Validated Product - IBM i5/OS V5R3M0 running on IBM eServer models 520, 550, and 570 with Software Feature Code 1930

Certificate Date: 10 August 2005
Validation Report Number: CCEVS-VR-05-0111
Product Type: Operating System
Conformance Claim: EAL4 Augmented with ALC_FLR.2
PP Identifier: Controlled Access Protection Profile, Version 1.d
CC Testing Lab: SAIC Common Criteria Testing Laboratory

PRODUCT DESCRIPTION

IBM i5/OS is a complete operating system that operates on an IBM iSeries hardware platform. i5/OS is object-based and, in the evaluated configuration, implements approximately 50 object types. Data access and system management are controlled via access controls on the available objects, but only after the responsible user has been identified and authenticated by i5/OS and only if the user has the required authorities. Additionally, i5/OS can audit security-relevant actions, including authentication attempts, access attempts, and security management functions.

Like most other operating systems, i5/OS consists of layers ranging from the most critical (hardware) to non-critical (user applications). The hardware is an IBM iSeries product, and the lower layers of i5/OS are designed to abstract hardware details away from the higher layers of i5/OS. As a result, the Software Licensed Internal Code (SLIC) and Machine Instruction (MI) interfaces are essentially static regardless of the underlying hardware, and it is these interfaces upon which i5/OS and user applications operate.

Since all sharable data is contained in encapsulated objects, discretionary access control (DAC) is maintained by each object manager using a system-wide, common function to verify the authorization of any user to any instantiation of an object. The i5/OS DAC mechanism provides authorities on both a private (individual or group) and public (any authorized user) basis. A user may obtain authority from any one of up to 16 groups.
In addition, the capability to adopt (gain) authority from a program owner is provided. Two levels of DAC granularity (system groupings plus individual data and object authorities) are provided to suit varying user needs.

Object reuse on i5/OS is controlled primarily by storage management when storage objects are allocated. When objects are reused, the object manager either reuses them for the same user or clears all residual data.

i5/OS provides accountability via a centralized identification and authentication mechanism in the operating system. All users are registered via a user profile object created by a trusted administrator. Associated with each user profile is a one-way encrypted password. i5/OS provides numerous options as to the makeup and control of passwords, allowing specific installations to meet their local requirements. In addition, i5/OS provides uid and gid support for user and group profiles.

A highly configurable set of auditing capabilities is available on i5/OS. These auditing capabilities fall into three categories: actions, objects, and users. i5/OS can preselect audit events very specifically, narrowing the scope of the audit to only the desired actions, objects, or users and thereby reducing the system resources needed for auditing. In addition, post-selection of audit data is made easy via the SQL interface.

i5/OS provides data integrity features in addition to its security features. i5/OS assures system isolation by explicitly verifying all system pointers and space pointers passed into its Target of Evaluation (TOE) via application programming interfaces, kernel system calls, commands, and MI instructions. In addition, the concepts of user state and system state are implemented in hardware, with full software support. The hardware provides a storage protection feature that restricts user state programs to read-only access, or no access at all, to protected memory locations.
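The authority model sketched above (private authorities for individual users or groups, authority obtained through up to 16 group profiles, public authority, and authority adopted from a program owner) can be made concrete with a small model that also records each access check as an audit event. This is an added illustration, not IBM code and not the evaluated TOE's actual algorithm: the search order (private, then group, then public, then adopted), the rule that an explicit private entry for the user ends the normal search, the owner holding all authorities unless overridden, the authority labels, and the profile and object names are all assumptions of the example.

```python
"""Toy model of discretionary authority resolution in the style described for i5/OS.

Added illustration, not IBM code. The precedence order, the *EXCLUDE handling,
the owner rule and all names below are assumptions of this example.
"""
from dataclasses import dataclass, field

MAX_GROUPS = 16        # page: a user may obtain authority from any one of up to 16 groups
EXCLUDE = "*EXCLUDE"   # explicit denial entry (label chosen for this model)
# Authority labels follow the *READ/*UPD naming style but are just labels here.
ALL = frozenset({"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE", "*OBJMGT"})


@dataclass
class SecuredObject:
    name: str
    owner: str
    private: dict = field(default_factory=dict)   # profile name -> frozenset of authorities
    public: frozenset = frozenset()               # authorities every other user receives


@dataclass
class UserProfile:
    name: str
    groups: list = field(default_factory=list)    # group profile names, at most 16

    def __post_init__(self):
        if len(self.groups) > MAX_GROUPS:
            raise ValueError(f"{self.name}: more than {MAX_GROUPS} group profiles")


def authorities_of(profile, obj):
    """Private entry for a profile; the owner is modelled as holding ALL unless overridden."""
    if profile in obj.private:
        return obj.private[profile]
    return ALL if profile == obj.owner else None


def sufficient(entry, required):
    """An entry grants the request only if it exists, is not *EXCLUDE, and covers every authority."""
    return entry is not None and EXCLUDE not in entry and required <= entry


def check_authority(user, obj, required, adopting_owner=None, audit=None):
    """Resolve whether `user` holds `required` on `obj`; return (granted, source).

    Assumed order: private entry for the user (an explicit entry, sufficient or not,
    ends this part of the search), then the user's groups, then public authority.
    Authority adopted from the owner of the running program is tried last.
    Every decision is appended to `audit` when a list is supplied.
    """
    required = frozenset(required)
    granted, source = False, "none"
    own = authorities_of(user.name, obj)
    if own is not None:
        if sufficient(own, required):
            granted, source = True, "private"
    else:
        for group in user.groups:
            if sufficient(authorities_of(group, obj), required):
                granted, source = True, f"group:{group}"
                break
        else:
            if sufficient(obj.public, required):
                granted, source = True, "public"
    if not granted and adopting_owner is not None \
            and sufficient(authorities_of(adopting_owner, obj), required):
        granted, source = True, f"adopted:{adopting_owner}"
    if audit is not None:
        audit.append({"user": user.name, "object": obj.name,
                      "required": sorted(required), "granted": granted, "source": source})
    return granted, source


# Constructed sample data: one file object and four user profiles.
PAYROLL = SecuredObject(
    "PAYROLL", owner="PAYADMIN",
    private={"ALICE": frozenset({"*READ"}),
             "BOB": frozenset({EXCLUDE}),
             "HRGRP": frozenset({"*READ", "*UPD"})},
    public=frozenset({"*READ"}))
ALICE = UserProfile("ALICE")
BOB = UserProfile("BOB", groups=["HRGRP"])      # explicit *EXCLUDE beats group authority
CAROL = UserProfile("CAROL", groups=["HRGRP"])
DAVE = UserProfile("DAVE")


def demo():
    """Run the sample checks; return (results by case, audit trail)."""
    log = []
    results = {
        "alice_read": check_authority(ALICE, PAYROLL, {"*READ"}, audit=log),
        "alice_upd": check_authority(ALICE, PAYROLL, {"*UPD"}, audit=log),
        "bob_read": check_authority(BOB, PAYROLL, {"*READ"}, audit=log),
        "carol_upd": check_authority(CAROL, PAYROLL, {"*UPD"}, audit=log),
        "dave_read": check_authority(DAVE, PAYROLL, {"*READ"}, audit=log),
        "dave_dlt_adopted": check_authority(DAVE, PAYROLL, {"*DLT"},
                                            adopting_owner="PAYADMIN", audit=log),
    }
    return results, log


if __name__ == "__main__":
    for case, outcome in demo()[0].items():
        print(f"{case:18} -> {outcome}")
```

The point of the `audit` list is the same one the description makes about i5/OS: every access decision, granted or denied, is recorded with who asked, for what, and which rule decided it, so a reviewer can later filter the trail by user or object.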
The encapsulation of programs and strong typing prevent data from being executed as a program. Since only program objects can be executed, and only within an operating system controlled process, all interprocess communications are controlled by i5/OS and are auditable. The use of logical files (i.e., views) in the database provides the user a mechanism to specify access control to the record/column/element level of a physical file. (Note: authorization lists and private authorities are applied at the file level, not at the record/column/element level.) The SQL grant commands, as well as the referential integrity and trigger capabilities, use the same DAC mechanism as the rest of the system.

The evaluated configuration supports peripherals including tape, direct access storage device (DASD), diskette, workstations, and optical devices. The software is distributed on CD-ROM.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the IBM i5/OS TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.1, and the International Interpretations effective on November 19, 2003. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 4 augmented with ALC_FLR.2. The product, when configured as specified in the IBM iSeries Configure Your System For Common Criteria Security Version 5 Release 3 (SC41-5336-00, last revised May 13, 2005), satisfies all of the security functional requirements stated in the IBM i5/OS Administration Security Target (Version 1.0). Two validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC.
The evaluation was completed in May 2005. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-05-0111, dated 10 August 2005) prepared by CCEVS.

ENVIRONMENTAL STRENGTHS

The logical boundaries of i5/OS can be characterized as the set of security functions available at its physical interfaces. Each of these security functions is summarized below.

Security Audit: i5/OS has an audit mechanism that is invoked for access checks, authentication attempts, administrator functions, and at other times during its operation. When invoked, the date, time, responsible individual, and other details describing the event are recorded to the audit trail. i5/OS can be configured to halt when data can't be written to the audit log, or to discard the data and continue processing. i5/OS can also be configured so that when audit log spaces (called journal receivers) fill, the system will automatically generate new ones so that audit data is not lost. Tools are provided so that an administrator can effectively review the audit trail, including searching and sorting by user identities.

User Data Protection: i5/OS is object oriented and implements approximately 50 object types (e.g., class, command, data queue, file, job queue, and journal). Each of the objects has associated operations and access modes that can be configured so that individual users and groups of users are restricted to performing only selected operations on given objects.

Identification and Authentication: In the evaluated configuration, each user must provide a user name and password before they are allowed to exercise any i5/OS commands, regardless of the mechanism used to communicate with i5/OS. Once a user has been authenticated, i5/OS maintains the identity and other attributes with the resulting session to ensure proper access controls are enforced and individual accountability is maintained.
Security Management: i5/OS offers an extensive set of tools to manage and otherwise use its security services. i5/OS supports the notion of roles by assigning various authorities to specific users. Access to essentially all of the i5/OS objects, including those used to store and manipulate the i5/OS security configuration, is protected using these authorities in conjunction with a discretionary access control policy.

Protection of the TOE Security Functions: Diagnostic tests exist to ensure that the hardware is functioning correctly. Some of the tests execute automatically during i5/OS initial program load (IPL), and additional tests can be exercised by an authorized administrator when necessary. i5/OS protects itself using a combination of hardware support and strict control over the set of available applications. i5/OS includes a translator and compiler that are specifically designed to ensure that a given program will only access the resources it is supposed to (e.g., the application will not be allowed to access memory belonging to another user or system process). i5/OS is object-based and provides a number of well-defined interfaces to access each object. Objects can only be accessed through the interfaces provided, and those interfaces have been carefully designed to ensure that the appropriate access checks are made before they operate on any object.