NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
Archived TD0104:  FMT_SMF and FMT_MOF in OS PP

Publication Date
2016.09.16

Protection Profiles
PP_OS_V4.1

Other References
FMT_MOF_EXT.1.1, FMT_SMF_EXT.1.1,

Issue Description

The current version of the OS PP (version 4.1) has one management requirement: FMT_MOF_EXT.1.  This version of the requirement mixes the standard CC requirements of FMT_SMF and FMT_MOF, and so it is unclear in its current form which functions are mandatory to implement vs. those that must be managed if they are implemented.

For example, the current version of the requirement indicates that the TOE must be capable of enabling/disabling unauthenticated logon. Some products do not support unauthenticated logon.  The implication with the current wording in the PP is that they would be required to add this feature in order to be compliant with the PP.  This seems counterintuitive, as it only decreases security.

Resolution

The management requirement is restructured to clearly indicate what management functionality must be present (the FMT_SMR aspect) and, if present whether the functionality is restricted to the administrator (the FMT_MOF aspect).

Replace the FMT_MOF_EXT.1 requirement in the current PP with the following two requirements:

FMT_MOF_EXT.1 Extended: Management of security functions behavior

FMT_MOF_EXT.1.1 The TSF shall restrict the ability to perform the function indicated in column 3 of the “Management Functions” table in FMT_SMF_EXT.1.1 to the administrator.

Application Note:

The functions that have an “M” in the third column must be restricted to the administrator when implemented in the TOE.  The functions that have an “O” in the third column may be restricted to the administrator when implemented in the TOE at the discretion of the ST author.  If capabilities marked with an “O” in the third column are to be restricted to an administrator, the ST author indicates this by replacing an “O” with an “X” (or some other indicator) in the PP.

Assurance Activity:

The evaluator shall verify that the TSS describes those management functions that are restricted to Administrators, including how the user is prevented from performing those functions, or not able to use any interfaces that allow access to that function.

Test 1: For each function that is indicated as restricted to the administrator, the evaluation shall perform the function as an administrator, as specified in the Operational Guidance, and determine that it has the expected effect as outlined by the Operational Guidance and the SFR.  The evaluator shall then perform the function (or otherwise attempt to access the function) as a non-administrator and observe that they are unable to invoke that functionality.

FMT_SMF_EXT.1 Extended: Specification of Management Functions

FMT_SMF_EXT.1.1 The TSF shall be capable of performing the following management functions:

Management Function

FMT_SMF_EXT.1

FMT_MOF_EXT.1

Enable/disable screen lock

M

O

Configure screen lock inactivity timeout

M

O

Configure local audit storage capacity

M

O

Configure minimum password Length

O

O

Configure minimum number of special characters in password

O

O

Configure minimum number of numeric characters in password

O

O

Configure minimum number of uppercase characters in password

O

O

Configure minimum number of lowercase characters in password

O

O

Configure remote connection inactivity timeout

 

 

Enable/disable unauthenticated logon

O

M

Configure lockout policy for unsuccessful authentication attempts through [selection: timeouts between attempts, limiting number of attempts during a time period]

O

O

Configure host-based firewall

O

O

Configure name/address of directory server to bind with

O

O

Configure name/address of remote management server from which to receive management settings

O

O

Configure name/address of audit/logging server to which to send audit/logging records

O

O

Configure audit rules

O

O

Configure name/address of network time server

O

O

Enable/disable automatic software update

O

O

Configure WiFi interface       

O

O

Enable/disable Bluetooth interface

O

O

Configure USB interfaces

O

O

Enable/disable [assignment: list of other external interfaces]

O

O

[assignment: list of other management functions to be provided by the TSF]

O

O

 

 

Application Note:

The ST author indicates in the ST which of the optional management functions (beyond the first three, which are mandatory) are implement in the TOE; this can be done by copying the above table into the ST and adjusting the second column according to which capabilities are present or not present.  The ST author also indicates, as was described in the Application Note for FMT_MOF_EXT.1, which of the selected capabilities are restricted such that only the administrator can perform the function.  It should be noted that in the table above, only the ability to enable or disable unauthenticated logons (if that capability is implemented by the TOE) is restricted by this PP to be performed only by the administrator.

The terms "Administrator" and "User" are defined in Section 1.2.2. The intent of this requirement is to ensure that the ST is populated with the management functions that are provided by the OS. This enables developers of compliance checklists, including those provided as operational user guidance as specified in AGD_OPE.1.3C, to leverage this table by providing enterprise-specific values for each evaluated item.

Sophisticated account management policies, such as intricate password complexity requirements and handling of temporary accounts, are a function of directory servers. The OS can enroll in such account management and enable the overall information system to achieve such policies by binding to a directory server.

Assurance Activity:

<Unchanged from current wording in PP>

Justification

This change clarifies the difference between requirements that must be implemented in compliant TOEs vs. those that are optional, and clarifies when management can only be done by an Administrator.

 
 
Site Map              Contact Us              Home