10 SP1 EAL4 - page 23
Table of Contents
13
1 Introduction
1.1 Purpose of this document
1.2 Document overview
1.3 Conventions used in this document
1.4 Terminology
14
2 System Overview
Figure 2-1: Series of TOE systems connected by a physically protected LAN
15
2.1 Product history
2.1.1 SUSE Linux Enterprise Server
2.1.2 eServer systems
2.2 High-level product overview
16
2.2.1 eServer host computer structure
Figure 2-2: Overall structure of the TOE
18
2.2.2 eServer system structure
2.2.3 TOE services
19
2.2.4 Security policy
Figure 2-3: Local and network services provided by SLES
20
2.2.5 Operation and administration
2.2.6 TSF interfaces
21
2.3 Approach to TSF identification
24
3 Hardware architecture
3.1 System x
3.1.1 System x hardware overview
3.1.2 System x hardware architecture
25
3.2 System p
3.2.1 System p hardware overview
3.2.2 System p hardware architecture
26
3.3 System z
3.3.1 System z hardware overview
3.3.2 System z hardware architecture
27
3.4 eServer 326
Figure 3-1: z/VM as hypervisor
3.4.1 eServer 326 hardware overview
3.4.2 eServer 326 hardware architecture
28
Figure 3-2: AMD x86-64 architecture in compatibility mode
30
4 Software architecture
4.1 Hardware and software privilege
4.1.1 Hardware privilege
4.1.1.1 Privilege level
31
Figure 4-1: Levels of Privilege
32
4.1.2 Software privilege
33
4.1.2.1 DAC
4.1.2.1.1 Subjects and objects
4.1.2.1.2 Attributes
4.1.2.1.3 Access control rules
4.1.2.1.4 Software privilege
4.1.2.2 AppArmor
4.1.2.3 Programs with software privilege
34
4.2 TOE Security Functions software structure
Figure 4-2: TSF and non-TSF software
35
4.2.1 Kernel TSF software
4.2.1.1 Logical components
36
Figure 4-3: Logical kernel subsystems and their interactions
4.2.1.2 Execution components
37
Figure 4-4: Kernel execution components
4.2.1.2.1 Base kernel
4.2.1.2.2 Kernel threads
4.2.1.2.3 Kernel modules and device drivers
38
4.2.2 Non-kernel TSF software
40
4.3 TSF databases
4.4 Definition of subsystems for the CC evaluation
41
4.4.1 Hardware
4.4.2 Firmware
4.4.3 Kernel subsystems
4.4.4 Trusted process subsystems
42
4.4.5 User-level audit subsystem
44
5 Functional descriptions
5.1 File and I/O management
Figure 5-1: File and I/O subsystem and its interaction with other subsystems
45
5.1.1 Virtual File System
Figure 5-2: ext3 and CD-ROM file systems before mounting
46
Figure 5-3: ext3 and CD-ROM file systems after mounting
Figure 5-4: Virtual file system
47
5.1.1.1 Pathname translation
5.1.1.2 open()
49
Figure 5-6: VFS data structures and their relationships with each other
50
5.1.1.3 write()
5.1.1.4 mount()
5.1.1.5 Shared subtrees
51
5.1.2 Disk-based file systems
5.1.2.1 Ext3 file system
5.1.2.1.1 Extended Attributes
5.1.2.1.2 Data structures
52
Figure 5-7: Security attributes, extended security attributes, and data blocks for the ext3 inode
55
Figure 5-9: Access control on ext3 file system
5.1.2.2 ISO 9660 file system for CD-ROM
5.1.2.2.1 Data structures and algorithms
56
5.1.3 Pseudo file systems
Figure 5-10: File lookup on CD-ROM file system
5.1.3.1 procfs
5.1.3.2 tmpfs
57
5.1.3.3 sysfs
5.1.3.4 devpts
5.1.3.5 rootfs
