Archived TD0104: FMT_SMF and FMT_MOF in OS PP
The current version of the OS PP (version 4.1) has one management requirement: FMT_MOF_EXT.1. This version of the requirement mixes the standard CC requirements of FMT_SMF and FMT_MOF, and so it is unclear in its current form which functions are mandatory to implement vs. those that must be managed if they are implemented.
For example, the current version of the requirement indicates that the TOE must be capable of enabling/disabling unauthenticated logon. Some products do not support unauthenticated logon. The implication with the current wording in the PP is that they would be required to add this feature in order to be compliant with the PP. This seems counterintuitive, as it only decreases security.
The management requirement is restructured to clearly indicate what management functionality must be present (the FMT_SMR aspect) and, if present, whether the functionality is restricted to the administrator (the FMT_MOF aspect).
Replace the FMT_MOF_EXT.1 requirement in the current PP with the following two requirements:
FMT_MOF_EXT.1 Extended: Management of security functions behavior
FMT_MOF_EXT.1.1 The TSF shall restrict the ability to perform the function indicated in column 3 of the “Management Functions” table in FMT_SMF_EXT.1.1 to the administrator.
The functions that have an “M” in the third column must be restricted to the administrator when implemented in the TOE. The functions that have an “O” in the third column may be restricted to the administrator when implemented in the TOE at the discretion of the ST author. If capabilities marked with an “O” in the third column are to be restricted to an administrator, the ST author indicates this by replacing an “O” with an “X” (or some other indicator) in the PP.
The evaluator shall verify that the TSS describes those management functions that are restricted to Administrators, including how the user is prevented from performing those functions, or not able to use any interfaces that allow access to that function.
Test 1: For each function that is indicated as restricted to the administrator, the evaluator shall perform the function as an administrator, as specified in the Operational Guidance, and determine that it has the expected effect as outlined by the Operational Guidance and the SFR. The evaluator shall then perform the function (or otherwise attempt to access the function) as a non-administrator and observe that they are unable to invoke that functionality.
FMT_SMF_EXT.1 Extended: Specification of Management Functions
FMT_SMF_EXT.1.1 The TSF shall be capable of performing the following management functions:
The ST author indicates in the ST which of the optional management functions (beyond the first three, which are mandatory) are implemented in the TOE; this can be done by copying the above table into the ST and adjusting the second column according to which capabilities are present or not present. The ST author also indicates, as was described in the Application Note for FMT_MOF_EXT.1, which of the selected capabilities are restricted such that only the administrator can perform the function. It should be noted that in the table above, only the ability to enable or disable unauthenticated logons (if that capability is implemented by the TOE) is restricted by this PP to be performed only by the administrator.
The terms "Administrator" and "User" are defined in Section 1.2.2. The intent of this requirement is to ensure that the ST is populated with the management functions that are provided by the OS. This enables developers of compliance checklists, including those provided as operational user guidance as specified in AGD_OPE.1.3C, to leverage this table by providing enterprise-specific values for each evaluated item.
Sophisticated account management policies, such as intricate password complexity requirements and handling of temporary accounts, are a function of directory servers. The OS can enroll in such account management and enable the overall information system to achieve such policies by binding to a directory server.
<Unchanged from current wording in PP>
This change clarifies the difference between requirements that must be implemented in compliant TOEs vs. those that are optional, and clarifies when management can only be done by an Administrator.