Manuals
/
IBM
/
Computer Equipment
/
Server
IBM
10 SP1 EAL4
manual
202
Models:
10 SP1 EAL4
1
214
246
246
Download
246 pages
443 b
211
212
213
214
215
216
217
218
Signals
Login
Operation and administration
Configfs
Access Control Lists
Batch processing user commands
TOE services
Boot methods
Process switch
Real mode addressing
Page 214
Image 214
202
Page 213
Page 215
Page 214
Image 214
Page 213
Page 215
Contents
Page
EJR
Table of Contents
2.1 DAC AppArmor Programs with software privilege
Permission bits Access Control Lists
100
142
175
207
250
252
269
Conventions used in this document
Purpose of this document
Document overview
Terminology
System Overview
EServer systems
Product history
Suse Linux Enterprise Server
High-level product overview
EServer host computer structure
Overall structure of the TOE
Page
TOE services
EServer system structure
Local and network services provided by Sles
Security policy
Operation and administration
TSF interfaces
Approach to TSF identification
Page
Page
System
System x hardware overview System x hardware architecture
System p hardware overview
System p
System p hardware architecture
System z
System z hardware overview System z hardware architecture
EServer 326 hardware overview
EServer
EServer 326 hardware architecture
AMD x86-64 architecture in compatibility mode
Page
Hardware privilege
Hardware and software privilege
Privilege level
Levels of Privilege
Software privilege
2.1 DAC
AppArmor
TOE Security Functions software structure
Programs with software privilege
Kernel TSF software
Logical components
Logical kernel subsystems and their interactions
Base kernel
Execution components
Kernel threads
Non-kernel TSF software
Kernel modules and device drivers
Page
TSF databases
Definition of subsystems for the CC evaluation
Kernel subsystems
Hardware
Firmware
Trusted process subsystems
User-level audit subsystem
Page
Functional descriptions
File and I/O management
Virtual File System
Ext3 and CD-ROM file systems before mounting
Ext3 and CD-ROM file systems after mounting
Pathname translation
VFS pathname translation and access control checks
Open
Mount
Write
Shared subtrees
2.1 Ext3 file system
Disk-based file systems
Extended Attributes
Data structures
Page
Page
ISO 9660 file system for CD-ROM
Data structures and algorithms
Procfs
Pseudo file systems
Tmpfs
Devpts
Sysfs
Rootfs
Inotify
Discretionary Access Control DAC
Configfs
Binfmtmisc
Permission bits
Indicates read
Types of ACL tags
Access Control Lists
ACL qualifier
Relationship to file permission bits
Default ACLs and ACL inheritance
ACL permissions
Aclmask
ACL enforcement
Asynchronous I/O
7 I/O scheduler
Anticipatory I/O scheduler
Deadline I/O scheduler
Completely Fair Queuing scheduler
Top halves
8 I/O interrupts
Noop I/O scheduler
Bottom halves
Tasklets
Processor interrupts
Machine check
Work queue
Process control and management
Data structures
Page
Control of child processes
Process creation and destruction
DAC controls
Setresuidand setresgid
Process switch
Kernel threads
Execve
Scheduling
Hyperthreading scheduler
Kernel preemption
14 Hyperthreaded scheduling
Inter-process communication
Pipes
Data structures and algorithms
First-In First-Out Named pipes
Fifo creation
Fifo open
System V IPC
Common data structures
Common functions
Message queues
Semaphores
Shared memory regions
Data structures
Signals
Sockets
Algorithms
Network subsystem
16 Object reuse handling in socket allocation
Overview of the network protocol stack
18 How data travels through the Network protocol stack
Transport layer protocols
Network layer protocols
Addressing
3.2.2 IPv6 Header
Transition between IPv4 and IPv6
Flow Labels
Security
IP Security IPsec
Functional Description of IPsec
AH Header
An IP Packet with tunnel mode AH
An IP Packet with tunnel mode ESP
Internet Control Message Protocol Icmp
Link layer protocols
Network services interface
Address Resolution Protocol ARP
Socket
Bind
Accept
Listen
Connect
Memory management
Access control
Generic calls
Page
Four-Level Page Tables
24 Previous three-level page-tables architecture
Memory addressing
System
26 System x virtual addressing space
28 Access control through segmentation
Segmentation
Paging
30 Regular paging
32 Access control through paging
For more information about call gates, refer to
33 Paging data structures
System p
34 Logical partitions
Privilege State
36 Determination of processor mode in Lpar
Address Translation on LPARs
Real mode addressing
Hypervisor
Access to I/O address space
Virtual mode addressing
Direct Memory Access addressing
Preventing denial of service
Run-Time Abstraction Services
System p native mode
39 Effective address
41 Block address
Machine State Register
Segment descriptor
Descriptor
Block descriptor
45 Block Address Translation entry
Address translation mechanisms
47 Block Address Translation access control
Address Translation and access control
Page
48 Page Address Translation and access control
