[Zope3-checkins] SVN: Zope3/trunk/doc/security/SecurityTarget.tex *
some SO rationale
Christian Zagrodnick
cz at gocept.com
Wed Apr 20 07:43:55 EDT 2005
Log message for revision 30054:
* some SO rationale
* table layout
Changed:
U Zope3/trunk/doc/security/SecurityTarget.tex
-=-
Modified: Zope3/trunk/doc/security/SecurityTarget.tex
===================================================================
--- Zope3/trunk/doc/security/SecurityTarget.tex 2005-04-20 11:18:16 UTC (rev 30053)
+++ Zope3/trunk/doc/security/SecurityTarget.tex 2005-04-20 11:43:55 UTC (rev 30054)
@@ -1,19 +1,16 @@
\documentclass[12pt,english]{scrbook}
\usepackage{babel}
-\usepackage{shortvrb}
\usepackage[latin1]{inputenc}
\usepackage{tabularx}
\usepackage{longtable}
-%\setlength{\extrarowheight}{2pt}
-\usepackage{amsmath}
\usepackage{graphicx}
-\usepackage{color}
-\usepackage{multirow}
-\usepackage{ifthen}
-\usepackage[colorlinks=true,linkcolor=blue,urlcolor=blue]{hyperref}
\usepackage{booktabs}
\usepackage{rotating}
+\usepackage{varioref}
+\usepackage[colorlinks=true,linkcolor=blue,urlcolor=blue]{hyperref}
+
+% 90 degrees rotated
\newcolumntype{R}{%
>{\begin{turn}{90}%
\hspace{0pt}}l%
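Review bot: dropping `color`, `multirow`, `ifthen` and `amsmath` from the preamble is only safe if the body no longer uses `\textcolor`, `\multirow`, `\ifthenelse` or any `amsmath` environment; the diff shows the preamble only, so please confirm the document still builds after this change. Moving `hyperref` after the newly added `varioref` is the right order (hyperref should stay the last package loaded, and `\vref` needs varioref in place), and hyperref's `colorlinks=true` pulls in `color` on its own, so that particular removal is fine.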
@@ -21,8 +18,11 @@
}
\newcommand{\oh}{$\bullet$}
+
+
\title{Zope X3 Security Target for EAL 1 (Draft)}
-\author{Christian Theune, Steve Alexander, Jim Fulton, Christian Zagrodnick}
+\author{Christian Theune \and Steve Alexander \and Jim Fulton \and
+ Christian Zagrodnick}
\uppertitleback{}
\date{\today}
@@ -30,6 +30,8 @@
pdftitle={Zope X3 Security Target for EAL 1 (Draft)},
pdfauthor={Christian Theune {\textless}ct at gocept.com{\textgreater};Steve Alexander {\textless}steve at catbox.net{\textgreater};Jim Fulton {\textless}jim at zope.com{\textgreater}}
}
+
+
\begin{document}
\maketitle
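Review bot: the `pdfauthor` field in this `\hypersetup` block still names only Christian Theune, Steve Alexander and Jim Fulton, while `\author` in the hunk above now lists four authors with `\and`; add Christian Zagrodnick to `pdfauthor` so the PDF metadata matches the title page.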
@@ -49,8 +51,11 @@
\newpage
\tableofcontents
+\newpage
+\listoftables
+
%___________________________________________________________________________
@@ -420,101 +425,81 @@
\section{Assets}
-The following primary assets have been identified:
-\begin{quote}
+The following primary asssets have been identified:
-\begin{longtable}[c]{|l|l|}
-\hline
-\textbf{
-Asset Name
-} & \textbf{
-Description
-} \\
-\hline
-\endhead
+\begin{longtable}[c]{lp{10cm}}
+ \toprule
+ Asset Name & Description \\
+ \midrule\endhead
-(Content) Objects
- &
-Generic objects (instances of Python classes) that
-are stored and controlled by Zope and carry
-information that is to be protected. Objects are
-stored in a connected manner that is typically
-hierarchical and allows the derivation of
-information by the objects context.
- \\
-\hline
+ (Content) Objects &
+ Generic objects (instances of Python classes) that
+ are stored and controlled by Zope and carry
+ information that is to be protected. Objects are
+ stored in a connected manner that is typically
+ hierarchical and allows the derivation of
+ information by the objects context. \\
+ \bottomrule
+ \caption{Primary Assets}
+ \label{tab-assets}
\end{longtable}
-\end{quote}
The following secondary assets have been identified:
-\begin{quote}
-\begin{longtable}[c]{|l|l|}
-\hline
-\textbf{
-Asset Name
-} & \textbf{
-Description
-} \\
-\hline
-\endhead
+\begin{longtable}[c]{lp{10cm}}
+ \toprule
+ Asset Name & Description \\
+ \midrule\endhead
+ Host System
+ &
+ The unit of computer hardware and software that
+ forms the environment of Zope to run on. (E.g.
+ a PC server with Windows 2000 or Linux installed)
+ \\
-Host System
- &
-The unit of computer hardware and software that
-forms the environment of Zope to run on. (E.g.
-a PC server with Windows 2000 or Linux installed)
- \\
-\hline
+ Operations
+ &
+ Operations are the way of accessing and modifying
+ data provided by (content) objects.
+ \\
-Operations
- &
-Operations are the way of accessing and modifying
-data provided by (content) objects.
- \\
-\hline
+ Principals
+ &
+ Principals are the systems representation of acting
+ individuals. A principal acts in behalf of the user
+ and represents a (content) object of it's own.
+ \\
-Principals
- &
-Principals are the systems representation of acting
-individuals. A principal acts in behalf of the user
-and represents a (content) object of it's own.
- \\
-\hline
+ Permission
+ &
+ A permission is a name guarding an operation.
+ \\
-Permission
- &
-A permission is a name guarding an operation.
- \\
-\hline
+ Permission grants
+ &
+ A permission grant associates a principal with a
+ permission to allow or deny an operation in the context.
+ As a third state, permissions may be declared to
+ be acquired from the context.
+ \\
-Permission grants
- &
-A permission grant associates a principal with a
-permission to allow or deny an operation in the context.
-As a third state, permissions may be declared to
-be acquired from the context.
- \\
-\hline
+ Audit data
+ &
+ The data generated by the TOE audit subsystem.
+ \\
-Audit data
- &
-The data generated by the TOE audit subsystem.
- \\
-\hline
+ Transaction data
+ &
+ All operations within Zope are held within ACID
+ compatible transactions that are bound to each
+ request from the outside and associated with a
+ principal.
+ \\
+ \bottomrule
+ \caption{Secondary Assets}
+ \label{tab-sec-assets}
-Transaction data
- &
-All operations within Zope are held within ACID
-compatible transactions that are bound to each
-request from the outside and associated with a
-principal.
- \\
-\hline
\end{longtable}
-\end{quote}
-
-
%___________________________________________________________________________
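Review bot: the replacement line `The following primary asssets have been identified:` introduces a typo (`asssets`) where the removed line was spelled correctly; revert to `assets`. In both longtables the closing `\caption{...}\label{...}` sits after `\bottomrule` with no terminating `\\`; longtable typesets `\caption` as a table row, so end it with `\\` (or move it into the head before `\endhead` so the caption appears above the table, the usual longtable convention). Since the `(Content) Objects` and `Principals` rows were re-indented anyway, this is a good moment to fix `by the objects context` (`object's context`), `acts in behalf of` (`on behalf of`) and `of it's own` (`its own`).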
@@ -539,12 +524,13 @@
class is defined in the Python programming language and is identified by a
fully qualified name.
-An operation is a name defined in a class. It may take a form of an attribute, a
-method or some other related python thing.
+An operation is a name defined in a class. It may take a form of an attribute,
+a method or some other related python thing.
There are two possible kinds of access to an operation: Reading such as
reading an attribute or calling a method. Writing such as setting or deleting
-an attribute. Reading and writing can be guarded with different permission grants.
+an attribute. Reading and writing can be guarded with different permission
+grants.
%___________________________________________________________________________
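Review bot: the reflowed sentence still ends in `some other related python thing`, which is too vague for a definition that the access-control model later depends on; state what else counts as an operation (for example `a method, or another name defined in the class namespace`) and capitalise `Python` as the preceding paragraph does.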
@@ -554,67 +540,44 @@
\section{Assumptions (about the environment)}
The following assumptions need to be made about the TOE environment:
-\begin{quote}
-\begin{longtable}[c]{|l|l|}
-\hline
-\textbf{
-Assumption Name
-} & \textbf{
-Description
-} \\
-\hline
-\endhead
+\begin{longtable}[c]{lp{10cm}}
+ \toprule
+ Assumption Name & Description \\
+ \midrule
-A.OS
- &
-The machine and the operating system Zope is
-running on is physically secure.
- \\
-\hline
+ A.OS &
+ The machine and the operating system Zope is running on is physically secure.
+ The system is administrated such that the system is free from malicious
+ software like viruses and Trojan horses. \\
-A.Admin
- &
-The ``system-administrator'' of the above
-mentioned machine is trustworthy.
- \\
-\hline
+ A.Admin &
+ The ``system-administrator'' of the above
+ mentioned machine is trustworthy.
+ \\
-A.Network
- &
-A network connection to the Zope services is
-present. All other network connection are
-secure in such a way that the integrity of
-the machine and operating system is preserved.
- \\
-\hline
+ A.Network &
+ A network connection to the Zope services is
+ present. All other network connection are
+ secure in such a way that the integrity of
+ the machine and operating system is preserved.
+ \\
-A.Client
- &
-The connection between client and Zope server is
-secure in a sense that the identification and
-authentication data is not monitored or interfered.
- \\
-\hline
+ A.Client &
+ The connection between client and Zope server is
+ secure in a sense that the identification and
+ authentication data is not monitored or interfered.
+ \\
-A.Credential
- &
-The user is keeping the credential to authenticate
-secret.
- \\
-\hline
+ A.Credential &
+ The user is keeping the credential to authenticate
+ secret. \\
-A.Integrity
- &
-The system is administrated such that the system is
-free from malicious software like viruses and
-Trojan horses.
- \\
-\hline
+ \bottomrule
+ \caption{Assumptions about the TOE environment.}
+ \label{tab-A}
\end{longtable}
-\end{quote}
-
%___________________________________________________________________________
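Review bot: the `A.Integrity` row is removed and its text folded into `A.OS`, but `A.Integrity` remains a column in the Security Objectives Rationale table and is still cited by the OE.Manage and OE.Network rationale items later in this patch; either keep `A.Integrity` as its own assumption or update the matrix and the rationale to point at `A.OS`. Unlike the other longtables in this change, the header here has `\midrule` with no `\endhead`, so the header row will not repeat on a page break, and the `\caption{...}\label{tab-A}` row again lacks a closing `\\`.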
@@ -622,159 +585,151 @@
\section{Threats}
The following threat agents have been identified:
-\begin{quote}
-\begin{itemize}
-\item {}
-Users having correct authentication credentials who might try to
-acquire more permission grants to get access to operations they
-should not.
-\item {}
-Users without correct authentication credentials for a certain
-principal trying to authenticate as this.
+\begin{itemize}
+
+ \item Users having correct authentication credentials who might try to
+ acquire more permission grants to get access to operations they should not.
+ \item Users without correct authentication credentials for a certain
+ principal trying to authenticate as this.
+
\end{itemize}
-\end{quote}
+
The following threats against the assets have been identified:
-\begin{quote}
-\begin{longtable}[c]{|l|l|l|}
-\hline
-\textbf{
-Threat
-} & \textbf{
-Threat description
-} & \textbf{
-Asset
-} \\
-\hline
-\endhead
+\begin{longtable}[c]{lp{6cm}p{4cm}}
+ \toprule
+ Threat & Description & Asset\\
+ \midrule\endhead
-T.IA
- &
-An attacker might impersonate an authorized
-principal without providing the necessary
-credentials.
- &
-Principal
- \\
-\hline
+ T.IA
+ &
+ An attacker might impersonate an authorized
+ principal without providing the necessary
+ credentials.
+ &
+ Principal
+ \\
+
-T.Perm
- &
-A principal changes the permission grants
-without having the right to do so.
- &
-Permission grants,
- \\
-\hline
+ T.Perm
+ &
+ A principal changes the permission grants
+ without having the right to do so.
+ &
+ Permission grants
+ \\
+
-T.Operation
- &
-A principal performs an operation on an object
-without having the correct permission.
- &
-Operation, Object
- \\
-\hline
+ T.Operation
+ &
+ A principal performs an operation on an object
+ without having the correct permission.
+ &
+ Operation, Object
+ \\
+
-T.AuditFake
- &
-An attacker might convince the audit data
-generation functions to log false information
-(date, time, type of event, outcome, user)
- &
-Audit data
- \\
-\hline
+ T.AuditFake
+ &
+ An attacker might convince the audit data
+ generation functions to log false information
+ (date, time, type of event, outcome, user)
+ &
+ Audit data
+ \\
+
-T.Import
- &
-An attacker might try to make the system
-interpret imported security attributes in a
-not intended way to acquire a higher level of
-access to the system.
- &
-Secondary assets
- \\
-\hline
+ T.Import
+ &
+ An attacker might try to make the system
+ interpret imported security attributes in a
+ not intended way to acquire a higher level of
+ access to the system.
+ &
+ Secondary assets
+ \\
+
-T.RIP
- &
-An attacker might try to make the system use
-residual information for deciding to allow
-or deny access to an operation to gain more
-access than intended.
- &
-Secondary assets
- \\
-\hline
+ T.RIP
+ &
+ An attacker might try to make the system use
+ residual information for deciding to allow
+ or deny access to an operation to gain more
+ access than intended.
+ &
+ Secondary assets
+ \\
+
-T.Transaction
- &
-An attacker might try to perform commit or
-abort operations on foreign transactions to
-perform operations on the behalf of other
-users.
- &
-XXX was given by TUV. not sure if this really applies ...
-All assets in ZODB
- \\
-\hline
+ T.Transaction
+ &
+ An attacker might try to perform commit or
+ abort operations on foreign transactions to
+ perform operations on the behalf of other
+ users.
+ &
+ XXX was given by TUV. not sure if this really applies ...
+ All assets in ZODB
+ \\
+
-T.Undo
- &
-An attacker might try to perform an Undo
-operation to invalid revisions.
- &
-All assets in ZODB
- \\
-\hline
+ T.Undo
+ &
+ An attacker might try to perform an Undo
+ operation to invalid revisions.
+ &
+ All assets in ZODB
+ \\
+
-T.USB
- &
-An attacker might try to use executable code
-which runs on behalf of another user to perform
-unauthorized operations and maybe hide his
-traces.
- &
-XXX does this only apply to TTW code which we dropped anyway?
- \\
-\hline
+ T.USB
+ &
+ An attacker might try to use executable code
+ which runs on behalf of another user to perform
+ unauthorized operations and maybe hide his
+ traces.
+ &
+ XXX does this only apply to TTW code which we dropped anyway?
+ \\
+
-T.Timestamps
- &
-An attacker might try to hide his actions
-by making the system create false timestamps
-which would result in wrong association to a
-user on dynamic IP address ranges.
- &
-Audit data
- \\
-\hline
+ T.Timestamps
+ &
+ An attacker might try to hide his actions
+ by making the system create false timestamps
+ which would result in wrong association to a
+ user on dynamic IP address ranges.
+ &
+ Audit data
+ \\
+
-T.TrustedPath
- &
-An attacker might try to use ``user data import''
-or ``user data export'' without being a local
-user and using the trusted path.
- &
-Object
- \\
-\hline
+ T.TrustedPath
+ &
+ An attacker might try to use ``user data import''
+ or ``user data export'' without being a local
+ user and using the trusted path.
+ &
+ Object
+ \\
+
-T.Host
- &
-An attacker might use Python functions that
-result in direct access to the host environment
-therefore compromising the host and Zope itself.
- &
-Host, Object
- \\
-\hline
+ T.Host
+ &
+ An attacker might use Python functions that
+ result in direct access to the host environment
+ therefore compromising the host and Zope itself.
+ &
+ Host, Object
+ \\
+ \bottomrule
+\caption{Threats Against Assets}
+\label{tab-threats}
\end{longtable}
-\end{quote}
+
%___________________________________________________________________________
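Review bot: the editorial notes `XXX was given by TUV. not sure if this really applies ...` (T.Transaction) and `XXX does this only apply to TTW code which we dropped anyway?` (T.USB) are inside table cells and will be typeset into the Security Target; move them to `%` comments, as this patch does for `% XXX: T.USB?` in the rationale section, and give T.USB an actual Asset entry (its Asset cell is currently the question itself). The `\caption{Threats Against Assets}\label{tab-threats}` row needs a terminating `\\` like the other tables, and these two lines are not indented like the rest of the new table body.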
@@ -802,94 +757,81 @@
\section{Security objectives for the TOE}
The following security objectives have been defined for the TOE:
-\begin{quote}
-\begin{longtable}[c]{|l|l|}
-\hline
-\textbf{
-Objective Name
-} & \textbf{
-Description
-} \\
-\hline
-\endhead
+\begin{longtable}[c]{lp{10cm}}
+ \toprule
+ Objective Name & Description \\
+ \midrule\endhead
+
+ O.IA
+ &
+ All principals must be accurately identified and
+ authenticated with the exception of the ``unauthenticated''
+ principal.
+ \\
-O.IA
- &
-All principals must be accurately identified and
-authenticated with the exception of the ``unauthenticated''
-principal.
- \\
-\hline
+ O.Delegation
+ &
+ Provide the ability to securely delegate control. Users can
+ delegate the ability to control access to selected
+ operations to others. To delegate a permission, a meta permission
+ that allows you to delegate this permission must be granted.
+ \\
-O.Delegation
- &
-Provide the ability to securely delegate control. Users can
-delegate the ability to control access to selected
-operations to others. To delegate a permission, a meta permission
-that allows you to delegate this permission must be granted.
- \\
-\hline
+ O.Audit
+ &
+ The TOE will provide the means of recording any
+ security relevant events, so as to assist an
+ administrator in the detection of potential attacks
+ or misconfiguration of the TOE security features
+ that would leave the TOE susceptible to attack, and
+ also to hold users accountable for any actions
+ they perform that are relevant to security.
+ \\
-O.Audit
- &
-The TOE will provide the means of recording any
-security relevant events, so as to assist an
-administrator in the detection of potential attacks
-or misconfiguration of the TOE security features
-that would leave the TOE susceptible to attack, and
-also to hold users accountable for any actions
-they perform that are relevant to security.
- \\
-\hline
+ O.Protect
+ &
+ The TOE will protect itself against external
+ interference or tampering by untrusted subjects or
+ attempts by untrusted subjects to bypass the TOE
+ security functions.
+ \\
-O.Protect
- &
-The TOE will protect itself against external
-interference or tampering by untrusted subjects or
-attempts by untrusted subjects to bypass the TOE
-security functions.
- \\
-\hline
+ O.Access
+ &
+ The TOE ensures that access to objects is always
+ mediated by operations and guarded by permissions.
+ \\
-O.Access
- &
-The TOE ensures that access to objects is always
-mediated by operations and guarded by permissions.
- \\
-\hline
+ O.Integrity
+ &
+ Whenever an unhandled error within the context of a
+ running transaction occurs (related or unrelated
+ to security) the transaction will be rolled back
+ and the system will be in the state before the
+ transaction started.
+ \\
-O.Integrity
- &
-Whenever an unhandled error within the context of a
-running transaction occurs (related or unrelated
-to security) the transaction will be rolled back
-and the system will be in the state before the
-transaction started.
- \\
-\hline
+ O.Attributes
+ &
+ Whenever attributes are set using identifiers
+ (e.g. principal or permission identifiers), the
+ identifiers must have been defined previously.
+ \\
-O.Attributes
- &
-Whenever attributes are set using identifiers
-(e.g. principal or permission identifiers), the
-identifiers must have been defined previously.
- \\
-\hline
-
-O.ManageRisk
- &
-Provide the ability to manage risk by trading off
-functionality against risk. For example, we can
-make it easier to access the system to perform
-operations whose potential negative impact is
-low, but make it more difficult to access the
-system in a way that allows operations with high
-negative impact.
- \\
-\hline
+ O.ManageRisk
+ &
+ Provide the ability to manage risk by trading off
+ functionality against risk. For example, we can
+ make it easier to access the system to perform
+ operations whose potential negative impact is
+ low, but make it more difficult to access the
+ system in a way that allows operations with high
+ negative impact.
+ \\
+ \bottomrule
+ \caption{Security Objectives for the TOE}
\end{longtable}
-\end{quote}
%___________________________________________________________________________
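Review bot: this table gets `\caption{Security Objectives for the TOE}` but no `\label`, unlike the assets, assumptions and threats tables, so the rationale section cannot `\vref` it; add a label (e.g. `\label{tab-O}`, name is a suggestion) and terminate the caption row with `\\`. On content, O.IA exempts the ``unauthenticated'' principal while the O.IA rationale later in the patch speaks of the `anonymous principal`; use one term in both places.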
@@ -900,79 +842,71 @@
The following security objectives have been defined for the TOE environment:
-\begin{tabularx}{\linewidth}{|l|X|}
-\hline
-Assumption Name & Description \\
-\hline
+\begin{longtable}[c]{lp{10cm}}
+ \toprule
+ Assumption Name & Description \\
+ \midrule\endhead
-OE.OS
- &
-The machine and the operating system Zope is running
-on is physically secure.
- \\
-\hline
+ OE.OS
+ &
+ The machine and the operating system Zope is running
+ on is physically secure.
+ \\
-OE.Trust
- &
-Those responsible for the TOE must be trustworthy.
- \\
-\hline
+ OE.Trust
+ &
+ Those responsible for the TOE must be trustworthy.
+ \\
-OE.Manage
- &
-Those responsible for the TOE must ensure that the TOE
-is delivered, installed, managed, and operated in a
-manner which maintains IT security.
- \\
-\hline
+ OE.Manage
+ &
+ Those responsible for the TOE must ensure that the TOE
+ is delivered, installed, managed, and operated in a
+ manner which maintains IT security.
+ \\
-OE.AUDITLOG
- &
-Administrators of the TOE must ensure that audit
-facilities are used and managed effectively. In
-particular:
+ OE.AUDITLOG
+ &
+ Administrators of the TOE must ensure that audit
+ facilities are used and managed effectively. In
+ particular:
-\begin{itemize}
-\item
-Appropriate action must be taken to ensure continued
-audit logging, e.g. by regular archiving of logs
-before audit trail exhaustion to ensure sufficient
-free space.
+ \begin{itemize}
+
+ \item Appropriate action must be taken to ensure continued audit logging,
+ e.g. by regular archiving of logs before audit trail exhaustion to ensure
+ sufficient free space.
-\item
-Audit logs should be inspected on a regular basis,
-and appropriate action should be taken on the
-detection of breaches of security, or events that
-are likely to lead to a breach in the future.
+ \item Audit logs should be inspected on a regular basis, and appropriate
+ action should be taken on the detection of breaches of security, or events
+ that are likely to lead to a breach in the future.
-\end{itemize}
- \\
-\hline
+ \end{itemize}
+ \\
-OE.Network
- &
-A network connection to the Zope services is present.
-All other network connections are secure in such a
-way that the integrity of the machine and operating
-system is preserved.
- \\
-\hline
+ OE.Network
+ &
+ A network connection to the Zope services is present.
+ All other network connections are secure in such a
+ way that the integrity of the machine and operating
+ system is preserved.
+ \\
-OE.Client
- &
-The connection between client and Zope server is secure
-in a sense that the identification and authentication
-data is not monitored or interfered.
- \\
-\hline
+ OE.Client
+ &
+ The connection between client and Zope server is secure
+ in a sense that the identification and authentication
+ data is not monitored or interfered.
+ \\
-OE.Credential
- &
-The user is keeping the credentials to authenticate
-secret.
- \\
-\hline
-\end{tabularx}
+ OE.Credential
+ &
+ The user is keeping the credentials to authenticate
+ secret.
+ \\
+ \bottomrule
+ \caption{Security Objectives for the Environment}
+\end{longtable}
%___________________________________________________________________________
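Review bot: the header `Assumption Name & Description` was carried over from the old tabularx, but every row here is an OE.* security objective, so it should read `Objective Name` to match the TOE objectives table above. This table also has a caption with neither a `\label` nor the terminating `\\`, so the `\listoftables` entry and any cross-reference will be unreliable.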
@@ -2340,39 +2274,75 @@
-\section{Security objectives rationale}
+\section{Security Objectives Rationale}
+% bullet: finished
+% X: todo
+
+\begin{table}
+ \scriptsize
+ \begin{tabular}{rRRRRRRRRRRRRRRRRRR}
+ \toprule
+ & T.IA & T.Perm &T.Operation&T.AuditFake&T.Import & T.RIP&T.Transaction&T.Undo & T.USB&T.Timestamps & T.Trustedpath & T.Host & A.OS & A.Admin & A.Network & A.Client & A.Credential & A.Integrity \\
+ \midrule
+O.IA & \oh & & & & & & & & & & & \\
+O.Delegation & & \oh & & & & & & & & & & \\
+O.Audit & \oh & & & \oh & & & & & & & & \\
+O.Protect & & & & \oh & & & & & & & & \\
+O.Access & & & \oh & & & & & & & & & \oh \\
+O.Integrity & & & & & & \oh & & & & & & \\
+O.Attributes & & & & & & & & \oh & & & & \\
+O.ManageRisk & \oh & & & & & & & & & & & \\
+\midrule
+OE.OS & & & & & & & & & & \oh & & & \oh \\
+OE.Trust & & & & & & & & & & & & & & \oh \\
+OE.Manage & & & & & & & & & & & & & & & & & & \oh \\
+OE.AUDITLOG \\
+OE.Network & & & & & & & & & & & & & & & \oh & & & \oh \\
+OE.Client & & & & & & & & & & & & & & & & & X & \\
+OE.Credential& & & & & & & & & & & & & & & & & X & \\
+
+\bottomrule
+ \end{tabular}
+ \label{tab-SOR}
+ \caption{Mapping of Threats and Assumptions to Security Objectives}
+\end{table}
+
+Table~\vref{tab-SOR} shows that all threads and assumptions are covered
+by a security objectives. The following list explains why the objectives cover
+the threads and assumptions.
+
\begin{description}
- \item[O.IA:] This security objective is necessary to counter the threat T.IA
- because it requires that users must be accurately identified and
- authenticated or incorporate the anonymous principal.
+ \item[O.IA:] This security objective is necessary to counter the threat
+ \textbf{T.IA} because it requires that users must be accurately identified
+ and authenticated or incorporate the anonymous principal.
-
\item[O.Delegation:] This security objective is necessary to counter the
- threat T.Perm because a user must only be able to delegate the permissions
+ threat \textbf{T.Perm} because a user must only be able to delegate the permissions
he is allowed to delegate. It must not be possible for him to gain any extra
permissions.
- \item[O.Audit:] This security objective is necessary to detect an recover
- from most threats: T.IA, T.Perm
-
+ \item[O.Audit:] This security objective is necessary to detect and recover
+ from most threats: \textbf{T.IA, T.Perm, T.Operation, T.RIP, T.Transaction
+ and T.Undo}. XXX
- T.AuditFake because it loggs security relevant events and thus supports an
+ T.AuditFake because it logs security relevant events and thus supports an
administrator in finding those events.
\item[O.Protect:] This security objective is necessary to counter the threat
- T.AuditFake because it protects the audit data generation function and
- thereby prevents logging of false information.
+ \textbf{T.AuditFake} because it protects the audit data generation function
+ and thereby prevents logging of false information.
\item[O.Access:] This security objective is necessary to counter the threat
T.Operation because it prevents performing operations on an object without
- having the correct permission. It also counters the threat T.Host because
- functions are objects which are protected. XXX: T.USB?
+ having the correct permission. It also counters the threats \textbf{T.Host}
+ and \textbf{T.Tiemstamps} because functions are objects which are protected.
+ % XXX: T.USB?
\item[O.Integrity:] This security objective is necessary to counter the
threat T.RIP because it prevents that any data will be written if an
- unhandled error occours.
+ unhandled error occurs.
\item[O.Attributes:] This security objective is necessary to counter the
threat T.Undo because it prevents using undefined identifiers which could
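Review bot: in the new `table` environment `\label{tab-SOR}` comes before `\caption`, so the label binds to the section counter and `Table~\vref{tab-SOR}` will print the section number; swap the two lines. The introductory sentence claims all `threads` (threats) are covered `by a security objectives` (`by security objectives`), but the matrix has no mark at all in the T.Import, T.Transaction, T.USB and T.Trustedpath columns, the OE.AUDITLOG row is empty, and OE.Client and OE.Credential both place their `X` in the same column (A.Credential), leaving A.Client uncovered; the claim should wait until the matrix is complete. Matrix and prose also disagree: the O.Audit row marks only T.IA and T.AuditFake while the text now lists T.Perm, T.Operation, T.RIP, T.Transaction and T.Undo as well, and the O.Access item adds `T.Tiemstamps` (typo for T.Timestamps) with a justification about protected functions that does not fit timestamps, whereas the table and the OE.OS item assign T.Timestamps to OE.OS. Also `T.Trustedpath` in the header differs in case from `T.TrustedPath` in the threats table.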
@@ -2383,48 +2353,27 @@
principal which allows operations with high negaitive impact since those
principals are better protected.
+ \item[OE.OS:] This security objective is necessary to both counter the
+ threat \textbf{T.Timestamps} and cover the assumption \textbf{A.OS} because
+ it asserts that the machine and the operating system the TOE is running on
+ are physically secure. This means an attacker cannot access the machine
+ directly, i.e. around Zope.
-% bullet: finished
-% X: todo
+ \item[OE.Trust:] This security objective covers the assumption
+ \textbf{A.Admin}.
-\end{description}
+ \item[OE.Manage:] This security objective covers the assumption
+ \textbf{A.Integrity} because it ensures the TOE is administered in a way to
+ maintain IT security preventing malicious software.
-\begin{table}
- \scriptsize
- \begin{tabular}{rRRRRRRRRRRRRRRRRRR}
- \toprule
- & T.IA & T.Perm &T.Operation&T.AuditFake&T.Import & T.RIP&T.Transaction&T.Undo & T.USB&T.Timestamps & T.Trustedpath & T.Host & A.OS & A.Admin & A.Network & A.Client & A.Credential & A.Integrity \\
- \midrule
-O.IA & \oh & & & & & & & & & & & \\
-O.Delegation & & \oh & & & & & & & & & & \\
-O.Audit & \oh & & & \oh & & & & & & & & \\
-O.Protect & & & & \oh & & & & & & & & \\
-O.Access & & & \oh & & & & & & & & & \oh \\
-O.Integrity & & & & & & \oh & & & & & & \\
-O.Attributes & & & & & & & & \oh & & & & \\
-O.ManageRisk & \oh & & & & & & & & & & & \\
-\midrule
-OE.OS & & & & & & & & & & X & & & X \\
-OE.Trust & & & & & & & & & & & & & & X \\
-OE.Manage & & & & & & & & & & & & & & & X \\
-OE.AUDITLOG \\
-OE.Network & & & & & & & & & & & & & & & X & X & & X \\
-OE.Client & & & & & & & & & & & & & & & & & X & \\
-OE.Credential& & & & & & & & & & & & & & & & & X & \\
+ \item[OE.AUDITLOG:] XXX
-\bottomrule
- \end{tabular}
- \caption{Mapping of Threats to Security Objectives}
-\end{table}
-
-\begin{quote}
-\begin{quote}
-
-\end{quote}
-
-\end{quote}
-
-
+ \item[OE.Network:] This security objective covers the assumptions
+ \textbf{A.Network} and \textbf{A.Integrity} because it asserts that all
+ network connections which are not related to the TOE are secure in way not
+ compromising the integrity.
+
+\end{description}
%___________________________________________________________________________
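Review bot: OE.Manage and OE.Network are said to cover `A.Integrity`, but this same patch deletes the A.Integrity row from the assumptions table and merges its text into A.OS; reference A.OS here (and in the matrix) or restore the assumption. `\item[OE.AUDITLOG:] XXX` will be typeset as the rationale text; either write the rationale (the OE.AUDITLOG text about using and inspecting the audit facilities is what makes O.Audit's detection goal effective, which is the link to state) or comment the placeholder out with `%` as done for `% XXX: T.USB?`. In OE.Network, `secure in way not compromising the integrity` should read `secure in a way that does not compromise the integrity`.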
@@ -2922,66 +2871,19 @@
\chapter{Glossary}
+
\begin{description}
-%[visit_definition_list_item]
-\item[CC]
-%[visit_definition]
-Common Criteria (referenced as {[}CC])
+ \item[CC] Common Criteria (referenced as {[}CC])
+ \item[SF] Security Function
+ \item[SFP] Security Function Policy
+ \item[SFR] Security Functional Requirement
+ \item[ST] Security Targets
+ \item[TOE] Target of Evaluation
+ \item[TSF] TOE Security Functions
-%[depart_definition]
-%[depart_definition_list_item]
-%[visit_definition_list_item]
-\item[SF]
-%[visit_definition]
+\end{description}
-Security Function
-
-%[depart_definition]
-%[depart_definition_list_item]
-%[visit_definition_list_item]
-\item[SFP]
-%[visit_definition]
-
-Security Function Policy
-
-%[depart_definition]
-%[depart_definition_list_item]
-%[visit_definition_list_item]
-\item[SFR]
-%[visit_definition]
-
-Security Functional Requirement
-
-%[depart_definition]
-%[depart_definition_list_item]
-%[visit_definition_list_item]
-\item[ST]
-%[visit_definition]
-
-Security Targets
-
-%[depart_definition]
-%[depart_definition_list_item]
-%[visit_definition_list_item]
-\item[TOE]
-%[visit_definition]
-
-Target of Evaluation
-
-%[depart_definition]
-%[depart_definition_list_item]
-%[visit_definition_list_item]
-\item[TSF]
-%[visit_definition]
-
-TOE Security Functions
-
-%[depart_definition]
-%[depart_definition_list_item]
-\end{description}
-
-
%___________________________________________________________________________
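Review bot: `\item[ST] Security Targets` should be singular, `Security Target`, since ST is the CC abbreviation for a document of exactly this kind. Removing the docutils `%[visit_...]`/`%[depart_...]` comments is a welcome cleanup.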