5.1.3.6 binfmt_misc
5.1.3.7 securityfs
5.1.3.8 configfs
58
5.1.4 inotify
5.1.5 Discretionary Access Control (DAC)
59
5.1.5.1 Permission bits
60
5.1.5.2 Access Control Lists
5.1.5.2.1 Types of ACL tags
5.1.5.2.2 ACL qualifier
61
5.1.5.2.3 ACL permissions
5.1.5.2.4 Relationship to file permission bits
5.1.5.2.5 ACL_MASK
5.1.5.2.6 Default ACLs and ACL inheritance
5.1.5.2.7 ACL representations and interfaces
62
5.1.5.2.8 ACL enforcement
63
5.1.6 Asynchronous I/O
5.1.7 I/O scheduler
64
5.1.7.1 Deadline I/O scheduler
5.1.7.2 Anticipatory I/O scheduler
5.1.7.3 Completely Fair Queuing scheduler
5.1.7.4 Noop I/O scheduler
65
5.1.8 I/O interrupts
5.1.8.1 Top halves
5.1.8.2 Bottom halves
5.1.8.3 Softirqs
5.1.8.4 Tasklets
5.1.8.5 Work queue
66
5.1.9 Processor interrupts
5.1.10 Machine check
67
5.2 Process control and management
Figure 5-11: Process subsystem and its interaction with other subsystems
5.2.1 Data structures
Figure 5-12: The task structure
69
5.2.2 Process creation and destruction
5.2.2.1 Control of child processes
5.2.2.2 DAC controls
5.2.2.2.1 setuid() and setgid()
5.2.2.2.2 seteuid() and setegid()
5.2.2.2.3 setreuid() and setregid()
5.2.2.2.4 setresuid() and setresgid()
5.2.2.3 execve()
5.2.2.4 do_exit()
70
5.2.3 Process switch
5.2.4 Kernel threads
71
5.2.5 Scheduling
Figure 5-13: O(1) scheduling
72
5.2.6 Kernel preemption
Figure 5-14: Hyperthreaded scheduling
73
5.3 Inter-process communication
74
5.3.1 Pipes
Figure 5-15: Pipes Implementation
5.3.1.1 Data structures and algorithms
75
5.3.2 First-In First-Out Named pipes
5.3.2.1 FIFO creation
5.3.2.2 FIFO open
76
5.3.3 System V IPC
5.3.3.1 Common data structures
77
5.3.3.2 Common functions
5.3.3.2.1 ipc_alloc()
5.3.3.2.2 ipcperms()
5.3.3.3 Message queues
5.3.3.3.1 msg_queue
5.3.3.3.2 msg_msg
80
5.3.4 Signals
5.3.4.1 Data structures
5.3.4.2 Algorithms
5.3.5 Sockets
81
5.4 Network subsystem
Figure 5-16: Object reuse handling in socket allocation
82
5.4.1 Overview of the network protocol stack
Figure 5-17: Network subsystem and its interaction with other subsystems
83
Figure 5-18: How data travels through the Network protocol stack
84
5.4.2 Transport layer protocols
5.4.2.1 TCP
5.4.2.2 UDP
5.4.3 Network layer protocols
5.4.3.1 Internet Protocol Version 4 (IPv4)
5.4.3.2 Internet Protocol Version 6 (IPv6)
85
5.4.3.2.1 Addressing
5.4.3.2.2 IPv6 Header
86
5.4.3.2.3 Flow Labels
5.4.3.2.4 Security
5.4.3.3 Transition between IPv4 and IPv6
5.4.3.4 IP Security (IPsec)
87
5.4.3.4.1 Functional Description of IPsec
90
5.4.4 Internet Control Message Protocol (ICMP)
5.4.4.1 Link layer protocols
5.4.4.1.1 Address Resolution Protocol (ARP)
91
5.4.5 Network services interface
Figure 5-19: Server and client operations using socket interface
5.4.5.1 socket()
92
Figure 5-20: bind() function for internet domain TCP socket
5.4.5.2 bind()
93
Figure 5-21: bind() function for UNIX domain TCP socket
5.4.5.3 listen()
5.4.5.4 accept()
5.4.5.5 connect()
5.4.5.6 Generic calls
5.4.5.7 Access control
94
5.5 Memory management
Figure 5-22: Mapping read, write and close calls for sockets
95
Figure 5-23: Memory subsystem and its interaction with other subsystems