2.4.3 z/VM Guest mode
Native hardware mode
Lpar mode
System z
Address spaces
Address sizes
Address translations
49 System z address types and their translation
51 Address translation modes
52 64-bit or 31-bit Dynamic Address Translation
Memory protection mechanisms
53 Low-address protection on effective address
Table protection
113
114
56 Key match logic for key-controlled protection
EServer
Logical address
Linear address
Effective address
Physical address
59 Data access privilege checks
Access control through type check
Page
121
63 Page map level four entry
Kernel memory management
Translation Lookaside Buffers
Support for Numa servers
Reverse map Virtual Memory
65 Rmap VM
Huge Translation Lookaside Buffers
66 TLB Operation
Remapfilepages
Frame management
Memory area management
Process address space
Noncontiguous memory area management
68 Object reuse handling while allocating new linear address
Atomic operations
Symmetric multiprocessing and synchronization
Memory barriers
Spin locks
Audit subsystem
Audit components
Kernel semaphores
Audit kernel components
Kernel-userspace interface
Filesystem watches
Syscall auditing
Task structure
71 Task Structure
Audit context fields
File system audit components
User space audit components
Audit operation and configuration options
Configuration
Option Description Possible values
Operation
Audit record generation
Audit records
Kernel record generation
73 Audit Record Generation
Syscall audit record generation
74 Extension to system calls interface
File system audit record generation
Record generation by trusted programs
Socket call and IPC audit record generation
Audit record format
Page
Event Description LAF audit events
Kernel modules
Login uid association
Audit tools
Auditctl
Linux Security Module framework
Structure
LSM AppArmor module
LSM capabilities module
AppArmor
AppArmor administrative utilities
Var/log/boot.msg Rwl Var/run/klogd.pid
AppArmor access control functions
Securityfs
1 I/O virtualization on System z
Device drivers
Interpretive-execution facility
State description
Character device driver
Hardware virtualization and simulation
Block device driver
System initialization
Init
System
Boot loader
Boot methods
Boot process
Linuxrc
79 System x Sles boot sequence
System p
Page
80 System p Sles boot sequence
System p in Lpar
Etc/sysconfig/init script
81 System p Lpar Sles boot sequence
System z
Control program
82describes the boot process for Sles as a z/VM guest
82 System z Sles boot sequence
EServer
169
83schematically describes the boot process of eServer 170
Identification and authentication
83 eServer 326 Sles boot sequence
Pluggable Authentication Module
Overview
Configuration terminology
Modules
Etc/security/pamenv.conf
Protected databases
11.2.1.1 DAC
Trusted commands and trusted processes
Access control rules
Agetty
Login
Gpasswd
Mingetty
Newgrp
Passwd
11.3.7 su
Network applications
Interaction with audit
OpenSSL Secure socket-layer interface
84 SSL location in the network stack
Concepts
Encryption
87 Encryption Algorithm and Key
88 Asymmetric keys
Digital certificates and certificate authority
Message Authentication Code MAC
Message digest
SSL architecture
90 SSL Protocol
SSL handshake protocol
187
OpenSSL algorithms
Symmetric ciphers
Certificates
Asymmetric ciphers
Hash functions
Secure Shell
SSH client
SSH server daemon
Very Secure File Transfer Protocol daemon
Cups
Cupsd
Ping6
Ping
Openssl
Stunnel
Xinetd
System management
Account Management
Chage
Chfn
Chsh
Useradd
User management
Usermod
Userdel
Group management
Groupadd
Groupmod
Groupdel
202
Date
System Time management
Other System Management
Hwclock
Memory separation
Supervisor mode instructions
Memory
13.5.1.3 I/O controller and network
System p
Amtu output
Star
207
13.6 I&A support
Batch processing user commands
Batch processing
14.1.2 at
Cron
Batch processing daemons
14.2.2 atd
Audit utilities
User-level audit subsystem
Audit daemon
Aureport
Audit logs
Audit configuration files
Autrace
Supporting functions
TSF libraries
LibraryDescription
Library linking mechanism
System call linking mechanism
System call argument verification
Pageoffset
Audit
Object reuse
Discretionary Access Control
Security management
Secure communications
TSF protection
TSF Databases TP.5
Testing the TOE protection mechanisms TP.7
Trusted processes TP.4
Internal TOE protection mechanisms TP.6
Kernel subsystem file and I/O
Summary of kernel subsystem interfaces
External Interfaces
Internal Interfaces 1.1.3
Internal function Interfaces defined
Kernel subsystem process control and management
External interfaces system calls
Internal Interfaces
Kernel subsystem inter-process communication
Dopipe
Kernel subsystem networking
Kernel subsystem memory management
Kernel subsystem audit
Internal interfaces
Kernel subsystem device drivers
Other functions
Summary of trusted processes interfaces
Kernel subsystems kernel modules
References
RSA
234
Top
Page
Image
Contents