NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0693:  Typos in OSPP 4.3

Publication Date
2022.12.13

Protection Profiles
PP_OS_V4.3

Other References
FAU_GEN.1; FMT_MOF_EXT.1; FMT_SMF_EXT.1

Issue Description

FMT_MOF_EXT.1/FMT_SMF_EXT.1: The application notes talk about "X" and "O" options in the table for FMT_SMF_EXT.1, but the table uses "M" and "O" options.  It appears that the "M" has the same semantic meaning as "X", but that isn't quite clear.

FAU_GEN.1: Testing activities seems to repeat the test language in two places, but it isn't clear what the distinction is between the two slightly different wordings.

Resolution

The following modifications are made to the FMT_MOF_EXT.1 Application Note in PP_OS_V4.3 Section 5.1.3, with strikethrough denoting deletion and underline denoting addition:

Application Note: The functions with an "X" a "M" in the "Administrator" column

must be restricted to (or overridden by) the administrator in the TOE. The

functions with an "O" in the "Administrator" column may be restricted to (or

overridden by) the administrator when implemented in the TOE at the discretion

of the ST author. For such functions, the ST author indicates this by replacing an

"O" with an "X" a "M" in the ST.

The following modifications are made to the FMT_SMF_EXT.1 Application Note in PP_OS_V4.3 Section 5.1.3, with strikethrough denoting deletion and underline denoting addition:

Application Note: The ST should indicate which of the optional management

functions are implemented in the TOE. This can be done by copying the above

table into the ST and adjusting the "Administrator" and "User" columns to "X" "M"

according to which capabilities are present or not present, and for which

privilege level. The Application Note for FMT_MOF_EXT.1 explains how to

indicate Administrator or User capability.

The terms "Administrator" and "User" are defined in the glossary. The intent of

this requirement is to ensure that the ST is populated with the relevant

management functions that are provided by the OS.

Sophisticated account management policies, such as intricate password

complexity requirements and handling of temporary accounts, are a function of

directory servers. The OS can enroll in such account management and enable

the overall information system to achieve such policies by binding to a directory

server.

The following modifications are made to the FAU_GEN.1 Test Evaluation Activities in PP_OS_V4.3 Section 5.1.5, with strikethrough denoting deletion and underline denoting addition:

Tests

The evaluator will test the OS's ability to correctly generate audit records by having the TOE

generate audit records for the events listed in the ST. This should include all instance types of an

event specified. When verifying the test results, the evaluator will ensure the audit records

generated during testing match the format specified in the administrative guide, and that the

fields in each audit record have the proper entries provide the required information.

The evaluator will test the OS's ability to correctly generate audit records by having the TOE

generate audit records for the events listed in the ST. The evaluator will ensure the audit

records generated during testing match the format specified in the administrative guide, and

that the fields in each audit record provide the required information.

Justification

See issue description.

 
 
Site Map              Contact Us              Home