FIA_AFL_EXT.1 in PP_BASE_VIRTUALIZATION_V1.0 does not provide clarification on the distinction between local and remote administrative access and the applicability of account lockout to local Administrator’s account. It also does not provide clarification on the applicability of failed login attempts and lockout to SSH public key and certificate credentials. In addition, Test 2 and Test 3 of FIA_AFL_EXT.1.2 are not marked as optional, although they are associated with optional selections under FIA_AFL_EXT.1.1.

FIA_AFL_EXT.1 will be modified as follows:

FIA_AFL_EXT.1.1 The TSF shall detect when [selection:

• [assignment: a positive integer number],
• an Administrator-configurable positive integer within a [assignment: range of acceptable values]]

unsuccessful authentication attempts for [selection:

• authentication based on username and password,
• authentication based on username and a PIN that releases an asymmetric key stored in OE-protected storage]
• authentication based on X.509 certificates,
• authentication based on an SSH public key credential]

occur related to [assignment: list of authentication events] Administrators attempting to authenticate remotely using a [selection: password, PIN].

Assurance Activity

The evaluator will set an administrator-configurable threshold for failed attempts, or note the ST-specified assignment. The evaluator will then (per selection) repeatedly attempt to authenticate with an incorrect password PIN, or certificate until the number of attempts reaches the threshold. Note that the authentication attempts and lockouts must also be logged as specified in FAU_GEN.1.

FIA_AFL_EXT.1.2 When the defined number of unsuccessful authentication attempts for an account has been met, the TSF shall: [selection: Account Lockout, Account Disablement, Mandatory Credential Reset, prevent the offending Administrator from successfully establishing remote session using any authentication method that involves a password or PIN until [assignment: action to unlock] is taken by an Administrator; prevent the offending Administrator from successfully establishing remote session using any authentication method that involves a password or PIN until an Administrator defined time period has elapsed [assignment: list of actions]]

Application Note:

The action to be taken shall be populated in the assignment selection of the ST and defined in the Administrator guidance.

This requirement applies to a defined number of successive unsuccessful remote password or PIN-based authentication attempts and does not apply to local Administrative access. Compliant TOEs may optionally include cryptographic authentication failures and local authentication failures in the number of unsuccessful authentication attempts.

Assurance Activity:

The evaluator shall perform the following tests for each credential selected in FIA_AFL_EXT.1.1:

1. The evaluator will set an Administrator-configurable threshold n for failed attempts, or note the ST-specified assignment.
1. The evaluator will attempt to authenticate remotely with the credential n-1 times. The evaluator will then attempt to authenticate using a good credential and verify that authentication is successful.
2. The evaluator will make n attempts to authenticate using a bad credential. The evaluator will then attempt to authenticate using a good credential and verify that the attempt is unsuccessful. Note that the authentication attempts and lockouts must also be logged as specified in FAU_GEN.1.
3. After reaching the limit for unsuccessful authentication attempts the evaluator will proceed as follows:
1. If the Administrator action selection in FIA_AFL_EXT.1.2 is selected, then the evaluator will confirm by testing that following the operational guidance and performing each action specified in the ST to re-enable the remote Administrator’s access results in successful access (when using valid credentials for that Administrator).
2. If the time period selection in FIA_AFL_EXT.1.2 is selected, the evaluator will wait for just less than the time period configured and show that an authentication attempt using valid credentials does not result in successful access. The evaluator will then wait until just after the time period configured and show that an authentication attempt using valid credentials results in successful access.
2. The evaluator will attempt to authenticate repeatedly to the system with a known bad password. Once the defined number of failed authentication attempts has been reached the evaluator will ensure that the account that was being used for testing has had the actions detailed in the assignment list above applied to it. The evaluator will ensure that an event has been logged to the security event log detailing that the account has had these actions applied.
3. The evaluator will attempt to authenticate repeatedly to the system with a known bad certificate. Once the defined number of failed authentication attempts has been reached the evaluator will ensure that the account that was being used for testing has had the actions detailed in the assignment list above applied to it. The evaluator will ensure that an event has been logged to the security event log detailing that the account has had these actions applied.
4. The evaluator will attempt to authenticate repeatedly to the system using both a bad password and a bad certificate. Once the defined number of failed authentication attempts has been reached the evaluator will ensure that the account that was being used for testing has had the actions detailed in the assignment list above applied to it. The evaluator will ensure that an event has been logged to the security event log detailing that the account has had these actions applied.

See issue description. TD0408 and TD0409 for NDcPP are applicable to this SFR.