Instruction manuals

BeyondTrust PowerBroker UNIX + Linux Edition V9.1. Security Target

Description
BeyndTrust PwerBrker UNI + Linux Editin V9.1 Security Target Versin August 2016 Prepared fr: BeyndTrust Sftware, Inc N. 40th Street Phenix, AZ Prepared by: Accredited Testing & Evaluatin
Published
of 47
All materials on our website are shared by users. If you have any questions about copyright issues, please report us to resolve them. We are always happy to assist you.
Related Documents
Share
Transcript
BeyndTrust PwerBrker UNI + Linux Editin V9.1 Security Target Versin August 2016 Prepared fr: BeyndTrust Sftware, Inc N. 40th Street Phenix, AZ Prepared by: Accredited Testing & Evaluatin Labs 6841 Benjamin Franklin Drive Clumbia, Maryland 21046 1. SECURITY TARGET INTRODUCTION SECURITY TARGET, TOE AND CC IDENTIFICATION CONFORMANCE CLAIMS CONVENTIONS Terminlgy Abbreviatins TOE DESCRIPTION TOE OVERVIEW TOE ARCHITECTURE Physical Bundaries Lgical Bundaries TOE DOCUMENTATION SECURITY PROBLEM DEFINITION SECURITY OBJECTIVES SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT IT SECURITY REQUIREMENTS ETENDED REQUIREMENTS TOE SECURITY FUNCTIONAL REQUIREMENTS Enterprise Security Management (ESM) Security audit (FAU) Cmmunicatin (FCO) Access Cntrl Plicy (FDP) Identificatin and authenticatin (FIA) Security management (FMT) Prtectin f the TSF (FPT) Resurce Utilizatin (FRU_FLT.1) Trusted path/channels (FTP) TOE SECURITY ASSURANCE REQUIREMENTS TOE SUMMARY SPECIFICATION ENTERPRISE SECURITY MANAGEMENT SECURITY AUDIT COMMUNICATION USER DATA PROTECTION IDENTIFICATION AND AUTHENTICATION SECURITY MANAGEMENT PROTECTION OF THE TSF RESOURCE UTILIZATION TRUSTED PATH/CHANNELS PROTECTION PROFILE CLAIMS RATIONALE TOE SUMMARY SPECIFICATION RATIONALE LIST OF TABLES Table 1 TOE Security Functinal Cmpnents Table 2 Auditable Events Table 3: FDP Requirement Table fr Hst-Based Access Cntrl Table 4: Management Functins within the TOE Table 5 Assurance Cmpnents Table 6 SFR Prtectin Prfile Surces Table 7 Security Functins vs. Requirements Mapping 1. Security Target Intrductin This sectin identifies the Security Target (ST) and Target f Evaluatin (TOE) identificatin, ST cnventins, ST cnfrmance claims, and the ST rganizatin. The TOE is PwerBrker UNI + Linux Editin V9.1, prvided by BeyndTrust Sftware, Inc. BeyndTrust PwerBrker is a security management prduct that prvides the capability t delegate access t perating system functins available t specific privileged accunts (e.g., rt ) and ffer thse functins in a cntrlled and granular fashin t ther specific and suitably trusted users. The TOE prvides bth Enterprise Security Plicy Management and Access Cntrl functins. The fcus f this evaluatin is n the TOE functinality supprting the claims in the ESM Access Cntrl and Plicy Management Prtectin Prfiles (See sectin 1.2 fr specific versin infrmatin). The security functinality specified in [pp_esm_ac_v2.1] and [pp_esm_pm_v2.1] includes access cntrl plicy management and enfrcement, prtectin f cmmunicatin channels, reliance n enterprise authenticatin, and auditing f security-relevant events. The Security Target cntains the fllwing additinal sectins: UID Als referred t as uid: User ID r User Identity 46 TOE Descriptin (Sectin 2) Security Prblem Definitin (Sectin 3) Security Objectives (Sectin 4) IT Security Requirements (Sectin 5) TOE Summary Specificatin (Sectin 6) Prtectin Prfile Claims (Sectin 7) Ratinale (Sectin 8). 1.1 Security Target, TOE and CC Identificatin ST Title BeyndTrust PwerBrker UNI + Linux Editin Security Target ST Versin Versin 1.0 ST Date 3 August 2016 TOE Identificatin BeyndTrust PwerBrker UNI + Linux Editin V9.1 TOE Develper BeyndTrust Sftware, Inc. Evaluatin Spnsr BeyndTrust Sftware, Inc. CC Identificatin Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin, Versin 3.1, Revisin 4, September Cnfrmance Claims This TOE is cnfrmant t the fllwing CC specificatins: This ST is cnfrmant t the Standard Prtectin Prfile fr Enterprise Security Management Access Cntrl, Versin 2.1, 24 Octber 2013 (pp_esm_ac_v2.1) with n additinal ptinal SFRs. Standard Prtectin Prfile fr Enterprise Security Management Plicy Management, Versin 2.1, 24 Octber 2013 (pp_esm_pm_v2.1) and includes the additinal ptinal SFRs: FAU_SEL.1, and FMT_MTD.1. Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin Part 2: Security functinal cmpnents, Versin 3.1, Revisin 4, September Part 2 Extended Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin Part 3: Security assurance cmpnents, Versin 3.1 Revisin 4, September Cnventins Part 3 Cnfrmant The fllwing cnventins have been applied in this dcument: Security Functinal Requirements Part 2 f the CC defines the apprved set f peratins that may be applied t functinal requirements: iteratin, assignment, selectin, and refinement. Iteratin: allws a cmpnent t be used mre than nce with varying peratins. In the ST, iteratin is indicated by a number in parentheses placed at the end f the cmpnent. Fr example FDP_ACC.1(1) and FDP_ACC.1(2) indicate that the ST includes tw iteratins f the FDP_ACC.1 requirement, (1) and (2). Assignment: allws the specificatin f an identified parameter. Assignments are indicated using bld and are surrunded by brackets (e.g., [assignment]). Nte that an assignment within a selectin wuld be identified in italics and with embedded bld brackets (e.g., [[selectedassignment]]). Selectin: allws the specificatin f ne r mre elements frm a list. Selectins are indicated using bld italics and are surrunded by brackets (e.g., [selectin]). Refinement: allws the additin f details. Refinements are indicated using bld, fr additins, and strike-thrugh, fr deletins (e.g., all bjects r sme big things ). Nte that cases that are nt applicable in a given SFR have simply been remved withut any explicit identificatin. Other sectins f the ST Other sectins f the ST use blding t highlight text f special interest, such as captins; and unique fnt t identify specific TOE cmmands r entries in plicy files (e.g. accept ) Terminlgy This sectin identifies TOE-specific terminlgy. administratr AES ANSI authrized user Cmputername FIPS HMAC-SHA1 inetd Lg Server Master Hst OpenLDAP OpenSSL In the cntext f this ST and the TOE it describes, an administratr is a user, defined in the underlying perating system, that has been authrized t perfrm administrative functins n the underlying perating system and the TOE, by virtue f being granted rt r similar privileged access. Advanced Encryptin Standard a symmetric cryptgraphic algrithm, defined in FIPS American Natinal Standards Institute a private, nn-prfit rganizatin that versees the develpment f vluntary cnsensus standards fr prducts, services, prcesses, systems, and persnnel in the United States. In the cntext f this ST and the TOE it describes, an authrized user is a user defined in the TOE s peratinal envirnment and whse requests t invke cntrlled cmmands are mediated by the TOE. The attribute that cntains the name f the cmputer derived frm LDAP, RADIUS surces. Federal Infrmatin Prcessing Standard(s) a series f publicly annunced standards develped by the United States Federal gvernment. A keyed-hash Message Authenticatin Cde (HMAC) using the SHA-1 secure hash algrithm. SHA-1 is defined in FIPS 180-1, while HMAC-SHA1 is defined in FIPS 198. A super-server daemn n many Unix systems that manages Internet services. It has been replaced by xinetd in many systems, and by launchd in Mac OS v10.4. A cmpnent in the TOE architecture respnsible fr managing event lgs and I/O lgs. A cmpnent in the TOE architecture respnsible fr determining if requests t invke cntrlled cmmands will be accepted r rejected. A free, pen surce implementatin f the Lightweight Directry Access Prtcl (LDAP). A free, pen surce implementatin f the Secure Sckets Layer (SSL) and Transprt Layer Security (TLS) prtcls. 