Labeling of the TOE (ALC\_CMC.1) > > This component is targeted at identifying the [OS](#abbr_OS) such that > it can be distinguished from other products or versions from the same > vendor and can be easily specified when being procured by an end user. > > #### Developer action elements: > > ::: {.element} > ::: {#ALC_CMC.1.1D .reqid} > [ALC\_CMC.1.1D](#ALC_CMC.1.1D){.abbr} > ::: > > ::: {.reqdesc} > The developer shall provide the [OS](#abbr_OS) and a reference for the > [OS](#abbr_OS). 
> ::: > ::: > > #### Content and presentation elements: > > ::: {.element} > ::: {#ALC_CMC.1.1C .reqid} > [ALC\_CMC.1.1C](#ALC_CMC.1.1C){.abbr} > ::: > > ::: {.reqdesc} > The [OS](#abbr_OS) shall be labeled with a unique reference. > > ::: {.appnote} > [Application Note: ]{.note-header}[Unique reference information > includes: ]{.note} > > - [OS](#abbr_OS) Name > - [OS](#abbr_OS) Version > - [OS](#abbr_OS) Description > - Software Identification ([SWID](#abbr_SWID)) tags, if available > ::: > ::: > ::: > > #### Evaluator action elements: > > ::: {.element} > ::: {#ALC_CMC.1.1E .reqid} > [ALC\_CMC.1.1E](#ALC_CMC.1.1E){.abbr} > ::: > > ::: {.reqdesc} > The evaluator shall confirm that the information provided meets all > requirements for content and presentation of evidence. > ::: > ::: > > ::: {.activity_pane .hide} > ::: {.activity_pane_header} > [[ Evaluation Activities ]{.activity_pane_label}[]{.toggler}](#) > ::: > > ::: {.activity_pane_body} > ::: {.component-activity-header} > [ALC\_CMC.1](#ALC_CMC.1) > ::: > > The evaluator will check the [ST](#abbr_ST) to ensure that it contains > an identifier (such as a product name/version number) that specifically > identifies the version that meets the requirements of the > [ST](#abbr_ST). Further, the evaluator will check the AGD guidance and > [OS](#abbr_OS) samples received for testing to ensure that the version > number is consistent with that in the [ST](#abbr_ST). If the vendor > maintains a web site advertising the [OS](#abbr_OS), the evaluator will > examine the information on the web site to ensure that the information > in the [ST](#abbr_ST) is sufficient to distinguish the product. > ::: > ::: > ::: > > ::: {#ALC_CMS.1 .comp} > #### ALC\_CMS.1 TOE CM Coverage (ALC\_CMS.1) > > Given the scope of the [OS](#abbr_OS) and its associated evaluation > evidence requirements, this component's assurance activities are covered > by the assurance activities listed for [ALC\_CMC.1](#ALC_CMC.1). 
> > #### Developer action elements: > > ::: {.element} > ::: {#ALC_CMS.1.1D .reqid} > [ALC\_CMS.1.1D](#ALC_CMS.1.1D){.abbr} > ::: > > ::: {.reqdesc} > The developer shall provide a configuration list for the [OS](#abbr_OS). > ::: > ::: > > #### Content and presentation elements: > > ::: {.element} > ::: {#ALC_CMS.1.1C .reqid} > [ALC\_CMS.1.1C](#ALC_CMS.1.1C){.abbr} > ::: > > ::: {.reqdesc} > The configuration list shall include the following: the [OS](#abbr_OS) > itself; and the evaluation evidence required by the [SARs](#abbr_SAR). > ::: > ::: > > ::: {.element} > ::: {#ALC_CMS.1.2C .reqid} > [ALC\_CMS.1.2C](#ALC_CMS.1.2C){.abbr} > ::: > > ::: {.reqdesc} > The configuration list shall uniquely identify the configuration items. > ::: > ::: > > #### Evaluator action elements: > > ::: {.element} > ::: {#ALC_CMS.1.1E .reqid} > [ALC\_CMS.1.1E](#ALC_CMS.1.1E){.abbr} > ::: > > ::: {.reqdesc} > The evaluator shall confirm that the information provided meets all > requirements for content and presentation of evidence. > ::: > ::: > > ::: {.activity_pane .hide} > ::: {.activity_pane_header} > [[ Evaluation Activities ]{.activity_pane_label}[]{.toggler}](#) > ::: > > ::: {.activity_pane_body} > ::: {.component-activity-header} > [ALC\_CMS.1](#ALC_CMS.1) > ::: > > The \"evaluation evidence required by the [SARs](#abbr_SAR)\" in this > [PP](#abbr_PP) is limited to the information in the [ST](#abbr_ST) > coupled with the guidance provided to administrators and users under the > AGD requirements. By ensuring that the [OS](#abbr_OS) is specifically > identified and that this identification is consistent in the > [ST](#abbr_ST) and in the AGD guidance (as done in the assurance > activity for [ALC\_CMC.1](#ALC_CMC.1)), the evaluator implicitly > confirms the information required by this component. 
Life-cycle support
> is targeted at aspects of the developer's life-cycle and instructions to
> providers of applications for the developer's devices, rather than an
> in-depth examination of the [TSF](#abbr_TSF) manufacturer's development
> and configuration management process. This is not meant to diminish the
> critical role that a developer's practices play in contributing to the
> overall trustworthiness of a product; rather, it's a reflection on the
> information to be made available for evaluation.\
> The evaluator will ensure that the developer has identified (in guidance
> documentation for application developers concerning the targeted
> platform) one or more development environments appropriate for use in
> developing applications for the developer's platform. For each of these
> development environments, the developer shall provide information on how
> to configure the environment to ensure that buffer overflow protection
> mechanisms in the environment(s) are invoked (e.g., compiler and linker
> flags). The evaluator will ensure that this documentation also includes
> an indication of whether such protections are on by default, or have to
> be specifically enabled. The evaluator will ensure that the
> [TSF](#abbr_TSF) is uniquely identified (with respect to other products
> from the [TSF](#abbr_TSF) vendor), and that documentation provided by
> the developer in association with the requirements in the [ST](#abbr_ST)
> is associated with the [TSF](#abbr_TSF) using this unique
> identification.
> :::
> :::
> :::
>
> ::: {#ALC_TSU_EXT.1 .comp}
> #### ALC\_TSU\_EXT.1 Timely Security Updates
>
> This component requires the [OS](#abbr_OS) developer, in conjunction
> with any other necessary parties, to provide information as to how the
> end-user devices are updated to address security issues in a timely
> manner.
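For the ALC\_CMC.1/ALC\_CMS.1 evaluation activity above, which has the evaluator confirm that the guidance documents how buffer overflow protections are invoked and whether they are on by default, an added Go example (not part of the PP or of any vendor's guidance) that inspects a shipped ELF binary for the marks those compiler and linker flags leave: PIE, a non-executable stack, a stack-protector import and RELRO. The minimal ELF images it inspects are constructed fixtures, and the report fields and the set of protections checked are assumptions made for the example.

```go
package main

import (
	"bytes"
	"debug/elf"
	"encoding/binary"
	"fmt"
)

// HardeningReport records the build-time protections visible in a shipped binary,
// so an "on by default" claim can be checked against what the toolchain emitted.
type HardeningReport struct {
	PIE            bool // e_type is ET_DYN, so ASLR can relocate the whole image
	NXStack        bool // PT_GNU_STACK present without PF_X
	StackProtector bool // imports __stack_chk_fail (canaries from -fstack-protector*)
	RELRO          bool // PT_GNU_RELRO present (-Wl,-z,relro)
}

// InspectELF parses an ELF image and reports which protections it carries.
func InspectELF(image []byte) (HardeningReport, error) {
	var r HardeningReport
	f, err := elf.NewFile(bytes.NewReader(image))
	if err != nil {
		return r, err
	}
	r.PIE = f.Type == elf.ET_DYN
	for _, p := range f.Progs {
		switch p.Type {
		case elf.PT_GNU_STACK:
			// With no PT_GNU_STACK at all the loader falls back to an executable stack.
			r.NXStack = p.Flags&elf.PF_X == 0
		case elf.PT_GNU_RELRO:
			r.RELRO = true
		}
	}
	// Static or stripped images have no dynamic symbol table: report "not demonstrated".
	if syms, err := f.DynamicSymbols(); err == nil {
		for _, s := range syms {
			if s.Name == "__stack_chk_fail" {
				r.StackProtector = true
			}
		}
	}
	return r, nil
}

// Shortfalls lists what the image lacks, as the evaluator would record it.
func Shortfalls(r HardeningReport) []string {
	var out []string
	if !r.PIE {
		out = append(out, "not position-independent (ET_EXEC)")
	}
	if !r.NXStack {
		out = append(out, "executable stack (PT_GNU_STACK missing or PF_X set)")
	}
	if !r.StackProtector {
		out = append(out, "stack protector not demonstrated (no __stack_chk_fail import)")
	}
	if !r.RELRO {
		out = append(out, "no PT_GNU_RELRO segment")
	}
	return out
}

// buildFixtureELF constructs a minimal ELF64 image (64-byte header plus one
// PT_GNU_STACK program header, no sections) so the checks run offline. It is a
// constructed fixture, not a compiled program; real evidence is the shipped binary.
func buildFixtureELF(pie, execStack bool) []byte {
	etype, flags := elf.ET_EXEC, elf.PF_R|elf.PF_W
	if pie {
		etype = elf.ET_DYN
	}
	if execStack {
		flags |= elf.PF_X
	}
	hdr := elf.Header64{
		Ident:     [16]byte{0x7f, 'E', 'L', 'F', byte(elf.ELFCLASS64), byte(elf.ELFDATA2LSB), byte(elf.EV_CURRENT)},
		Type:      uint16(etype),
		Machine:   uint16(elf.EM_X86_64),
		Version:   uint32(elf.EV_CURRENT),
		Phoff:     64, // program header table directly follows the ELF header
		Ehsize:    64,
		Phentsize: 56,
		Phnum:     1,
	}
	ph := elf.Prog64{Type: uint32(elf.PT_GNU_STACK), Flags: uint32(flags), Align: 16}
	var b bytes.Buffer
	binary.Write(&b, binary.LittleEndian, hdr)
	binary.Write(&b, binary.LittleEndian, ph)
	return b.Bytes()
}

func main() {
	for _, fx := range [][]byte{buildFixtureELF(true, false), buildFixtureELF(false, true)} {
		r, err := InspectELF(fx)
		fmt.Printf("%+v shortfalls=%v err=%v\n", r, Shortfalls(r), err)
	}
}
```

On a real evaluation the same `InspectELF` is run over the binaries the developer ships, and any shortfall is compared with what the guidance claims is enabled by default.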
The documentation describes the process of providing updates to
> the public from the time a security flaw is reported/discovered, to the
> time an update is released. This description includes the parties
> involved (e.g., the developer, carrier(s)) and the steps that are
> performed (e.g., developer testing, carrier testing), including worst
> case time periods, before an update is made available to the public.
>
> #### Developer action elements:
>
> ::: {.element}
> ::: {#ALC_TSU_EXT.1.1D .reqid}
> [ALC\_TSU\_EXT.1.1D](#ALC_TSU_EXT.1.1D){.abbr}
> :::
>
> ::: {.reqdesc}
> The developer shall provide a description in the [TSS](#abbr_TSS) of how
> timely security updates are made to the [OS](#abbr_OS).
> :::
> :::
>
> ::: {.element}
> ::: {#ALC_TSU_EXT.1.2D .reqid}
> [ALC\_TSU\_EXT.1.2D](#ALC_TSU_EXT.1.2D){.abbr}
> :::
>
> ::: {.reqdesc}
> The developer shall provide a description in the [TSS](#abbr_TSS) of how
> users are notified when updates change security properties or the
> configuration of the product.
> :::
> :::
>
> #### Content and presentation elements:
>
> ::: {.element}
> ::: {#ALC_TSU_EXT.1.1C .reqid}
> [ALC\_TSU\_EXT.1.1C](#ALC_TSU_EXT.1.1C){.abbr}
> :::
>
> ::: {.reqdesc}
> The description shall include the process for creating and deploying
> security updates for the [OS](#abbr_OS) software.
> :::
> :::
>
> ::: {.element}
> ::: {#ALC_TSU_EXT.1.2C .reqid}
> [ALC\_TSU\_EXT.1.2C](#ALC_TSU_EXT.1.2C){.abbr}
> :::
>
> ::: {.reqdesc}
> The description shall include the mechanisms publicly available for
> reporting security issues pertaining to the [OS](#abbr_OS).
>
> ::: {.appnote}
> [ Note: ]{.note-header}[ The reporting mechanism could include web
> sites, email addresses, as well as a means to protect the sensitive
> nature of the report (e.g., public keys that could be used to encrypt
> the details of a proof-of-concept exploit).
]{.note} > ::: > ::: > ::: > > #### Evaluator action elements: > > ::: {.element} > ::: {#ALC_TSU_EXT.1.1E .reqid} > [ALC\_TSU\_EXT.1.1E](#ALC_TSU_EXT.1.1E){.abbr} > ::: > > ::: {.reqdesc} > The evaluator shall confirm that the information provided meets all > requirements for content and presentation of evidence. > ::: > ::: > > ::: {.activity_pane .hide} > ::: {.activity_pane_header} > [[ Evaluation Activities ]{.activity_pane_label}[]{.toggler}](#) > ::: > > ::: {.activity_pane_body} > ::: {.component-activity-header} > [ALC\_TSU\_EXT.1](#ALC_TSU_EXT.1) > ::: > > The evaluator will verify that the [TSS](#abbr_TSS) contains a > description of the timely security update process used by the developer > to create and deploy security updates. The evaluator will verify that > this description addresses the entire application. The evaluator will > also verify that, in addition to the [OS](#abbr_OS) developer's process, > any third-party processes are also addressed in the description. The > evaluator will also verify that each mechanism for deployment of > security updates is described.\ > The evaluator will verify that, for each deployment mechanism described > for the update process, the [TSS](#abbr_TSS) lists a time between public > disclosure of a vulnerability and public availability of the security > update to the [OS](#abbr_OS) patching this vulnerability, to include any > third-party or carrier delays in deployment. The evaluator will verify > that this time is expressed in a number or range of days.\ > The evaluator will verify that this description includes the publicly > available mechanisms (including either an email address or website) for > reporting security issues related to the [OS](#abbr_OS). The evaluator > shall verify that the description of this mechanism includes a method > for protecting the report either using a public key for encrypting email > or a trusted channel for a website. 
> :::
> :::
> :::
>
> ### 8.4.5 Class ATE: Tests {#ate .indexable data-level="3"}
>
> Testing is specified for functional aspects of the system as well as
> aspects that take advantage of design or implementation weaknesses. The
> former is done through the ATE\_IND family, while the latter is through
> the AVA\_VAN family. At the assurance level specified in this
> [PP](#abbr_PP), testing is based on advertised functionality and
> interfaces with dependency on the availability of design information.
> One of the primary outputs of the evaluation process is the test report
> as specified in the following requirements.
>
> ::: {#ATE_IND.1 .comp}
> #### ATE\_IND.1 Independent Testing -- Conformance (ATE\_IND.1)
>
> Testing is performed to confirm the functionality described in the
> [TSS](#abbr_TSS) as well as the administrative (including configuration
> and operational) documentation provided. The focus of the testing is to
> confirm that the requirements specified in [Section 8.3 Security
> Functional Requirements](#SFRs){.dynref} are being met, although some
> additional testing is specified for [SARs](#abbr_SAR) in [Section 8.4
> Security Assurance
> Requirements](#Security_Assurance_Requirements){.dynref}. The Assurance
> Activities identify the additional testing activities associated with
> these components. The evaluator produces a test report documenting the
> plan for and results of testing, as well as coverage arguments focused
> on the platform/[OS](#abbr_OS) combinations that are claiming
> conformance to this [PP](#abbr_PP). Given the scope of the
> [OS](#abbr_OS) and its associated evaluation evidence requirements, this
> component's assurance activities are covered by the assurance activities
> listed for [ALC\_CMC.1](#ALC_CMC.1).
>
> #### Developer action elements:
>
> ::: {.element}
> ::: {#ATE_IND.1.1D .reqid}
> [ATE\_IND.1.1D](#ATE_IND.1.1D){.abbr}
> :::
>
> ::: {.reqdesc}
> The developer shall provide the [OS](#abbr_OS) for testing.
> ::: > ::: > > #### Content and presentation elements: > > ::: {.element} > ::: {#ATE_IND.1.1C .reqid} > [ATE\_IND.1.1C](#ATE_IND.1.1C){.abbr} > ::: > > ::: {.reqdesc} > The [OS](#abbr_OS) shall be suitable for testing. > ::: > ::: > > #### Evaluator action elements: > > ::: {.element} > ::: {#ATE_IND.1.1E .reqid} > [ATE\_IND.1.1E](#ATE_IND.1.1E){.abbr} > ::: > > ::: {.reqdesc} > The evaluator *shall confirm* that the information provided meets all > requirements for content and presentation of evidence. > ::: > ::: > > ::: {.element} > ::: {#ATE_IND.1.2E .reqid} > [ATE\_IND.1.2E](#ATE_IND.1.2E){.abbr} > ::: > > ::: {.reqdesc} > The evaluator shall test a subset of the [TSF](#abbr_TSF) to confirm > that the [TSF](#abbr_TSF) operates as specified. > > ::: {.appnote} > [Application Note: ]{.note-header}[The evaluator will test the > [OS](#abbr_OS) on the most current fully patched version of the > platform.]{.note} > ::: > ::: > ::: > > ::: {.activity_pane .hide} > ::: {.activity_pane_header} > [[ Evaluation Activities ]{.activity_pane_label}[]{.toggler}](#) > ::: > > ::: {.activity_pane_body} > ::: {.component-activity-header} > [ATE\_IND.1](#ATE_IND.1) > ::: > > The evaluator will prepare a test plan and report documenting the > testing aspects of the system, including any application crashes during > testing. The evaluator shall determine the root cause of any application > crashes and include that information in the report. The test plan covers > all of the testing actions contained in the [\[CEM\]](#bibCEM) and the > body of this [PP](#abbr_PP)'s Assurance Activities.\ > While it is not necessary to have one test case per test listed in an > Assurance Activity, the evaluator must document in the test plan that > each applicable testing requirement in the [ST](#abbr_ST) is covered. 
> The test plan identifies the platforms to be tested, and for those
> platforms not included in the test plan but included in the
> [ST](#abbr_ST), the test plan provides a justification for not testing
> the platforms. This justification must address the differences between
> the tested platforms and the untested platforms, and make an argument
> that the differences do not affect the testing to be performed. It is
> not sufficient to merely assert that the differences have no effect;
> rationale must be provided. If all platforms claimed in the
> [ST](#abbr_ST) are tested, then no rationale is necessary. The test plan
> describes the composition of each platform to be tested, and any setup
> that is necessary beyond what is contained in the AGD documentation. It
> should be noted that the evaluator is expected to follow the AGD
> documentation for installation and setup of each platform either as part
> of a test or as a standard pre-test condition. This may include special
> test drivers or tools. For each driver or tool, an argument (not just an
> assertion) should be provided that the driver or tool will not adversely
> affect the performance of the functionality by the [OS](#abbr_OS) and
> its platform.\
> This also includes the configuration of the cryptographic engine to be
> used. The cryptographic algorithms implemented by this engine are those
> specified by this [PP](#abbr_PP) and used by the cryptographic protocols
> being evaluated (IPsec, [TLS](#abbr_TLS)). The test plan identifies
> high-level test objectives as well as the test procedures to be followed
> to achieve those objectives. These procedures include expected results.\
> The test report (which could just be an annotated version of the test
> plan) details the activities that took place when the test procedures
> were executed, and includes the actual results of the tests.
This shall > be a cumulative account, so if there was a test run that resulted in a > failure; a fix installed; and then a successful re-run of the test, the > report would show a "fail" and "pass" result (and the supporting > details), and not just the "pass" result. > ::: > ::: > ::: > > ### 8.4.6 Class AVA: Vulnerability Assessment {#ava .indexable data-level="3"} > > For the first generation of this protection profile, the evaluation lab > is expected to survey open sources to discover what vulnerabilities have > been discovered in these types of products. In most cases, these > vulnerabilities will require sophistication beyond that of a basic > attacker. Until penetration tools are created and uniformly distributed > to the evaluation labs, the evaluator will not be expected to test for > these vulnerabilities in the [OS](#abbr_OS). The labs will be expected > to comment on the likelihood of these vulnerabilities given the > documentation provided by the vendor. This information will be used in > the development of penetration testing tools and for the development of > future protection profiles. > > ::: {#AVA_VAN.1 .comp} > #### AVA\_VAN.1 Vulnerability Survey (AVA\_VAN.1) > > #### Developer action elements: > > ::: {.element} > ::: {#AVA_VAN.1.1D .reqid} > [AVA\_VAN.1.1D](#AVA_VAN.1.1D){.abbr} > ::: > > ::: {.reqdesc} > The developer shall provide the [OS](#abbr_OS) for testing. > ::: > ::: > > #### Content and presentation elements: > > ::: {.element} > ::: {#AVA_VAN.1.1C .reqid} > [AVA\_VAN.1.1C](#AVA_VAN.1.1C){.abbr} > ::: > > ::: {.reqdesc} > The [OS](#abbr_OS) shall be suitable for testing. > ::: > ::: > > #### Evaluator action elements: > > ::: {.element} > ::: {#AVA_VAN.1.1E .reqid} > [AVA\_VAN.1.1E](#AVA_VAN.1.1E){.abbr} > ::: > > ::: {.reqdesc} > The evaluator shall confirm that the information provided meets all > requirements for content and presentation of evidence. 
> ::: > ::: > > ::: {.element} > ::: {#AVA_VAN.1.2E .reqid} > [AVA\_VAN.1.2E](#AVA_VAN.1.2E){.abbr} > ::: > > ::: {.reqdesc} > The evaluator shall perform a search of public domain sources to > identify potential vulnerabilities in the [OS](#abbr_OS). > > ::: {.appnote} > [Application Note: ]{.note-header}[Public domain sources include the > Common Vulnerabilities and Exposures (CVE) dictionary for publicly-known > vulnerabilities. Public domain sources also include sites which provide > free checking of files for viruses.]{.note} > ::: > ::: > ::: > > ::: {.element} > ::: {#AVA_VAN.1.3E .reqid} > [AVA\_VAN.1.3E](#AVA_VAN.1.3E){.abbr} > ::: > > ::: {.reqdesc} > The evaluator shall conduct penetration testing, based on the identified > potential vulnerabilities, to determine that the [OS](#abbr_OS) is > resistant to attacks performed by an attacker possessing Basic attack > potential. > ::: > ::: > > ::: {.activity_pane .hide} > ::: {.activity_pane_header} > [[ Evaluation Activities ]{.activity_pane_label}[]{.toggler}](#) > ::: > > ::: {.activity_pane_body} > ::: {.component-activity-header} > [AVA\_VAN.1](#AVA_VAN.1) > ::: > > The evaluator will generate a report to document their findings with > respect to this requirement. This report could physically be part of the > overall test report mentioned in ATE\_IND, or a separate document. The > evaluator performs a search of public information to find > vulnerabilities that have been found in similar applications with a > particular focus on network protocols the application uses and document > formats it parses. The evaluator documents the sources consulted and the > vulnerabilities found in the report.\ > For each vulnerability found, the evaluator either provides a rationale > with respect to its non-applicability, or the evaluator formulates a > test (using the guidelines provided in ATE\_IND) to confirm the > vulnerability, if suitable. 
Suitability is determined by assessing the > attack vector needed to take advantage of the vulnerability. If > exploiting the vulnerability requires expert skills and an electron > microscope, for instance, then a test would not be suitable and an > appropriate justification would be formulated. > ::: > ::: > ::: > > Appendix A - Optional Requirements {#opt-app .indexable data-level="A"} > ================================== > > As indicated in the introduction to this [PP](#abbr_PP), the baseline > requirements (those that must be performed by the [TOE](#abbr_TOE)) are > contained in the body of this [PP](#abbr_PP). This appendix contains > three other types of optional requirements that may be included in the > [ST](#abbr_ST), but are not required in order to conform to this > [PP](#abbr_PP). However, applied modules, packages and/or use cases may > refine specific requirements as mandatory.\ > \ > The first type ([A.1 Strictly Optional > Requirements](#optional-reqs){.dynref}) are strictly optional > requirements that are independent of the [TOE](#abbr_TOE) implementing > any function. If the [TOE](#abbr_TOE) fulfills any of these requirements > or supports a certain functionality, the vendor is encouraged to include > the [SFRs](#abbr_SFR) in the [ST](#abbr_ST), but they are not required in > order to conform to this [PP](#abbr_PP).\ > \ > The second type ([A.2 Objective Requirements](#objective-reqs){.dynref}) > are objective requirements that describe security functionality not yet > widely available in commercial technology. The requirements are not > currently mandated in the body of this [PP](#abbr_PP), but will be > included in the baseline requirements in future versions of this > [PP](#abbr_PP). Adoption by vendors is encouraged and expected as soon > as possible.\ > \ > The third type ([A.3 Implementation-dependent > Requirements](#feat-based-reqs){.dynref}) are dependent on the > [TOE](#abbr_TOE) implementing a particular function. 
If the > [TOE](#abbr_TOE) fulfills any of these requirements, the vendor must > either add the related [SFR](#abbr_SFR) or disable the functionality for > the evaluated configuration. > > A.1 Strictly Optional Requirements {#optional-reqs .indexable data-level="2"} > ---------------------------------- > > ### A.1.1 Security Audit (FAU) {#s-fau-optional .indexable data-level="3"} > > ::: {#FAU_STG.1 .comp} > #### FAU\_STG.1 Protected Audit Trail Storage > > ::: {.element} > ::: {#FAU_STG.1.1 .reqid} > [FAU\_STG.1.1](#FAU_STG.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FAU_STG_EXT.2/LocSpace .comp} > #### FAU\_STG\_EXT.2/LocSpace Protected Audit Event Storage > > ::: {.element} > ::: {#FAU_STG_EXT.2.1/LocSpace .reqid} > [FAU\_STG\_EXT.2.1/LocSpace](#FAU_STG_EXT.2.1/LocSpace){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FAU_STG_EXT.3/LocSpace .comp} > #### FAU\_STG\_EXT.3/LocSpace Action in Case of Possible Audit Data Loss > > ::: {.element} > ::: {#FAU_STG_EXT.3.1/LocSpace .reqid} > [FAU\_STG\_EXT.3.1/LocSpace](#FAU_STG_EXT.3.1/LocSpace){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ### A.1.2 Communication (FCO) {#s-fco-optional .indexable data-level="3"} > > ::: {#FCO_CPC_EXT.1 .comp} > #### FCO\_CPC\_EXT.1 Component Registration Channel Definition > > ::: {.element} > ::: {#FCO_CPC_EXT.1.1 .reqid} > [FCO\_CPC\_EXT.1.1](#FCO_CPC_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ### A.1.3 Cryptographic Support (FCS) {#s-fcs-optional .indexable data-level="3"} > > ::: {#FCS_DTLSC_EXT.2 .comp} > #### FCS\_DTLSC\_EXT.2 
DTLS Client Support for Mutual Authentication > > ::: {.element} > ::: {#FCS_DTLSC_EXT.2.1 .reqid} > [FCS\_DTLSC\_EXT.2.1](#FCS_DTLSC_EXT.2.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_DTLSS_EXT.2 .comp} > #### FCS\_DTLSS\_EXT.2 DTLS Server Support for Mutual Authentication > > ::: {.element} > ::: {#FCS_DTLSS_EXT.2.1 .reqid} > [FCS\_DTLSS\_EXT.2.1](#FCS_DTLSS_EXT.2.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_TLSC_EXT.2 .comp} > #### FCS\_TLSC\_EXT.2 TLS Client Support for Mutual Authentication > > ::: {.element} > ::: {#FCS_TLSC_EXT.2.1 .reqid} > [FCS\_TLSC\_EXT.2.1](#FCS_TLSC_EXT.2.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_TLSS_EXT.2 .comp} > #### FCS\_TLSS\_EXT.2 TLS Server Support for Mutual Authentication > > ::: {.element} > ::: {#FCS_TLSS_EXT.2.1 .reqid} > [FCS\_TLSS\_EXT.2.1](#FCS_TLSS_EXT.2.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ### A.1.4 Identification and Authentication (FIA) {#s-fia-optional .indexable data-level="3"} > > ::: {#FIA_X509_EXT.1/ITT .comp} > #### FIA\_X509\_EXT.1/ITT Certificate Validation > > ::: {.element} > ::: {#FIA_X509_EXT.1.1/ITT .reqid} > [FIA\_X509\_EXT.1.1/ITT](#FIA_X509_EXT.1.1/ITT){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ### A.1.5 Protection of the TSF (FPT) {#s-fpt-optional .indexable data-level="3"} > > ::: {#FPT_ITT.1 .comp} > #### FPT\_ITT.1 Basic internal TSF data transfer protection (Refinement) > > ::: {.element} > ::: {#FPT_ITT.1.1 
.reqid} > [FPT\_ITT.1.1](#FPT_ITT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ### A.1.6 Trusted Channel (FTP\_ITC) {#s-ftp-optional .indexable data-level="3"} > > ::: {#FTP_TRP.1/Join .comp} > #### FTP\_TRP.1/Join Trusted Path (Refinement) > > ::: {.element} > ::: {#FTP_TRP.1.1/Join .reqid} > [FTP\_TRP.1.1/Join](#FTP_TRP.1.1/Join){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > A.2 Objective Requirements {#objective-reqs .indexable data-level="2"} > -------------------------- > > This [PP](#abbr_PP) does not define any Objective requirements. > > A.3 Implementation-dependent Requirements {#feat-based-reqs .indexable data-level="2"} > ----------------------------------------- > > This [PP](#abbr_PP) does not define any Implementation-dependent > requirements. > > Appendix B - Selection-based Requirements {#sel-based-reqs .indexable data-level="A"} > ========================================= > > As indicated in the introduction to this [PP](#abbr_PP), the baseline > requirements (those that must be performed by the [TOE](#abbr_TOE) or > its underlying platform) are contained in the body of this > [PP](#abbr_PP). There are additional requirements based on selections in > the body of the [PP](#abbr_PP): if certain selections are made, then > additional requirements below must be included. 
> > B.1 Security Audit (FAU) {#s-fau-sel-based .indexable data-level="2"} > ------------------------ > > ::: {#FAU_GEN_EXT.1 .comp} > #### FAU\_GEN\_EXT.1 Security Audit Generation > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FAU_GEN_EXT.1.1 .reqid} > [FAU\_GEN\_EXT.1.1](#FAU_GEN_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FAU_STG_EXT.4 .comp} > #### FAU\_STG\_EXT.4 Protected Local Audit Event Storage for Distributed TOEs > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FAU_STG_EXT.4.1 .reqid} > [FAU\_STG\_EXT.4.1](#FAU_STG_EXT.4.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FAU_STG_EXT.5 .comp} > #### FAU\_STG\_EXT.5 Protected Remote Audit Event Storage for Distributed TOEs > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FAU_STG_EXT.5.1 .reqid} > [FAU\_STG\_EXT.5.1](#FAU_STG_EXT.5.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > B.2 Cryptographic Support (FCS) {#s-fcs-sel-based .indexable data-level="2"} > ------------------------------- > > ::: {#FCS_DTLSC_EXT.1 .comp} > #### FCS\_DTLSC\_EXT.1 DTLS Client Support without Authentication > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FCS_DTLSC_EXT.1.1 .reqid} > 
[FCS\_DTLSC\_EXT.1.1](#FCS_DTLSC_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_DTLSS_EXT.1 .comp} > #### FCS\_DTLSS\_EXT.1 DTLS Server Support without Authentication > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FCS_DTLSS_EXT.1.1 .reqid} > [FCS\_DTLSS\_EXT.1.1](#FCS_DTLSS_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_HTTPS_EXT.1 .comp} > #### FCS\_HTTPS\_EXT.1 HTTPS Protocol > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FCS_HTTPS_EXT.1.1 .reqid} > [FCS\_HTTPS\_EXT.1.1](#FCS_HTTPS_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_IPSEC_EXT.1 .comp} > #### FCS\_IPSEC\_EXT.1 IPsec Protocol > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FCS_IPSEC_EXT.1.1 .reqid} > [FCS\_IPSEC\_EXT.1.1](#FCS_IPSEC_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_NTP_EXT.1 .comp} > #### FCS\_NTP\_EXT.1 NTP Protocol > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FCS_NTP_EXT.1.1 .reqid} > [FCS\_NTP\_EXT.1.1](#FCS_NTP_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application 
Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_SSHC_EXT.1 .comp} > #### FCS\_SSHC\_EXT.1 SSH Client Protocol > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FCS_SSHC_EXT.1.1 .reqid} > [FCS\_SSHC\_EXT.1.1](#FCS_SSHC_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_SSHS_EXT.1 .comp} > #### FCS\_SSHS\_EXT.1 SSH Server Protocol > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FCS_SSHS_EXT.1.1 .reqid} > [FCS\_SSHS\_EXT.1.1](#FCS_SSHS_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_TLSC_EXT.1 .comp} > #### FCS\_TLSC\_EXT.1 TLS Client Protocol > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FCS_TLSC_EXT.1.1 .reqid} > [FCS\_TLSC\_EXT.1.1](#FCS_TLSC_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FCS_TLSS_EXT.1 .comp} > #### FCS\_TLSS\_EXT.1 TLS Server Protocol > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FCS_TLSS_EXT.1.1 .reqid} > [FCS\_TLSS\_EXT.1.1](#FCS_TLSS_EXT.1.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > B.3 Identification and Authentication (FIA) {#s-fia-sel-based .indexable data-level="2"} > 
------------------------------------------- > > ::: {#FIA_X509_EXT.1/Rev .comp} > #### FIA\_X509\_EXT.1/Rev X.509 Certificate Validation > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FIA_X509_EXT.1.1/Rev .reqid} > [FIA\_X509\_EXT.1.1/Rev](#FIA_X509_EXT.1.1/Rev){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FIA_X509_EXT.2 .comp} > #### FIA\_X509\_EXT.2 X.509 Certificate Authentication > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FIA_X509_EXT.2.1 .reqid} > [FIA\_X509\_EXT.2.1](#FIA_X509_EXT.2.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FIA_X509_EXT.3 .comp} > #### FIA\_X509\_EXT.3 X.509 Certificate Requests > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FIA_X509_EXT.3.1 .reqid} > [FIA\_X509\_EXT.3.1](#FIA_X509_EXT.3.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > B.4 Security Management (FMT) {#s-fmt-sel-based .indexable data-level="2"} > ----------------------------- > > ::: {#FMT_MOF.1/Services .comp} > #### FMT\_MOF.1/Services Management of Security Functions Behaviour > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FMT_MOF.1.1/Services .reqid} > [FMT\_MOF.1.1/Services](#FMT_MOF.1.1/Services){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall 
> > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FMT_MOF.1/AutoUpdate .comp} > #### FMT\_MOF.1/AutoUpdate Management of Security Functions Behaviour > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FMT_MOF.1.1/AutoUpdate .reqid} > [FMT\_MOF.1.1/AutoUpdate](#FMT_MOF.1.1/AutoUpdate){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FMT_MOF.1/Functions .comp} > #### FMT\_MOF.1/Functions Management of Security Functions Behaviour > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FMT_MOF.1.1/Functions .reqid} > [FMT\_MOF.1.1/Functions](#FMT_MOF.1.1/Functions){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > ::: {#FMT_MTD.1/CryptoKeys .comp} > #### FMT\_MTD.1/CryptoKeys Management of TSF Data > > ::: {.statustag} > ::: > > ::: {.element} > ::: {#FMT_MTD.1.1/CryptoKeys .reqid} > [FMT\_MTD.1.1/CryptoKeys](#FMT_MTD.1.1/CryptoKeys){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: {.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > B.5 Protection of the TSF (FPT) {#s-fpt-sel-based .indexable data-level="2"} > ------------------------------- > > ::: {#FPT_TUD_EXT.2 .comp} > #### FPT\_TUD\_EXT.2 Trusted Update Based on Certificates > > ::: {.statustag} > ***The inclusion of this selection-based component depends upon > selection in [FAU\_GEN.1.1](#FAU_GEN.1.1).*** > ::: > > ::: {.element} > ::: {#FPT_TUD_EXT.2.1 .reqid} > [FPT\_TUD\_EXT.2.1](#FPT_TUD_EXT.2.1){.abbr} > ::: > > ::: {.reqdesc} > The [TOE](#abbr_TOE) shall > > ::: 
{.appnote} > [Application Note: ]{.note-header}[]{.note} > ::: > ::: > ::: > ::: > > Appendix C - Entropy Documentation and Assessment {#satisfiedreqs .indexable data-level="A"} > ================================================= > > blah > > Appendix D - Glossary {#a-glossary .indexable data-level="A"} > ===================== > > ::: {.no-link} > D.1 Terms {#glossary .indexable data-level="2"} > --------- > > The following sections list Common Criteria and technology terms used in > this document. > > ### D.1.1 Common Criteria Terms {#cc-terms .indexable data-level="3"} > > +-----------------------------------+-----------------------------------+ > | ::: {#Assurance} | Grounds for confidence that a TOE | > | Assurance | meets the SFRs [\[CC\]](#bibCC). | > | ::: | | > +-----------------------------------+-----------------------------------+ > | ::: {#Base_Protection_Profile} | Protection Profile used as a | > | Base Protection Profile (Base-PP) | basis to build a | > | ::: | PP-Configuration. | > +-----------------------------------+-----------------------------------+ > | ::: {#Collaborative_Protection_Pr | A Protection Profile developed by | > | ofile} | international technical | > | Collaborative Protection Profile | communities and approved by | > | (cPP) | multiple schemes. | > | ::: | | > +-----------------------------------+-----------------------------------+ > | ::: {#Common_Criteria} | Common Criteria for Information | > | Common Criteria (CC) | Technology Security Evaluation | > | ::: | (International Standard ISO/IEC | > | | 15408). 
| > +-----------------------------------+-----------------------------------+ > | ::: {#Common_Criteria_Testing_Lab | Within the context of the Common | > | oratory} | Criteria Evaluation and | > | Common Criteria Testing | Validation Scheme (CCEVS), an IT | > | Laboratory | security evaluation facility | > | ::: | accredited by the National | > | | Voluntary Laboratory | > | | Accreditation Program (NVLAP) and | > | | approved by the NIAP Validation | > | | Body to conduct Common | > | | Criteria-based evaluations. | > +-----------------------------------+-----------------------------------+ > | ::: {#Common_Evaluation_Methodolo | Common Evaluation Methodology for | > | gy} | Information Technology Security | > | Common Evaluation Methodology | Evaluation. | > | (CEM) | | > | ::: | | > +-----------------------------------+-----------------------------------+ > | ::: {#Distributed_TOE} | A TOE composed of multiple | > | Distributed TOE | components operating as a logical | > | ::: | whole. | > +-----------------------------------+-----------------------------------+ > | ::: {#Extended_Package} | A deprecated document form for | > | Extended Package (EP) | collecting SFRs that implement a | > | ::: | particular protocol, technology, | > | | or functionality. See Functional | > | | Packages. | > +-----------------------------------+-----------------------------------+ > | ::: {#Functional_Package} | A document that collects SFRs for | > | Functional Package (FP) | a particular protocol, | > | ::: | technology, or functionality. | > +-----------------------------------+-----------------------------------+ > | ::: {#Operational_Environment} | Hardware and software that are | > | Operational Environment (OE) | outside the TOE boundary that | > | ::: | support the TOE functionality and | > | | security policy. 
| > +-----------------------------------+-----------------------------------+ > | ::: {#Protection_Profile} | An implementation-independent set | > | Protection Profile (PP) | of security requirements for a | > | ::: | category of products. | > +-----------------------------------+-----------------------------------+ > | ::: {#Protection_Profile_Configur | A comprehensive set of security | > | ation} | requirements for a product type | > | Protection Profile Configuration | that consists of at least one | > | (PP-Configuration) | Base-PP and at least one | > | ::: | PP-Module. | > +-----------------------------------+-----------------------------------+ > | ::: {#Protection_Profile_Module} | An implementation-independent | > | Protection Profile Module | statement of security needs for a | > | (PP-Module) | TOE type complementary to one or | > | ::: | more Base-PPs. | > +-----------------------------------+-----------------------------------+ > | ::: {#Security_Assurance_Requirem | A requirement to assure the | > | ent} | security of the TOE. | > | Security Assurance Requirement | | > | (SAR) | | > | ::: | | > +-----------------------------------+-----------------------------------+ > | ::: {#Security_Functional_Require | A requirement for security | > | ment} | enforcement by the TOE. | > | Security Functional Requirement | | > | (SFR) | | > | ::: | | > +-----------------------------------+-----------------------------------+ > | ::: {#Security_Target} | A set of implementation-dependent | > | Security Target (ST) | security requirements for a | > | ::: | specific product. | > +-----------------------------------+-----------------------------------+ > | ::: {#Target_of_Evaluation} | The product under evaluation. 
| > | Target of Evaluation (TOE) | | > | ::: | | > +-----------------------------------+-----------------------------------+ > | ::: {#TOE_Security_Functionality} | The security functionality of the | > | TOE Security Functionality (TSF) | product under evaluation. | > | ::: | | > +-----------------------------------+-----------------------------------+ > | ::: {#TOE_Summary_Specification} | A description of how a TOE | > | TOE Summary Specification (TSS) | satisfies the SFRs in an ST. | > | ::: | | > +-----------------------------------+-----------------------------------+ > > ### D.1.2 Technical Terms {#tech-terms .indexable data-level="3"} > > +-----------------------------------+-----------------------------------+ > | ::: {#Address_Space_Layout_Random | An anti-exploitation feature | > | ization} | which loads memory mappings into | > | Address Space Layout | unpredictable locations. ASLR | > | Randomization (ASLR) | makes it more difficult for an | > | ::: | attacker to redirect control to | > | | code that they have introduced | > | | into the address space of a | > | | process. | > +-----------------------------------+-----------------------------------+ > | ::: {#Administrator} | An administrator is responsible | > | Administrator | for management activities, | > | ::: | including setting policies that | > | | are applied by the enterprise on | > | | the operating system. This | > | | administrator could be acting | > | | remotely through a management | > | | server, from which the system | > | | receives configuration policies. | > | | An administrator can enforce | > | | settings on the system which | > | | cannot be overridden by | > | | non-administrator users. 
| > +-----------------------------------+-----------------------------------+ > | ::: {#Application} | Software that runs on a platform | > | Application (app) | and performs tasks on behalf of | > | ::: | the user or owner of the | > | | platform, as well as its | > | | supporting documentation. | > +-----------------------------------+-----------------------------------+ > | ::: {#Application_Programming_Int | A specification of routines, data | > | erface} | structures, object classes, and | > | Application Programming Interface | variables that allows an | > | (API) | application to make use of | > | ::: | services provided by another | > | | software component, such as a | > | | library. APIs are often provided | > | | for a set of libraries included | > | | with the platform. | > +-----------------------------------+-----------------------------------+ > | ::: {#Credential} | Data that establishes the | > | Credential | identity of a user, e.g. a | > | ::: | cryptographic key or password. | > +-----------------------------------+-----------------------------------+ > | ::: {#Critical_Security_Parameter | Information that is either user | > | s} | or system defined and is used to | > | Critical Security Parameters | operate a cryptographic module in | > | (CSP) | processing encryption functions | > | ::: | including cryptographic keys and | > | | authentication data, such as | > | | passwords, the disclosure or | > | | modification of which can | > | | compromise the security of a | > | | cryptographic module or the | > | | security of the information | > | | protected by the module. | > +-----------------------------------+-----------------------------------+ > | ::: {#DAR_Protection} | Countermeasures that prevent | > | DAR Protection | attackers, even those with | > | ::: | physical access, from extracting | > | | data from non-volatile storage. | > | | Common techniques include data | > | | encryption and wiping. 
| > +-----------------------------------+-----------------------------------+ > | ::: {#Data_Execution_Prevention} | An anti-exploitation feature of | > | Data Execution Prevention (DEP) | modern operating systems | > | ::: | executing on modern computer | > | | hardware, which enforces a | > | | non-execute permission on pages | > | | of memory. DEP prevents pages of | > | | memory from containing both data | > | | and instructions, which makes it | > | | more difficult for an attacker to | > | | introduce and execute code. | > +-----------------------------------+-----------------------------------+ > | ::: {#Developer} | An entity that writes OS | > | Developer | software. For the purposes of | > | ::: | this document, vendors and | > | | developers are the same. | > +-----------------------------------+-----------------------------------+ > | ::: {#General_Purpose_Operating_S | A class of OSes designed to | > | ystem} | support a wide variety of | > | General Purpose Operating System | workloads consisting of many | > | ::: | concurrent applications or | > | | services. Typical characteristics | > | | for OSes in this class include | > | | support for third-party | > | | applications, support for | > | | multiple users, and security | > | | separation between users and | > | | their respective resources. | > | | General Purpose Operating Systems | > | | also lack the real-time | > | | constraint that defines Real Time | > | | Operating Systems (RTOS). RTOSes | > | | typically power routers, | > | | switches, and embedded devices. | > +-----------------------------------+-----------------------------------+ > | ::: {#Host-based_Firewall} | A software-based firewall | > | Host-based Firewall | implementation running on the OS | > | ::: | for filtering inbound and | > | | outbound network traffic to and | > | | from processes running on the OS. 
| > +-----------------------------------+-----------------------------------+ > | ::: {#Operating_System} | Software that manages physical | > | Operating System (OS) | and logical resources and | > | ::: | provides services for | > | | applications. The terms *TOE* and | > | | *OS* are interchangeable in this | > | | document. | > +-----------------------------------+-----------------------------------+ > | ::: {#Personally_Identifiable_Inf | Any information about an | > | ormation} | individual maintained by an | > | Personally Identifiable | agency, including, but not | > | Information (PII) | limited to, education, financial | > | ::: | transactions, medical history, | > | | and criminal or employment | > | | history and information which can | > | | be used to distinguish or trace | > | | an individual\'s identity, such | > | | as their name, social security | > | | number, date and place of birth, | > | | mother\'s maiden name, biometric | > | | records, etc., including any | > | | other personal information which | > | | is linked or linkable to an | > | | individual.[\[OMB\]](#bibOMB) | > +-----------------------------------+-----------------------------------+ > | ::: {#Sensitive_Data} | Sensitive data may include all | > | Sensitive Data | user or enterprise data or may be | > | ::: | specific application data such as | > | | PII, emails, messaging, | > | | documents, calendar items, and | > | | contacts. Sensitive data must | > | | minimally include credentials and | > | | keys. Sensitive data shall be | > | | identified in the OS\'s TSS by | > | | the ST author. | > +-----------------------------------+-----------------------------------+ > | ::: {#User} | A user is subject to | > | User | configuration policies applied to | > | ::: | the operating system by | > | | administrators. On some systems | > | | under certain configurations, a | > | | normal user can temporarily | > | | elevate privileges to that of an | > | | administrator. 
At that time, such | > | | a user should be considered an | > | | administrator. | > +-----------------------------------+-----------------------------------+ > | ::: {#Virtual_Machine} | Blah Blah Blah | > | Virtual Machine (VM) | | > | ::: | | > +-----------------------------------+-----------------------------------+ > ::: > > Appendix E - Acronyms {#acronyms .indexable data-level="A"} > ===================== > > Acronym Meanin > ---------------------------------------------------------------------------- ------ > [[AES](#abbr_AES)]{#abbr_AES .term} [Advan > [[API](#abbr_API)]{#abbr_API .term} [Appli > [[API](#abbr_API)]{#abbr_API .term} [Appli > [[ASLR](#abbr_ASLR)]{#abbr_ASLR .term} [Addre > [[Base-PP](#abbr_Base-PP)]{#abbr_Base-PP .term data-plural="Base-PPs"} [Base > [[CC](#abbr_CC)]{#abbr_CC .term} [Commo > [[CEM](#abbr_CEM)]{#abbr_CEM .term} [Commo > [[CESG](#abbr_CESG)]{#abbr_CESG .term} [Commu > [[CMC](#abbr_CMC)]{#abbr_CMC .term} [Certi > [[CMS](#abbr_CMS)]{#abbr_CMS .term} [Crypt > [[CN](#abbr_CN)]{#abbr_CN .term} [Commo > [[CRL](#abbr_CRL)]{#abbr_CRL .term} [Certi > [[CSA](#abbr_CSA)]{#abbr_CSA .term} [Compu > [[CSP](#abbr_CSP)]{#abbr_CSP .term} [Criti > [[DAR](#abbr_DAR)]{#abbr_DAR .term} [Data > [[DEP](#abbr_DEP)]{#abbr_DEP .term} [Data > [[DES](#abbr_DES)]{#abbr_DES .term} [Data > [[DHE](#abbr_DHE)]{#abbr_DHE .term} [Diffi > [[DNS](#abbr_DNS)]{#abbr_DNS .term} [Domai > [[DRBG](#abbr_DRBG)]{#abbr_DRBG .term} [Deter > [[DSS](#abbr_DSS)]{#abbr_DSS .term} [Digit > [[DSS](#abbr_DSS)]{#abbr_DSS .term} [Digit > [[DT](#abbr_DT)]{#abbr_DT .term} [Date/ > [[DTLS](#abbr_DTLS)]{#abbr_DTLS .term} [Datag > [[EAP](#abbr_EAP)]{#abbr_EAP .term} [Exten > [[ECDHE](#abbr_ECDHE)]{#abbr_ECDHE .term} [Ellip > [[ECDSA](#abbr_ECDSA)]{#abbr_ECDSA .term} [Ellip > [[EP](#abbr_EP)]{#abbr_EP .term} [Exten > [[EST](#abbr_EST)]{#abbr_EST .term} [Enrol > [[FIPS](#abbr_FIPS)]{#abbr_FIPS .term} [Feder > [[FP](#abbr_FP)]{#abbr_FP .term} [Funct > [[HMAC](#abbr_HMAC)]{#abbr_HMAC .term} 
[Hash- > [[HTTP](#abbr_HTTP)]{#abbr_HTTP .term} [Hyper > [[HTTPS](#abbr_HTTPS)]{#abbr_HTTPS .term} [Hyper > [[IETF](#abbr_IETF)]{#abbr_IETF .term} [Inter > [[IP](#abbr_IP)]{#abbr_IP .term} [Inter > [[ISO](#abbr_ISO)]{#abbr_ISO .term} [Inter > [[IT](#abbr_IT)]{#abbr_IT .term} [Infor > [[ITSEF](#abbr_ITSEF)]{#abbr_ITSEF .term} [Infor > [[NIAP](#abbr_NIAP)]{#abbr_NIAP .term} [Natio > [[NIST](#abbr_NIST)]{#abbr_NIST .term} [Natio > [[OCSP](#abbr_OCSP)]{#abbr_OCSP .term} [Onlin > [[OE](#abbr_OE)]{#abbr_OE .term} [Opera > [[OID](#abbr_OID)]{#abbr_OID .term} [Objec > [[OMB](#abbr_OMB)]{#abbr_OMB .term} [Offic > [[OS](#abbr_OS)]{#abbr_OS .term data-plural="OSes"} [Opera > [[PII](#abbr_PII)]{#abbr_PII .term} [Perso > [[PKI](#abbr_PKI)]{#abbr_PKI .term} [Publi > [[PP](#abbr_PP)]{#abbr_PP .term} [Prote > [[PP](#abbr_PP)]{#abbr_PP .term data-plural="PPs"} [Prote > [[PP-Configuration](#abbr_PP-Configuration)]{#abbr_PP-Configuration .term} [Prote > [[PP-Module](#abbr_PP-Module)]{#abbr_PP-Module .term} [Prote > [[RBG](#abbr_RBG)]{#abbr_RBG .term} [Rando > [[RFC](#abbr_RFC)]{#abbr_RFC .term} [Reque > [[RNG](#abbr_RNG)]{#abbr_RNG .term} [Rando > [[RNGVS](#abbr_RNGVS)]{#abbr_RNGVS .term} [Rando > [[S/MIME](#abbr_S/MIME)]{#abbr_S/MIME .term} [Secur > [[SAN](#abbr_SAN)]{#abbr_SAN .term} [Subje > [[SAR](#abbr_SAR)]{#abbr_SAR .term data-plural="SARs"} [Secur > [[SFR](#abbr_SFR)]{#abbr_SFR .term data-plural="SFRs"} [Secur > [[SHA](#abbr_SHA)]{#abbr_SHA .term} [Secur > [[SIP](#abbr_SIP)]{#abbr_SIP .term} [Sessi > [[ST](#abbr_ST)]{#abbr_ST .term data-plural="STs"} [Secur > [[SWID](#abbr_SWID)]{#abbr_SWID .term} [Softw > [[TLS](#abbr_TLS)]{#abbr_TLS .term} [Trans > [[TOE](#abbr_TOE)]{#abbr_TOE .term data-plural="TOEs"} [Targe > [[TSF](#abbr_TSF)]{#abbr_TSF .term} [[TOE] > [[TSFI](#abbr_TSFI)]{#abbr_TSFI .term data-plural="TSFIs"} [[TSF] > [[TSS](#abbr_TSS)]{#abbr_TSS .term} [[TOE] > [[URI](#abbr_URI)]{#abbr_URI .term} [Unifo > [[URL](#abbr_URL)]{#abbr_URL .term} [Unifo > 
[[USB](#abbr_USB)]{#abbr_USB .term} [Unive > [[VM](#abbr_VM)]{#abbr_VM .term} [Virtu > [[XCCDF](#abbr_XCCDF)]{#abbr_XCCDF .term} [eXten > [[XOR](#abbr_XOR)]{#abbr_XOR .term} [Exclu > [[app](#abbr_app)]{#abbr_app .term} [Appli > [[cPP](#abbr_cPP)]{#abbr_cPP .term data-plural="cPPs"} [Colla > > Appendix F - Bibliography {#appendix-bibliography .indexable data-level="A"} > ========================= > > +-----------------------------------+-----------------------------------+ > | Identifier | Title | > +===================================+===================================+ > | [\[[CC](#abbr_CC)\]]{#bibCC} | Common Criteria for Information | > | | Technology Security Evaluation - | > | | | > | | - [Part 1: Introduction and | > | | General | > | | Model](http://www.commoncrite | > | | riaportal.org/files/ccfiles/CCPAR | > | | T1V3.1R5.pdf), | > | | CCMB-2017-04-001, Version 3.1 | > | | Revision 5, April 2017. | > | | - [Part 2: Security Functional | > | | Components](http://www.common | > | | criteriaportal.org/files/ccfiles/ | > | | CCPART2V3.1R5.pdf), | > | | CCMB-2017-04-002, Version 3.1 | > | | Revision 5, April 2017. | > | | - [Part 3: Security Assurance | > | | Components](http://www.common | > | | criteriaportal.org/files/ccfiles/ | > | | CCPART3V3.1R5.pdf), | > | | CCMB-2017-04-003, Version 3.1 | > | | Revision 5, April 2017. | > +-----------------------------------+-----------------------------------+ > | [\[[CEM](#abbr_CEM)\]]{#bibCEM} | [Common Evaluation Methodology | > | | for Information Technology | > | | Security - Evaluation | > | | Methodology](http://www.commoncri | > | | teriaportal.org/files/ccfiles/CEM | > | | V3.1R4.pdf), | > | | CCMB-2012-09-004, Version 3.1, | > | | Revision 4, September 2012. 
| > +-----------------------------------+-----------------------------------+ > | [\[[CESG](#abbr_CESG)\]]{#bibCESG | [CESG](#abbr_CESG) - [End User | > | } | Devices Security and | > | | Configuration | > | | Guidance](https://www.gov.uk/gove | > | | rnment/collections/end-user-devic | > | | es-security-guidance) | > +-----------------------------------+-----------------------------------+ > | [\[[CSA](#abbr_CSA)\]]{#bibCSA} | [Computer Security Act of | > | | 1987](http://csrc.nist.gov/groups | > | | /SMA/ispab/documents/csa_87.txt), | > | | H.R. 145, June 11, 1987. | > +-----------------------------------+-----------------------------------+ > | [\[[OMB](#abbr_OMB)\]]{#bibOMB} | [Reporting Incidents Involving | > | | Personally Identifiable | > | | Information and Incorporating the | > | | Cost for Security in Agency | > | | Information Technology | > | | Investments](http://www.whitehous | > | | e.gov/sites/default/files/omb/mem | > | | oranda/fy2006/m06-19.pdf), | > | | [OMB](#abbr_OMB) M-06-19, July | > | | 12, 2006. | > +-----------------------------------+-----------------------------------+