[Zope3-checkins] SVN: Zope3/trunk/doc/security/SecurityTarget.tex
more of the security objectives rationale;
only OE.Auditlog is missing
Christian Zagrodnick
cz at gocept.com
Wed Apr 20 09:09:50 EDT 2005
Log message for revision 30057:
more of the security objectives rationale; only OE.Auditlog is missing
changed O.Access definition
Changed:
U Zope3/trunk/doc/security/SecurityTarget.tex
-=-
Modified: Zope3/trunk/doc/security/SecurityTarget.tex
===================================================================
--- Zope3/trunk/doc/security/SecurityTarget.tex 2005-04-20 12:12:21 UTC (rev 30056)
+++ Zope3/trunk/doc/security/SecurityTarget.tex 2005-04-20 13:09:49 UTC (rev 30057)
@@ -812,12 +812,8 @@
transaction started.
\\
- O.Attributes
- &
- Whenever attributes are set using identifiers
- (e.g. principal or permission identifiers), the
- identifiers must have been defined previously.
- \\
+ O.Attributes & All security attributes (e.g. principal or permission
+ identifiers) together must form a meaningful whole at all times. \\
O.ManageRisk
&
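Review bot: The new O.Attributes wording, "must form a meaningful whole at all times", replaces a checkable condition (identifiers must have been defined previously) with one that is not defined anywhere in this hunk, so it is hard to test an implementation against it. Suggest saying what "meaningful whole" requires, for example by keeping the removed condition as one concrete instance of it. Also, the log message says "changed O.Access definition", but the definition changed here is O.Attributes and no O.Access definition change appears in the diff.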
@@ -858,7 +854,7 @@
Those responsible for the TOE must be trustworthy.
\\
- OE.AUDITLOG
+ OE.Auditlog
&
Administrators of the TOE must ensure that audit
facilities are used and managed effectively. In
@@ -2278,16 +2274,16 @@
\midrule
O.IA & \oh & & & & & & & & & & & \\
O.Delegation & & \oh & & & & & & & & & & \\
-O.Audit & \oh & & & \oh & & & & & & & & \\
+O.Audit & \oh & \oh & \oh & & \oh & & & \oh & & & & \\
O.Protect & & & & \oh & & & & & & & & \\
-O.Access & & & \oh & & & & & & & & & \oh \\
+O.Access & & & \oh & & & & \oh & & & \oh & & \\
O.Integrity & & & & & & \oh & & & & & & \\
-O.Attributes & & & & & & & & \oh & & & & \\
+O.Attributes & & & & & \oh & \oh & & \oh & & & & \\
O.ManageRisk & \oh & & & & & & & & & & & \\
\midrule
OE.OS & & & & & & & & & \oh & & \oh & & & & \\
OE.Trust & & & & & & & & & & & & \oh & & & \\
-OE.AUDITLOG & & & & & & & & & & & & & & & \\
+OE.Auditlog & & & & & & & & & & & & & & & \\
OE.Network & & & & & & & & & & & & & \oh & & \\
OE.Client & & & & & & & & & & & & & & \oh & \\
OE.Credential& & & & & & & & & & & & & & & \oh \\
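Review bot: The new O.Audit and O.Attributes rows both mark columns 5 and 8, but the rationale text changed in this same commit gives those two objectives only one threat in common (T.Undo), so one of the column-5 marks looks misplaced. Likewise, the rationale has O.Audit and O.Access sharing T.Operation and T.Transaction, while their rows share only column 3. Please check each \oh against the column header (not visible in this hunk) and adjust the marks so that the matrix and the description list agree.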
@@ -2312,33 +2308,33 @@
permissions.
\item[O.Audit:] This security objective is necessary to detect and recover
- from most threats: \textbf{T.IA, T.Perm, T.Operation, T.RIP, T.Transaction
- and T.Undo}. XXX
+ from most threats: \textbf{T.IA, T.Perm, T.Operation, T.Transaction
+ and T.Undo} as those events are logged by the audit log.
- T.AuditFake because it logs security relevant events and thus supports an
- administrator in finding those events.
-
\item[O.Protect:] This security objective is necessary to counter the threat
\textbf{T.AuditFake} because it protects the audit data generation function
and thereby prevents logging of false information.
\item[O.Access:] This security objective is necessary to counter the threat
- T.Operation because it prevents performing operations on an object without
- having the correct permission. It also counters the threats \textbf{T.Host}
- and \textbf{T.Tiemstamps} because functions are objects which are protected.
- % XXX: T.USB?
+ \textbf{T.Operation} because it prevents performing operations on an object
+ without having the correct permission. It also counters the threats
+ \textbf{T.Host} because functions are objects, too, which are protected.
+ O.Access also counters the threat \textbf{T.Transaction} because transaction
+ managing functions are also objects and therefor protected.
+
\item[O.Integrity:] This security objective is necessary to counter the
- threat T.RIP because it prevents that any data will be written if an
- unhandled error occurs.
+ threat \textbf{T.RIP} because it prevents that any data will be written if
+ an unhandled error occurs.
\item[O.Attributes:] This security objective is necessary to counter the
- threat T.Undo because it prevents using undefined identifiers which could
- allow an attacker to gain more access than intended.
+ threats \textbf{T.Undo}, \textbf{T.Import} and \textbf{T.RIP} because it
+ prevents an attacker form setting inconsistend security attributes from
+ which he could gain more access than intended.
- \item[O.ManagerRisk:] This security objective is necessary to counter the
- threat T.IA because it makes ist less likely an attacker impersonates a
- principal which allows operations with high negaitive impact since those
+ \item[O.ManageRisk:] This security objective is necessary to counter the
+ threat \textbf{T.IA} because it makes it less likely an attacker impersonates a
+ principal which allows operations with high negative impact since those
principals are better protected.
\item[OE.OS:] This security objective is necessary to both counter the
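Review bot: The added O.Access and O.Attributes text carries spelling errors into the Security Target: "therefor" should be "therefore", and "form setting inconsistend" should be "from setting inconsistent"; "It also counters the threats \textbf{T.Host}" now names a single threat and should read "threat". In the O.Audit item, the sentence says the objective is needed to "detect and recover", but the new justification ("as those events are logged by the audit log") only supports detection; either drop "recover" or say how the log supports recovery. T.RIP moves from O.Audit to O.Attributes, where a single "because" clause about inconsistent attributes has to cover T.Undo, T.Import and T.RIP; a short reason per threat would make the rationale traceable.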
@@ -2350,7 +2346,7 @@
\item[OE.Trust:] This security objective covers the assumption
\textbf{A.Admin}.
- \item[OE.AUDITLOG:] XXX
+ \item[OE.Auditlog:] XXX
\item[OE.Network:] This security objective covers the assumptions
\textbf{A.Network} because it asserts that all
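Review bot: \item[OE.Auditlog:] still has "XXX" as its only content, which will be typeset as-is in the description list, and the OE.Auditlog row in the matrix is also empty. Until the rationale is written, consider a LaTeX comment (% XXX) or an explicit "to be completed" sentence so the placeholder is not mistaken for content.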
@@ -2362,7 +2358,7 @@
authentication data is not monitored or interfered.
\item[OE.Credential:] This security objective covers the assumption
- \textbf{A.Credentialt} because it demands that the user is keeping the
+ \textbf{A.Credentials} because it demands that the user is keeping the
credentials to authenticate secret.
\end{description}