6 PAM PRNG RADIUS RFC RSA Run Hst secured task setuid SMF Submit Hst TLS Pluggable Authenticatin Mdule a mechanism t integrate multiple lw-level authenticatin schemes int a high-level applicatin prgramming interface (API). It allws prgrams that rely n authenticatin t be written independently f the underlying authenticatin scheme. Pseud-Randm Number Generatr specificatins fr PRNGs that can be used in FIPS validated cryptgraphic mdules are defined in ANSI Remte Authenticatin Dial-In User Service Request fr Cmments a memrandum published by the Internet Engineering Task Frce (IETF) describing methds, behavirs, research, r innvatins applicable t the wrking f the Internet and Internet-cnnected systems. Rivest-Shamir-Adleman an asymmetric cryptgraphic algrithm that supprts public key cryptgraphy. A cmpnent in the TOE architecture n which an accepted cntrlled cmmand will be executed. A request t invke a cntrlled cmmand, submitted t the TOE by an authrized user. Shrt fr set user ID upn executin, it is a Unix access rights flag that allws users t run an executable file with the permissins f the file s wner. Service Management Facility a feature f the Slaris perating system that creates a supprted, unified mdel fr services and service management. A cmpnent in the TOE architecture n which an authrized user submits a secured task. Transprt Layer Security a cryptgraphic prtcl that prvides cnfidentiality and integrity f data cmmunicated ver a cmputer netwrk Abbreviatins This sectin identifies abbreviatins and acrnyms used in this ST. AC Access Cntrl API Applicatin Prgramming Interface CC Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin ESM Enterprise Security Management ESM AC Enterprise Security Management Access Cntrl ESM PM Enterprise Security Management Plicy Management ESMPPs The ESM AC and ESM PM Prtectin Prfiles GID Als referred t as gid: Grup ID r Grup Identity GUI Graphical User Interface HMAC Hashed Message Authenticatin Cde HTTP(S) Hypertext Transfer Prtcl (Secure) LDAP Lightweight Directry Access Prtcl OpenLDAP A free, pen surce implementatin f the Lightweight Directry Access Prtcl (LDAP). OS Operating System PB PwerBrker PM Plicy Management PP Prtectin Prfile SAR Security Assurance Requirement SFR Security Functinal Requirement SMF Service Management Facility ST Security Target 7 TOE TSF UID Target f Evaluatin TOE Security Functins Als referred t as uid: User ID r User Identity 8 2. TOE Descriptin The Target f Evaluatin (TOE) is BeyndTrust PwerBrker UNI + Linux Editin V9.1 (PBUL). PBUL is a security management prduct that prvides the capability t delegate access t perating system functins available t specific privileged accunts (e.g., rt ) and ffer thse functins in a cntrlled and granular fashin t ther specific and suitably trusted users. The TOE prvides bth Enterprise Security Plicy Management and Access Cntrl functins. 2.1 TOE Overview A characteristic f Unix/Linux perating systems is the existence f a single administrative accunt (e.g., rt ) that has cmplete administrative access t the perating system. Any user that has a requirement t access system resurces r run a privileged cmmand needs t be given the rt passwrd. This can result in many users having mre privileges than they necessarily require fr perfrming their wrk. PwerBrker addresses this prblem by prviding the capability t selectively delegate Unix/Linux administrative privileges t trusted users withut divulging the rt passwrd. PwerBrker is a security management prduct that prvides the capability t partitin the functins available t specific privileged accunts (such as rt ) and ffer thse functins in a granular fashin t ther specific and trusted users. PwerBrker prvides granular delegatin f administrative privileges n Unix and Linux hsts (e.g., thse assciated with the rt accunt), with an audit trail f attempts t exercise functins assciated with thse privileges. PwerBrker allws administrative capabilities f rt and ther privileged accunts t be accessed by authrized users withut having t prvide direct access t thse privileged accunts. PwerBrker plicies are written t selectively allw specific users access t specific cmmands n specific hsts. Access t privileged functinality can be allwed r revked at any time withut cncern fr the status f the underlying privileged accunt. Users and administratrs are required t authenticate in rder t access the TOE and subsequently run a privileged cmmand. The peratinal envirnment authenticates the user and administratrs and the TOE enfrces the results. Authenticatin attempts and attempts t exercise privileged functins are always audited. In additin, the input and utput stream f a privileged functin can be lgged. In summary, PwerBrker allws the administratr t grant r deny ther authrized users access t privileged functins f the managed perating system and audit the use f thse functins. The TOE uses FIPS validated OpenSSL cryptgraphic mdules prvided in the peratinal envirnment. In the evaluated cnfiguratin, the FIPS 140 mde f peratin will be required. 