Security Target: McAfee Policy Auditor 6.2 and McAfee ePolicy Orchestrator 5.1.3
Document Version 1.7
© McAfee
January 5, 2016


Prepared For:
Intel Corporation
2821 Mission College Blvd.
Santa Clara, CA 95054
www.mcafee.com

Prepared By:
Aeson Strategy
3002-1372 Seymour Street
Vancouver, BC V6B 0L1
www.aesonstrategy.com

Abstract

This document provides the basis for an evaluation of a specific Target of Evaluation (TOE), the Policy Auditor 6.2 and McAfee ePolicy Orchestrator 5.1.3. This Security Target (ST) defines a set of assumptions about the aspects of the environment, a list of threats that the product intends to counter, a set of security objectives, a set of security requirements and the IT security functions provided by the TOE which meet the set of requirements.

Table of Contents

1 Introduction .... 6
1.1 ST Reference .... 6
1.2 TOE Reference .... 6
1.3 Document Organization .... 6
1.4 Document Conventions .... 7
1.5 Document Terminology .... 7
1.6 TOE Overview .... 8
1.7 TOE Description .... 10
1.7.1 Physical Boundary .... 10
1.7.2 Hardware and Software Supplied by the IT Environment .... 12
1.7.3 Logical Boundary .... 13
1.7.4 TOE Data .... 14
1.8 Rationale for Non-bypassability and Separation of the TOE .... 16
2 Conformance Claims .... 17
2.1 Common Criteria Conformance Claim .... 17
2.2 Protection Profile Conformance Claim .... 17
3 Security Problem Definition .... 18
3.1 Threats .... 18
3.2 Organizational Security Policies .... 19
3.3 Assumptions .... 19
4 Security Objectives .... 21
4.1 Security Objectives for the TOE .... 21
4.2 Security Objectives for the Operational Environment .... 21
4.3 Security Objectives Rationale .... 22
5 Extended Components Definition .... 28
5.1 IDS Class of SFRs .... 28
5.1.1 IDS_SDC.1 System Data Collection .... 28
5.1.2 IDS_ANL.1 Analyzer Analysis .... 30
5.1.3 IDS_RDR.1 Restricted Data Review (EXT) .... 30
5.1.4 IDS_STG.1 Guarantee of System Data Availability .... 31
6 Security Requirements .... 33
6.1 Security Functional Requirements .... 33
6.1.1 Security Audit (FAU) .... 33
6.1.2 Class FCS: Cryptographic Support .... 36
6.1.3 Identification and Authentication (FIA) .... 37
6.1.4 Security Management (FMT) .... 38
6.1.5 Protection of the TSF (FPT) .... 41
6.1.6 IDS Component Requirements (IDS) .... 42
6.2 Security Assurance Requirements .... 44
6.3 CC Component Hierarchies and Dependencies .... 44
6.4 Security Requirements Rationale .... 45
6.4.1 Security Functional Requirements for the TOE .... 45
6.4.2 Security Assurance Requirements .... 48
6.5 TOE Summary Specification Rationale .... 49
7 TOE Summary Specification .... 53
7.1 Policy Audits .... 53
7.2 Cryptographic Support .... 56
7.3 Identification & Authentication .... 57
7.4 Management .... 57
7.4.1 ePO User Account Management .... 58
7.4.2 Permission Set Management .... 58
7.4.3 Audit Log Management .... 59
7.4.4 Policy Audit Event Log Management .... 59
7.4.5 Event Filtering Management .... 59
7.4.6 System Tree Management .... 59
7.4.7 Tag Management .... 60
7.4.8 Product Policy Management .... 61
7.4.9 Query Management .... 62
7.4.10 Dashboard Management .... 62
7.4.11 Benchmark Management .... 62
7.4.12 Policy Auditor Management .... 63
7.4.13 Policy Audit Management .... 64
7.4.14 Waiver Management .... 65
7.4.15 File Integrity Management .... 65
7.5 Audit .... 66
7.6 System Information Import .... 66
7.6.1 SCAP Data Exchange .... 67

List of Tables

Table 1 – ST Organization and Section Descriptions .... 6
Table 2 – Terms and Acronyms Used in Security Target .... 8
Table 3 – Evaluated Configuration for the TOE .... 11
Table 4 – Management System Component Requirements .... 13
Table 5 – Supported Agent Platforms .... 13
Table 6 – Agent Platform Hardware Requirements .... 13
Table 7 – Logical Boundary Descriptions .... 14
Table 8 – TOE Data (Legend: AD = Authentication data; UA = User attribute; GE = Generic Information) .... 16
Table 9 – Threats Addressed by the TOE .... 18
Table 10 – Organizational Security Policies .... 19
Table 11 – Assumptions .... 20
Table 12 – TOE Security Objectives .... 21
Table 13 – Operational Environment Security Objectives .... 22
Table 14 – Mapping of Assumptions, Threats, and OSPs to Security Objectives .... 23
Table 15 – Rationale for Mapping of Threats, Policies, and Assumptions to Objectives .... 27
Table 16 – System Data Collection Events and Details .... 29
Table 17 – TOE Functional Components .... 33
Table 18 – Audit Events and Details .... 35
Table 20 – TSF Data Access Permissions .... 40
Table 21 – System Data Collection Events and Details .... 42
Table 22 – Security Assurance Requirements at EAL2 .... 44
Table 23 – TOE SFR Dependency Rationale .... 45
Table 24 – Mapping of TOE SFRs to Security Objectives .... 46
Table 25 – Rationale for Mapping of TOE SFRs to Objectives .... 48
Table 26 – Security Assurance Measures .... 49
Table 27 – SFR to TOE Security Functions Mapping .... 50
Table 28 – SFR to TSF Rationale .... 52
Table 29 – Cryptographic support .... 56

List of Figures

Figure 1 – TOE Boundary .... 11
Figure 2 – Benchmark Structure .... 53

1 Introduction

This section identifies the Security Target (ST), Target of Evaluation (TOE), Security Target organization, document conventions, and terminology. It also includes an overview of the evaluated product.

1.1 ST Reference

ST Title: Security Target: McAfee Policy Auditor 6.2 and McAfee ePolicy Orchestrator 5.1.3
ST Revision: 1.7
ST Publication Date: January 5, 2016
Author: Aeson Strategy

1.2 TOE Reference

TOE Reference: McAfee Policy Auditor 6.2 and McAfee ePolicy Orchestrator 5.1.3
TOE Type: Security Management

1.3 Document Organization

This Security Target is organized as follows:

SECTION  TITLE  DESCRIPTION
1  Introduction  Provides an overview of the TOE and defines the hardware and software that make up the TOE as well as the physical and logical boundaries of the TOE
2  Conformance Claims  Lists evaluation conformance to Common Criteria versions, Protection Profiles, or Packages where applicable
3  Security Problem Definition  Specifies the threats, assumptions and organizational security policies that affect the TOE
4  Security Objectives  Defines the security objectives for the TOE/operational environment and provides a rationale to demonstrate that the security objectives satisfy the threats
5  Extended Components Definition  Describes extended components of the evaluation
6  Security Requirements  Contains the functional and assurance requirements for this TOE
7  TOE Summary Specification  Identifies the IT security functions provided by the TOE and also identifies the assurance measures targeted to meet the assurance requirements.

Table 1 – ST Organization and Section Descriptions

1.4 Document Conventions

The notation, formatting, and conventions used in this Security Target are consistent with those used in Version 3.1, Revision 4 of the Common Criteria. Selected presentation choices are discussed here to aid the Security Target reader. The Common Criteria allows several operations to be performed on functional requirements: the allowable operations defined in Part 2 of the Common Criteria are refinement, selection, assignment and iteration.

• The assignment operation is used to assign a specific value to an unspecified parameter, such as the length of a password. An assignment operation is indicated by italicized text.

• The refinement operation is used to add detail to a requirement, and thus further restricts a requirement. Refinement of security requirements is denoted by bold text. Any text removed is indicated with a strikethrough format (Example: TSF).

• The selection operation is picking one or more items from a list in order to narrow the scope of a component element. Selections are denoted by underlined text.

• Iterated functional and assurance requirements are given unique identifiers by appending to the base requirement identifier from the Common Criteria an iteration number inside parenthesis, for example, FIA_UAU.1.1 (1) and FIA_UAU.1.1 (2) refer to separate instances of the FIA_UAU.1 security functional requirement component.

Outside the SFRs, italicized text is used for both official document titles and text meant to be emphasized more than plain text.

1.5 Document Terminology

The following table (1) describes the terms and acronyms used in this document:

TERM  DEFINITION
AD  Active Directory
CC  Common Criteria version 3.1, R4 (ISO/IEC 15408)
CPU  Central Processing Unit
DBMS  Data Base Management System
DNS  Domain Name System
DSS  Data Security Standard
EAL  Evaluation Assurance Level
ePO  ePolicy Orchestrator
FDCC  Federal Desktop Core Configuration
FISMA  Federal Information Security Management Act
GUI  Graphical User Interface
HIPAA  Health Insurance Portability and Accountability Act
I&A  Identification & Authentication
IDS  Intrusion Detection System
IIS  Internet Information Services
IP  Internet Protocol
IT  Information Technology
JDBC  Java Data Base Connectivity
LDAP  Lightweight Directory Access Protocol
MAC  Media Access Control
MDAC  Microsoft Data Access Components
MSDE  MS Data Engine
NTFS  New Technology File System
NTP  Network Time Protocol
OEM  Original Equipment Manufacturer
OS  Operating System
OSP  Organizational Security Policy
OVAL  Open Vulnerability Assessment Language
PCI  Payment Card Industry
PDC  Primary Domain Controller
PP  Protection Profile
RAM  Random Access Memory
SCAP  Security Content Automation Protocol
SF  Security Function
SFP  Security Function Policy
SFR  Security Functional Requirement
SMTP  Simple Mail Transfer Protocol
SNMP  Simple Network Management Protocol
SOF  Strength Of Function
SP  Service Pack
SQL  Structured Query Language
SSL  Secure Socket Layer
ST  Security Target
TOE  Target of Evaluation
TSC  TOE Scope of Control
TSF  TOE Security Function
TSP  TOE Security Policy
VGA  Video Graphics Array
XCCDF  eXtensible Configuration Checklist Description Format
XML  eXtensible Markup Language

Table 2 – Terms and Acronyms Used in Security Target

(1) Derived from the IDS PP

1.6 TOE Overview

McAfee Policy Auditor 6.2 is an agent-based, purpose-built IT policy audit solution that leverages the XCCDF (version 1.2) and OVAL (version 5.10 and earlier) security standards to automate the processes required for internal and external IT audits. McAfee Policy Auditor evaluates the status of managed systems relative to audits that contain benchmarks. Benchmarks contain rules that describe the desired state of a managed system. Benchmarks are distributed with the TOE or imported into McAfee Benchmark Editor and, once activated, can be used by Policy Auditor. Benchmarks are written in the open-source XML standard formats Extensible Configuration Checklist Description Format (XCCDF) and the Open Vulnerability Assessment Language (OVAL). XCCDF describes what to check while OVAL specifies how to perform the check.
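To make the XCCDF/OVAL division of labour concrete, here is an added example (not code from McAfee or the TOE): it parses a small constructed XCCDF 1.2 benchmark whose rules point at OVAL definitions, joins them to a constructed OVAL results document, and turns the per-rule outcomes into a score compared against a fail threshold of the kind this ST later lists as the Maximum Low Score. The namespace URIs are the standard ones; the flat scoring rule and the threshold comparison are assumptions.

```python
"""Join XCCDF rules with the OVAL results they reference and score a system.

Added example, not McAfee code. Benchmark and OVAL results are constructed
test data; the flat scoring rule and the pass/fail threshold are assumptions.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_RES_NS = "http://oval.mitre.org/XMLSchema/oval-results-5"

# Constructed benchmark: XCCDF states WHAT to check (rules and weights) and
# points each rule at the OVAL definition that states HOW to check it.
BENCHMARK_XML = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_ws2012">
  <Rule id="xccdf_example_rule_min_pw_len" severity="medium" weight="1.0">
    <check system="{OVAL_DEF_NS}">
      <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
    </check>
  </Rule>
  <Rule id="xccdf_example_rule_lockout" severity="high" weight="2.0">
    <check system="{OVAL_DEF_NS}">
      <check-content-ref href="example-oval.xml" name="oval:example:def:2"/>
    </check>
  </Rule>
  <Rule id="xccdf_example_rule_guest_disabled" severity="low" weight="1.0">
    <check system="{OVAL_DEF_NS}">
      <check-content-ref href="example-oval.xml" name="oval:example:def:3"/>
    </check>
  </Rule>
</Benchmark>
"""

# Constructed OVAL results, as an agent-side checker would report them.
OVAL_RESULTS_XML = f"""<?xml version="1.0"?>
<oval_results xmlns="{OVAL_RES_NS}">
  <results><system><definitions>
    <definition definition_id="oval:example:def:1" result="true"/>
    <definition definition_id="oval:example:def:2" result="false"/>
    <definition definition_id="oval:example:def:3" result="true"/>
  </definitions></system></results>
</oval_results>
"""

# OVAL definition result -> XCCDF rule result; results that are not scored.
OVAL_TO_XCCDF = {"true": "pass", "false": "fail", "error": "error", "unknown": "unknown",
                 "not applicable": "notapplicable", "not evaluated": "notchecked"}
NOT_SCORED = {"notapplicable", "notchecked", "notselected", "informational"}


def parse_rules(benchmark_xml):
    """Return {rule_id: (weight, oval_definition_id)} for each Rule with a check."""
    root = ET.fromstring(benchmark_xml)
    rules = {}
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        ref = rule.find(f"{{{XCCDF_NS}}}check/{{{XCCDF_NS}}}check-content-ref")
        if ref is None:
            continue  # no automated check: nothing to evaluate
        rules[rule.get("id")] = (float(rule.get("weight", "1.0")), ref.get("name"))
    return rules


def parse_oval_results(results_xml):
    """Return {definition_id: oval_result} from an OVAL results document."""
    root = ET.fromstring(results_xml)
    return {d.get("definition_id"): d.get("result")
            for d in root.iter(f"{{{OVAL_RES_NS}}}definition")}


def evaluate(benchmark_xml, results_xml):
    """Return {rule_id: (weight, xccdf_result)} by joining rules to OVAL results."""
    rules = parse_rules(benchmark_xml)
    oval = parse_oval_results(results_xml)
    outcome = {}
    for rule_id, (weight, def_id) in rules.items():
        # A definition the agent never reported becomes 'unknown', never a pass.
        outcome[rule_id] = (weight, OVAL_TO_XCCDF.get(oval.get(def_id, "unknown"), "unknown"))
    return outcome


def score(outcome):
    """Flat weighted average 0..100: pass counts 100, every other scored result
    (fail, error, unknown) counts 0. A simplification of XCCDF scoring, which
    aggregates per Group."""
    scored = [(w, r) for w, r in outcome.values() if r not in NOT_SCORED]
    total = sum(w for w, _ in scored)
    return 0.0 if total == 0 else 100.0 * sum(w for w, r in scored if r == "pass") / total


def audit_passes(outcome, max_low_score):
    """Assumed policy: a system fails the audit when its score does not exceed
    the configured threshold (the ST calls this the Maximum Low Score)."""
    return score(outcome) > max_low_score


if __name__ == "__main__":
    out = evaluate(BENCHMARK_XML, OVAL_RESULTS_XML)
    for rule_id, (weight, result) in out.items():
        print(f"{rule_id}: {result} (weight {weight})")
    print(f"score={score(out):.1f} passes_at_60={audit_passes(out, 60.0)}")
```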

Seamless integration with McAfee ePolicy Orchestrator® (ePO™) eases agent deployment, management, and reporting. ePO provides the user interface for the TOE via a GUI accessed from remote systems using web browsers. The ePO web dashboard represents policy compliance by benchmark. Custom reports can be fully automated, scheduled, or exported. ePO requires users to identify and authenticate themselves before access is granted to any data or management functions. Audit records are generated to record configuration changes made by users. The audit records may be reviewed via the GUI.

Based upon per-user permissions, users may configure the systems to be audited for policy compliance (the “managed systems”) along with the benchmarks to be checked. The Policy Auditor Agent Plug-In executing on the managed systems performs the policy audit and returns the results to Policy Auditor. Policy Auditor allows you to conduct policy audits on various releases of operating systems detailed in the McAfee Knowledge Centre Technical Article ID KB72961, at the following link: https://kc.mcafee.com/corporate/index?page=content&id=KB72961.

The platforms available in the evaluated configuration are as follows:

PA endpoint on the agent:

• Windows 2012 Server R2 (64-bit)
• Windows 2008 Server R2 (64-bit)
• Windows 7 (64-bit)

ePO Server:

• Windows 2008 R2 with MS SQL Server 2008 R2

Users can review the results of the policy audits via ePO. Access to this information is again limited by per-user permissions.

Communication between the distributed components of the TOE is protected from disclosure and modification by cryptographic functionality provided by the operational environment.

1.7 TOE Description

The TOE helps organizations monitor policy compliance on their assets by performing audits on those assets. This solution allows managers to continuously monitor the state of their assets. McAfee Policy Auditor utilizes the Security Content Automation Protocol (SCAP) standard 1.2, as specified by NIST Special Publication 800-126 R2, to analyze computer security configuration information.

Administrators configure the system, including user accounts. Users schedule policy audits and review the results.

1.7.1 Physical Boundary

The TOE is a software TOE and includes:

1. The ePO application executing on a dedicated server
2. The Policy Auditor application on the same system as the ePO application
3. The Benchmark Editor application on the same system as the ePO application
4. The McAfee Agent application on each managed system to be audited
5. The Policy Auditor Agent Plug-In software on each managed system to be audited

Note that the hardware, operating systems and third party support software (e.g. DBMS) on each of the systems are excluded from the TOE boundary.

The following documentation provided to end users is included in the TOE boundary:

1. McAfee Policy Auditor 6.2 Software Installation Guide
2. McAfee Policy Auditor 6.2 Software (Product Guide)
3. Release Notes McAfee Policy Auditor 6.2.0
4. McAfee Benchmark Editor 6.2.0
5. Installation Guide Revision B McAfee ePolicy Orchestrator 5.1.0 Software
6. Product Guide Revision B McAfee ePolicy Orchestrator 5.1.0 Software
7. Best Practices Guide McAfee ePolicy Orchestrator 5.1.1 Software
8. McAfee Policy Auditor 6.2 and ePolicy Orchestrator 5.1.3 Operational User Guidance and Preparative Procedures Guidance Addendum v1.4
9. Release Notes McAfee ePolicy Orchestrator 5.1.3 Software
10. McAfee Agent Product Guide 5.0
11. Release Notes McAfee Agent 5.0.2

In order to comply with the evaluated configuration, the following hardware and software components should be used:

TOE COMPONENT  VERSION/MODEL NUMBER
TOE Software  Policy Auditor 6.2
  Benchmark Editor 6.2
  Policy Auditor Agent Plug-In 6.2
  ePolicy Orchestrator 5.1.3
  McAfee Agent 5.0.2
IT Environment  Specified in the following:
  • Table 4 – Management System Component Requirements
  • Table 5 – Supported Agent Platforms
  • Table 6 – Agent Platform Hardware Requirements

Table 3 – Evaluated Configuration for the TOE

The evaluated configuration consists of a single instance of the management system (with ePO, Policy Auditor and Benchmark Editor) and one or more instances of managed systems (with McAfee Agent and the Policy Auditor Agent Plug-in).

ePO supports both ePO authentication and Windows authentication of user account credentials. The evaluated configuration permits the use of ePO authentication only.

The following figure presents an example of an operational configuration. The shaded elements in the boxes at the top of the figure represent the TOE components.

[Figure 1 – TOE Boundary]

The following specific configuration options apply to the evaluated configuration:

1. The McAfee Agent system tray icon is not displayed on managed systems.
2. McAfee Agent wake-up calls are enabled.
3. Incoming connections to McAfee Agents are only accepted from the configured address of the ePO server.
4. The only repository supported is the ePO server.
5. Updates to the TOE software are not permitted in the evaluated configuration.

Please note that the installation of the TOE will not have an adverse effect on other McAfee products that may be installed or supported by ePO. Similarly, other McAfee products installed within the ePO framework will not have an adverse effect on the TOE. The architecture of the ePO framework (i.e., the use of product extensions to support specific functionality) facilitates the use of multiple McAfee products on a single ePO server.

1.7.2 Hardware and Software Supplied by the IT Environment

The TOE consists of a set of software applications. The hardware, operating systems and all third party support software (e.g., DBMS) on the systems on which the TOE executes are excluded from the TOE boundary.

The platform on which the ePO, Policy Auditor and Benchmark Editor software is installed must be dedicated to functioning as the management system. ePO operates as a distribution system and management system for a client-server architecture offering components for the server part of the architecture (not the clients). The TOE requires the following hardware and software configuration on this platform.

COMPONENT  MINIMUM REQUIREMENTS
Processor  64-bit Intel Pentium D or higher, 2.66 GHz or higher
Memory  8 GB available RAM recommended minimum
Free Disk Space  20 GB — Recommended minimum
Monitor  1024x768, 256-color, VGA monitor or higher
Operating System  Windows Server 2008 R2
DBMS  Microsoft SQL Server 2008 R2
Network Card  Ethernet, 100 Mb or higher
Disk Partition Formats  NTFS
Domain Controllers  The system must have a trust relationship with the Primary Domain Controller (PDC) on the network
Miscellaneous  Microsoft .NET Framework 3.5 or later (Required — You must acquire and install this software manually. This software is required if you select an installation option that automatically installs the SQL Server Express 2008 software bundled with this ePolicy Orchestrator software.)
  Microsoft updates
  Microsoft Visual C++ 2005 SP1 Redistributable (Required — Installed automatically.)
  Microsoft Visual C++ 2008 Redistributable Package (x86) (Required — Installed automatically.)
  MSXML 6.0

Table 4 – Management System Component Requirements

The McAfee Agent and Policy Auditor Agent Plug-In execute on one or more systems whose policy settings are to be audited. The supported platforms for these components in the evaluated configuration are:

SUPPORTED AGENT OS  PLATFORM
Windows 7 64-bit  X64 platforms
Windows 2008 Server R2  X64 platforms
Windows 2012 Server R2  X64 platforms

Table 5 – Supported Agent Platforms

The minimum hardware requirements for the agent platforms are specified in the following table:

COMPONENT  MINIMUM HARDWARE REQUIREMENTS
Memory  512 MB RAM
Free Disk Space  50 MB, excluding log files
Processor speed  1 GHz or higher
Network Card  Ethernet, 10 Mb or higher

Table 6 – Agent Platform Hardware Requirements

The management system is accessed from remote systems via a browser, and the evaluated configuration uses Microsoft™ Internet Explorer 11 Web browser.

The TOE authenticates user credentials during the logon process through the ePolicy Orchestrator. User accounts must be defined within ePO in order to associate permissions with the users.

1.7.3 Logical Boundary

This section outlines the boundaries of the security functionality of the TOE; the logical boundary of the TOE includes the security functionality described in the following sections.

TSF  DESCRIPTION
Policy Audits  The TOE audits managed systems to determine policy compliance on those systems. Results of the policy audits are stored in the database (the DBMS is in the IT Environment), and reports based upon completed policy audits may be retrieved via the GUI interface or by generating SCAP-conformant XML files to be shared with external systems.
Cryptographic Support  The TOE protects transmissions between the ePO and the McAfee Agent from disclosure and undetected modification by encrypting the transmissions.
Identification & Authentication  On the management system, the TOE requires users to identify and authenticate themselves before accessing the TOE software. User accounts must be defined within ePO, and authentication of the user credentials is performed by ePO. No action can be initiated before proper identification and authentication. Each TOE user has security attributes associated with their user account that define the functionality the user is allowed to perform. On the management system and all managed systems, I&A for local login to the operating system (i.e., via a local console) is performed by the local OS (IT Environment).
Management  The TOE’s Management Security Function provides support functionality that enables users to configure and manage TOE components. Management of the TOE may be performed via the GUI. Management privileges are defined per-user.
Audit  The TOE’s Audit Security Function provides auditing of management actions performed by administrators. Authorized users may review the audit records via ePO.
System Information Import  The TOE may be configured to import information about systems to be managed from Active Directory (LDAP servers) or NT domain controllers. This functionality ensures that all the defined systems in the enterprise network are known to the TOE and may be configured to be managed.
SCAP Data Exchange  The TOE must be able to import and export SCAP benchmark assessment data. This functionality ensures that the assessments remain current as new benchmarks are developed and allows custom-designed benchmarks in the TOE to be made available to other systems.

Table 7 – Logical Boundary Descriptions

1.7.4 TOE Data

TOE data consists of both TSF data and user data (information). TSF data consists of authentication data, security attributes, and other generic configuration information. Security attributes enable the TOE to enforce the security policy. Authentication data enables the TOE to identify and authenticate users.

| TSF DATA | DESCRIPTION | AD / UA / GE |
|---|---|---|
| Benchmarks | Contain an organized set of rules that describe the desired state of a set of managed systems. | ✓ |
| Contacts | A list of email addresses that ePolicy Orchestrator uses to send email messages to specified users in response to events. | ✓ |
| Dashboards | Collections of chart-based queries that are refreshed at a user-configured interval. | ✓ |
| Data Retention | Parameters controlling the length of time policy audit event records are saved in the database. | ✓ |
| ePO User Accounts | ePO username, authentication configuration, enabled status, Administrator status and permission sets for each user authorized to access TOE functionality on the management system. | ✓ |
| Event Filtering | Specifies which events are forwarded to the server from the agents on the managed systems. | ✓ |
| Global Administrator Status | Users assigned to the “administrator” permission set, which is a superset of all other permission sets. This includes the default “admin” user account created when ePO is installed. Users assigned to this permission set are known as “Global Administrator”. | ✓ |
| Groups | Node on the hierarchical System Tree that may contain subordinate groups or systems. | ✓ |
| Maximum Low Score | The scoring threshold at which systems are considered to fail the policy audit. | ✓ |
| Permission | A privilege to perform a specific function. | ✓ |
| Permission Set | A group of permissions that can be granted to any users by assigning it to those users’ accounts. | ✓ |
| Policy Audit | Causes managed systems to be analyzed relative to a specified benchmark at a configured frequency. | ✓ |
| Product Policy | A collection of settings that you create, configure, then enforce to ensure that the managed security software products (e.g., Policy Auditor) are configured and perform accordingly on the managed systems. | ✓ |
| Queries | Configurable objects that retrieve and display data from the database. | ✓ |
| Scoring Model | Specifies which of the XCCDF 1.2 scoring models is used to calculate the compliance score for the results of a policy audit. | ✓ |
| Server Settings | Control how the ePolicy Orchestrator server behaves. | ✓ |
| System Data | Results of audits performed on managed systems. | ✓ |
| System Information | Information specific to a single managed system (e.g. internet address) in the System Tree. | ✓ |
| System Tree | A hierarchical collection of all of the systems managed by ePolicy Orchestrator. | ✓ |
| Tags | Labels that you can apply to one or more systems, automatically (based on criteria) or manually. | ✓ |
| Waivers | Specify temporary effects on the scoring of policy audits. | ✓ |
| File Integrity Monitoring | Designate a set of files to monitor for changes. | ✓ |

Table 8 – TOE Data (Legend: AD = Authentication data; UA = User attribute; GE = Generic Information)
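The Scoring Model and Maximum Low Score entries above are what turn a policy audit's rule results into a pass/fail verdict for a managed system. As an added example, not part of this Security Target or of the product's code, the following Python sketch applies the XCCDF 1.2 default scoring model (pass = 100, fail = 0, not-applicable/not-checked rules excluded, weighted averaging up the group tree) to constructed rule results and compares the result with a threshold; the rule that a score at or below the threshold fails is an assumption made here, not a statement from the document.

```python
# Added example (not part of the Security Target): compliance scoring in the style of
# the XCCDF 1.2 "default" scoring model, plus a "Maximum Low Score" pass/fail check.
from dataclasses import dataclass, field
from typing import List, Tuple, Union

# Rule results that the default model leaves out of the weighted average.
EXCLUDED_RESULTS = {"notapplicable", "notchecked", "notselected", "informational"}


@dataclass
class RuleResult:
    rule_id: str
    result: str          # "pass", "fail", "error", "unknown" or one of EXCLUDED_RESULTS
    weight: float = 1.0  # XCCDF rules default to weight 1.0


@dataclass
class Group:
    group_id: str
    items: List[Union["Group", RuleResult]] = field(default_factory=list)
    weight: float = 1.0


def score_item(item: Union[Group, RuleResult]) -> Tuple[float, int]:
    """Return (score, count) for one item; count == 0 means 'excluded from the parent'."""
    if isinstance(item, RuleResult):
        if item.result in EXCLUDED_RESULTS:
            return 0.0, 0
        # Only an explicit pass earns credit; fail/error/unknown score 0 but still count.
        return (100.0 if item.result == "pass" else 0.0), 1
    weighted_sum = 0.0
    weight_total = 0.0
    for child in item.items:
        child_score, child_count = score_item(child)
        if child_count:                       # excluded children do not dilute the average
            weighted_sum += child.weight * child_score
            weight_total += child.weight
    if weight_total == 0.0:                   # a group of only excluded rules is itself excluded
        return 0.0, 0
    return weighted_sum / weight_total, 1


def benchmark_score(root: Group) -> float:
    """Score of the whole benchmark on a 0..100 scale."""
    score, count = score_item(root)
    return score if count else 0.0


def audit_passes(score: float, maximum_low_score: float) -> bool:
    """Assumption: a system whose score does not exceed the threshold fails the policy audit."""
    return score > maximum_low_score


# Constructed sample results for one managed system (not real benchmark content).
SAMPLE_BENCHMARK = Group("constructed-benchmark", [
    Group("password-policy", [
        RuleResult("min-length", "pass"),
        RuleResult("complexity", "fail"),
        RuleResult("history-on-domain-controller", "notapplicable"),  # excluded
    ]),
    Group("audit-settings", [
        RuleResult("audit-logon-events", "pass"),
        RuleResult("audit-object-access", "pass"),
    ], weight=3.0),   # a heavier group pulls the benchmark score toward its own
    Group("legacy-checks", [
        RuleResult("lanman-hash", "notchecked"),  # the whole group drops out
    ]),
])


if __name__ == "__main__":
    score = benchmark_score(SAMPLE_BENCHMARK)
    print(f"benchmark score = {score:.1f}")                            # 87.5
    print("passes with threshold 70:", audit_passes(score, 70.0))    # True
    print("passes with threshold 90:", audit_passes(score, 90.0))    # False
```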

1.8 Rationale for Non-bypassability and Separation of the TOE

The responsibility for non-bypassability and non-interference is split between the TOE and the IT Environment. TOE components are software-only products and therefore the non-bypassability and non-interference claims are dependent upon hardware and OS mechanisms. The TOE runs on top of the IT Environment supplied operating systems.

The TOE ensures that the security policy is applied and succeeds before further processing is permitted whenever a security relevant interface is invoked: the interfaces are well defined and ensure that the access restrictions are enforced. Non-security relevant interfaces do not interact with the security functionality of the TOE. The TOE depends upon OS mechanisms to protect TSF data such that it can only be accessed via the TOE. The system on which ePO, Policy Auditor and Benchmark Editor execute is dedicated to that purpose. The McAfee Agent and Policy Auditor Agent Plug-In execute on non-dedicated systems; these components only perform policy audits and do not enforce access control policies for users.

The TOE is implemented with well-defined interfaces that can be categorized as security relevant or non-security relevant. The TOE is implemented such that non-security relevant interfaces have no means of impacting the security functionality of the TOE. Unauthenticated users may not perform any actions within the TOE. The TOE tracks multiple users by sessions and ensures the access privileges of each are enforced.

The server hardware provides virtual memory and process separation, which the server OS utilizes to ensure that other (non-TOE) processes may not interfere with the TOE; all interactions are limited to the defined TOE interfaces. The OS and DBMS restrict access to TOE data in the database to prevent interference with the TOE via that mechanism.

The TOE consists of distributed components. Communication between the components relies upon cryptographic functionality provided by the TOE to protect the information exchanged from disclosure or modification.


2 Conformance Claims

2.1 Common Criteria Conformance Claim

The TOE is Common Criteria Version 3.1 Revision 4 (September 2012) Part 2 extended and Part 3 conformant at Evaluation Assurance Level 2 and augmented by ALC_FLR.2 – Flaw Reporting Procedures.

2.2 Protection Profile Conformance Claim

The TOE does not claim conformance to a Protection Profile.


3 Security Problem Definition

In order to clarify the nature of the security problem that the TOE is intended to solve, this section describes the following:

• Any known or assumed threats to the assets against which specific protection within the TOE or its environment is required.

• Any organizational security policy statements or rules with which the TOE must comply.

• Any assumptions about the security aspects of the environment and/or of the manner in which the TOE is intended to be used.

This chapter identifies assumptions as A.assumption, threats as T.threat and policies as P.policy.

3.1 Threats

The following are threats identified for the TOE and the IT System the TOE monitors. The TOE itself has threats and the TOE is also responsible for addressing threats to the environment in which it resides. The assumed level of expertise of the attacker for all the threats is unsophisticated.

The TOE addresses the following threats:

| THREAT | DESCRIPTION |
|---|---|
| T.COMDIS | An unauthorized user may attempt to disclose the data collected and produced by the TOE by bypassing a security mechanism. |
| T.COMINT | An unauthorized user may attempt to compromise the integrity of the data collected and produced by the TOE by bypassing a security mechanism. |
| T.IMPCON | An unauthorized user may inappropriately change the configuration of the TOE causing potential intrusions to go undetected. |
| T.LOSSOF | An unauthorized user may attempt to remove or destroy data collected and produced by the TOE. |
| T.NOHALT | An unauthorized user may attempt to compromise the continuity of the System’s collection and analysis functions by halting execution of the TOE. |
| T.PRIVIL | An unauthorized user may gain access to the TOE and exploit system privileges to gain access to TOE security functions and data. |
| T.FALREC | The TOE may fail to recognize vulnerabilities or inappropriate activity based on data acquired from managed systems, resulting in potential compromise of managed systems. |
| T.SCNCFG | Improper security configuration settings may exist in the managed systems, allowing an attack to be performed or go undetected. |
| T.SCNMLC | Users could execute malicious code on an IT System that the TOE monitors which causes modification of the IT System protected data or undermines the IT System security functions. |
| T.SCNVUL | Vulnerabilities may exist in the IT System the TOE monitors that could result in an exploit by an unauthorized user. |

Table 9 – Threats Addressed by the TOE


3.2 Organizational Security Policies

An organizational security policy is a set of rules, practices, and procedures imposed by an organization to address its security needs. The following Organizational Security Policies apply to the TOE:

| POLICY | DESCRIPTION |
|---|---|
| P.ACCACT | Users of the TOE shall be accountable for their actions within the TOE. |
| P.ACCESS | All data collected and produced by the TOE shall only be used for authorized purposes. |
| P.ANALYZ | Analytical processes and information to derive conclusions about intrusions (past, present, or future) must be applied to data received from data sources and appropriate response actions taken. |
| P.DETECT | Static configuration information that might be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System or events that are indicative of inappropriate activity that may have resulted from misuse, access, or malicious activity of IT System assets must be collected. |
| P.IMPORT | The TOE shall be able to import data about managed systems from LDAP servers and NT Domains. |
| P.INTGTY | Data collected and produced by the TOE shall be protected from modification. |
| P.MANAGE | The TOE shall only be managed by authorized users. |
| P.PROTCT | The TOE shall be protected from unauthorized accesses and disruptions of TOE data and functions. |
| P.SCAP | The TOE shall be able to exchange SCAP Benchmark Assessment data with external systems. |

Table 10 – Organizational Security Policies

3.3 Assumptions

This section describes the security aspects of the environment in which the TOE is intended to be used. The TOE is assured to provide effective security measures in a co-operative non-hostile environment only if it is installed, managed, and used correctly. The following specific conditions are assumed to exist in an environment where the TOE is employed.

| ASSUMPTION | DESCRIPTION |
|---|---|
| A.ACCESS | The TOE has access to all the IT System data it needs to perform its functions. |
| A.ASCOPE | The TOE is appropriately scalable to the IT Systems the TOE monitors. |
| A.DATABASE | Access to the database used by the TOE via mechanisms outside the TOE boundary is restricted to use by authorized users. |
| A.DYNMIC | The TOE will be managed in a manner that allows it to appropriately address changes in the IT System the TOE monitors. |
| A.LOCATE | The processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access. |
| A.MANAGE | There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains. |
| A.NOEVIL | The authorized administrators are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the TOE documentation. |
| A.PROTCT | The TOE hardware and software critical to security policy enforcement will be protected from unauthorized physical modification. |

Table 11 – Assumptions


4 Security Objectives

4.1 Security Objectives for the TOE

The IT security objectives for the TOE are addressed below:

| OBJECTIVE | DESCRIPTION |
|---|---|
| O.ACCESS | The TOE must allow authorized users to access only authorized TOE functions and data. |
| O.AUDITS | The TOE must record audit records for data accesses and use of the TOE functions on the management system. |
| O.AUDIT_PROTECT | The TOE will provide the capability to protect audit information generated by the TOE. |
| O.CRYPTO | The TOE will provide cryptographic functionality and protocols required for the TOE to securely transfer information between distributed portions of the TOE. |
| O.EADMIN | The TOE must include a set of functions that allow effective management of its functions and data. |
| O.IDANLZ | The TOE must apply analytical processes and information to derive conclusions about intrusions (past, present, or future). |
| O.IDENTIFY | The TOE must be able to identify and authenticate users prior to allowing access to TOE functions and data on the management system. |
| O.IDSCAN | The TOE must collect and store static configuration information that might be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System. |
| O.IMPORT | The TOE shall provide mechanisms to import system data from Active Directory (LDAP servers) and NT Domain Controllers. |
| O.INTEGR | The TOE must ensure the integrity of all System data. |
| O.SCAP | The TOE shall provide mechanisms to exchange SCAP Benchmark Assessment data. |
| O.SD_PROTECTION | The TOE will provide the capability to protect system data. |

Table 12 – TOE Security Objectives

4.2 Security Objectives for the Operational Environment

The security objectives for the operational environment are addressed below:

| OBJECTIVE | DESCRIPTION |
|---|---|
| OE.PHYCAL | Those responsible for the TOE must ensure that those parts of the TOE critical to security policy are protected from any physical attack. |
| OE.CREDEN | Those responsible for the TOE must ensure that all access credentials are protected by the users in a manner which is consistent with IT security. |
| OE.INSTAL | Those responsible for the TOE must ensure that the TOE is delivered, installed, managed, and operated in a manner which is consistent with IT security. |
| OE.INTROP | The TOE is interoperable with the managed systems it monitors. |
| OE.PERSON | Personnel working as authorized administrators shall be carefully selected and trained for proper operation of the System. |
| OE.AUDIT_PROTECT | The IT Environment will provide the capability to protect audit information generated by the TOE via mechanisms outside the TSC. |
| OE.AUDIT_REVIEW | The IT Environment will provide the capability for authorized administrators to review audit information generated by the TOE. |
| OE.DATABASE | Those responsible for the TOE must ensure that access to the database via mechanisms outside the TOE boundary (e.g., DBMS) is restricted to authorized users only. |
| OE.PROTECT | The IT environment will protect itself and the TOE from external interference or tampering. |
| OE.SD_PROTECTION | The IT Environment will provide the capability to protect system data via mechanisms outside the TSC. |
| OE.STORAGE | The IT Environment will store TOE data in the database and retrieve it when directed by the TOE. |
| OE.TIME | The IT Environment will provide reliable timestamps to the TOE. |

Table 13 – Operational Environment Security Objectives

4.3 Security Objectives Rationale

This section provides the summary that all security objectives are traced back to aspects of the addressed assumptions, threats, and Organizational Security Policies (if applicable). The following table provides a high level mapping of coverage for each threat, assumption, and policy:

| THREAT / ASSUMPTION / POLICY | OBJECTIVES |
|---|---|
| A.ACCESS | OE.INTROP |
| A.ASCOPE | OE.INTROP |
| A.DATABASE | OE.DATABASE |
| A.DYNMIC | OE.INTROP, OE.PERSON |
| A.LOCATE | OE.PHYCAL |
| A.MANAGE | OE.PERSON |
| A.NOEVIL | OE.INSTAL, OE.PHYCAL, OE.CREDEN |
| A.PROTCT | OE.PHYCAL |
| P.ACCACT | O.AUDITS, O.IDENTIFY, OE.AUDIT_REVIEW |
| P.ACCESS | O.IDENTIFY, O.ACCESS, O.SD_PROTECTION, OE.SD_PROTECTION, OE.DATABASE |
| P.ANALYZ | O.IDANLZ |
| P.DETECT | O.AUDITS, O.IDSCAN, OE.TIME |
| P.IMPORT | O.IMPORT |
| P.INTGTY | O.INTEGR, O.AUDIT_PROTECT, O.CRYPTO, OE.AUDIT_PROTECT, OE.STORAGE |
| P.MANAGE | O.EADMIN, O.IDENTIFY, O.ACCESS, OE.INSTAL, OE.CREDEN, OE.PERSON |
| P.PROTCT | O.CRYPTO, OE.PHYCAL, OE.PROTECT, OE.STORAGE |
| P.SCAP | O.SCAP |
| T.COMDIS | O.IDENTIFY, O.ACCESS, O.CRYPTO, OE.PROTECT |
| T.COMINT | O.IDENTIFY, O.ACCESS, O.INTEGR, O.CRYPTO, OE.PROTECT |
| T.FALREC | O.IDANLZ |
| T.IMPCON | O.EADMIN, O.IDENTIFY, O.ACCESS, O.CRYPTO, OE.INSTAL |
| T.LOSSOF | O.IDENTIFY, O.ACCESS, O.INTEGR |
| T.NOHALT | O.IDENTIFY, O.ACCESS, O.IDSCAN, O.IDANLZ |
| T.PRIVIL | O.IDENTIFY, O.ACCESS |
| T.SCNCFG | O.IDSCAN |
| T.SCNMLC | O.IDSCAN |
| T.SCNVUL | O.IDSCAN |

Table 14 – Mapping of Assumptions, Threats, and OSPs to Security Objectives

The following table provides detailed evidence of coverage for each threat, policy, and assumption:

| THREATS, POLICIES, AND ASSUMPTIONS | RATIONALE |
|---|---|
| A.ACCESS | The TOE has access to all the IT System data it needs to perform its functions. The OE.INTROP objective ensures the TOE has the needed access. |
| A.ASCOPE | The TOE is appropriately scalable to the IT System the TOE monitors. The OE.INTROP objective ensures the TOE has the necessary interactions with the IT System it monitors. |
| A.DATABASE | Access to the database used by the TOE via mechanisms outside the TOE boundary is restricted to use by authorized users. The OE.DATABASE objective ensures that access to any mechanisms outside the TOE boundary that may be used to access the database is configured by the administrators such that only authorized users may utilize the mechanisms. |
| A.DYNMIC | The TOE will be managed in a manner that allows it to appropriately address changes in the IT System the TOE monitors. The OE.INTROP objective ensures the TOE has the proper access to the IT System. The OE.PERSON objective ensures that the TOE will be managed appropriately. |
| A.LOCATE | The processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access. The OE.PHYCAL objective provides for the physical protection of the TOE. |
| A.MANAGE | There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains. The OE.PERSON objective ensures all authorized administrators are qualified and trained to manage the TOE. |
| A.NOEVIL | The authorized administrators are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the TOE documentation. The OE.INSTAL objective ensures that the TOE is properly installed and operated and the OE.PHYCAL objective provides for physical protection of the TOE by authorized administrators. The OE.CREDEN objective supports this assumption by requiring protection of all authentication data. |
| A.PROTCT | The TOE hardware and software critical to security policy enforcement will be protected from unauthorized physical modification. The OE.PHYCAL objective provides for the physical protection of the TOE hardware and software. |
| P.ACCACT | Users of the TOE shall be accountable for their actions within the TOE. The O.AUDITS objective implements this policy by requiring auditing of all data accesses and use of TOE functions. The O.IDENTIFY objective supports this objective by ensuring each user is uniquely identified and authenticated. The OE.AUDIT_REVIEW objective provides the ability for administrators to review the audit records generated by the TOE so that accountability for administrator actions can be determined. |
| P.ACCESS | All data collected and produced by the TOE shall only be used for authorized purposes. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE function accesses via the ePO web interface. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE functions. The OE.SD_PROTECTION and OE.DATABASE objectives address this policy for mechanisms outside the TSC via IT Environment protections of the system data trail and the database used to hold TOE data. The O.SD_PROTECTION and O.ACCESS objectives address this policy for mechanisms inside the TSC via TOE protections of the system data trail and the database used to hold TOE data. |
| P.ANALYZ | Analytical processes and information to derive conclusions about intrusions (past, present, or future) must be applied to data received from data sources and appropriate response actions taken. The O.IDANLZ objective addresses this policy by requiring the TOE to apply analytical processes and information to derive conclusions about intrusions (past, present, or future). |
| P.DETECT | Static configuration information that might be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System or events that are indicative of inappropriate activity that may have resulted from misuse, access, or malicious activity of IT System assets must be collected. The O.AUDITS and O.IDSCAN objectives address this policy by requiring collection of audit and policy audit data. The OE.TIME objective supports this policy by providing a timestamp for insertion into the system data records. |
| P.IMPORT | The TOE shall be able to import data about managed systems from LDAP servers and NT Domains. The O.IMPORT objective addresses this policy by requiring the TOE to provide functionality to import data about managed systems from LDAP servers and NT Domains. |
| P.INTGTY | Data collected and produced by the TOE shall be protected from modification. The O.INTEGR objective ensures the protection of System data from modification. The O.AUDIT_PROTECT and OE.AUDIT_PROTECT objectives ensure the integrity of audit records in the database generated by the TOE using access mechanisms inside and outside the TSC respectively. The O.CRYPTO objective requires the TOE to provide cryptographic functionality and protocols to protect the data during transit. The OE.STORAGE objective requires the IT Environment to provide storage and retrieval mechanisms for System data for use by the TOE. |
| P.MANAGE | The TOE shall only be managed by authorized users. The OE.PERSON objective ensures competent administrators will manage the TOE and the O.EADMIN objective ensures there is a set of functions for administrators to use. The OE.INSTAL objective supports the OE.PERSON objective by ensuring administrators follow all provided documentation and maintain the security policy. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE function accesses. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE functions. The OE.CREDEN objective requires administrators to protect all authentication data. |
| P.PROTCT | The TOE shall be protected from unauthorized accesses and disruptions of TOE data and functions. The OE.PHYCAL objective protects the TOE from unauthorized physical modifications. The OE.PROTECT objective supports the TOE protection from the IT Environment. The O.CRYPTO objective requires the TOE to provide cryptographic functionality and protocols to protect the data during transit. The OE.STORAGE objective requires the IT Environment to provide storage and retrieval mechanisms for System data for use by the TOE. |
| P.SCAP | The TOE shall be able to exchange SCAP Benchmark Assessment data with external systems. The O.SCAP objective addresses this policy by requiring the TOE to provide mechanisms to exchange SCAP data with external sources. |
| T.COMDIS | An unauthorized user may attempt to disclose the data collected and produced by the TOE by bypassing a security mechanism. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE data access. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE data. The O.CRYPTO objective requires the TOE to provide cryptographic functionality and protocols to protect the data during transit. The OE.PROTECT objective supports the TOE protection from the IT Environment. |
| T.COMINT | An unauthorized user may attempt to compromise the integrity of the data collected and produced by the TOE by bypassing a security mechanism. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE data access. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE data. The O.INTEGR objective ensures no System data will be modified. The O.CRYPTO objective requires the TOE to provide cryptographic functionality and protocols to protect the data during transit. The OE.PROTECT objective supports the TOE protection from the IT Environment. |
| T.FALREC | The TOE may fail to recognize vulnerabilities or inappropriate activity based on data received from each data source. The O.IDANLZ objective provides the function that the TOE will recognize vulnerabilities or inappropriate activity from a data source. |
| T.IMPCON | An unauthorized user may inappropriately change the configuration of the TOE causing potential intrusions to go undetected. The OE.INSTAL objective states the authorized administrators will configure the TOE properly. The O.EADMIN objective ensures the TOE has all the necessary administrator functions to manage the product. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE data access. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE functions. The O.CRYPTO objective requires the TOE to provide cryptographic functionality and protocols to protect the data during transit. |
| T.LOSSOF | An unauthorized user may attempt to remove or destroy data collected and produced by the TOE. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE data access. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE data. The O.INTEGR objective ensures no System data will be deleted. |
| T.NOHALT | An unauthorized user may attempt to compromise the continuity of the System’s collection and analysis functions by halting execution of the TOE. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE data access. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE functions. The O.IDSCAN and O.IDANLZ objectives address this threat by requiring the TOE to collect and analyze System data, which includes attempts to halt the TOE. |
| T.PRIVIL | An unauthorized user may gain access to the TOE and exploit system privileges to gain access to TOE security functions and data. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE data access. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE functions. |
| T.SCNCFG | Improper security configuration settings may exist in the managed systems. The O.IDSCAN objective counters this threat by requiring a TOE that contains a Scanner to collect and store static configuration information that might be indicative of a configuration setting change. |
| T.SCNMLC | Users could execute malicious code on an IT System that the TOE monitors which causes modification of the IT System protected data or undermines the IT System security functions. The O.IDSCAN objective counters this threat by requiring a TOE that contains a Scanner to collect and store static configuration information that might be indicative of malicious code. |
| T.SCNVUL | Vulnerabilities may exist in an IT System the TOE monitors. The O.IDSCAN objective counters this threat by requiring a TOE that contains a Scanner to collect and store static configuration information that might be indicative of a vulnerability. |

Table 15 – Rationale for Mapping of Threats, Policies, and Assumptions to Objectives


5 Extended Components Definition

5.1 IDS Class of SFRs

All of the components in this section were taken from the U.S. Government Protection Profile Intrusion Detection System System For Basic Robustness Environments.

This class of requirements is copied from the IDS System PP to specifically address the data collected and analysed by an IDS scanner and analyzer. The audit family of the CC (FAU) was used as a model for creating these requirements. The purpose of this class of requirements is to address the unique nature of system data and provide for requirements about collecting, reviewing and managing the data.

5.1.1 IDS_SDC.1 System Data Collection

Management: IDS_SDC.1

The following actions could be considered for the management functions in FMT:

a) Configuration of the events to be collected

Audit: IDS_SDC.1

There are no auditable events foreseen.

IDS_SDC.1 System Data Collection

Hierarchical to: No other components

Dependencies: No dependencies

IDS_SDC.1.1 The System shall be able to collect the following information from the targeted IT System resource(s):

a) [selection: Start-up and shutdown, identification and authentication events, data accesses, service requests, network traffic, security configuration changes, data introduction, detected malicious code, access control configuration, service configuration, authentication configuration, accountability policy configuration, detected known vulnerabilities]; and

b) [assignment: other specifically defined events].

IDS_SDC.1.2 At a minimum, the System shall collect and record the following information:

a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and


b) The additional information specified in the Details column of the table below:

| COMPONENT | EVENT | DETAILS |
|---|---|---|
| IDS_SDC.1 | Startup and shutdown | None |
| IDS_SDC.1 | Identification and authentication events | User identity, location, source address, destination address |
| IDS_SDC.1 | Data accesses | Object IDS, requested access, source address, destination address |
| IDS_SDC.1 | Service requests | Specific service, source address, destination address |
| IDS_SDC.1 | Network traffic | Protocol, source address, destination address |
| IDS_SDC.1 | Security configuration changes | Source address, destination address |
| IDS_SDC.1 | Data introduction | Object IDS, location of object, source address, destination address |
| IDS_SDC.1 | Startup and shutdown of audit functions | None |
| IDS_SDC.1 | Detected malicious code | Location, identification of code |
| IDS_SDC.1 | Access control configuration | Location, access settings |
| IDS_SDC.1 | Service configuration | Service identification (name or port), interface, protocols |
| IDS_SDC.1 | Authentication configuration | Account names for cracked passwords, account policy parameters |
| IDS_SDC.1 | Accountability policy configuration | Accountability policy configuration parameters |
| IDS_SDC.1 | Detected known vulnerabilities | Identification of the known vulnerability |

Table 16 – System Data Collection Events and Details

Application Note: The rows in this table must be retained that correspond to the selections in IDS_SDC.1.1 when that operation is completed. If additional events are defined in the assignment in IDS_SDC.1.1, then corresponding rows should be added to the table for this element.


5.1.2 IDS_ANL.1 Analyzer Analysis

Management: IDS_ANL.1

The following actions could be considered for the management functions in FMT:

a) Configuration of the analysis to be performed

Audit: IDS_ANL.1

The following actions should be auditable if FAU_GEN Security audit data generation is included in the ST:

a) Minimal: Enabling and disabling of any of the analysis mechanisms

IDS_ANL.1 Analyzer Analysis

Hierarchical to: No other components

Dependencies: No dependencies

IDS_ANL.1.1 The System shall perform the following analysis function(s) on all IDS data received:

a) [selection: statistical, signature, integrity]; and

b) [assignment: other analytical functions].

IDS_ANL.1.2 The System shall record within each analytical result at least the following information:

a. Date and time of the result, type of result, identification of data source; and

b. [assignment: other security relevant information about the result]. (EXT)

5.1.3 IDS_RDR.1 Restricted Data Review (EXT)

Management: IDS_RDR.1

The following actions could be considered for the management functions in FMT:

a) maintenance (deletion, modification, addition) of the group of users with read access right to the system data records.

Audit: IDS_RDR.1


The following actions should be auditable if FAU_GEN Security audit data generation is included in the ST:

a) Basic: Attempts to read system data that are denied.

b) Detailed: Reading of information from the system data records.

IDS_RDR.1 Restricted Data Review

Hierarchical to: No other components

Dependencies: IDS_SDC.1 System Data Collection
IDS_ANL.1 Analyzer Analysis

IDS_RDR.1.1 The System shall provide [assignment: authorized users] with the capability to read [assignment: list of System data] from the System data.

IDS_RDR.1.2 The System shall provide the System data in a manner suitable for the user to interpret the information.

IDS_RDR.1.3 The System shall prohibit all users read access to the System data, except those users that have been granted explicit read-access.

5.1.4 IDS_STG.1 Guarantee of System Data Availability

Management: IDS_STG.1

The following actions could be considered for the management functions in FMT:

a) maintenance of the parameters that control the system data storage capability.

Audit: IDS_STG.1

There are no auditable events foreseen.

IDS_STG.1 Guarantee of System Data Availability

Hierarchical to: No other components

Dependencies: IDS_SDC.1 System Data Collection
IDS_ANL.1 Analyzer Analysis

IDS_STG.1.1 The System shall protect the stored System data from unauthorized deletion.

IDS_STG.1.2 The System shall protect the stored System data from modification.


Application Note: Authorized deletion of data is not considered a modification of System data in this context. This requirement applies to the actual content of the System data, which should be protected from any modifications.

IDS_STG.1.3 The System shall ensure that [assignment: metric for saving System data] System data will be maintained when the following conditions occur: [selection: System data storage exhaustion, failure, attack].


6 Security Requirements

The security requirements that are levied on the TOE are specified in this section of the ST.

6.1 Security Functional Requirements

The functional security requirements for this Security Target consist of the following components from Part 2 of the CC, and the extended components defined in section 5 of this ST, all of which are summarized in the following table:

CLASS HEADING | CLASS_FAMILY | DESCRIPTION
Security Audit | FAU_GEN.1 | Audit Data Generation
 | FAU_GEN.2 | User Identity Association
 | FAU_SAR.1 | Audit Review
 | FAU_SAR.2 | Restricted Audit Review
 | FAU_STG.1 | Protected Audit Trail Storage
 | FAU_STG.4 | Prevention of Audit Trail Data Loss
Cryptographic Support | FCS_CKM.1(1-4) | Cryptographic Key Generation
 | FCS_CKM.4 | Cryptographic Key Destruction
 | FCS_COP.1 | Cryptographic Operation
Identification and Authentication | FIA_ATD.1 | User Attribute Definition
 | FIA_UAU.2 | User Authentication Before Any Action
 | FIA_UID.2 | User Identification Before Any Action
 | FIA_USB.1 | User-Subject Binding
Security Management | FMT_MTD.1 | Management of TSF Data
 | FMT_SMF.1 | Specification of Management Functions
 | FMT_SMR.1 | Security Roles
Protection of the TSF | FPT_TDC.1(1) | Inter-TSF Basic TSF Data Consistency
 | FPT_TDC.1(2) | Inter-TSF Basic TSF Data Consistency
IDS Component Requirements | IDS_SDC.1 | System Data Collection
 | IDS_ANL.1 | Analyzer Analysis
 | IDS_RDR.1 | Restricted Data Review
 | IDS_STG.1 | Guarantee of System Data Availability

Table 17 – TOE Functional Components

6.1.1 Security Audit (FAU)

6.1.1.1 FAU_GEN.1 Audit Data Generation

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:

a) Start-up and shutdown of the audit functions;

b) All auditable events for the not specified level of audit; and

c) The events identified in the following table.


FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:

a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and

b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, the information detailed in the following table.

Application Note: The auditable events for the respective level of auditing are included in the following table:

COMPONENT | EVENT | DETAILS
FAU_GEN.1 | Start-up and shutdown of audit functions |
FAU_GEN.1 | Access to the TOE and System data | Object IDs, Requested access
FAU_SAR.2 | Note: Unsuccessful attempts to read information from the audit records do not occur because the TOE does not present that capability to users that are not authorized to read the audit records. |
FAU_STG.4 | Note: New audit records are discarded when storage space is exhausted; the IT Environment alarms the administrator with a notification indicating low disk space. |
FIA_ATD.1 | All changes to TSF data (excluding password changes) result in an audit record being generated. Note that passwords are not configured, so no audit records for rejection of a tested secret will be generated. |
FIA_UAU.2 | Use of the user authentication mechanism | User identity, location
FIA_UID.2 | All use of the user identification mechanism | User identity, location
FIA_USB.1 | Successful binding of attributes to subjects is reflected in the audit record for successful authentication. Unsuccessful binding does not occur in the TOE design. |
FMT_MTD.1 | All modifications to the values of TSF data, with the exception of Waiver Management functions. |
FMT_SMF.1 | Use of the management functions, with the exception of Waiver Management functions. | User identity, function used
FMT_SMR.1 | Modifications to the group of users that are part of a role | User identity
FPT_TDC.1 | Use of the asset import function | Data Source, result, identification of which TSF data have been imported
FPT_TDC.1 | Detection of modified TSF data | Data Source, identification of which TSF data have been modified
IDS_ANL.1 | None (the analysis function is always enabled) |
IDS_RDR.1 | None (the user is not given the option of accessing unauthorized system data) |

Table 18 – Audit Events and Details

6.1.1.2 FAU_GEN.2 User Identity Association

FAU_GEN.2.1 The TSF shall be able to associate each auditable event with the identity of the user that caused the event.

6.1.1.3 FAU_SAR.1 Audit Review

FAU_SAR.1.1 The TSF shall provide authorized users with Global Administrator permission or assigned to one of the Executive Reviewer, Global Reviewer, Group Admin, Group Reviewer permission sets with the capability to read all information from the audit records.

FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

6.1.1.4 FAU_SAR.2 Restricted Audit Review

FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.

6.1.1.5 FAU_STG.1 Protected Audit Trail Storage

FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorized deletion.

FAU_STG.1.2 The TSF shall be able to prevent unauthorized modifications to the audit records in the audit trail.

6.1.1.6 FAU_STG.4 Prevention of Audit Data Loss

FAU_STG.4.1 The TSF shall ignore auditable events and perform null action if the audit trail is full.


Application Note: The TOE relies on the IT Environment to monitor disk space and send the appropriate alarm. The TOE sends audit events to the IT Environment, and if full, the database ignores the new audit events and alarms the administrator with a notification indicating low disk space.

6.1.2 Class FCS: Cryptographic Support

6.1.2.1 FCS_CKM.1(1) Cryptographic key generation (ePO AES)

FCS_CKM.1.1(1) The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm CTR_DRBG for deterministic random bit generation and specified cryptographic key sizes 256 bits for encryption/decryption that meet the following: NIST Special Publication 800-90 (CAVP algorithm certificate #540).

6.1.2.2 FCS_CKM.1(2) Cryptographic key generation (ePO RSA)

FCS_CKM.1.1(2) The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm CTR_DRBG for deterministic random bit generation and specified cryptographic key sizes 2048 bits for key transport that meet the following: NIST Special Publication 800-90 (CAVP algorithm certificate #540).

6.1.2.3 FCS_CKM.1(3) Cryptographic key generation (MA AES)

FCS_CKM.1.1(3) The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm HMAC_DRBG for random number generation and specified cryptographic key sizes 256 bits for encryption/decryption that meet the following: NIST Special Publication 800-90A (CAVP algorithm certificate #191).

6.1.2.4 FCS_CKM.1(4) Cryptographic key generation (MA RSA)

FCS_CKM.1.1(4) The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm HMAC_DRBG for random number generation and specified cryptographic key sizes 2048 bits for key transport that meet the following: NIST Special Publication 800-90A (CAVP algorithm certificate #191).

6.1.2.5 FCS_CKM.4 Cryptographic key destruction

FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method zeroization that meets the following: FIPS 140-2 level 1.


6.1.2.6 FCS_COP.1 Cryptographic operation

FCS_COP.1.1 The TSF shall perform [list of cryptographic operations – see Table 19 below] in accordance with a specified cryptographic algorithm [cryptographic algorithm – see Table 19 below] and cryptographic key sizes [cryptographic key sizes – see Table 19 below] that meet the following: [list of standards – see Table 19 below].

Table 19 – Cryptographic Operations

Cryptographic Operations | Cryptographic Algorithm | Key Sizes (bits) | Standards
Key Transport | RSA encrypt/decrypt | 2048 | Allowed in FIPS mode
Symmetric encryption and decryption | Advanced Encryption Standard (AES) (operating in GCM mode) | 256 | FIPS 197
Secure Hashing | SHA-384 | Not Applicable | FIPS 180-3

6.1.3 Identification and Authentication (FIA)

6.1.3.1 FIA_ATD.1 User Attribute Definition

FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users:

a) ePO Username;

b) Enabled or disabled;

c) Authentication configuration;

d) Hashed password (when Local ePO authentication is configured);

e) Permission Sets.

6.1.3.2 FIA_UAU.2 User authentication before any action

FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.


6.1.3.3 FIA_UID.2 User Identification before any action

FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

6.1.3.4 FIA_USB.1 User-Subject Binding

FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on behalf of that user:

a) Permission sets.

FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: user security attributes are bound upon successful login with a valid ePO User Name.

FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: user security attributes do not change until the user refreshes the menu of the GUI management session.

Application Note: Permissions are determined by the union of all permissions in any permission set associated with a user.

Application Note: If the security attributes for a user are changed while that user has an active session, the new security attributes are not bound to a session until the next page refresh.

6.1.4 Security Management (FMT)

6.1.4.1 FMT_MTD.1 Management of TSF Data

FMT_MTD.1.1 The TSF shall restrict the ability to query, modify, delete, clear, create, export and use the TSF data identified in the following table to a user with the permissions identified in the following table or a Global Administrator.

TSF DATA | ASSOCIATED PERMISSION | OPERATIONS PERMITTED
Benchmarks | Activate benchmarks | Modify (activate) benchmarks
 | Apply labels | Query and modify (apply) labels
 | Create, delete and apply labels | Query, create, delete and modify (apply) labels
 | Create, delete and import checks | Query, create (manually or by importing) and delete checks
 | Create, delete, modify and import benchmarks | Query, create (manually or by importing), delete and modify benchmarks
 | Create, delete, modify, import and unlock benchmarks | Query, create (manually), delete, and modify (unlock) benchmarks
 | Edit benchmark tailoring | Query and modify benchmark tailoring
 | Edit existing benchmarks | Query and modify benchmarks
 | View and export benchmarks | Query and export benchmarks
 | View and export checks | Query and export checks
Audit Log | View audit log | View
 | View and purge audit log | View and delete
Dashboards | Use public dashboards | Query and use public dashboards
 | Use public dashboards; create and edit private dashboards | Query and use public dashboards; create and modify private dashboards
 | Use public dashboards; create and edit private dashboards; make private dashboards public | Query and use public dashboards; create, delete and modify private dashboards; make private dashboards public
Data Retention Settings | n/a (only allowed by a Global Administrator) | Query and modify
Event Records (Policy Audit) | Add, remove and change Audits and Assignments | Query policy audit event records
 | View Audits and Assignments | Query policy audit event records
ePO User Accounts | n/a (only allowed by a Global Administrator) | Query, create, delete and modify
Event Filtering | n/a (only allowed by a Global Administrator) | Query and modify
Global Administrator Status | n/a (only allowed by a Global Administrator) | Query and modify
Groups | View "System Tree" tab | Query
 | View "System Tree" tab along with Edit System Tree groups and systems | Query, create, delete and modify
Maximum Low Score | n/a (only allowed by a Global Administrator) | Query and modify
Permission Set | n/a (only allowed by a Global Administrator) | Query, create, delete, modify, and assign (to a user) permissions
Policy Audit | Add, remove and change Audits and Assignments | Query, create, delete and modify policy audits
 | View Audits and Assignments | Query policy audits
Product Policy | View settings (McAfee Agent and/or Policy Auditor Agent) | Query
 | View and change settings (McAfee Agent and/or Policy Auditor Agent) | Query, create, delete, and modify (including enable)
 | n/a (only allowed by a Global Administrator) | Query, create, delete, and modify (including assign and enable)
Queries and Reports | Use public groups | Query and use public groups
 | Use public queries; create and edit private queries | Query and use public queries; create and modify private queries
 | Edit public groups; create and edit private groups; make private queries/reports public | Edit public groups; create, delete and modify (including make public) private queries/reports; make private queries/reports public
Scoring Model | n/a (only allowed by a Global Administrator) | Query and modify
Server Settings | n/a (only allowed by a Global Administrator) | Query and modify
System Information | Create and edit systems | Query, create, delete and modify
Systems | View "System Tree" tab | Query
 | Wake up Agents; view Agent Activity Log; Edit System Tree groups and systems; Deploy agents | Actions
System Tree Access | Access nodes and portions of the System Tree | Access nodes and portions of the System Tree
Waivers | View Waivers | Query and create (request)
 | Grant and modify Waivers | Query, modify (expire or grant), and delete
File Integrity Monitoring | View File Integrity Monitoring | Query
 | Manage File Integrity Monitoring | Create, apply, query, modify, and delete

Table 20 – TSF Data Access Permissions
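As an added illustration (not ePO code and not part of this Security Target), the following Python model applies the rules stated in FIA_USB.1 and FMT_MTD.1 to a handful of Table 20 rows: effective permissions are the union of a user's permission sets, a Global Administrator is permitted every operation, and a change to a user's permission sets is not bound to an open session until that session refreshes. The class and function names and the sample users are this example's own.

```python
"""Constructed model of ePO authorization as stated in FIA_USB.1 and FMT_MTD.1.
Not ePO code: class names, function names and the sample users are this
example's own. Only a handful of Table 20 rows are reproduced."""
from dataclasses import dataclass, field

# (TSF data, associated permission) -> operations permitted, from Table 20.
# A permission of None marks "n/a (only allowed by a Global Administrator)".
TABLE_20 = {
    ("Audit Log", "View audit log"): {"view"},
    ("Audit Log", "View and purge audit log"): {"view", "delete"},
    ("Waivers", "View Waivers"): {"query", "create"},
    ("Waivers", "Grant and modify Waivers"): {"query", "modify", "delete"},
    ("Server Settings", None): {"query", "modify"},
}


@dataclass
class User:
    """FIA_ATD.1 attributes that matter here: name, Global Administrator
    status, and the permission sets assigned to the account
    (set name -> permissions granted by that set)."""
    name: str
    global_admin: bool = False
    permission_sets: dict = field(default_factory=dict)


@dataclass
class Session:
    """Subject acting on behalf of a user; holds the attributes bound at login."""
    user: User
    bound_admin: bool
    bound_permissions: frozenset


def effective_permissions(user):
    """Application note to FIA_USB.1: the union of all permissions in every
    permission set associated with the user."""
    perms = set()
    for names in user.permission_sets.values():
        perms |= set(names)
    return frozenset(perms)


def login(user):
    """FIA_USB.1.2: attributes are bound to the subject on successful login."""
    return Session(user, user.global_admin, effective_permissions(user))


def refresh(session):
    """FIA_USB.1.3: changed attributes take effect only when the session
    refreshes, which re-binds the account's current attributes."""
    return login(session.user)


def permitted(session, tsf_data, operation):
    """FMT_MTD.1: a Global Administrator may perform any listed operation;
    otherwise some bound permission must grant this operation on this data."""
    if session.bound_admin:
        return True
    for (data, permission), operations in TABLE_20.items():
        if data != tsf_data or permission is None:
            continue  # n/a rows are reachable only as Global Administrator
        if permission in session.bound_permissions and operation in operations:
            return True
    return False
```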


6.1.4.2 FMT_SMF.1 Specification of Management Functions

FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions:

a) ePO User Account management,

b) Permission Set management,

c) Audit Log management,

d) Event Log management,

e) Event Filtering management,

f) System Tree management,

g) Tag management,

h) Product Policy management,

i) Query management,

j) Dashboard management,

k) Benchmark management,

l) Policy Auditor management,

m) Policy Audit management,

n) Waiver management, and

o) File Integrity Monitoring management.

6.1.4.3 FMT_SMR.1 Security Roles

FMT_SMR.1.1 The TSF shall maintain the roles: [Global Administrator and Users with Selected Permissions].

FMT_SMR.1.2 The TSF shall be able to associate users with roles.

Application Note: A Global Administrator is a defined user account with Global Administrator status. Users are defined user accounts without Global Administrator status but with specific permissions.

6.1.5 Protection of the TSF (FPT)

6.1.5.1 FPT_TDC.1 Inter-TSF Basic TSF Data Consistency

FPT_TDC.1.1(1) The TSF shall provide the capability to consistently interpret system information when shared between the TSF and another trusted IT product.

FPT_TDC.1.2(1) The TSF shall use the following rules when interpreting the TSF data from another trusted IT product:


a) For Active Directory (LDAP servers), the data is interpreted according to the LDAP version 3 protocol.

b) For NT Domains, the data is interpreted according to the NetBIOS protocol.

c) When conflicting information is received from different sources, highest priority is given to information learned from the McAfee Agent, then to Active Directory, and finally to NT Domains.
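Rule c) above, worked through as an added example (not ePO code and not part of this Security Target): three sources report the same managed system, and the merge keeps the McAfee Agent's value over Active Directory's, and Active Directory's over NT Domains', while recording which values were overridden so an operator can see the disagreement. The record layout and the sample records are this example's own; only the source names and their ordering come from the ST.

```python
"""Constructed model of rule c) in FPT_TDC.1.2(1): when sources disagree about
a managed system, information from the McAfee Agent takes priority over Active
Directory, which takes priority over NT Domains. The source names are from the
ST; the record layout and the sample records below are this example's own."""

# Lower number = higher priority, in the order given by FPT_TDC.1.2(1) c).
SOURCE_PRIORITY = {"McAfee Agent": 0, "Active Directory": 1, "NT Domains": 2}


def merge_system_info(reports):
    """reports: list of (source, {attribute: value}) for one managed system.

    Returns (merged, provenance, overridden):
      merged      attribute -> winning value
      provenance  attribute -> source the winning value came from
      overridden  attribute -> [(source, value), ...] that lost to a higher-
                  priority source (recorded only where the values differed)
    Reports from a source not listed in SOURCE_PRIORITY are rejected rather
    than silently merged."""
    for source, _ in reports:
        if source not in SOURCE_PRIORITY:
            raise ValueError(f"unknown system information source: {source!r}")

    merged, provenance, overridden = {}, {}, {}
    # Apply the lowest-priority source first so that each higher-priority
    # source overwrites whatever is already present.
    for source, attrs in sorted(reports, key=lambda r: SOURCE_PRIORITY[r[0]],
                                reverse=True):
        for name, value in attrs.items():
            if name in merged and merged[name] != value:
                overridden.setdefault(name, []).append((provenance[name], merged[name]))
            merged[name] = value
            provenance[name] = source
    return merged, provenance, overridden


# Constructed sample: three sources describing the same workstation.
SAMPLE_REPORTS = [
    ("NT Domains", {"hostname": "WS01", "os": "Windows 7"}),
    ("Active Directory", {"hostname": "ws01.corp.example", "os": "Windows 7",
                          "ou": "Workstations"}),
    ("McAfee Agent", {"hostname": "ws01.corp.example", "os": "Windows 10",
                      "ip": "10.0.0.5"}),
]

if __name__ == "__main__":
    merged, provenance, overridden = merge_system_info(SAMPLE_REPORTS)
    for name in sorted(merged):
        print(f"{name:9} = {merged[name]!r:22} from {provenance[name]}")
    for name, losers in overridden.items():
        print(f"{name}: overridden values {losers}")
```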

FPT_TDC.1.1(2) The TSF shall provide the capability to consistently interpret SCAP Benchmark Assessments when shared between the TSF and another trusted IT product.

FPT_TDC.1.2(2) The TSF shall use the SCAP Benchmark Assessment XCCDF and OVAL standards when interpreting the TSF data from another trusted IT product.

6.1.6 IDS Component Requirements (IDS)

6.1.6.1 IDS_SDC.1 System Data Collection

IDS_SDC.1.1 The System shall be able to collect the following information from the targeted IT System resource(s):

a) access control configuration, service configuration, authentication configuration, detected known vulnerabilities; and

b) no other events.

IDS_SDC.1.2 At a minimum, the System shall collect and record the following information:

a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and

b) The additional information specified in the Details column of the table below.

COMPONENT | EVENT | DETAILS
IDS_SDC.1 | Access control configuration | Location, access settings
IDS_SDC.1 | Service configuration | Service identification (name or port), interface, protocols
IDS_SDC.1 | Authentication configuration | Account policy parameters
IDS_SDC.1 | Detected known vulnerabilities | Identification of the known vulnerability

Table 21 – System Data Collection Events and Details

Application Note: Access control configuration refers to configuration settings used to restrict access for individual users/roles. Service configuration refers to services made available to users via the network interface and protocol stack. Authentication configuration refers to settings regarding password content parameters and authentication attempts. The information collected for each managed system is determined by the benchmarks applied against that managed system.


6.1.6.2 IDS_ANL.1 Analyzer analysis

IDS_ANL.1.1 The System shall perform the following analysis function(s) on all system data received:

a) signature; and

b) scoring.

IDS_ANL.1.2 The System shall record within each analytical result at least the following information:

a) Date and time of the result, type of result, identification of data source; and

b) The score for the system data.

6.1.6.3 IDS_RDR.1 Restricted Data Review (EXT)

IDS_RDR.1.1 The System shall provide a user with the View System Tree permission or a Global Administrator with the capability to read event records and scores from the System data.

IDS_RDR.1.2 The System shall provide the System data in a manner suitable for the user to interpret the information.

IDS_RDR.1.3 The System shall prohibit all users read access to the System data, except those users that have been granted explicit read-access.

6.1.6.4 IDS_STG.1 Guarantee of System Data Availability

IDS_STG.1.1 The System shall protect the stored System data from unauthorized deletion.

IDS_STG.1.2 The System shall protect the stored System data from modification.

Application Note: Authorized deletion of data is not considered a modification of System data in this context. This requirement applies to the actual content of the System data, which should be protected from any modifications.

IDS_STG.1.3 The System shall ensure that (to the limits of the storage space for the configured data retention period) the oldest System data will be maintained when the following conditions occur: System data storage exhaustion.


6.2 Security Assurance Requirements

The assurance security requirements for this Security Target are taken from Part 3 of the CC. These assurance requirements compose an Evaluation Assurance Level 2 (EAL2) augmented by ALC_FLR.2. The assurance components are summarized in the following table:

CLASS HEADING | CLASS_FAMILY | DESCRIPTION
ADV: Development | ADV_ARC.1 | Security Architecture Description
 | ADV_FSP.2 | Security-enforcing Functional Specification
 | ADV_TDS.1 | Basic Design
AGD: Guidance Documents | AGD_OPE.1 | Operational User Guidance
 | AGD_PRE.1 | Preparative Procedures
ALC: Lifecycle Support | ALC_CMC.2 | Use of a CM System
 | ALC_CMS.2 | Parts of the TOE CM coverage
 | ALC_DEL.1 | Delivery Procedures
 | ALC_FLR.2 | Flaw Reporting Procedures
ATE: Tests | ATE_COV.1 | Evidence of Coverage
 | ATE_FUN.1 | Functional Testing
 | ATE_IND.2 | Independent Testing - Sample
AVA: Vulnerability Assessment | AVA_VAN.2 | Vulnerability Analysis

Table 22 – Security Assurance Requirements at EAL2

6.3 CC Component Hierarchies and Dependencies

This section of the ST demonstrates that the identified SFRs include the appropriate hierarchy and dependencies. The following table lists the TOE SFRs and the SFRs each are hierarchical to, dependent upon, and any necessary rationale.

SFR | HIERARCHICAL TO | DEPENDENCY | RATIONALE
FAU_GEN.1 | No other components | FPT_STM.1 | Satisfied by OE.TIME in the environment
FAU_GEN.2 | No other components | FAU_GEN.1, FIA_UID.1 | Satisfied, Satisfied
FAU_SAR.1 | No other components | FAU_GEN.1 | Satisfied
FAU_SAR.2 | No other components | FAU_SAR.1 | Satisfied
FAU_STG.1 | No other components | FAU_GEN.1 | Satisfied
FAU_STG.4 | FAU_STG.3 | FAU_STG.1 | Satisfied
FCS_CKM.1 | No other components | FCS_CKM.2 or FCS_COP.1, FCS_CKM.4 | Satisfied
FCS_CKM.4 | No other components | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1 | Satisfied
FCS_COP.1 | No other components | FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1, FCS_CKM.4 | Satisfied
FIA_ATD.1 | No other components | None | n/a
FIA_UAU.2 | FIA_UAU.1 | FIA_UID.1 | Satisfied
FIA_UID.2 | FIA_UID.1 | None | n/a
FIA_USB.1 | No other components | FIA_ATD.1 | Satisfied
FMT_MTD.1 | No other components | FMT_SMF.1, FMT_SMR.1 | Satisfied, Satisfied
FMT_SMF.1 | No other components | None | n/a
FMT_SMR.1 | No other components | FIA_UID.1 | Satisfied
FPT_TDC.1 | No other components | None | n/a
IDS_SDC.1 | No other components | None | None
IDS_ANL.1 | No other components | None | None
IDS_RDR.1 | No other components | IDS_SDC.1, IDS_ANL.1 | Satisfied, Satisfied
IDS_STG.1 | No other components | IDS_SDC.1, IDS_ANL.1 | Satisfied, Satisfied

Table 23 – TOE SFR Dependency Rationale

6.4 Security Requirements Rationale

This section provides rationale for the Security Functional Requirements, demonstrating that the SFRs are suitable to address the security objectives.

6.4.1 Security Functional Requirements for the TOE

The following table provides a high level mapping of coverage for each security objective:

SFR \ OBJECTIVE | O.ACCESS | O.AUDITS | O.AUDIT_PROTECT | O.CRYPTO | O.EADMIN | O.IDANLZ | O.IDENTIFY | O.IDSCAN | O.IMPORT | O.INTEGR | O.SCAP | O.SD_PROTECTION
FAU_GEN.1 !
