Security Target: McAfee Policy Auditor 6.2 and McAfee ePolicy Orchestrator 5.1.3
Document Version 1.7  © McAfee  Page 1 of 68

Security Target
McAfee Policy Auditor 6.2 and McAfee ePolicy Orchestrator 5.1.3
Document Version 1.7
January 5, 2016
Prepared For:
Intel Corporation
2821 Mission College Blvd.
Santa Clara, CA 95054
www.mcafee.com

Prepared By:
Aeson Strategy
3002-1372 Seymour Street
Vancouver, BC V6B 0L1
www.aesonstrategy.com

Abstract
This document provides the basis for an evaluation of a specific Target of Evaluation (TOE), the Policy Auditor 6.2 and McAfee ePolicy Orchestrator 5.1.3. This Security Target (ST) defines a set of assumptions about the aspects of the environment, a list of threats that the product intends to counter, a set of security objectives, a set of security requirements and the IT security functions provided by the TOE which meet the set of requirements.
Table of Contents
1 Introduction ..... 6
1.1 ST Reference ..... 6
1.2 TOE Reference ..... 6
1.3 Document Organization ..... 6
1.4 Document Conventions ..... 7
1.5 Document Terminology ..... 7
1.6 TOE Overview ..... 8
1.7 TOE Description ..... 10
1.7.1 Physical Boundary ..... 10
1.7.2 Hardware and Software Supplied by the IT Environment ..... 12
1.7.3 Logical Boundary ..... 13
1.7.4 TOE Data ..... 14
1.8 Rationale for Non-bypassability and Separation of the TOE ..... 16
2 Conformance Claims ..... 17
2.1 Common Criteria Conformance Claim ..... 17
2.2 Protection Profile Conformance Claim ..... 17
3 Security Problem Definition ..... 18
3.1 Threats ..... 18
3.2 Organizational Security Policies ..... 19
3.3 Assumptions ..... 19
4 Security Objectives ..... 21
4.1 Security Objectives for the TOE ..... 21
4.2 Security Objectives for the Operational Environment ..... 21
4.3 Security Objectives Rationale ..... 22
5 Extended Components Definition ..... 28
5.1 IDS Class of SFRs ..... 28
5.1.1 IDS_SDC.1 System Data Collection ..... 28
5.1.2 IDS_ANL.1 Analyzer Analysis ..... 30
5.1.3 IDS_RDR.1 Restricted Data Review (EXT) ..... 30
5.1.4 IDS_STG.1 Guarantee of System Data Availability ..... 31
6 Security Requirements ..... 33
6.1 Security Functional Requirements ..... 33
6.1.1 Security Audit (FAU) ..... 33
6.1.2 Class FCS: Cryptographic Support ..... 36
6.1.3 Identification and Authentication (FIA) ..... 37
6.1.4 Security Management (FMT) ..... 38
6.1.5 Protection of the TSF (FPT) ..... 41
6.1.6 IDS Component Requirements (IDS) ..... 42
6.2 Security Assurance Requirements ..... 44
6.3 CC Component Hierarchies and Dependencies ..... 44
6.4 Security Requirements Rationale ..... 45
6.4.1 Security Functional Requirements for the TOE ..... 45
6.4.2 Security Assurance Requirements ..... 48
6.5 TOE Summary Specification Rationale ..... 49
7 TOE Summary Specification ..... 53
7.1 Policy Audits ..... 53
7.2 Cryptographic Support ..... 56
7.3 Identification & Authentication ..... 57
7.4 Management ..... 57
7.4.1 ePO User Account Management ..... 58
7.4.2 Permission Set Management ..... 58
7.4.3 Audit Log Management ..... 59
7.4.4 Policy Audit Event Log Management ..... 59
7.4.5 Event Filtering Management ..... 59
7.4.6 System Tree Management ..... 59
7.4.7 Tag Management ..... 60
7.4.8 Product Policy Management ..... 61
7.4.9 Query Management ..... 62
7.4.10 Dashboard Management ..... 62
7.4.11 Benchmark Management ..... 62
7.4.12 Policy Auditor Management ..... 63
7.4.13 Policy Audit Management ..... 64
7.4.14 Waiver Management ..... 65
7.4.15 File Integrity Management ..... 65
7.5 Audit ..... 66
7.6 System Information Import ..... 66
7.6.1 SCAP Data Exchange ..... 67

List of Tables
Table 1 – ST Organization and Section Descriptions ..... 6
Table 2 – Terms and Acronyms Used in Security Target ..... 8
Table 3 – Evaluated Configuration for the TOE ..... 11
Table 4 – Management System Component Requirements ..... 13
Table 5 – Supported Agent Platforms ..... 13
Table 6 – Agent Platform Hardware Requirements ..... 13
Table 7 – Logical Boundary Descriptions ..... 14
Table 8 – TOE Data (Legend: AD = Authentication data; UA = User attribute; GE = Generic Information) ..... 16
Table 9 – Threats Addressed by the TOE ..... 18
Table 10 – Organizational Security Policies ..... 19
Table 11 – Assumptions ..... 20
Table 12 – TOE Security Objectives ..... 21
Table 13 – Operational Environment Security Objectives ..... 22
Table 14 – Mapping of Assumptions, Threats, and OSPs to Security Objectives ..... 23
Table 15 – Rationale for Mapping of Threats, Policies, and Assumptions to Objectives ..... 27
Table 16 – System Data Collection Events and Details ..... 29
Table 17 – TOE Functional Components ..... 33
Table 18 – Audit Events and Details ..... 35
Table 20 – TSF Data Access Permissions ..... 40
Table 21 – System Data Collection Events and Details ..... 42
Table 22 – Security Assurance Requirements at EAL2 ..... 44
Table 23 – TOE SFR Dependency Rationale ..... 45
Table 24 – Mapping of TOE SFRs to Security Objectives ..... 46
Table 25 – Rationale for Mapping of TOE SFRs to Objectives ..... 48
Table 26 – Security Assurance Measures ..... 49
Table 27 – SFR to TOE Security Functions Mapping ..... 50
Table 28 – SFR to TSF Rationale ..... 52
Table 29 – Cryptographic support ..... 56

List of Figures
Figure 1 – TOE Boundary ..... 11
Figure 2 – Benchmark Structure ..... 53
1 Introduction
This section identifies the Security Target (ST), Target of Evaluation (TOE), Security Target organization, document conventions, and terminology. It also includes an overview of the evaluated product.

1.1 ST Reference
ST Title: Security Target: McAfee Policy Auditor 6.2 and McAfee ePolicy Orchestrator 5.1.3
ST Revision: 1.7
ST Publication Date: January 5, 2016
Author: Aeson Strategy

1.2 TOE Reference
TOE Reference: McAfee Policy Auditor 6.2 and McAfee ePolicy Orchestrator 5.1.3
TOE Type: Security Management

1.3 Document Organization
This Security Target is organized as follows:

SECTION  TITLE  DESCRIPTION
1  Introduction  Provides an overview of the TOE and defines the hardware and software that make up the TOE as well as the physical and logical boundaries of the TOE
2  Conformance Claims  Lists evaluation conformance to Common Criteria versions, Protection Profiles, or Packages where applicable
3  Security Problem Definition  Specifies the threats, assumptions and organizational security policies that affect the TOE
4  Security Objectives  Defines the security objectives for the TOE/operational environment and provides a rationale to demonstrate that the security objectives satisfy the threats
5  Extended Components Definition  Describes extended components of the evaluation
6  Security Requirements  Contains the functional and assurance requirements for this TOE
7  TOE Summary Specification  Identifies the IT security functions provided by the TOE and also identifies the assurance measures targeted to meet the assurance requirements.
Table 1 – ST Organization and Section Descriptions
1.4 Document Conventions
The notation, formatting, and conventions used in this Security Target are consistent with those used in Version 3.1, Revision 4 of the Common Criteria. Selected presentation choices are discussed here to aid the Security Target reader. The Common Criteria allows several operations to be performed on functional requirements: the allowable operations defined in Part 2 of the Common Criteria are refinement, selection, assignment and iteration.
• The assignment operation is used to assign a specific value to an unspecified parameter, such as the length of a password. An assignment operation is indicated by italicized text.
• The refinement operation is used to add detail to a requirement, and thus further restricts a requirement. Refinement of security requirements is denoted by bold text. Any text removed is indicated with a strikethrough format (Example: TSF).
• The selection operation is picking one or more items from a list in order to narrow the scope of a component element. Selections are denoted by underlined text.
• Iterated functional and assurance requirements are given unique identifiers by appending to the base requirement identifier from the Common Criteria an iteration number inside parentheses; for example, FIA_UAU.1.1(1) and FIA_UAU.1.1(2) refer to separate instances of the FIA_UAU.1 security functional requirement component.
Outside the SFRs, italicized text is used for both official document titles and text meant to be emphasized more than plain text.

1.5 Document Terminology
The following table¹ describes the terms and acronyms used in this document:
¹ Derived from the IDS PP.

TERM  DEFINITION
AD  Active Directory
CC  Common Criteria version 3.1, R4 (ISO/IEC 15408)
CPU  Central Processing Unit
DBMS  Database Management System
DNS  Domain Name System
DSS  Data Security Standard
EAL  Evaluation Assurance Level
ePO  ePolicy Orchestrator
FDCC  Federal Desktop Core Configuration
FISMA  Federal Information Security Management Act
GUI  Graphical User Interface
HIPAA  Health Insurance Portability and Accountability Act
I&A  Identification & Authentication
IDS  Intrusion Detection System
IIS  Internet Information Services
IP  Internet Protocol
IT  Information Technology
JDBC  Java Database Connectivity
LDAP  Lightweight Directory Access Protocol
MAC  Media Access Control
MDAC  Microsoft Data Access Components
MSDE  MS Data Engine
NTFS  New Technology File System
NTP  Network Time Protocol
OEM  Original Equipment Manufacturer
OS  Operating System
OSP  Organizational Security Policy
OVAL  Open Vulnerability Assessment Language
PCI  Payment Card Industry
PDC  Primary Domain Controller
PP  Protection Profile
RAM  Random Access Memory
SCAP  Security Content Automation Protocol
SF  Security Function
SFP  Security Function Policy
SFR  Security Functional Requirement
SMTP  Simple Mail Transfer Protocol
SNMP  Simple Network Management Protocol
SOF  Strength Of Function
SP  Service Pack
SQL  Structured Query Language
SSL  Secure Socket Layer
ST  Security Target
TOE  Target of Evaluation
TSC  TOE Scope of Control
TSF  TOE Security Function
TSP  TOE Security Policy
VGA  Video Graphics Array
XCCDF  eXtensible Configuration Checklist Description Format
XML  eXtensible Markup Language
Table 2 – Terms and Acronyms Used in Security Target
1.6 TOE Overview
McAfee Policy Auditor 6.2 is an agent-based, purpose-built IT policy audit solution that leverages the XCCDF (version 1.2) and OVAL (version 5.10 and earlier) security standards to automate the processes required for internal and external IT audits. McAfee Policy Auditor evaluates the status of managed systems relative to audits that contain benchmarks. Benchmarks contain rules that describe the desired state of a managed system. Benchmarks are distributed with the TOE or imported into McAfee Benchmark Editor and, once activated, can be used by Policy Auditor. Benchmarks are written in the open-source XML standard formats Extensible Configuration Checklist Description Format (XCCDF) and the Open Vulnerability Assessment Language (OVAL). XCCDF describes what to check while OVAL specifies how to perform the check.
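The division of labour between XCCDF and OVAL described above (XCCDF names the rules and their weights, OVAL definitions carry the actual checks) can be shown with a small evaluator. The following is an added example written for this page; it is not code from the Security Target, from McAfee Policy Auditor or from the Benchmark Editor. The benchmark, rule ids, OVAL definition ids, weights and the "maximum low score" threshold are all constructed. It uses the XCCDF 1.2 "flat" scoring model (score = sum of the weights of passing rules, maximum = sum of all selected rule weights) and treats a system as failing the audit when its percentage score is at or below the threshold, which is this example's reading of the Maximum Low Score setting, not a statement of how the product applies it.

```python
"""Minimal XCCDF-style benchmark evaluation (added example, not product code).

Parses a constructed XCCDF 1.2 benchmark, resolves each selected Rule's
OVAL definition reference against constructed OVAL-style results from one
managed system, computes a flat-model compliance score, and applies a
constructed "maximum low score" threshold.
"""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
OVAL_SYSTEM = "http://oval.mitre.org/XMLSchema/oval-definitions-5"

# Constructed benchmark: XCCDF says WHAT to check (rules, weights, selection);
# each <check-content-ref> names an OVAL definition that says HOW to check it.
SAMPLE_BENCHMARK = f"""<?xml version="1.0"?>
<Benchmark xmlns="{XCCDF_NS}" id="xccdf_example_benchmark_baseline">
  <title>Example workstation baseline (constructed)</title>
  <Group id="xccdf_example_group_accounts">
    <title>Account policy</title>
    <Rule id="xccdf_example_rule_min_pw_len" weight="10.0" selected="true">
      <title>Minimum password length is at least 14</title>
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="example-oval.xml" name="oval:example:def:1"/>
      </check>
    </Rule>
    <Rule id="xccdf_example_rule_guest_disabled" weight="5.0" selected="true">
      <title>Guest account is disabled</title>
      <check system="{OVAL_SYSTEM}">
        <check-content-ref href="example-oval.xml" name="oval:example:def:2"/>
      </check>
    </Rule>
  </Group>
  <Rule id="xccdf_example_rule_fw_enabled" weight="5.0" selected="false">
    <title>Host firewall is enabled (not selected in this profile)</title>
    <check system="{OVAL_SYSTEM}">
      <check-content-ref href="example-oval.xml" name="oval:example:def:3"/>
    </check>
  </Rule>
</Benchmark>
"""

# Constructed OVAL-style results, as an agent would return them after
# evaluating the referenced definitions on one managed system.
SAMPLE_OVAL_RESULTS = {
    "oval:example:def:1": "true",   # password length requirement satisfied
    "oval:example:def:2": "false",  # guest account is still enabled
    "oval:example:def:3": "true",
}


def parse_rules(benchmark_xml):
    """Return [(rule_id, weight, oval_definition_id)] for every selected Rule."""
    root = ET.fromstring(benchmark_xml)
    rules = []
    for rule in root.iter(f"{{{XCCDF_NS}}}Rule"):
        if rule.get("selected", "true").lower() != "true":
            continue  # deselected rules do not count toward the score
        ref = rule.find(f"{{{XCCDF_NS}}}check/{{{XCCDF_NS}}}check-content-ref")
        if ref is None:
            continue  # a rule without a check reference cannot be evaluated
        rules.append((rule.get("id"), float(rule.get("weight", "1.0")), ref.get("name")))
    return rules


def evaluate(benchmark_xml, oval_results):
    """Map each selected rule to pass/fail/unknown from its OVAL definition result."""
    results = {}
    for rule_id, _weight, def_id in parse_rules(benchmark_xml):
        oval = oval_results.get(def_id)
        if oval is None:
            results[rule_id] = "unknown"  # the agent never evaluated this definition
        elif oval == "true":
            results[rule_id] = "pass"
        else:
            results[rule_id] = "fail"
    return results


def flat_score(benchmark_xml, rule_results):
    """XCCDF flat scoring: (sum of weights of passing rules, sum of all weights)."""
    earned = maximum = 0.0
    for rule_id, weight, _def_id in parse_rules(benchmark_xml):
        maximum += weight
        if rule_results.get(rule_id) == "pass":
            earned += weight
    return earned, maximum


def audit_verdict(benchmark_xml, oval_results, maximum_low_score):
    """Return (percent score, failed). Assumption: fail when score <= threshold."""
    results = evaluate(benchmark_xml, oval_results)
    earned, maximum = flat_score(benchmark_xml, results)
    percent = 100.0 * earned / maximum if maximum else 0.0
    return percent, percent <= maximum_low_score


if __name__ == "__main__":
    pct, failed = audit_verdict(SAMPLE_BENCHMARK, SAMPLE_OVAL_RESULTS, 70.0)
    print(f"compliance {pct:.1f}% -> {'FAIL' if failed else 'PASS'}")
```

In the constructed data the password rule passes and the guest-account rule fails, so the flat score is 10 of 15 (66.7%), which is at or below the constructed threshold of 70 and therefore a failed audit. Rules that are deselected in the benchmark are excluded from both the earned and the maximum score, and a rule whose OVAL definition the agent never evaluated is reported as "unknown" rather than silently counted as a pass; a real deployment would hand the definition ids to an OVAL interpreter on the managed system instead of the inline result table.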
Seamless integration with McAfee ePolicy Orchestrator® (ePO™) eases agent deployment, management, and reporting. ePO provides the user interface for the TOE via a GUI accessed from remote systems using web browsers. The ePO web dashboard represents policy compliance by benchmark. Custom reports can be fully automated, scheduled, or exported. ePO requires users to identify and authenticate themselves before access is granted to any data or management functions. Audit records are generated to record configuration changes made by users. The audit records may be reviewed via the GUI.
Based upon per-user permissions, users may configure the systems to be audited for policy compliance (the “managed systems”) along with the benchmarks to be checked. The Policy Auditor Agent Plug-In executing on the managed systems performs the policy audit and returns the results to Policy Auditor. Policy Auditor allows you to conduct policy audits on the releases of operating systems detailed in the McAfee Knowledge Centre Technical Article ID KB72961, at the following link: https://kc.mcafee.com/corporate/index?page=content&id=KB72961.
The platforms available in the evaluated configuration are as follows:
PA endpoint on the agent:
• Windows 2012 Server R2 (64-bit)
• Windows 2008 Server R2 (64-bit)
• Windows 7 (64-bit)
ePO Server:
• Windows 2008 R2 with MS SQL Server 2008 R2
Users can review the results of the policy audits via ePO. Access to this information is again limited by per-user permissions.
Communication between the distributed components of the TOE is protected from disclosure and modification by cryptographic functionality provided by the operational environment.
1.7 TOE Description
The TOE helps organizations monitor policy compliance on their assets by performing audits on those assets. This solution allows managers to continuously monitor the state of their assets. McAfee Policy Auditor utilizes the Security Content Automation Protocol (SCAP) standard 1.2, as specified by NIST Special Publication 800-126 R2, to analyze computer security configuration information.
Administrators configure the system, including user accounts. Users schedule policy audits and review the results.
1.7.1 Physical Boundary
The TOE is a software TOE and includes:
1. The ePO application executing on a dedicated server
2. The Policy Auditor application on the same system as the ePO application
3. The Benchmark Editor application on the same system as the ePO application
4. The McAfee Agent application on each managed system to be audited
5. The Policy Auditor Agent Plug-In software on each managed system to be audited
Note that the hardware, operating systems and third party support software (e.g. DBMS) on each of the systems are excluded from the TOE boundary.
The following documentation provided to end users is included in the TOE boundary:
1. McAfee Policy Auditor 6.2 Software Installation Guide
2. McAfee Policy Auditor 6.2 Software (Product Guide)
3. Release Notes McAfee Policy Auditor 6.2.0
4. McAfee Benchmark Editor 6.2.0
5. Installation Guide Revision B McAfee ePolicy Orchestrator 5.1.0 Software
6. Product Guide Revision B McAfee ePolicy Orchestrator 5.1.0 Software
7. Best Practices Guide McAfee ePolicy Orchestrator 5.1.1 Software
8. McAfee Policy Auditor 6.2 and ePolicy Orchestrator 5.1.3 Operational User Guidance and Preparative Procedures Guidance Addendum v1.4
9. Release Notes McAfee ePolicy Orchestrator 5.1.3 Software
10. McAfee Agent Product Guide 5.0
11. Release Notes McAfee Agent 5.0.2
In order to comply with the evaluated configuration, the following hardware and software components should be used:

TOE COMPONENT  VERSION/MODEL NUMBER
TOE Software  Policy Auditor 6.2; Benchmark Editor 6.2; Policy Auditor Agent Plug-In 6.2; ePolicy Orchestrator 5.1.3; McAfee Agent 5.0.2
IT Environment  Specified in the following: Table 4 – Management System Component Requirements; Table 5 – Supported Agent Platforms; Table 6 – Agent Platform Hardware Requirements
Table 3 – Evaluated Configuration for the TOE
The evaluated configuration consists of a single instance of the management system (with ePO, Policy Auditor and Benchmark Editor) and one or more instances of managed systems (with McAfee Agent and the Policy Auditor Agent Plug-in).
ePO supports both ePO authentication and Windows authentication of user account credentials. The evaluated configuration permits the use of ePO authentication only.
The following figure presents an example of an operational configuration. The shaded elements in the boxes at the top of the figure represent the TOE components.
[Figure 1 – TOE Boundary]
The following specific configuration options apply to the evaluated configuration:
1. The McAfee Agent system tray icon is not displayed on managed systems.
2. McAfee Agent wake-up calls are enabled.
3. Incoming connections to McAfee Agents are only accepted from the configured address of the ePO server.
4. The only repository supported is the ePO server.
5. Updates to the TOE software are not permitted in the evaluated configuration.
Please note that the installation of the TOE will not have an adverse effect on other McAfee products that may be installed or supported by ePO. Similarly, other McAfee products installed within the ePO framework will not have an adverse effect on the TOE. The architecture of the ePO framework (i.e., the use of product extensions to support specific functionality) facilitates the use of multiple McAfee products on a single ePO server.
1.7.2 Hardware and Software Supplied by the IT Environment
The TOE consists of a set of software applications. The hardware, operating systems and all third party support software (e.g., DBMS) on the systems on which the TOE executes are excluded from the TOE boundary.
The platform on which the ePO, Policy Auditor and Benchmark Editor software is installed must be dedicated to functioning as the management system. ePO operates as a distribution system and management system for a client-server architecture, offering components for the server part of the architecture (not the clients). The TOE requires the following hardware and software configuration on this platform.
COMPONENT  MINIMUM REQUIREMENTS
Processor  64-bit Intel Pentium D or higher; 2.66 GHz or higher
Memory  8 GB available RAM recommended minimum
Free Disk Space  20 GB recommended minimum
Monitor  1024x768, 256-color, VGA monitor or higher
Operating System  Windows Server 2008 R2
DBMS  Microsoft SQL Server 2008 R2
Network Card  Ethernet, 100Mb or higher
Disk Partition Formats  NTFS
Domain Controllers  The system must have a trust relationship with the Primary Domain Controller (PDC) on the network
Miscellaneous  Microsoft .NET Framework 3.5 or later (Required: you must acquire and install this software manually. This software is required if you select an installation option that automatically installs the SQL Server Express 2008 software bundled with this ePolicy Orchestrator software.); Microsoft updates; Microsoft Visual C++ 2005 SP1 Redistributable (Required: installed automatically); Microsoft Visual C++ 2008 Redistributable Package (x86) (Required: installed automatically); MSXML 6.0
Table 4 – Management System Component Requirements
The McAfee Agent and Policy Auditor Agent Plug-In execute on one or more systems whose policy settings are to be audited. The supported platforms for these components in the evaluated configuration are:

SUPPORTED AGENT OS  PLATFORM
Windows 7 64-bit  X64 platforms
Windows 2008 Server R2  X64 platforms
Windows 2012 Server R2  X64 platforms
Table 5 – Supported Agent Platforms

The minimum hardware requirements for the agent platforms are specified in the following table:

COMPONENT  MINIMUM HARDWARE REQUIREMENTS
Memory  512 MB RAM
Free Disk Space  50 MB, excluding log files
Processor speed  1 GHz or higher
Network Card  Ethernet, 10Mb or higher
Table 6 – Agent Platform Hardware Requirements

The management system is accessed from remote systems via a browser, and the evaluated configuration uses the Microsoft™ Internet Explorer 11 web browser.
The TOE authenticates user credentials during the logon process through the ePolicy Orchestrator. User accounts must be defined within ePO in order to associate permissions with the users.
1.7.3 Logical Boundary
This section outlines the boundaries of the security functionality of the TOE; the logical boundary of the TOE includes the security functionality described in the following sections.

TSF  DESCRIPTION
Policy Audits  The TOE audits managed systems to determine policy compliance on those systems. Results of the policy audits are stored in the database (the DBMS is in the IT Environment), and reports based upon completed policy audits may be retrieved via the GUI interface or by generating SCAP-conformant XML files to be shared with external systems.
Cryptographic Support  The TOE protects transmissions between the ePO and the McAfee Agent from disclosure and undetected modification by encrypting the transmissions.
Identification & Authentication  On the management system, the TOE requires users to identify and authenticate themselves before accessing the TOE software. User accounts must be defined within ePO, and authentication of the user credentials is performed by ePO. No action can be initiated before proper identification and authentication. Each TOE user has security attributes associated with their user account that define the functionality the user is allowed to perform. On the management system and all managed systems, I&A for local login to the operating system (i.e., via a local console) is performed by the local OS (IT Environment).
Management  The TOE’s Management Security Function provides support functionality that enables users to configure and manage TOE components. Management of the TOE may be performed via the GUI. Management privileges are defined per-user.
Audit  The TOE’s Audit Security Function provides auditing of management actions performed by administrators. Authorized users may review the audit records via ePO.
System Information Import  The TOE may be configured to import information about systems to be managed from Active Directory (LDAP servers) or NT domain controllers. This functionality ensures that all the defined systems in the enterprise network are known to the TOE and may be configured to be managed.
SCAP Data Exchange  The TOE must be able to import and export SCAP benchmark assessment data. This functionality ensures that the assessments remain current as new benchmarks are developed and allows custom-designed benchmarks in the TOE to be made available to other systems.
Table 7 – Logical Boundary Descriptions
1.7.4 TOEData
TOEdataconsistsofbothTSFdataanduserdata(information).TSFdataconsistsofauthenticationdata,securityattributes,andothergenericconfigurationinformation.SecurityattributesenabletheTOEtoenforcethesecuritypolicy.AuthenticationdataenablestheTOEtoidentifyandauthenticateusers.
TSF Data | Description
Benchmarks | Contain an organized set of rules that describe the desired state of a set of managed systems.
Contacts | A list of email addresses that ePolicy Orchestrator uses to send email messages to specified users in response to events.
Dashboards | Collections of chart-based queries that are refreshed at a user-configured interval.
Data Retention | Parameters controlling the length of time policy audit event records are saved in the database.
ePO User Accounts | ePO username, authentication configuration, enabled status, Administrator status and permission sets for each user authorized to access TOE functionality on the management system.
Event Filtering | Specifies which events are forwarded to the server from the agents on the managed systems.
Global Administrator Status | Users assigned to the "administrator" permission set, which is a superset of all other permission sets. This includes the default "admin" user account created when ePO is installed. Users assigned to this permission set are known as "Global Administrators".
Groups | Node on the hierarchical System Tree that may contain subordinate groups or systems.
Maximum Low Score | The scoring threshold at which systems are considered to fail the policy audit.
Permission | A privilege to perform a specific function.
Permission Set | A group of permissions that can be granted to any users by assigning it to those users' accounts.
Policy Audit | Causes managed systems to be analyzed relative to a specified benchmark at a configured frequency.
Product Policy | A collection of settings that you create, configure, then enforce to ensure that the managed security software products (e.g., Policy Auditor) are configured and perform accordingly on the managed systems.
Queries | Configurable objects that retrieve and display data from the database.
Scoring Model | Specifies which of the XCCDF 1.2 scoring models is used to calculate the compliance score for the results of a policy audit.
Server Settings | Control how the ePolicy Orchestrator server behaves.
System Data | Results of audits performed on managed systems.
System Information | Information specific to a single managed system (e.g., internet address) in the System Tree.
System Tree | A hierarchical collection of all of the systems managed by ePolicy Orchestrator.
Tags | Labels that you can apply to one or more systems, automatically (based on criteria) or manually.
Waivers | Specify temporary effects on the scoring of policy audits.
File Integrity Monitoring | Designate a set of files to monitor for changes.
Table 8 – TOE Data (Legend: AD = Authentication data; UA = User attribute; GE = Generic information)
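The SCAP Data Exchange row of Table 7 and the Scoring Model, Maximum Low Score and System Data rows of Table 8 describe the chain from an imported XCCDF benchmark to a per-system pass/fail decision. The following Python is an added worked example, not code from this Security Target, from McAfee Policy Auditor or from ePO: it parses a constructed XCCDF 1.2 TestResult and computes the four scoring models that the XCCDF 1.2 specification defines (default, flat, flat-unweighted, absolute), then applies a maximum-low-score threshold. The sample result document, its rule identifiers and weights, the assumption that every rule sits directly under the Benchmark (so the default model collapses to one weighted average), and the convention that a score at or below the threshold fails are all assumptions of the example and not statements about how Policy Auditor scores.

```python
"""Compute XCCDF 1.2 compliance scores from a TestResult and apply a threshold.

Added example, not code from Policy Auditor or ePO. Assumes a flat benchmark
(every rule is a direct child of the Benchmark), so the default model reduces
to a single weighted average; nested groups would need the Benchmark document.
"""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Result values defined by XCCDF 1.2. Only PASSING and FAILING rules are scored.
PASSING = frozenset({"pass", "fixed"})
FAILING = frozenset({"fail", "error", "unknown"})
NOT_COUNTED = frozenset({"notapplicable", "notchecked", "notselected", "informational"})

# Constructed sample TestResult; rule ids and weights are made up for the example.
SAMPLE_RESULT = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult_1">
  <rule-result idref="xccdf_example_rule_pw_minlen" weight="10.0"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_pw_complexity" weight="10.0"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled" weight="5.0"><result>fixed</result></rule-result>
  <rule-result idref="xccdf_example_rule_disk_encryption"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_example_rule_firewall" weight="2.0"><result>error</result></rule-result>
  <rule-result idref="xccdf_example_rule_banner" weight="1.0"><result>informational</result></rule-result>
</TestResult>"""


@dataclass(frozen=True)
class RuleResult:
    rule_id: str
    result: str
    weight: float


def parse_rule_results(xml_text: str) -> list[RuleResult]:
    """Extract (idref, result, weight) from every rule-result; weight defaults to 1.0."""
    root = ET.fromstring(xml_text)
    rules = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result_el = rr.find(f"{{{XCCDF_NS}}}result")
        if result_el is None or not (result_el.text or "").strip():
            raise ValueError(f"rule-result {rr.get('idref')!r} has no <result>")
        result = result_el.text.strip()
        if result not in PASSING | FAILING | NOT_COUNTED:
            raise ValueError(f"{rr.get('idref')!r}: unknown result value {result!r}")
        rules.append(RuleResult(rr.get("idref", ""), result, float(rr.get("weight", "1.0"))))
    return rules


def scored(rules: list[RuleResult]) -> list[RuleResult]:
    """Drop rules whose result does not count toward any XCCDF score."""
    return [r for r in rules if r.result not in NOT_COUNTED]


def default_score(rules: list[RuleResult]) -> float:
    """urn:xccdf:scoring:default for a flat benchmark: weighted mean on 0..100.
    pass/fixed rules score 100, fail/error/unknown rules score 0."""
    counted = scored(rules)
    total_weight = sum(r.weight for r in counted)
    if total_weight == 0:
        return 0.0
    return sum(r.weight * (100.0 if r.result in PASSING else 0.0) for r in counted) / total_weight


def flat_score(rules: list[RuleResult]) -> tuple[float, float]:
    """urn:xccdf:scoring:flat: (sum of weights of passing rules, sum of weights of scored rules)."""
    counted = scored(rules)
    return (sum(r.weight for r in counted if r.result in PASSING), sum(r.weight for r in counted))


def flat_unweighted_score(rules: list[RuleResult]) -> tuple[int, int]:
    """urn:xccdf:scoring:flat-unweighted: (number of passing rules, number of scored rules)."""
    counted = scored(rules)
    return (sum(1 for r in counted if r.result in PASSING), len(counted))


def absolute_score(rules: list[RuleResult]) -> int:
    """urn:xccdf:scoring:absolute: 1 only if every scored rule passes (0 if nothing was scored)."""
    counted = scored(rules)
    return int(bool(counted) and all(r.result in PASSING for r in counted))


def passes_audit(score: float, maximum_low_score: float) -> bool:
    """Assumed threshold semantics: a score at or below the maximum low score fails."""
    return score > maximum_low_score


if __name__ == "__main__":
    results = parse_rule_results(SAMPLE_RESULT)
    score = default_score(results)
    print(f"scored rules: {len(scored(results))} of {len(results)}")
    print(f"default model: {score:.2f} / 100")
    print(f"flat model: {flat_score(results)}")
    print(f"flat-unweighted model: {flat_unweighted_score(results)}")
    print(f"absolute model: {absolute_score(results)}")
    print("policy audit:", "pass" if passes_audit(score, 60.0) else "fail")
```

Two practitioner caveats follow from the code. First, the four models give very different answers for the same result set (here roughly 55.6 of 100 under the default model, 15 of 27 under the flat model, and 0 under the absolute model), so the scoring model and the maximum low score have to be read together before a compliance figure is compared across systems or benchmarks. Second, the default model is defined recursively over XCCDF groups; the flat-benchmark shortcut above is only correct when no groups are present, and rule roles such as unscored are not handled.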
1.8 Rationale for Non-bypassability and Separation of the TOE

The responsibility for non-bypassability and non-interference is split between the TOE and the IT Environment. TOE components are software-only products, and therefore the non-bypassability and non-interference claims are dependent upon hardware and OS mechanisms. The TOE runs on top of the operating systems supplied by the IT Environment.

The TOE ensures that the security policy is applied and succeeds before further processing is permitted whenever a security-relevant interface is invoked: the interfaces are well defined and ensure that the access restrictions are enforced. Non-security-relevant interfaces do not interact with the security functionality of the TOE. The TOE depends upon OS mechanisms to protect TSF data such that it can only be accessed via the TOE. The system on which ePO, Policy Auditor and Benchmark Editor execute is dedicated to that purpose. The McAfee Agent and Policy Auditor Agent Plug-In execute on non-dedicated systems; these components only perform policy audits and do not enforce access control policies for users.

The TOE is implemented with well-defined interfaces that can be categorized as security relevant or non-security relevant. The TOE is implemented such that non-security-relevant interfaces have no means of impacting the security functionality of the TOE. Unauthenticated users may not perform any actions within the TOE. The TOE tracks multiple users by sessions and ensures the access privileges of each are enforced.

The server hardware provides virtual memory and process separation, which the server OS utilizes to ensure that other (non-TOE) processes may not interfere with the TOE; all interactions are limited to the defined TOE interfaces. The OS and DBMS restrict access to TOE data in the database to prevent interference with the TOE via that mechanism.

The TOE consists of distributed components. Communication between the components relies upon cryptographic functionality provided by the TOE to protect the information exchanged from disclosure or modification.
2 Conformance Claims

2.1 Common Criteria Conformance Claim

The TOE is Common Criteria Version 3.1 Revision 4 (September 2012) Part 2 extended and Part 3 conformant at Evaluation Assurance Level 2, augmented by ALC_FLR.2 – Flaw Reporting Procedures.

2.2 Protection Profile Conformance Claim

The TOE does not claim conformance to a Protection Profile.
3 Security Problem Definition

In order to clarify the nature of the security problem that the TOE is intended to solve, this section describes the following:

• Any known or assumed threats to the assets against which specific protection within the TOE or its environment is required.
• Any organizational security policy statements or rules with which the TOE must comply.
• Any assumptions about the security aspects of the environment and/or of the manner in which the TOE is intended to be used.

This chapter identifies assumptions as A.assumption, threats as T.threat and policies as P.policy.

3.1 Threats

The following are threats identified for the TOE and the IT System the TOE monitors. The TOE itself has threats, and the TOE is also responsible for addressing threats to the environment in which it resides. The assumed level of expertise of the attacker for all the threats is unsophisticated.

The TOE addresses the following threats:

Threat | Description
T.COMDIS | An unauthorized user may attempt to disclose the data collected and produced by the TOE by bypassing a security mechanism.
T.COMINT | An unauthorized user may attempt to compromise the integrity of the data collected and produced by the TOE by bypassing a security mechanism.
T.IMPCON | An unauthorized user may inappropriately change the configuration of the TOE, causing potential intrusions to go undetected.
T.LOSSOF | An unauthorized user may attempt to remove or destroy data collected and produced by the TOE.
T.NOHALT | An unauthorized user may attempt to compromise the continuity of the System's collection and analysis functions by halting execution of the TOE.
T.PRIVIL | An unauthorized user may gain access to the TOE and exploit system privileges to gain access to TOE security functions and data.
T.FALREC | The TOE may fail to recognize vulnerabilities or inappropriate activity based on data acquired from managed systems, resulting in potential compromise of managed systems.
T.SCNCFG | Improper security configuration settings may exist in the managed systems, allowing an attack to be performed or go undetected.
T.SCNMLC | Users could execute malicious code on an IT System that the TOE monitors which causes modification of the IT System protected data or undermines the IT System security functions.
T.SCNVUL | Vulnerabilities may exist in the IT System the TOE monitors that could result in an exploit by an unauthorized user.
Table 9 – Threats Addressed by the TOE
3.2 Organizational Security Policies

An organizational security policy is a set of rules, practices, and procedures imposed by an organization to address its security needs. The following Organizational Security Policies apply to the TOE:

Policy | Description
P.ACCACT | Users of the TOE shall be accountable for their actions within the TOE.
P.ACCESS | All data collected and produced by the TOE shall only be used for authorized purposes.
P.ANALYZ | Analytical processes and information to derive conclusions about intrusions (past, present, or future) must be applied to data received from data sources and appropriate response actions taken.
P.DETECT | Static configuration information that might be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System, or events that are indicative of inappropriate activity that may have resulted from misuse, access, or malicious activity of IT System assets, must be collected.
P.IMPORT | The TOE shall be able to import data about managed systems from LDAP servers and NT Domains.
P.INTGTY | Data collected and produced by the TOE shall be protected from modification.
P.MANAGE | The TOE shall only be managed by authorized users.
P.PROTCT | The TOE shall be protected from unauthorized accesses and disruptions of TOE data and functions.
P.SCAP | The TOE shall be able to exchange SCAP Benchmark Assessment data with external systems.
Table 10 – Organizational Security Policies
3.3 Assumptions

This section describes the security aspects of the environment in which the TOE is intended to be used. The TOE is assured to provide effective security measures in a co-operative, non-hostile environment only if it is installed, managed, and used correctly. The following specific conditions are assumed to exist in an environment where the TOE is employed.

Assumption | Description
A.ACCESS | The TOE has access to all the IT System data it needs to perform its functions.
A.ASCOPE | The TOE is appropriately scalable to the IT Systems the TOE monitors.
A.DATABASE | Access to the database used by the TOE via mechanisms outside the TOE boundary is restricted to use by authorized users.
A.DYNMIC | The TOE will be managed in a manner that allows it to appropriately address changes in the IT System the TOE monitors.
A.LOCATE | The processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access.
A.MANAGE | There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains.
A.NOEVIL | The authorized administrators are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the TOE documentation.
A.PROTCT | The TOE hardware and software critical to security policy enforcement will be protected from unauthorized physical modification.
Table 11 – Assumptions
4 Security Objectives

4.1 Security Objectives for the TOE

The IT security objectives for the TOE are addressed below:

Objective | Description
O.ACCESS | The TOE must allow authorized users to access only authorized TOE functions and data.
O.AUDITS | The TOE must record audit records for data accesses and use of the TOE functions on the management system.
O.AUDIT_PROTECT | The TOE will provide the capability to protect audit information generated by the TOE.
O.CRYPTO | The TOE will provide cryptographic functionality and protocols required for the TOE to securely transfer information between distributed portions of the TOE.
O.EADMIN | The TOE must include a set of functions that allow effective management of its functions and data.
O.IDANLZ | The TOE must apply analytical processes and information to derive conclusions about intrusions (past, present, or future).
O.IDENTIFY | The TOE must be able to identify and authenticate users prior to allowing access to TOE functions and data on the management system.
O.IDSCAN | The TOE must collect and store static configuration information that might be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System.
O.IMPORT | The TOE shall provide mechanisms to import system data from Active Directory (LDAP servers) and NT Domain Controllers.
O.INTEGR | The TOE must ensure the integrity of all System data.
O.SCAP | The TOE shall provide mechanisms to exchange SCAP Benchmark Assessment data.
O.SD_PROTECTION | The TOE will provide the capability to protect system data.
Table 12 – TOE Security Objectives
4.2 Security Objectives for the Operational Environment

The security objectives for the operational environment are addressed below:

Objective | Description
OE.PHYCAL | Those responsible for the TOE must ensure that those parts of the TOE critical to security policy are protected from any physical attack.
OE.CREDEN | Those responsible for the TOE must ensure that all access credentials are protected by the users in a manner which is consistent with IT security.
OE.INSTAL | Those responsible for the TOE must ensure that the TOE is delivered, installed, managed, and operated in a manner which is consistent with IT security.
OE.INTROP | The TOE is interoperable with the managed systems it monitors.
OE.PERSON | Personnel working as authorized administrators shall be carefully selected and trained for proper operation of the System.
OE.AUDIT_PROTECT | The IT Environment will provide the capability to protect audit information generated by the TOE via mechanisms outside the TSC.
OE.AUDIT_REVIEW | The IT Environment will provide the capability for authorized administrators to review audit information generated by the TOE.
OE.DATABASE | Those responsible for the TOE must ensure that access to the database via mechanisms outside the TOE boundary (e.g., DBMS) is restricted to authorized users only.
OE.PROTECT | The IT Environment will protect itself and the TOE from external interference or tampering.
OE.SD_PROTECTION | The IT Environment will provide the capability to protect system data via mechanisms outside the TSC.
OE.STORAGE | The IT Environment will store TOE data in the database and retrieve it when directed by the TOE.
OE.TIME | The IT Environment will provide reliable time stamps to the TOE.
Table 13 – Operational Environment Security Objectives
4.3 Security Objectives Rationale

This section provides the summary that all security objectives are traced back to aspects of the addressed assumptions, threats, and Organizational Security Policies (if applicable). The following table provides a high-level mapping of coverage for each threat, assumption, and policy:
Threat / Assumption / Policy | Security Objectives
A.ACCESS | OE.INTROP
A.ASCOPE | OE.INTROP
A.DATABASE | OE.DATABASE
A.DYNMIC | OE.INTROP, OE.PERSON
A.LOCATE | OE.PHYCAL
A.MANAGE | OE.PERSON
A.NOEVIL | OE.INSTAL, OE.PHYCAL, OE.CREDEN
A.PROTCT | OE.PHYCAL
P.ACCACT | O.AUDITS, O.IDENTIFY, OE.AUDIT_REVIEW
P.ACCESS | O.IDENTIFY, O.ACCESS, O.SD_PROTECTION, OE.SD_PROTECTION, OE.DATABASE
P.ANALYZ | O.IDANLZ
P.DETECT | O.IDSCAN, O.AUDITS, OE.TIME
P.IMPORT | O.IMPORT
P.INTGTY | O.INTEGR, O.CRYPTO, O.AUDIT_PROTECT, OE.AUDIT_PROTECT, OE.STORAGE
P.MANAGE | O.EADMIN, O.ACCESS, O.IDENTIFY, OE.INSTAL, OE.CREDEN, OE.PERSON
P.PROTCT | O.CRYPTO, OE.PHYCAL, OE.PROTECT, OE.STORAGE
P.SCAP | O.SCAP
T.COMDIS | O.ACCESS, O.CRYPTO, O.IDENTIFY, OE.PROTECT
T.COMINT | O.ACCESS, O.CRYPTO, O.IDENTIFY, O.INTEGR, OE.PROTECT
T.FALREC | O.IDANLZ
T.IMPCON | O.EADMIN, O.ACCESS, O.CRYPTO, O.IDENTIFY, OE.INSTAL
T.LOSSOF | O.ACCESS, O.IDENTIFY, O.INTEGR
T.NOHALT | O.IDSCAN, O.IDANLZ, O.ACCESS, O.IDENTIFY
T.PRIVIL | O.ACCESS, O.IDENTIFY
T.SCNCFG | O.IDSCAN
T.SCNMLC | O.IDSCAN
T.SCNVUL | O.IDSCAN
Table 14 – Mapping of Assumptions, Threats, and OSPs to Security Objectives
The following table provides detailed evidence of coverage for each threat, policy, and assumption:

Threats, Policies, and Assumptions | Rationale
A.ACCESS | The TOE has access to all the IT System data it needs to perform its functions. The OE.INTROP objective ensures the TOE has the needed access.
A.ASCOPE | The TOE is appropriately scalable to the IT System the TOE monitors. The OE.INTROP objective ensures the TOE has the necessary interactions with the IT System it monitors.
A.DATABASE | Access to the database used by the TOE via mechanisms outside the TOE boundary is restricted to use by authorized users. The OE.DATABASE objective ensures that access to any mechanisms outside the TOE boundary that may be used to access the database is configured by the administrators such that only authorized users may utilize the mechanisms.
A.DYNMIC | The TOE will be managed in a manner that allows it to appropriately address changes in the IT System the TOE monitors. The OE.INTROP objective ensures the TOE has the proper access to the IT System. The OE.PERSON objective ensures that the TOE will be managed appropriately.
A.LOCATE | The processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access. The OE.PHYCAL objective provides for the physical protection of the TOE.
A.MANAGE | There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains. The OE.PERSON objective ensures all authorized administrators are qualified and trained to manage the TOE.
A.NOEVIL | The authorized administrators are not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the TOE documentation. The OE.INSTAL objective ensures that the TOE is properly installed and operated, and the OE.PHYCAL objective provides for physical protection of the TOE by authorized administrators. The OE.CREDEN objective supports this assumption by requiring protection of all authentication data.
A.PROTCT | The TOE hardware and software critical to security policy enforcement will be protected from unauthorized physical modification. The OE.PHYCAL objective provides for the physical protection of the TOE hardware and software.
P.ACCACT | Users of the TOE shall be accountable for their actions within the TOE. The O.AUDITS objective implements this policy by requiring auditing of all data accesses and use of TOE functions. The O.IDENTIFY objective supports this policy by ensuring each user is uniquely identified and authenticated. The OE.AUDIT_REVIEW objective provides the ability for administrators to review the audit records generated by the TOE so that accountability for administrator actions can be determined.
P.ACCESS | All data collected and produced by the TOE shall only be used for authorized purposes. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE function accesses via the ePO web interface. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE functions. The OE.SD_PROTECTION and OE.DATABASE objectives address this policy for mechanisms outside the TSC via IT Environment protections of the system data trail and the database used to hold TOE data. The O.SD_PROTECTION and O.ACCESS objectives address this policy for mechanisms inside the TSC via TOE protections of the system data trail and the database used to hold TOE data.
P.ANALYZ | Analytical processes and information to derive conclusions about intrusions (past, present, or future) must be applied to data received from data sources and appropriate response actions taken. The O.IDANLZ objective addresses this policy by requiring the TOE to apply analytical processes and information to derive conclusions about intrusions (past, present, or future).
P.DETECT | Static configuration information that might be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System, or events that are indicative of inappropriate activity that may have resulted from misuse, access, or malicious activity of IT System assets, must be collected. The O.AUDITS and O.IDSCAN objectives address this policy by requiring collection of audit and policy audit data. The OE.TIME objective supports this policy by providing a time stamp for insertion into the system data records.
P.IMPORT | The TOE shall be able to import data about managed systems from LDAP servers and NT Domains. The O.IMPORT objective addresses this policy by requiring the TOE to provide functionality to import data about managed systems from LDAP servers and NT Domains.
P.INTGTY | Data collected and produced by the TOE shall be protected from modification. The O.INTEGR objective ensures the protection of System data from modification. The O.AUDIT_PROTECT and OE.AUDIT_PROTECT objectives ensure the integrity of audit records in the database generated by the TOE using access mechanisms inside and outside the TSC respectively. The O.CRYPTO objective requires the TOE to provide cryptographic functionality and protocols to protect the data during transit. The OE.STORAGE objective requires the IT Environment to provide storage and retrieval mechanisms for System data for use by the TOE.
P.MANAGE | The TOE shall only be managed by authorized users. The OE.PERSON objective ensures competent administrators will manage the TOE, and the O.EADMIN objective ensures there is a set of functions for administrators to use. The OE.INSTAL objective supports the OE.PERSON objective by ensuring administrators follow all provided documentation and maintain the security policy. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE function accesses. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE functions. The OE.CREDEN objective requires administrators to protect all authentication data.
P.PROTCT | The TOE shall be protected from unauthorized accesses and disruptions of TOE data and functions. The OE.PHYCAL objective protects the TOE from unauthorized physical modifications. The OE.PROTECT objective supports the TOE protection from the IT Environment. The O.CRYPTO objective requires the TOE to provide cryptographic functionality and protocols to protect the data during transit. The OE.STORAGE objective requires the IT Environment to provide storage and retrieval mechanisms for System data for use by the TOE.
P.SCAP | The TOE shall be able to exchange SCAP Benchmark Assessment data with external systems. The O.SCAP objective addresses this policy by requiring the TOE to provide mechanisms to exchange SCAP data with external sources.
T.COMDIS | An unauthorized user may attempt to disclose the data collected and produced by the TOE by bypassing a security mechanism. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE data access. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE data. The O.CRYPTO objective requires the TOE to provide cryptographic functionality and protocols to protect the data during transit. The OE.PROTECT objective supports the TOE protection from the IT Environment.
T.COMINT | An unauthorized user may attempt to compromise the integrity of the data collected and produced by the TOE by bypassing a security mechanism. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE data access. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE data. The O.INTEGR objective ensures no System data will be modified. The O.CRYPTO objective requires the TOE to provide cryptographic functionality and protocols to protect the data during transit. The OE.PROTECT objective supports the TOE protection from the IT Environment.
T.FALREC | The TOE may fail to recognize vulnerabilities or inappropriate activity based on data received from each data source. The O.IDANLZ objective provides the function that the TOE will recognize vulnerabilities or inappropriate activity from a data source.
T.IMPCON | An unauthorized user may inappropriately change the configuration of the TOE causing potential intrusions to go undetected. The OE.INSTAL objective states the authorized administrators will configure the TOE properly. The O.EADMIN objective ensures the TOE has all the necessary administrator functions to manage the product. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE data access. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE functions. The O.CRYPTO objective requires the TOE to provide cryptographic functionality and protocols to protect the data during transit.
T.LOSSOF | An unauthorized user may attempt to remove or destroy data collected and produced by the TOE. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE data access. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE data. The O.INTEGR objective ensures no System data will be deleted.
T.NOHALT | An unauthorized user may attempt to compromise the continuity of the System's collection and analysis functions by halting execution of the TOE. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE data access. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE functions. The O.IDSCAN and O.IDANLZ objectives address this threat by requiring the TOE to collect and analyze System data, which includes attempts to halt the TOE.
T.PRIVIL | An unauthorized user may gain access to the TOE and exploit system privileges to gain access to TOE security functions and data. The O.IDENTIFY objective provides for identification and authentication of users prior to any TOE data access. The O.ACCESS objective builds upon the O.IDENTIFY objective by only permitting authorized users to access TOE functions.
T.SCNCFG | Improper security configuration settings may exist in the managed systems. The O.IDSCAN objective counters this threat by requiring a TOE that contains a Scanner to collect and store static configuration information that might be indicative of a configuration setting change.
T.SCNMLC | Users could execute malicious code on an IT System that the TOE monitors which causes modification of the IT System protected data or undermines the IT System security functions. The O.IDSCAN objective counters this threat by requiring a TOE that contains a Scanner to collect and store static configuration information that might be indicative of malicious code.
T.SCNVUL | Vulnerabilities may exist in an IT System the TOE monitors. The O.IDSCAN objective counters this threat by requiring a TOE that contains a Scanner to collect and store static configuration information that might be indicative of a vulnerability.
Table 15 – Rationale for Mapping of Threats, Policies, and Assumptions to Objectives
5 Extended Components Definition

5.1 IDS Class of SFRs

All of the components in this section were taken from the U.S. Government Protection Profile Intrusion Detection System System for Basic Robustness Environments.

This class of requirements is copied from the IDS System PP to specifically address the data collected and analysed by an IDS scanner and analyzer. The audit family of the CC (FAU) was used as a model for creating these requirements. The purpose of this class of requirements is to address the unique nature of system data and provide for requirements about collecting, reviewing and managing the data.

5.1.1 IDS_SDC.1 System Data Collection

Management: IDS_SDC.1

The following actions could be considered for the management functions in FMT:

a) Configuration of the events to be collected

Audit: IDS_SDC.1

There are no auditable events foreseen.

IDS_SDC.1 System Data Collection

Hierarchical to: No other components
Dependencies: No dependencies

IDS_SDC.1.1 The System shall be able to collect the following information from the targeted IT System resource(s):

a) [selection: Start-up and shutdown, identification and authentication events, data accesses, service requests, network traffic, security configuration changes, data introduction, detected malicious code, access control configuration, service configuration, authentication configuration, accountability policy configuration, detected known vulnerabilities]; and
b) [assignment: other specifically defined events].

IDS_SDC.1.2 At a minimum, the System shall collect and record the following information:

a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and
b) The additional information specified in the Details column of the table below:

Component | Event | Details
IDS_SDC.1 | Start-up and shutdown | None
IDS_SDC.1 | Identification and authentication events | User identity, location, source address, destination address
IDS_SDC.1 | Data accesses | Object IDs, requested access, source address, destination address
IDS_SDC.1 | Service requests | Specific service, source address, destination address
IDS_SDC.1 | Network traffic | Protocol, source address, destination address
IDS_SDC.1 | Security configuration changes | Source address, destination address
IDS_SDC.1 | Data introduction | Object IDs, location of object, source address, destination address
IDS_SDC.1 | Start-up and shutdown of audit functions | None
IDS_SDC.1 | Detected malicious code | Location, identification of code
IDS_SDC.1 | Access control configuration | Location, access settings
IDS_SDC.1 | Service configuration | Service identification (name or port), interface, protocols
IDS_SDC.1 | Authentication configuration | Account names for cracked passwords, account policy parameters
IDS_SDC.1 | Accountability policy configuration | Accountability policy configuration parameters
IDS_SDC.1 | Detected known vulnerabilities | Identification of the known vulnerability
Table 16 – System Data Collection Events and Details

Application Note: The rows in this table that correspond to the selections in IDS_SDC.1.1 must be retained when that operation is completed. If additional events are defined in the assignment in IDS_SDC.1.1, then corresponding rows should be added to the table for this element.
5.1.2 IDS_ANL.1 Analyzer Analysis

Management: IDS_ANL.1

The following actions could be considered for the management functions in FMT:

a) Configuration of the analysis to be performed

Audit: IDS_ANL.1

The following actions should be auditable if FAU_GEN Security audit data generation is included in the ST:

a) Minimal: Enabling and disabling of any of the analysis mechanisms

IDS_ANL.1 Analyzer Analysis

Hierarchical to: No other components
Dependencies: No dependencies

IDS_ANL.1.1 The System shall perform the following analysis function(s) on all IDS data received:

a) [selection: statistical, signature, integrity]; and
b) [assignment: other analytical functions].

IDS_ANL.1.2 The System shall record within each analytical result at least the following information:

a. Date and time of the result, type of result, identification of data source; and
b. [assignment: other security relevant information about the result]. (EXT)

5.1.3 IDS_RDR.1 Restricted Data Review (EXT)

Management: IDS_RDR.1

The following actions could be considered for the management functions in FMT:

a) maintenance (deletion, modification, addition) of the group of users with read access right to the system data records.

Audit: IDS_RDR.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the ST:

a) Basic: Attempts to read system data that are denied.
b) Detailed: Reading of information from the system data records.

IDS_RDR.1 Restricted Data Review

Hierarchical to: No other components
Dependencies: IDS_SDC.1 System Data Collection; IDS_ANL.1 Analyzer Analysis

IDS_RDR.1.1 The System shall provide [assignment: authorized users] with the capability to read [assignment: list of System data] from the System data.

IDS_RDR.1.2 The System shall provide the System data in a manner suitable for the user to interpret the information.

IDS_RDR.1.3 The System shall prohibit all users read access to the System data, except those users that have been granted explicit read-access.

5.1.4 IDS_STG.1 Guarantee of System Data Availability

Management: IDS_STG.1

The following actions could be considered for the management functions in FMT:

a) maintenance of the parameters that control the system data storage capability.

Audit: IDS_STG.1

There are no auditable events foreseen.

IDS_STG.1 Guarantee of System Data Availability

Hierarchical to: No other components
Dependencies: IDS_SDC.1 System Data Collection; IDS_ANL.1 Analyzer Analysis

IDS_STG.1.1 The System shall protect the stored System data from unauthorized deletion.

IDS_STG.1.2 The System shall protect the stored System data from modification.
Application Note: Authorized deletion of data is not considered a modification of System data in this context. This requirement applies to the actual content of the System data, which should be protected from any modifications.

IDS_STG.1.3 The System shall ensure that [assignment: metric for saving System data] System data will be maintained when the following conditions occur: [selection: System data storage exhaustion, failure, attack].
6 Security Requirements

The security requirements that are levied on the TOE are specified in this section of the ST.

6.1 Security Functional Requirements

The functional security requirements for this Security Target consist of the following components from Part 2 of the CC, and the extended components defined in section 5 of this ST, all of which are summarized in the following table:

Class Heading | Class_Family | Description
Security Audit | FAU_GEN.1 | Audit Data Generation
Security Audit | FAU_GEN.2 | User Identity Association
Security Audit | FAU_SAR.1 | Audit Review
Security Audit | FAU_SAR.2 | Restricted Audit Review
Security Audit | FAU_STG.1 | Protected Audit Trail Storage
Security Audit | FAU_STG.4 | Prevention of Audit Trail Data Loss
Cryptographic Support | FCS_CKM.1 (1-4) | Cryptographic Key Generation
Cryptographic Support | FCS_CKM.4 | Cryptographic Key Destruction
Cryptographic Support | FCS_COP.1 | Cryptographic Operation
Identification and Authentication | FIA_ATD.1 | User Attribute Definition
Identification and Authentication | FIA_UAU.2 | User Authentication Before Any Action
Identification and Authentication | FIA_UID.2 | User Identification Before Any Action
Identification and Authentication | FIA_USB.1 | User-Subject Binding
Security Management | FMT_MTD.1 | Management of TSF Data
Security Management | FMT_SMF.1 | Specification of Management Functions
Security Management | FMT_SMR.1 | Security Roles
Protection of the TSF | FPT_TDC.1 (1) | Inter-TSF Basic TSF Data Consistency
Protection of the TSF | FPT_TDC.1 (2) | Inter-TSF Basic TSF Data Consistency
IDS Component Requirements | IDS_SDC.1 | System Data Collection
IDS Component Requirements | IDS_ANL.1 | Analyzer Analysis
IDS Component Requirements | IDS_RDR.1 | Restricted Data Review
IDS Component Requirements | IDS_STG.1 | Guarantee of System Data Availability
Table 17 – TOE Functional Components

6.1.1 Security Audit (FAU)

6.1.1.1 FAU_GEN.1 Audit Data Generation

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:

a) Start-up and shutdown of the audit functions;
b) All auditable events for the not specified level of audit; and
c) The events identified in the following table.
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:

a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, the information detailed in the following table.

Application Note: The auditable events for the respective level of auditing are included in the following table:

Component | Event | Details
FAU_GEN.1 | Start-up and shutdown of audit functions | None
FAU_GEN.1 | Access to the TOE and System data | Object IDs, requested access
FAU_SAR.2 | Note: Unsuccessful attempts to read information from the audit records do not occur because the TOE does not present that capability to users that are not authorized to read the audit records. | None
FAU_STG.4 | Note: New audit records are discarded when storage space is exhausted; the IT Environment alarms the administrator with a notification indicating low disk space. | None
FIA_ATD.1 | All changes to TSF data (excluding password changes) result in an audit record being generated. Note that passwords are not configured, so no audit records for rejection of a tested secret will be generated. | None
FIA_UAU.2 | Use of the user authentication mechanism | User identity, location
FIA_UID.2 | All use of the user identification mechanism | User identity, location
FIA_USB.1 | Successful binding of attributes to subjects is reflected in the audit record for successful authentication. Unsuccessful binding does not occur in the TOE design. | None
FMT_MTD.1 | All modifications to the values of TSF data, with the exception of Waiver Management functions. | None
FMT_SMF.1 | Use of the management functions, with the exception of Waiver Management functions. | User identity, function used
FMT_SMR.1 | Modifications to the group of users that are part of a role | User identity
FPT_TDC.1 | Use of the asset import function | Data source, result, identification of which TSF data have been imported
FPT_TDC.1 | Detection of modified TSF data | Data source, identification of which TSF data have been modified
IDS_ANL.1 | None (the analysis function is always enabled) | None
IDS_RDR.1 | None (the user is not given the option of accessing unauthorized system data) | None
Table 18 – Audit Events and Details
6.1.1.2 FAU_GEN.2 User Identity Association

FAU_GEN.2.1 The TSF shall be able to associate each auditable event with the identity of the user that caused the event.

6.1.1.3 FAU_SAR.1 Audit Review

FAU_SAR.1.1 The TSF shall provide authorized users with Global Administrator permission, or assigned to one of the Executive Reviewer, Global Reviewer, Group Admin or Group Reviewer permission sets, with the capability to read all information from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

6.1.1.4 FAU_SAR.2 Restricted Audit Review

FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.

6.1.1.5 FAU_STG.1 Protected Audit Trail Storage

FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorized deletion.
FAU_STG.1.2 The TSF shall be able to prevent unauthorized modifications to the audit records in the audit trail.

6.1.1.6 FAU_STG.4 Prevention of Audit Data Loss

FAU_STG.4.1 The TSF shall ignore auditable events and perform no other action if the audit trail is full.
Application Note: The TOE relies on the IT Environment to monitor disk space and send the appropriate alarm. The TOE sends audit events to the IT Environment; if the database is full, it ignores the new audit events and alarms the administrator with a notification indicating low disk space.

6.1.2 Cryptographic Support (FCS)

6.1.2.1 FCS_CKM.1(1) Cryptographic Key Generation (ePO AES)

FCS_CKM.1.1(1) The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm CTR_DRBG for deterministic random bit generation and specified cryptographic key sizes 256 bits for encryption/decryption that meet the following: NIST Special Publication 800-90 (CAVP algorithm certificate #540).

6.1.2.2 FCS_CKM.1(2) Cryptographic Key Generation (ePO RSA)

FCS_CKM.1.1(2) The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm CTR_DRBG for deterministic random bit generation and specified cryptographic key sizes 2048 bits for key transport that meet the following: NIST Special Publication 800-90 (CAVP algorithm certificate #540).

6.1.2.3 FCS_CKM.1(3) Cryptographic Key Generation (MA AES)

FCS_CKM.1.1(3) The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm HMAC_DRBG for random number generation and specified cryptographic key sizes 256 bits for encryption/decryption that meet the following: NIST Special Publication 800-90A (CAVP algorithm certificate #191).

6.1.2.4 FCS_CKM.1(4) Cryptographic Key Generation (MA RSA)

FCS_CKM.1.1(4) The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm HMAC_DRBG for random number generation and specified cryptographic key sizes 2048 bits for key transport that meet the following: NIST Special Publication 800-90A (CAVP algorithm certificate #191).

6.1.2.5 FCS_CKM.4 Cryptographic Key Destruction

FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method zeroization that meets the following: FIPS 140-2 Level 1.
6.1.2.6 FCS_COP.1 Cryptographic Operation

FCS_COP.1.1 The TSF shall perform [list of cryptographic operations – see Table 19 below] in accordance with a specified cryptographic algorithm [cryptographic algorithm – see Table 19 below] and cryptographic key sizes [cryptographic key sizes – see Table 19 below] that meet the following: [list of standards – see Table 19 below].

CRYPTOGRAPHIC OPERATION               CRYPTOGRAPHIC ALGORITHM                                   KEY SIZES (BITS)   STANDARDS
Key Transport                         RSA encrypt/decrypt                                       2048               Allowed in FIPS mode
Symmetric encryption and decryption   Advanced Encryption Standard (AES) operating in GCM mode  256                FIPS 197
Secure Hashing                        SHA-384                                                   Not Applicable     FIPS 180-3

Table 19 – Cryptographic Operations
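The following is an added example, not code from the Security Target or from the McAfee products. It performs the three Table 19 operations end to end in Go: RSA-2048 key transport of a freshly generated AES-256 key, AES-256-GCM encryption and decryption, and SHA-384 hashing, followed by zeroization of the key as FCS_CKM.4 requires. Assumptions that are not in the ST: OAEP padding with SHA-384 and a fixed label for the RSA operation, and Go's crypto/rand in place of the CAVP-validated CTR_DRBG/HMAC_DRBG named in FCS_CKM.1. Two points the table does not spell out: FIPS 197 specifies the AES block cipher only, the GCM mode of operation is defined in NIST SP 800-38D; and GCM's security collapses if a nonce is ever reused under one key, which the example avoids by drawing a fresh random nonce per message and prepending it to the ciphertext.

```go
// Added example, not code from the Security Target or the McAfee products:
// the Table 19 operations performed end to end, then key zeroization.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand" // stands in for the CTR_DRBG/HMAC_DRBG named in FCS_CKM.1
	"crypto/rsa"
	"crypto/sha512"
	"encoding/hex"
	"errors"
	"fmt"
)

const aesKeyBytes = 32 // AES-256, the 256-bit key size of Table 19

// oaepLabel is an assumption of this example; the ST names no label.
var oaepLabel = []byte("ePO-key-transport")

// GenerateSessionKey draws a fresh 256-bit AES key from the OS DRBG.
func GenerateSessionKey() ([]byte, error) {
	key := make([]byte, aesKeyBytes)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// WrapKey is the "Key Transport" row: the AES key is encrypted to an RSA-2048
// public key. OAEP with SHA-384 is this example's padding choice; the ST says
// only "RSA encrypt/decrypt, allowed in FIPS mode".
func WrapKey(pub *rsa.PublicKey, key []byte) ([]byte, error) {
	if pub.Size() != 256 {
		return nil, errors.New("key transport requires a 2048-bit RSA key")
	}
	return rsa.EncryptOAEP(sha512.New384(), rand.Reader, pub, key, oaepLabel)
}

// UnwrapKey is the receiving side of key transport.
func UnwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha512.New384(), nil, priv, wrapped, oaepLabel)
}

// Seal is the "Symmetric encryption" row: AES-256-GCM. A fresh random 96-bit
// nonce is drawn per message and prepended; GCM is broken by nonce reuse.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the GCM tag before releasing plaintext; tampering is an error.
func Open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("message too short to carry nonce and tag")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SHA384Hex is the "Secure Hashing" row.
func SHA384Hex(data []byte) string {
	sum := sha512.Sum384(data)
	return hex.EncodeToString(sum[:])
}

// Zeroize overwrites key material in place (FCS_CKM.4). Go cannot promise
// that the runtime holds no other copies, so this is best effort.
func Zeroize(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	key, _ := GenerateSessionKey()
	wrapped, _ := WrapKey(&priv.PublicKey, key)
	sealed, _ := Seal(key, []byte("agent-to-server policy data"), []byte("ePO"))
	recovered, _ := UnwrapKey(priv, wrapped)
	plain, err := Open(recovered, sealed, []byte("ePO"))
	fmt.Printf("plaintext=%q err=%v\nsha384(abc)=%s\n", plain, err, SHA384Hex([]byte("abc")))
	Zeroize(key)
	Zeroize(recovered)
}
```

The additional authenticated data argument lets the receiver bind a message to context (here the constant "ePO") without encrypting it; a message replayed under a different context fails the tag check just as a modified ciphertext does.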
6.1.3 Identification and Authentication (FIA)

6.1.3.1 FIA_ATD.1 User Attribute Definition

FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users:
a) ePO User Name;
b) Enabled or disabled;
c) Authentication configuration;
d) Hashed password (when Local ePO authentication is configured);
e) Permission Sets.

6.1.3.2 FIA_UAU.2 User Authentication Before Any Action

FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
6.1.3.3 FIA_UID.2 User Identification Before Any Action

FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

6.1.3.4 FIA_USB.1 User-Subject Binding

FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on behalf of that user:
a) Permission sets.
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: user security attributes are bound upon successful login with a valid ePO User Name.
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: user security attributes do not change until the user refreshes the menu of the GUI management session.

Application Note: Permissions are determined by the union of all permissions in any permission set associated with a user.

Application Note: If the security attributes for a user are changed while that user has an active session, the new security attributes are not bound to the session until the next page refresh.
6.1.4 Security Management (FMT)

6.1.4.1 FMT_MTD.1 Management of TSF Data

FMT_MTD.1.1 The TSF shall restrict the ability to query, modify, delete, clear, create, export and use the TSF data identified in the following table to a user with the permissions identified in the following table or a Global Administrator.

TSF DATA | ASSOCIATED PERMISSION | OPERATIONS PERMITTED
Benchmarks | Activate benchmarks | Modify (activate) benchmarks
Benchmarks | Apply labels | Query and modify (apply) labels
Benchmarks | Create, delete and apply labels | Query, create, delete and modify (apply) labels
Benchmarks | Create, delete and import checks | Query, create (manually or by importing) and delete checks
Benchmarks | Create, delete, modify and import benchmarks | Query, create (manually or by importing), delete and modify benchmarks
Benchmarks | Create, delete, modify, import and unlock benchmarks | Query, create (manually), delete, and modify (unlock) benchmarks
Benchmarks | Edit benchmark tailoring | Query and modify benchmark tailoring
Benchmarks | Edit existing benchmarks | Query and modify benchmarks
Benchmarks | View and export benchmarks | Query and export benchmarks
Benchmarks | View and export checks | Query and export checks
Audit Log | View audit log | View
Audit Log | View and purge audit log | View and delete
Dashboards | Use public dashboards | Query and use public dashboards
Dashboards | Use public dashboards; create and edit private dashboards | Query and use public dashboards; create and modify private dashboards
Dashboards | Use public dashboards; create and edit private dashboards; make private dashboards public | Query and use public dashboards; create, delete and modify private dashboards; make private dashboards public
Data Retention Settings | n/a (only allowed by a Global Administrator) | Query and modify
Event Records (Policy Audit) | Add, remove and change Audits and Assignments | Query policy audit event records
Event Records (Policy Audit) | View Audits and Assignments | Query policy audit event records
ePO User Accounts | n/a (only allowed by a Global Administrator) | Query, create, delete and modify
Event Filtering | n/a (only allowed by a Global Administrator) | Query and modify
Global Administrator Status | n/a (only allowed by a Global Administrator) | Query and modify
Groups | View "System Tree" tab | Query
Groups | View "System Tree" tab along with Edit System Tree groups and systems | Query, create, delete and modify
Maximum Low Score | n/a (only allowed by a Global Administrator) | Query and modify
Permission Set | n/a (only allowed by a Global Administrator) | Query, create, delete, modify, and assign (to a user) permissions
Policy Audit | Add, remove and change Audits and Assignments | Query, create, delete and modify policy audits
Policy Audit | View Audits and Assignments | Query policy audits
Product Policy | View settings (McAfee Agent and/or Policy Auditor Agent) | Query
Product Policy | View and change settings (McAfee Agent and/or Policy Auditor Agent) | Query, create, delete, and modify (including enable)
Product Policy | n/a (only allowed by a Global Administrator) | Query, create, delete, and modify (including assign and enable)
Queries and Reports | Use public groups | Query and use public groups
Queries and Reports | Use public queries; create and edit private queries | Query and use public queries; create and modify private queries
Queries and Reports | Edit public groups; create and edit private groups; make private queries/reports public | Edit public groups; create, delete and modify (including make public) private queries/reports; make private queries/reports public
Scoring Model | n/a (only allowed by a Global Administrator) | Query and modify
Server Settings | n/a (only allowed by a Global Administrator) | Query and modify
System Information | Create and edit systems | Query, create, delete and modify
Systems | View "System Tree" tab | Query
Systems | Wake up Agents; view Agent Activity Log; Edit System Tree groups and systems; Deploy agents | Actions
System Tree Access | Access nodes and portions of the System Tree | Access nodes and portions of the System Tree
Waivers | View Waivers | Query and create (request)
Waivers | Grant and modify Waivers | Query, modify (expire or grant), and delete
File Integrity Monitoring | View File Integrity Monitoring | Query
File Integrity Monitoring | Manage File Integrity Monitoring | Create, apply, query, modify, and delete

Table 20 – TSF Data Access Permissions
6.1.4.2 FMT_SMF.1 Specification of Management Functions

FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions:
a) ePO User Account management,
b) Permission Set management,
c) Audit Log management,
d) Event Log management,
e) Event Filtering management,
f) System Tree management,
g) Tag management,
h) Product Policy management,
i) Query management,
j) Dashboard management,
k) Benchmark management,
l) Policy Auditor management,
m) Policy Audit management,
n) Waiver management, and
o) File Integrity Monitoring management.

6.1.4.3 FMT_SMR.1 Security Roles

FMT_SMR.1.1 The TSF shall maintain the roles: [Global Administrator and Users with Selected Permissions].
FMT_SMR.1.2 The TSF shall be able to associate users with roles.

Application Note: A Global Administrator is a defined user account with Global Administrator status. Users are defined user accounts without Global Administrator status but with specific permissions.
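As an added example, not code from the Security Target or from ePO, the following Go program models the two roles of FMT_SMR.1, the binding rules of FIA_USB.1 (attributes snapshotted at login, re-read only on refresh) and the union rule from the FIA_USB.1 application note, and records every authorization decision in a record carrying the FAU_GEN.1.2 fields with the FAU_GEN.2 user identity. Permission names are taken from Table 20 and the permission-set name "Global Reviewer" from FAU_SAR.1; the contents given to that set, the set "Benchmark Operators", the user names and all Go identifiers are constructed for the example.

```go
// Added example, not code from the Security Target or from ePO: roles,
// permission-set union and user-subject binding as the ST describes them.
package main

import (
	"fmt"
	"sort"
	"time"
)

// Permission is one entry of the ASSOCIATED PERMISSION column of Table 20.
type Permission string

const (
	PermViewAuditLog       Permission = "View audit log"
	PermViewPurgeAuditLog  Permission = "View and purge audit log"
	PermViewSystemTree     Permission = "View \"System Tree\" tab"
	PermActivateBenchmarks Permission = "Activate benchmarks"
)

// PermissionSet is a named bundle of permissions assigned to users.
type PermissionSet struct {
	Name        string
	Permissions []Permission
}

// User carries the FIA_ATD.1 attributes this example needs.
type User struct {
	Name           string
	Enabled        bool
	GlobalAdmin    bool // "Global Administrator status" of Table 20
	PermissionSets []*PermissionSet
}

// Session is the subject acting on behalf of a user. Its attributes are a
// snapshot taken at login (FIA_USB.1.2) and re-read only on Refresh
// (FIA_USB.1.3), so later changes to the user's sets do not reach it.
type Session struct {
	user        *User
	globalAdmin bool
	perms       map[Permission]bool
}

// EffectivePermissions is the union over all permission sets of the user.
func EffectivePermissions(u *User) map[Permission]bool {
	out := map[Permission]bool{}
	for _, ps := range u.PermissionSets {
		for _, p := range ps.Permissions {
			out[p] = true
		}
	}
	return out
}

// Login binds the user's current attributes to a new subject.
func Login(u *User) (*Session, error) {
	if !u.Enabled {
		return nil, fmt.Errorf("account %q is disabled", u.Name)
	}
	s := &Session{user: u}
	s.Refresh()
	return s, nil
}

// Refresh re-binds the attributes (the "page refresh" of the application note).
func (s *Session) Refresh() {
	s.globalAdmin = s.user.GlobalAdmin
	s.perms = EffectivePermissions(s.user)
}

// AuditRecord carries the FAU_GEN.1.2 fields; Subject is the FAU_GEN.2 identity.
type AuditRecord struct {
	Time    time.Time
	Event   string
	Subject string
	Success bool
}

// Authorize decides whether the subject may use a management function: a
// Global Administrator may do anything, everyone else needs the permission
// (FMT_MTD.1). Every decision yields an audit record.
func Authorize(s *Session, need Permission, function string) (bool, AuditRecord) {
	ok := s.globalAdmin || s.perms[need]
	return ok, AuditRecord{Time: time.Now(), Event: function, Subject: s.user.Name, Success: ok}
}

// SortedPermissions lists the bound snapshot in a stable order.
func SortedPermissions(s *Session) []string {
	names := make([]string, 0, len(s.perms))
	for p := range s.perms {
		names = append(names, string(p))
	}
	sort.Strings(names)
	return names
}

func main() {
	// Constructed data: set contents and users are not from any deployment.
	reviewers := &PermissionSet{Name: "Global Reviewer", Permissions: []Permission{PermViewAuditLog, PermViewSystemTree}}
	ops := &PermissionSet{Name: "Benchmark Operators", Permissions: []Permission{PermActivateBenchmarks}}
	alice := &User{Name: "alice", Enabled: true, PermissionSets: []*PermissionSet{reviewers, ops}}
	s, _ := Login(alice)
	ok, rec := Authorize(s, PermViewPurgeAuditLog, "Audit Log management: purge")
	fmt.Println(ok, rec.Subject, rec.Event, SortedPermissions(s))
}
```

The snapshot design is the security-relevant part: revoking a permission from a logged-in user has no effect on that session until the next refresh, exactly as the application note states, so an administrator who needs immediate effect must also terminate the session.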
6.1.5 Protection of the TSF (FPT)

6.1.5.1 FPT_TDC.1 Inter-TSF Basic TSF Data Consistency

FPT_TDC.1.1(1) The TSF shall provide the capability to consistently interpret system information when shared between the TSF and another trusted IT product.
FPT_TDC.1.2(1) The TSF shall use the following rules when interpreting the TSF data from another trusted IT product:
a) For Active Directory (LDAP servers), the data is interpreted according to the LDAP version 3 protocol.
b) For NT Domains, the data is interpreted according to the NetBIOS protocol.
c) When conflicting information is received from different sources, highest priority is given to information learned from the McAfee Agent, then to Active Directory, and finally to NT Domains.

FPT_TDC.1.1(2) The TSF shall provide the capability to consistently interpret SCAP Benchmark Assessments when shared between the TSF and another trusted IT product.
FPT_TDC.1.2(2) The TSF shall use the SCAP Benchmark Assessment XCCDF and OVAL standards when interpreting the TSF data from another trusted IT product.
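Added example, not code from the Security Target or from ePO: reconciling the system information one managed system receives from the three sources named in FPT_TDC.1.2(1), applying the precedence of rule c). Two design choices go beyond what the ST states: the precedence is applied per attribute, so an attribute that only Active Directory reports is kept even though the McAfee Agent outranks it, and the attributes on which a lower-priority source disagreed are reported separately, which is the "identification of which TSF data have been modified" detail that Table 18 asks for. The sample records are constructed.

```go
// Added example, not code from the Security Target or from ePO: per-attribute
// reconciliation of system information using the FPT_TDC.1 source precedence.
package main

import (
	"fmt"
	"sort"
)

// Source identifies which trusted IT product a record came from.
type Source int

const (
	NTDomain        Source = iota // lowest priority
	ActiveDirectory               // middle
	McAfeeAgent                   // highest priority
)

func (s Source) String() string {
	return [...]string{"NT Domain", "Active Directory", "McAfee Agent"}[s]
}

// SystemRecord is one source's view of one managed system.
type SystemRecord struct {
	Source     Source
	SystemName string
	Attributes map[string]string // e.g. "os", "ip", "domain"
}

// Attribution records which source supplied each kept attribute.
type Attribution map[string]Source

// Reconcile merges all records for a single system. For each attribute the
// value from the highest-priority source that reported it is kept; records
// that name different systems are rejected rather than silently merged.
func Reconcile(records []SystemRecord) (map[string]string, Attribution, error) {
	merged := map[string]string{}
	from := Attribution{}
	name := ""
	// Highest priority first, so the first writer of an attribute wins.
	sort.SliceStable(records, func(i, j int) bool { return records[i].Source > records[j].Source })
	for _, r := range records {
		if name == "" {
			name = r.SystemName
		} else if r.SystemName != name {
			return nil, nil, fmt.Errorf("records for different systems: %q vs %q", name, r.SystemName)
		}
		for k, v := range r.Attributes {
			if _, seen := merged[k]; !seen {
				merged[k] = v
				from[k] = r.Source
			}
		}
	}
	return merged, from, nil
}

// Conflicts lists the attributes on which some source disagreed with the
// value kept; these are the changes worth surfacing to an administrator.
func Conflicts(records []SystemRecord, merged map[string]string) []string {
	seen := map[string]bool{}
	for _, r := range records {
		for k, v := range r.Attributes {
			if merged[k] != v {
				seen[k] = true
			}
		}
	}
	out := make([]string, 0, len(seen))
	for k := range seen {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

func main() {
	// Constructed sample records; not data from any real deployment.
	records := []SystemRecord{
		{Source: NTDomain, SystemName: "ws01", Attributes: map[string]string{"os": "Windows 7", "domain": "CORP"}},
		{Source: ActiveDirectory, SystemName: "ws01", Attributes: map[string]string{"os": "Windows 8.1", "ou": "Workstations"}},
		{Source: McAfeeAgent, SystemName: "ws01", Attributes: map[string]string{"os": "Windows 10", "ip": "10.0.0.5"}},
	}
	merged, from, err := Reconcile(records)
	fmt.Println(merged, from, Conflicts(records, merged), err)
}
```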
6.1.6 IDS Component Requirements (IDS)

6.1.6.1 IDS_SDC.1 System Data Collection

IDS_SDC.1.1 The System shall be able to collect the following information from the targeted IT System resource(s):
a) access control configuration, service configuration, authentication configuration, detected known vulnerabilities; and
b) no other events.
IDS_SDC.1.2 At a minimum, the System shall collect and record the following information:
a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and
b) The additional information specified in the Details column of the table below.

COMPONENT   EVENT                            DETAILS
IDS_SDC.1   Access control configuration     Location, access settings
IDS_SDC.1   Service configuration            Service identification (name or port), interface, protocols
IDS_SDC.1   Authentication configuration     Account policy parameters
IDS_SDC.1   Detected known vulnerabilities   Identification of the known vulnerability

Table 21 – System Data Collection Events and Details

Application Note: Access control configuration refers to configuration settings used to restrict access for individual users/roles. Service configuration refers to services made available to users via the network interface and protocol stack. Authentication configuration refers to settings regarding password content parameters and authentication attempts. The information collected for each managed system is determined by the benchmarks applied against that managed system.
6.1.6.2 IDS_ANL.1 Analyzer Analysis

IDS_ANL.1.1 The System shall perform the following analysis function(s) on all system data received:
a) signature; and
b) scoring.
IDS_ANL.1.2 The System shall record within each analytical result at least the following information:
a) Date and time of the result, type of result, identification of data source; and
b) The score for the system data.
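Added example, not code from the Security Target or from Policy Auditor: parsing an XCCDF 1.2 TestResult, the format FPT_TDC.1.2(2) requires the TOE to interpret, and computing the IDS_ANL.1 scoring result with the XCCDF flat scoring model (urn:xccdf:scoring:flat), in which the score is the sum of the weights of the passed rules and the maximum is the sum of the weights of every rule that was actually evaluated. Treating a result of fixed as a pass, and all type and field names, are this example's choices; the TestResult XML is constructed; the TOE's own scoring model and its Maximum Low Score setting are not described in this section.

```go
// Added example, not code from the Security Target or from Policy Auditor:
// reading an XCCDF TestResult and computing a flat-model score from it.
package main

import (
	"encoding/xml"
	"fmt"
	"strconv"
)

// RuleResult mirrors <rule-result> with the attributes scoring needs.
type RuleResult struct {
	IDRef  string `xml:"idref,attr"`
	Weight string `xml:"weight,attr"` // XCCDF default is 1.0 when absent
	Result string `xml:"result"`
}

// TestResult mirrors the parts of <TestResult> used here.
type TestResult struct {
	ID          string       `xml:"id,attr"`
	Target      string       `xml:"target"`
	RuleResults []RuleResult `xml:"rule-result"`
	ScoreText   string       `xml:"score"` // score recorded by the producer
}

// Score is the analytical result of IDS_ANL.1.2: data source and score.
type Score struct {
	Target  string
	Score   float64
	Maximum float64
	Failed  []string // rule ids with result fail or error
}

func (r RuleResult) weight() (float64, error) {
	if r.Weight == "" {
		return 1.0, nil
	}
	return strconv.ParseFloat(r.Weight, 64)
}

// ParseTestResult decodes a TestResult document. Field tags carry no
// namespace, so encoding/xml matches elements by local name.
func ParseTestResult(doc []byte) (*TestResult, error) {
	var tr TestResult
	if err := xml.Unmarshal(doc, &tr); err != nil {
		return nil, err
	}
	return &tr, nil
}

// FlatScore applies the flat model. Rules that were not evaluated
// (notapplicable, notchecked, notselected, informational) are left out of
// both sums; pass and fixed count as passed; everything else counts against.
func FlatScore(tr *TestResult) (Score, error) {
	s := Score{Target: tr.Target}
	for _, rr := range tr.RuleResults {
		switch rr.Result {
		case "notapplicable", "notchecked", "notselected", "informational":
			continue
		}
		w, err := rr.weight()
		if err != nil {
			return Score{}, fmt.Errorf("rule %s: bad weight %q", rr.IDRef, rr.Weight)
		}
		s.Maximum += w
		switch rr.Result {
		case "pass", "fixed":
			s.Score += w
		case "fail", "error":
			s.Failed = append(s.Failed, rr.IDRef)
		}
	}
	return s, nil
}

// Percent expresses the score on a 0-100 scale; no evaluated rules scores 0.
func (s Score) Percent() float64 {
	if s.Maximum == 0 {
		return 0
	}
	return 100 * s.Score / s.Maximum
}

// SampleTestResult is a constructed, minimal XCCDF 1.2 TestResult.
const SampleTestResult = `<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_ws01">
  <target>ws01.example.test</target>
  <rule-result idref="xccdf_example_rule_password_min_length" weight="10.0"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_telnet_disabled" weight="10.0"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_guest_account"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_policy" weight="5.0"><result>fixed</result></rule-result>
  <score system="urn:xccdf:scoring:flat" maximum="25.0">15.0</score>
</TestResult>`

func main() {
	tr, err := ParseTestResult([]byte(SampleTestResult))
	if err != nil {
		panic(err)
	}
	s, err := FlatScore(tr)
	fmt.Printf("%s: %.1f/%.1f (%.0f%%) failed=%v err=%v recorded=%s\n",
		s.Target, s.Score, s.Maximum, s.Percent(), s.Failed, err, tr.ScoreText)
}
```

Recomputing the score rather than trusting the producer's <score> element is the consistency check FPT_TDC.1 is about: a result document whose recorded score disagrees with its own rule results should be treated as inconsistent, not imported as-is.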
6.1.6.3 IDS_RDR.1 Restricted Data Review (EXT)

IDS_RDR.1.1 The System shall provide a user with the View System Tree permission or a Global Administrator with the capability to read event records and scores from the System data.
IDS_RDR.1.2 The System shall provide the System data in a manner suitable for the user to interpret the information.
IDS_RDR.1.3 The System shall prohibit all users read access to the System data, except those users that have been granted explicit read-access.

6.1.6.4 IDS_STG.1 Guarantee of System Data Availability

IDS_STG.1.1 The System shall protect the stored System data from unauthorized deletion.
IDS_STG.1.2 The System shall protect the stored System data from modification.

Application Note: Authorized deletion of data is not considered a modification of System data in this context. This requirement applies to the actual content of the System data, which should be protected from any modifications.

IDS_STG.1.3 The System shall ensure that (to the limits of the storage space for the configured data retention period) the oldest System data will be maintained when the following conditions occur: System data storage exhaustion.
6.2 Security Assurance Requirements

The assurance security requirements for this Security Target are taken from Part 3 of the CC. These assurance requirements compose an Evaluation Assurance Level 2 (EAL2) augmented by ALC_FLR.2. The assurance components are summarized in the following table:

CLASS HEADING                  CLASS_FAMILY   DESCRIPTION
ADV: Development               ADV_ARC.1      Security Architecture Description
                               ADV_FSP.2      Security-enforcing Functional Specification
                               ADV_TDS.1      Basic Design
AGD: Guidance Documents        AGD_OPE.1      Operational User Guidance
                               AGD_PRE.1      Preparative Procedures
ALC: Life-cycle Support        ALC_CMC.2      Use of a CM System
                               ALC_CMS.2      Parts of the TOE CM Coverage
                               ALC_DEL.1      Delivery Procedures
                               ALC_FLR.2      Flaw Reporting Procedures
ATE: Tests                     ATE_COV.1      Evidence of Coverage
                               ATE_FUN.1      Functional Testing
                               ATE_IND.2      Independent Testing - Sample
AVA: Vulnerability Assessment  AVA_VAN.2      Vulnerability Analysis

Table 22 – Security Assurance Requirements at EAL2
6.3 CC Component Hierarchies and Dependencies

This section of the ST demonstrates that the identified SFRs include the appropriate hierarchy and dependencies. The following table lists, for each TOE SFR, the SFRs it is hierarchical to, the SFRs it depends upon, and any necessary rationale.

SFR         HIERARCHICAL TO        DEPENDENCY                                       RATIONALE
FAU_GEN.1   No other components    FPT_STM.1                                        Satisfied by OE.TIME in the environment
FAU_GEN.2   No other components    FAU_GEN.1, FIA_UID.1                             Satisfied; satisfied by FIA_UID.2 (hierarchical to FIA_UID.1)
FAU_SAR.1   No other components    FAU_GEN.1                                        Satisfied
FAU_SAR.2   No other components    FAU_SAR.1                                        Satisfied
FAU_STG.1   No other components    FAU_GEN.1                                        Satisfied
FAU_STG.4   FAU_STG.3              FAU_STG.1                                        Satisfied
FCS_CKM.1   No other components    FCS_CKM.2 or FCS_COP.1, FCS_CKM.4                Satisfied (by FCS_COP.1 and FCS_CKM.4)
FCS_CKM.4   No other components    FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1              Satisfied (by FCS_CKM.1)
FCS_COP.1   No other components    FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1, FCS_CKM.4   Satisfied (by FCS_CKM.1 and FCS_CKM.4)
FIA_ATD.1   No other components    None                                             n/a
FIA_UAU.2   FIA_UAU.1              FIA_UID.1                                        Satisfied by FIA_UID.2 (hierarchical to FIA_UID.1)
FIA_UID.2   FIA_UID.1              None                                             n/a
FIA_USB.1   No other components    FIA_ATD.1                                        Satisfied
FMT_MTD.1   No other components    FMT_SMF.1, FMT_SMR.1                             Satisfied; satisfied
FMT_SMF.1   No other components    None                                             n/a
FMT_SMR.1   No other components    FIA_UID.1                                        Satisfied by FIA_UID.2 (hierarchical to FIA_UID.1)
FPT_TDC.1   No other components    None                                             n/a
IDS_SDC.1   No other components    None                                             n/a
IDS_ANL.1   No other components    None                                             n/a
IDS_RDR.1   No other components    IDS_SDC.1, IDS_ANL.1                             Satisfied; satisfied
IDS_STG.1   No other components    IDS_SDC.1, IDS_ANL.1                             Satisfied; satisfied

Table 23 – TOE SFR Dependency Rationale
6.4 Security Requirements Rationale

This section provides rationale for the Security Functional Requirements, demonstrating that the SFRs are suitable to address the security objectives.

6.4.1 Security Functional Requirements for the TOE

The following table provides a high-level mapping of coverage for each security objective:

SFR          O.ACCESS   O.AUDITS   O.AUDIT_PROTECT   O.CRYPTO   O.EADMIN   O.IDANLZ   O.IDENTIFY   O.IDSCAN   O.IMPORT   O.INTEGR   O.SCAP   O.SD_PROTECTION
FAU_GEN.1    ✓