2.2 TOE Architecture PwerBrker is a sftware-nly prduct suite that runs n numerus Unix and Linux perating systems withut mdifying the kernel. The purpse f the prduct is t act as the brker between the user and the privileged peratins n the system. T achieve this, the PwerBrker security plicy is cnsulted each time the user attempts t run a privileged cmmand thrugh PwerBrker. The prduct prvides tw mechanisms thrugh which this can be accmplished: the pbrun cmmand and the PB Shells. The pbrun cmmand is used in a standard Unix shell just like any ther cmmand. A user wishing t execute a privileged cmmand invkes the desired privileged cmmand thrugh pbrun. Fr example, if the cmmand munt is a privileged cmmand delegated by PwerBrker, a user wishing t run munt wuld execute the cmmand pbrun munt munt ptins frm the regular shell. PBRun sends the secured task request t a plicy server fr prcessing. The TOE determines whether r nt the user has permissin t execute the munt cmmand n the target hst. If permissin is granted, the cmmand is executed n behalf f the user. Privileged cmmands requested by a user and authrized and executed by PwerBrker are knwn as secured tasks. The PB Shells are custmized versins f the public dmain pdksh 88 Krn shell (pbksh) and Burne shell (pbsh). These mdified shells cntain the full functinality and features f the standard public dmain shells, but they have been mdified t verify all cmmand peratins thrugh PwerBrker befre allwing executin. Any user running pbsh r pbksh as the shell will be under the cntrl f the PwerBrker access cntrl mechanisms. All attempted actins mediated by PwerBrker are lgged in a detailed audit lg. The administratr has cntrl ver whether r nt the keystrkes and utput f a particular actin are audited. Security audit data is stred in the fllwing: Event Lg this PwerBrker audit file recrds when each requested task was accepted r rejected. Fr tasks nt run in lcal mde, it als lgs when the task terminated, and any cnfigured keystrke-mnitring events that were triggered by that task attempt. These events are knwn as ACCEPT, REJECT, FINISH, and KEYSTROKE events. The Event Lg is a binary file that can be encrypted, but is nt encrypted by default. IO Lgs ptinal lgs that recrd I/O (i.e., keystrkes and utput) infrmatin fr specific secured tasks. Auditing f this type f data is nt within the scpe f the evaluatin. Cnfiguratin Database this database is a versin cntrlled database that stres key cnfiguratin, settings and plicy files, including auditing f activities such as the creatin f new files and versin changes within cntrlled files. A typical PwerBrker cnfiguratin cnsists f the fllwing primary cmpnents: pbrun (r pbsh, pbksh) requests that a secured task is run in a cntrlled envirnment pbmasterd receives secured task requests frm pbrun, pbksh, and pbsh and evaluates them accrding t the current security plicies. If the request is accepted, it directs pblcald t run the secured task pblcald the daemn that runs secured tasks n behalf f the user, when instructed t d s by the master daemn (pbmasterd) pblgd the lg server daemn recrds event lgs and I/O lgs as directed by ther PB prgrams. A secured task is submitted Security Plicy Files Event Lg Submit Hst Rejected Task Master Hst Lg Server I/O Lg pbrun PB Shells New Task pbmasterd pblgd I/O Lg and Event Lg Recrds Run Hst pblcald Secured Task is executed, I/O is captured Figure 1: PwerBrker Cmpnent Interactins 10 Figure 1 depicts the interactins between the primary TOE cmpnents. Each blue bx represents a lgical perating envirnment (e.g., Submit Hst ) fr the listed TOE cmpnents (identified by italics, e.g., pbrun ). The plicy files used by the TOE and the lgs generated by the TOE are stred in files in the peratinal envirnment (the green disk drives ). The machine frm which a task is submitted is referred t as the Submit Hst. The machine n which the Cnfiguratin Database resides and n which the Security Plicy File prcessing takes place is referred t