96
5.5.1 Four-Level Page Tables
Figure 5-24: Previous three-level page-tables architecture
97
5.5.2 Memory addressing
5.5.2.1 System x
Figure 5-25: New page-table implementation: the four-level page-table architecture
98
Figure 5-26: System x virtual addressing space
Figure 5-27: Logical Address Translation
5.5.2.1.1 Segmentation
99
Figure 5-28: Access control through segmentation
5.5.2.1.2 Paging
100
Figure 5-29: Contiguous linear addresses map to contiguous physical addresses
102
Figure 5-32: Access control through paging
104
Figure 5-33: Paging data structures
5.5.2.2 System p
105
Figure 5-34: Logical partitions
Figure 5-35: Machine state register
108
5.5.2.2.1 Address Translation on LPARs
5.5.2.2.2 Hypervisor
5.5.2.2.3 Real mode addressing
109
5.5.2.2.4 Virtual mode addressing
5.5.2.2.5 Access to I/O address space
5.5.2.2.6 Direct Memory Access addressing
110
Figure 5-38: DMA addressing
5.5.2.2.7 Run-Time Abstraction Services
5.5.2.2.8 Preventing denial of service
5.5.2.3 System p native mode
111
Figure 5-39: Effective address
Figure 5-40: Virtual address
5.5.2.3.1 Machine State Register
112
Figure 5-41: Block address
Figure 5-42: Machine state register
5.5.2.3.2 Page descriptor
5.5.2.3.3 Segment descriptor
5.5.2.3.4 Block descriptor
113
Figure 5-43: Page table entry
Figure 5-44: Segment Table Entry
5.5.2.3.5 Address translation mechanisms
114
Figure 5-46: Address translation method selection
Figure 5-45: Block Address Translation entry
115
Figure 5-47: Block Address Translation access control
5.5.2.3.6 Page Address Translation and access control
118
5.5.2.4 System z
5.5.2.4.1 Native hardware mode
5.5.2.4.2 LPAR mode
5.5.2.4.3 z/VM Guest mode
5.5.2.4.4 Address types
119
5.5.2.4.5 Address sizes
5.5.2.4.6 Address spaces
5.5.2.4.7 Address translations
121
Figure 5-51: Address translation modes
5.5.2.4.8 Memory protection mechanisms
123
Figure 5-53: Low-address protection on effective address
127
Figure 5-56: Key match logic for key-controlled protection
128
Figure 5-57: Fetch protection override for key-controlled
5.5.2.5 eServer 326
5.5.2.5.1 Logical address
5.5.2.5.2 Effective address
129
Figure 5-58: eServer 326 address types and their conversion units
5.5.2.5.3 Linear address
5.5.2.5.4 Physical address
5.5.2.5.5 Segmentation
130
Figure 5-59: Data access privilege checks
131
5.5.2.5.6 Paging
5.5.2.5.7 Translation Lookaside Buffers
135
5.5.3 Kernel memory management
5.5.3.1 Support for NUMA servers
136
Figure 5-64: NUMA Design
5.5.3.2 Reverse map Virtual Memory
137
Figure 5-65: Rmap VM
5.5.3.3 Huge Translation Lookaside Buffers
138
Figure 5-66: TLB Operation
5.5.3.4 Remap_file_pages
139
Figure 5-67: Remap_file_pages for database applications
5.5.3.5 Page frame management
5.5.3.6 Memory area management
5.5.3.7 Noncontiguous memory area management
140
5.5.4 Process address space
141
Figure 5-68: Object reuse handling while allocating new linear address
142
5.5.5 Symmetric multiprocessing and synchronization
5.5.5.1 Atomic operations
5.5.5.2 Memory barriers
5.5.5.3 Spin locks
5.5.5.4 Kernel semaphores
143
5.6 Audit subsystem
5.6.1 Audit components
