[Zope3-checkins] SVN: Zope3/trunk/doc/security/SecurityTarget.tex Removed the requirement FMT_MSA.2 to avoid the security policy model. Secure
Christian Theune
ct at gocept.com
Thu Nov 8 06:00:03 EST 2007
Log message for revision 81601:
Removed the requirement FMT_MSA.2 to avoid the security policy model. Secure
security attributes are explained and covered by FMT_MSA.1 now.
Changed:
U Zope3/trunk/doc/security/SecurityTarget.tex
-=-
Modified: Zope3/trunk/doc/security/SecurityTarget.tex
===================================================================
--- Zope3/trunk/doc/security/SecurityTarget.tex 2007-11-08 09:58:30 UTC (rev 81600)
+++ Zope3/trunk/doc/security/SecurityTarget.tex 2007-11-08 11:00:03 UTC (rev 81601)
@@ -1221,16 +1221,7 @@
\end{description}
-\minisec{FMT{\_}MSA.2 Secure security attributes}
-\begin{description}
-
-\item[FMT{\_}MSA.2.1]
-
- The TSF shall ensure that only secure values are accepted for security
- attributes.
-\end{description}
-
%___________________________________________________________________________
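Review bot: with the FMT_MSA.2 minisec removed in this hunk, the ST no longer has an SFR stating that only secure values are accepted for security attributes, and the later hunk in the TOE summary specification also drops the sentence that only already existing identifiers (user names, permission names) may be used as references. If the Configuration subsystem still validates such references, that behaviour should now be described under FMT_MSA.1; otherwise a reader will assume no validation takes place. Dropping the component itself is consistent with the log message and with removing ADV_SPM.1 below, since FMT_MSA.2 was its only dependent.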
@@ -1409,8 +1400,6 @@
ADV{\_}RCR.1 & Representation correspondence: Information correspondence
demonstration & None \\
- ADV{\_}SPM.1 & Informal TOE security policy model & ADV\_FSP.1 \\
-
\textbf{AGD} & Guidance documents & \\
AGD{\_}ADM.1 & Administrator guidance & ADV{\_}FSP.1 \\
AGD{\_}USR.1 & User guidance (for developers) & ADV{\_}FSP.1 \\
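Review bot: removing the ADV_SPM.1 row is consistent with the dependency table later in this patch, where FMT_MSA.2 was the only SFR that listed ADV_SPM.1 as a dependency; the remaining AGD rows still depend on ADV_FSP.1, which stays in the table, so no dangling dependency is introduced here.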
@@ -1633,8 +1622,7 @@
\subsection{AM{\_}ADV: Development}
-A functional specification, an RCR document and an informal security policy model
-(ADV\_SPM.1) will be provided.
+A functional specification, and an RCR document will be provided.
%___________________________________________________________________________
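Review bot: the added sentence has a stray comma in a two-item list; suggest `A functional specification and an RCR document will be provided.`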
@@ -1836,10 +1824,8 @@
\cline{2-10}
FMT\_MOF.1 & & & & & \oh & & & & \\
\cline{2-10}
-FMT\_MSA.1 & \oh & & \oh & & & & & & \\
+FMT\_MSA.1 & \oh & & \oh & & & & & \oh & \\
\cline{2-10}
-FMT\_MSA.2 & & & & & & & & \oh & \\
-\cline{2-10}
FMT\_MSA.3 & & & & & \oh & & & \oh & \\
\cline{2-10}
FMT\_SMF.1 & & & \oh & & & & & & \\
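Review bot: the \oh added to the FMT_MSA.1 row lands in the ninth column, the one the removed FMT_MSA.2 row and the FMT_MSA.3 row both mark; that matches the rewritten O.Attributes rationale later in the patch, which now cites FMT_MSA.1 and FMT_MSA.3, so the change is correct provided that column is O.Attributes. Please confirm against the column headers, which are outside the hunk context.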
@@ -1876,7 +1862,6 @@
FIA\_USB.1 & FIA\_ATD.1 \\
FMT\_MOF.1 & FMT\_SMF.1, FMT\_SMR.1 \\
FMT\_MSA.1 & FMT\_SMF.1, FMT\_SMR.1 \\
-FMT\_MSA.2 & ADV\_SPM.1, FMT\_MSA.1, FMT\_SMR.1 \\
FMT\_MSA.3 & FMT\_MSA.1, FMT\_SMR.1 \\
FMT\_SMF.1 & -- \\
FMT\_SMR.1 & FIA\_UID.1 \\
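Review bot: this removed row was the only one naming ADV_SPM.1 as a dependency, so removing that assurance component in the earlier hunk leaves no unsatisfied dependency; FMT_MSA.3 still depends on FMT_MSA.1 and FMT_SMR.1, both of which remain in the table.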
@@ -2023,9 +2008,18 @@
\subsection{O.Attributes --- Ensure consistent security attributes}
- To assure an enduring consistent state of all security attributes we
- enforce the security policy model upon any changes to security attributes.
- (FMT\_MSA.2) Additionally static security attribute initialization assures
+ The management of security attributes (FMT\_MSA.1) is restricted to
+ administrators and users granted the ``Sharing'' privilege. Administrators
+ must be trustworthy and can create any state in the system but are relied
+ on not to create inconsistent states on purpose.
+
+ Users with the ``Sharing'' privilege can not create inconsistent states as
+ they are only allowed to freely modify the privilege grants for the objects
+ they have the ``Sharing'' privilege for. Privilege grants can not result
+ in inconsistent states as all possible settings (principal id and privilege
+ assignment) are allowed.
+
+ Additionally, static security attribute initialization assures
a predictable and secure state if no specific attributes are given.
(FMT\_MSA.3)
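Review bot: the new rationale rests on administrators being "relied on not to create inconsistent states on purpose", which is an assumption about the environment rather than a property the TOE enforces; if the ST already states a trusted-administrator assumption in the security environment section, reference it here, otherwise O.Attributes is only partly met by the TOE itself. Second, "all possible settings (principal id and privilege assignment) are allowed" reads as if grants naming nonexistent principal ids are accepted, which sits oddly with the check this patch removes from the TOE summary specification ("only already existing identifiers ... may be used as references"); state which is the case. Minor: "can not" should be "cannot" in both added paragraphs.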
@@ -2136,8 +2130,6 @@
\cline{2-11}
FMT\_MSA.1 & & & \oh & & \oh & & & & \\
\cline{2-11}
-FMT\_MSA.2 & & & & & \oh & & & & \\
-\cline{2-11}
FMT\_MSA.3 & & & \oh & & \oh & & & & \\
\cline{2-11}
FMT\_SMF.1 & \oh & \oh & \oh & & \oh & & & & \\
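Review bot: the removed FMT_MSA.2 row marked only the fifth column, which the FMT_MSA.1 and FMT_MSA.3 rows also mark, so no column loses coverage in this table and no compensating edit is needed here.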
@@ -2284,17 +2276,18 @@
Managing security attributes is a normal operation and therefore protected.
-\minisec{FMT\_MSA.2 --- Secure Security Attributes}
+The mechanism of allowing users to modify privilege grants is granted for
+individual objects. Being able to modify privilege grants can not result in
+access elevation because:
-The \textbf{Configuration} subsystems API for managing security functions and
-attributes perform consistency checks upon the change of any security
-attributes. This includes for example the check of dependencies that the
-removal of principals also has the effect of removal of all dependent
-privilege grants.
+\begin{itemize}
+ \item Granting is restricted to the specific object(s) users have
+the ``Sharing'' privilege for
+ \item Privilege grants are only valid for the object that the grant is
+ registered for (plus sub-objects without sharing support according to
+ the rules of FDP\_ACF.1.2.
+\end{itemize}
-Also only already existing identifiers (user names, permission names) may
-be used as references.
-
\minisec{FMT\_MSA.3 --- Static Attribute Initialization}
A set of fixed rules that are used whenever an attribute definition is missing
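Review bot: the second itemize entry has an unbalanced parenthesis: `(plus sub-objects without sharing support according to the rules of FDP\_ACF.1.2.` never closes; suggest `... the rules of FDP\_ACF.1.2).` The opening sentence "The mechanism of allowing users to modify privilege grants is granted for individual objects" is also garbled (a mechanism is not granted); suggest "The ability to modify privilege grants is granted per object." and "cannot" for "can not" in the sentence that follows. On substance, the removed paragraph documented that removing a principal also removes all of its dependent privilege grants; nothing in the replacement says what happens to those grants now, and with FMT_MSA.2 gone this FMT_MSA.1 section is the place to state whether the Configuration subsystem still performs that cleanup.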
@@ -2369,8 +2362,7 @@
\subsection{Assurance measures}
-The assurance measures are selected in accordance to EAL 1. Additionally due to
-the selection of FMT\_MSA.2 the document ADV\_SPM has been selected.
+The assurance measures are selected in accordance to EAL 1.
%___________________________________________________________________________
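Review bot: "in accordance to" should be "in accordance with" in the retained sentence; dropping the ADV_SPM justification is consistent with the removal of ADV_SPM.1 and FMT_MSA.2 elsewhere in the patch.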