as the Master Hst. The machine n which a task is actually executed is referred t as the Run Hst. The machine n which Event Lg recrds and I/O lg recrds are written is referred t as the Lg Server (r Hst). It is pssible t install any r all f these cmpnents n a single machine, r t distribute them between different machines. Use f a separate lg server and pblgd daemn is ptinal, but highly recmmended. When pblgd is nt used, pbmasterd lgs the audit recrds. Fr ptimal security, the master hsts and lg servers shuld be separate machines that are islated frm nrmal user activity. When the TOE cmpnents are deplyed n separate machines, the TOE must be cnfigured t encrypt cmmunicatins between the separate cmpnents. The TOE uses TLS and FIPS validated algrithms prvided by OpenSSL in the peratinal envirnment. The typical sequence f PwerBrker prcessing is as fllws: A user (r administratr) establishes a sessin with the Unix/Linux machine running the Submit Hst The user is authenticated by an authenticatin server in the peratinal envirnment Frm a nrmal shell n the Submit Hst, a user submits a request via pbrun pbmasterd n the Master Hst prcesses the security plicy and either accepts r rejects the request The request acceptance r rejectin is audited and an event sent t the Lg Server. Fr rejected requests, prcessing ends here An accepted request is executed via pblcald n the Run Hst If I/O lgging was designated by the security plicy, this data is sent t the Lg Server. Cmmn variatins t this prcessing sequence are as fllws: If the Submit Hst is the same server as the Run Hst, lcal mde r Optimized Run Mde can be enabled. In these cases, if pbmasterd accepts the cmmand, it is executed frm the pbrun prcess rather than launching pblcald If there is n separate Lg Server, pbmasterd perfrms the lgging services pbmasterd, pblcald and pblgd can be cnfigured t run cntinuusly as daemns, r alternately can be cnfigured t launch n a per-use basis by inetd r equivalent (e.g., xinetd, SMF, launchd). The pbmasterd, pblcald, and pblgd cmpnents all run as rt (r equivalent, depending n the peratinal envirnment). The pbrun, pbsh, and pbksh cmpnents run as the invking user but with setuid rt. As indicated abve, all TOE cmpnents can be installed n a single machine, r can be deplyed acrss a number f machines. Any machine that is t be used as a Submit Hst requires pbrun, pbsh, r pbksh t be installed n it. Each Submit Hst will have (in its cnfiguratin file) a list f ne r mre Master Hsts. Each Master Hst requires pbmasterd t be installed n it t prcess secured task requests. Any machine that will be used as a Run Hst requires pblcald t be installed n it. Use f a Lg Hst is ptinal in the absence f a Lg Hst, pbmasterd is respnsible fr lgging activities. Any machine that will be used as a Lg Hst requires pblgd t be installed n it. In summary, in the TOE mdel, an access request riginates at a netwrk hst (Submit Hst) and is transmitted t the central Plicy Manager (Master Hst), which als acts as the plicy decisin pint. If the Plicy Manager determines the access cntrl request cmplies with the defined plicy, it frwards the access request (secured task) t the target hst (Run Hst) fr actin. The Run Hst is part f the Access Cntrl prtin f the TOE that perfrms the requested peratin and cmmunicates the results back t the Submit Hst. If the access request des nt cnfrm with plicy, it is rejected and the riginatr (Submit Hst) is ntified. As such, the TOE mdel inverts the ESM mdel fr PM and AC presented in the PP in that the ESM mdel assumes a central pint where access cntrl plicies are created and managed and then distributed as apprpriate t ther cmputers n the netwrk where the plicy is enf
We Need Your Support
Thank you for visiting our website and your interest in our free products and services. We are nonprofit website to share and download documents. To the running of this website, we need your help to support us.

Thanks to everyone for your continued support.

No, Thanks
SAVE OUR EARTH

We need your sign to support Project to invent "SMART AND CONTROLLABLE REFLECTIVE BALLOONS" to cover the Sun and Save Our Earth.

More details...

Sign Now!

We are very appreciated for your Prompt Action!

x