144
Figure 5-69: Audit framework components
5.6.1.1 Audit kernel components
5.6.1.1.1 Kernel-userspace interface
5.6.1.1.2 Syscall auditing
145
Figure 5-70: Audit Kernel Components
5.6.1.1.3 Filesystem watches
5.6.1.1.4 Task structure
146
Figure 5-71: Task Structure
5.6.1.1.5 Audit context fields
147
5.6.1.2 File system audit components
148
5.6.1.3 User space audit components
149
5.6.2 Audit operation and configuration options
Figure 5-72: Audit User Space Components
5.6.2.1 Configuration
151
5.6.2.2 Operation
152
5.6.3 Audit records
5.6.3.1 Audit record generation
5.6.3.1.1 Kernel record generation
153
Figure 5-73: Audit Record Generation
5.6.3.1.2 Syscall audit record generation
154
Figure 5-74: Extension to system calls interface
5.6.3.1.3 File system audit record generation
5.6.3.1.4 Socket call and IPC audit record generation
155
Figure 5-75: User Space Record Generation
5.6.3.1.5 Record generation by trusted programs
5.6.3.2 Audit record format
158
5.6.4 Audit tools
5.6.4.1 auditctl
5.6.4.2 ausearch
5.6.5 Login uid association
5.7 Kernel modules
159
5.7.1 Linux Security Module framework
161
5.7.2 LSM capabilities module
Figure 5-76: LSM hook architecture
5.7.3 LSM AppArmor module
5.8 AppArmor
162
5.8.1 AppArmor administrative utilities
163
5.8.2 AppArmor access control functions
5.8.3 securityfs
164
5.9 Device drivers
5.9.1 I/O virtualization on System z
5.9.1.1 Interpretive-execution facility
165
5.9.1.2 State description
5.9.1.3 Hardware virtualization and simulation
166
5.9.2 Character device driver
167
5.9.3 Block device driver
Figure 5-77: Setup of f_op for character device specific file operations
168
5.10 System initialization
Figure 5-78: Setup of f_op for block device specific file operations
5.10.1 init
169
5.10.2 System x
170
5.10.2.1 Boot methods
5.10.2.2 Boot loader
5.10.2.3 Boot process
173
5.10.3 System p
5.10.3.1 Boot methods
5.10.3.2 Boot loader
5.10.3.3 Boot process
176
5.10.4.1 Boot process
178
5.10.5 System z
5.10.5.1 Boot methods
5.10.5.2 Control program
5.10.5.3 Boot process
180
5.10.6 eServer 326
Figure 5-82: System z SLES boot sequence
5.10.6.1 Boot methods
181
5.10.6.2 Boot loader
5.10.6.3 Boot process
183
5.11 Identification and authentication
Figure 5-83: eServer 326 SLES boot sequence
184
5.11.1 Pluggable Authentication Module
5.11.1.1 Overview
185
5.11.1.2 Configuration terminology
5.11.1.3 Modules
187
5.11.2 Protected databases
5.11.2.1 Access control rules
5.11.2.1.1 DAC
5.11.2.1.2 Software privilege
188
5.11.3 Trusted commands and trusted processes
5.11.3.1 agetty
189
5.11.3.2 gpasswd
5.11.3.3 login
190
5.11.3.4 mingetty
5.11.3.5 newgrp
191
5.11.3.6 passwd
5.11.3.7 su
192
5.11.4 Interaction with audit
5.12 Network applications
5.12.1 OpenSSL Secure socket-layer interface
193
Figure 5-84: SSL location in the network stack
5.12.1.1 Concepts
5.12.1.1.1 Encryption
194
Figure 5-86: Decryption
Figure 5-85: Encryption
195
Figure 5-87: Encryption Algorithm and Key
197
5.12.1.1.2 Message digest
5.12.1.1.3 Message Authentication Code (MAC)
5.12.1.1.4 Digital certificates and certificate authority
5.12.1.2 SSL architecture
