Compliant Product - CA Access Control r12 sp1
Certificate Date: 16 December 2009
Validation Report Number: CCEVS-VR-VID10331-2009
Product Type: System Access Control
Conformance Claim: EAL3 Augmented with ALC_FLR.1
PP Identifiers: None
CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
PRODUCT DESCRIPTION
CA Access Control R12 SP1 is a security software product that is tied to the operating system. The UNIX/LINUX Operating Systems (OS) are used in the evaluated configuration. In addition to supplying the regular security functions – such as an access rule database, an audit log, and administration tools – CA Access Control intercepts in memory the operating system events that are to be protected. No changes are made to system files other than the OS configuration files, and the UNIX kernel is not modified at all. CA Access Control either denies or allows the operation based upon rules and policies in Seosdb. The TOE enforces policy-based control of who can access objects protected by the PROGRAM, PROCESS, TERMINAL, FILE, USER, GROUP, SEOS, SURROGATE, XUSER, and XGROUP classes. In addition, the TOE enforces policy-based controls to determine what users can do with their respective access rights and under what circumstances that access is allowed.
CA Access Control is not a replacement for the operating system, but works in conjunction with the underlying OS. CA Access Control hooks security-related syscalls that must be protected and an interception is put on the Access Control kernel module at load time. This means control is passed to CA Access Control before the action or operation is executed. Following the syscall interception, CA Access Control then decides whether the user is allowed to perform the requested operation.
EVALUATED CONFIGURATION
The TOE was evaluated on the following platforms:
Access Control Server running on Linux Red Hat Advanced Server 5.0
- CPU: Intel Xeon 2.0 GHz
- Memory: 4 GB system RAM
- Disk Space: 130 GB
Access Control Server running on Solaris 10
- CPU: Sparcv9 1336 MHz
- Memory: 6 GB system RAM
- Disk Space: 5 GB
Access Control Admin running on Linux Red Hat Advanced Server 5.0
- CPU: Intel Xeon 2.0 GHz
- Memory: 4 GB system RAM
- Disk Space: 130 GB
Access Control Admin running on Solaris 10
- CPU: Sparcv9 1336 MHz
- Memory: 6 GB system RAM
- Disk Space: 5 GB
Attack Machine
- IBM T40 running dual-boot Windows XP Service Pack 2 and Backtrack 3 Linux Distribution
- Intel Pentium M 1.6 GHz CPU
- 512 MB RAM
- 40 GB Disk Drive
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. CA Access Control R12 SP1 software was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 3. It has been determined that the product meets the security criteria in the Security Target, which specifies an assurance level of EAL3 augmented with ALC_FLR.1 and ASE_TSS.2. Validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in December 2009.
ENVIRONMENTAL STRENGTHS
Identification and Authentication
There are two types of users of the TOE: Administrators and end users. Administrators manage the TOE remotely through the command line interface: selang. One or more of them will also be given the ability to access the audit records locally using seaudit. End users access the TOE directly by logging onto their respective local machine. Both types of users are authenticated by the underlying Operating System before they are allowed to access the TOE. The TOE can define password composition requirements to be applied to system accounts for one or more endpoint users. This is accomplished by using the sepass utility.
Security Audit
CA Access Control generates secure and reliable audit logs which associate usernames to all resource actions. It maintains a user’s “true” username so that rules cannot be circumvented by the su command. The audit records are stored in an audit log called seos.audit. The location of the audit log is specified in the seos.ini file.
Security Management
The TOE provides management capabilities through selang, the command line interface that is used by remote administrators. Through the use of selang, CA Access Control allows administrators to manage accessors and resources in their environment. Administrators can create new accessor records, delete and modify accessor records, modify all or part of Seosdb, and assign administrative attributes to other administrators. In addition, administrators can perform distributive management of multiple endpoints simultaneously, applying single rules or a collection of them to a target subset of the environment.
Degraded Fault Tolerance
Once the TOE is started, its applications monitor each other so that if one is terminated, it can continuously be restored by another. Seoswd is responsible for restarting seosd if it shuts down, seosd is responsible for restarting seagent if it shuts down, and seagent is responsible for restarting seoswd if it shuts down. This ensures that the TOE cannot be shut down on a local system without authorization and also ensures continued operation in the event of an unexpected failure. In addition, seosd will refuse any kill attempt made against it, including kill -9. The kernel module of the TOE is able to intercept attempts to shut down the TOE and reject them.
Encrypted Communications
In the evaluated configuration, Access Control employs the AES and RSA encryption algorithms. The AES encryption algorithm uses 128-bit HMAC keys for symmetric cipher. The RSA asymmetric-key encryption algorithm is used with SHA-256 for TLS connections and key generation. The TLS connection is used to protect information exchanged between Seagent and the selang shell on the remote client from disclosure and modification. It is also used to protect the communications between endpoints when sepmdd is updating subscriber databases when the Policy Model is used.
Classes
Each object belongs to a predefined class which is a collection of objects of the same type. In CA Access Control, the class of a record defines the properties that the record can have. All records in a class have the same properties but will have different values for these properties. Each record contains values for the properties appropriate to the record’s class.
The classes included in the evaluated configuration are: PROGRAM, PROCESS, TERMINAL, FILE, USER, GROUP, SUDO, SURROGATE, XUSER and XGROUP.
Access Control
Every attempt to access a resource is performed by an accessor. These accessors must be governed to ensure the proper access authorities or access rights are assigned and enforced. In CA Access Control, these access rights are assigned and managed in a variety of ways; however, to gain access to a resource the accessor must meet one or more of the following criteria:
- The accessor must have the proper authority as granted by the resource Access Control List (ACL).
- The accessor must be a member of a group that has access authority.
- The accessor must be running a program that has the access authority. For example, the accessor has the authority to run a program in the PROGRAMS class.
- The default access of the resource allows some degree of interaction to accessors for which there’s no specific authority.