198
Figure 5-90: SSL Protocol
5.12.1.2.1 SSL handshake protocol
200
Figure 5-92: SSL protocol action
5.12.1.3 OpenSSL algorithms
5.12.1.4 Symmetric ciphers
201
5.12.1.4.1 Asymmetric ciphers
5.12.1.4.2 Certificates
5.12.1.4.3 Hash functions
202
5.12.2 Secure Shell
203
5.12.2.1 SSH client
5.12.2.2 SSH server daemon
204
5.12.3 Very Secure File Transfer Protocol daemon
5.12.4 CUPS
205
5.12.4.1 cupsd
206
5.12.4.2 ping
5.12.4.3 ping6
5.12.4.4 openssl
207
5.12.4.5 stunnel
5.12.4.6 xinetd
208
5.13 System management
5.13.1 Account Management
5.13.1.1 chage
209
5.13.1.2 chfn
5.13.1.3 chsh
210
5.13.2 User management
5.13.2.1 useradd
5.13.2.2 usermod
211
5.13.2.3 userdel
212
5.13.3 Group management
5.13.3.1 groupadd
213
5.13.3.2 groupmod
5.13.3.3 groupdel
215
5.13.4 System Time management
5.13.4.1 date
5.13.4.2 hwclock
5.13.5 Other System Management
5.13.5.1 AMTU
216
5.13.5.1.1 Memory
5.13.5.1.2 Memory separation
5.13.5.1.3 I/O controller and network
5.13.5.1.4 I/O controller and disk
5.13.5.1.5 Supervisor mode instructions
218
5.13.5.1.6 AMTU output
5.13.5.2 star
220
5.13.6 I&A support
5.13.6.1 pam_tally
5.13.6.2 unix_chkpwd
5.14 Batch processing
5.14.1 Batch processing user commands
5.14.1.1 crontab
221
5.14.1.2 at
222
5.14.2 Batch processing daemons
5.14.2.1 cron
5.14.2.2 atd
223
5.15 User-level audit subsystem
5.15.1 Audit daemon
5.15.2 Audit utilities
5.15.2.1 aureport
5.15.2.2 ausearch
5.15.2.3 autrace
224
5.15.3 Audit configuration files
5.15.4 Audit logs
225
5.16 Supporting functions
5.16.1 TSF libraries
226
227
5.16.2 Library linking mechanism
5.16.3 System call linking mechanism
5.16.3.1 System x
5.16.3.2 System p
5.16.3.3 System z
5.16.3.4 eServer 326
228
5.16.4 System call argument verification
230
6 Mapping the TOE summary specification to the High-Level Design
233
6.7.4 Trusted processes (TP.4)
6.7.5 TSF Databases (TP.5)
6.7.6 Internal TOE protection mechanisms (TP.6)
6.7.7 Testing the TOE protection mechanisms (TP.7)
6.8 Security enforcing interfaces between subsystems
234
6.8.1 Summary of kernel subsystem interfaces
6.8.1.1 Kernel subsystem file and I/O
6.8.1.1.1 External Interfaces
235
6.8.1.1.2 Internal Interfaces
6.8.1.1.3
236
6.8.1.1.4 Data Structures
6.8.1.2 Kernel subsystem process control and management
6.8.1.2.1 External interfaces (system calls)
237
6.8.1.2.2 Internal Interfaces
6.8.1.2.3 Data Structures
6.8.1.3 Kernel subsystem inter-process communication
238
6.8.1.3.1 External interfaces (system calls)
6.8.1.3.2 Internal Interfaces
6.8.1.3.3 Data Structures
239
6.8.1.4 Kernel subsystem networking
6.8.1.4.1 External interfaces (system calls)
6.8.1.4.2 Internal interfaces
6.8.1.4.3 Data Structures
6.8.1.5 Kernel subsystem memory management
6.8.1.5.1 External interfaces (system calls)
240
6.8.1.5.2 Internal interfaces
6.8.1.5.3 Data Structures
6.8.1.6 Kernel subsystem audit
6.8.1.6.1 External interfaces
6.8.1.6.2 Internal interfaces
241
6.8.1.6.3 Data structures
6.8.1.7 Kernel subsystem device drivers
6.8.1.7.1 External interfaces (system calls)
6.8.1.7.2 Internal interfaces
243
6.8.2 Summary of trusted processes interfaces
244
7 References