Manuals
/
IBM
/
Computer Equipment
/
Server
IBM
10 SP1 EAL4
manual
Models:
10 SP1 EAL4
1
23
246
246
Download
246 pages
443 b
20
21
22
23
24
25
26
27
Signals
Login
Operation and administration
Configfs
Access Control Lists
Batch processing user commands
TOE services
Boot methods
Process switch
Real mode addressing
Page 23
Image 23
11
Page 22
Page 24
Page 23
Image 23
Page 22
Page 24
Contents
Page
EJR
Table of Contents
2.1 DAC AppArmor Programs with software privilege
Permission bits Access Control Lists
100
142
175
207
250
252
269
Terminology
Purpose of this document
Document overview
Conventions used in this document
System Overview
High-level product overview
Product history
Suse Linux Enterprise Server
EServer systems
Overall structure of the TOE
EServer host computer structure
Page
EServer system structure
TOE services
Security policy
Local and network services provided by Sles
TSF interfaces
Operation and administration
Approach to TSF identification
Page
Page
System x hardware overview System x hardware architecture
System
System p hardware architecture
System p
System p hardware overview
System z hardware overview System z hardware architecture
System z
EServer 326 hardware architecture
EServer
EServer 326 hardware overview
AMD x86-64 architecture in compatibility mode
Page
Privilege level
Hardware and software privilege
Hardware privilege
Levels of Privilege
Software privilege
AppArmor
2.1 DAC
Programs with software privilege
TOE Security Functions software structure
Kernel TSF software
Logical kernel subsystems and their interactions
Logical components
Kernel threads
Execution components
Base kernel
Kernel modules and device drivers
Non-kernel TSF software
Page
Definition of subsystems for the CC evaluation
TSF databases
Trusted process subsystems
Hardware
Firmware
Kernel subsystems
User-level audit subsystem
Page
File and I/O management
Functional descriptions
Ext3 and CD-ROM file systems before mounting
Virtual File System
Ext3 and CD-ROM file systems after mounting
Pathname translation
VFS pathname translation and access control checks
Open
Shared subtrees
Write
Mount
Extended Attributes
Disk-based file systems
2.1 Ext3 file system
Data structures
Page
Page
Data structures and algorithms
ISO 9660 file system for CD-ROM
Tmpfs
Pseudo file systems
Procfs
Rootfs
Sysfs
Devpts
Binfmtmisc
Discretionary Access Control DAC
Configfs
Inotify
Indicates read
Permission bits
ACL qualifier
Access Control Lists
Types of ACL tags
Aclmask
Default ACLs and ACL inheritance
ACL permissions
Relationship to file permission bits
ACL enforcement
7 I/O scheduler
Asynchronous I/O
Completely Fair Queuing scheduler
Deadline I/O scheduler
Anticipatory I/O scheduler
Bottom halves
8 I/O interrupts
Noop I/O scheduler
Top halves
Work queue
Processor interrupts
Machine check
Tasklets
Data structures
Process control and management
Page
DAC controls
Process creation and destruction
Control of child processes
Execve
Process switch
Kernel threads
Setresuidand setresgid
Hyperthreading scheduler
Scheduling
14 Hyperthreaded scheduling
Kernel preemption
Inter-process communication
Data structures and algorithms
Pipes
Fifo creation
First-In First-Out Named pipes
Common data structures
System V IPC
Fifo open
Message queues
Common functions
Semaphores
Shared memory regions
Algorithms
Signals
Sockets
Data structures
16 Object reuse handling in socket allocation
Network subsystem
Overview of the network protocol stack
18 How data travels through the Network protocol stack
Network layer protocols
Transport layer protocols
3.2.2 IPv6 Header
Addressing
IP Security IPsec
Flow Labels
Security
Transition between IPv4 and IPv6
AH Header
Functional Description of IPsec
An IP Packet with tunnel mode AH
An IP Packet with tunnel mode ESP
Link layer protocols
Internet Control Message Protocol Icmp
Address Resolution Protocol ARP
Network services interface
Bind
Socket
Connect
Listen
Accept
Generic calls
Access control
Memory management
Page
24 Previous three-level page-tables architecture
Four-Level Page Tables
System
Memory addressing
26 System x virtual addressing space
Segmentation
28 Access control through segmentation
Paging
30 Regular paging
32 Access control through paging
For more information about call gates, refer to
System p
33 Paging data structures
34 Logical partitions
Privilege State
36 Determination of processor mode in Lpar
Hypervisor
Real mode addressing
Address Translation on LPARs
Direct Memory Access addressing
Virtual mode addressing
Access to I/O address space
System p native mode
Run-Time Abstraction Services
Preventing denial of service
39 Effective address
Machine State Register
41 Block address
Block descriptor
Descriptor
Segment descriptor
Address translation mechanisms
45 Block Address Translation entry
Address Translation and access control
47 Block Address Translation access control
Page
48 Page Address Translation and access control
System z
Native hardware mode
Lpar mode
2.4.3 z/VM Guest mode
Address translations
Address sizes
Address spaces
49 System z address types and their translation
51 Address translation modes
52 64-bit or 31-bit Dynamic Address Translation
53 Low-address protection on effective address
Memory protection mechanisms
Table protection
113
114
56 Key match logic for key-controlled protection
Logical address
EServer
Physical address
Effective address
Linear address
59 Data access privilege checks
Access control through type check
Page
121
63 Page map level four entry
Translation Lookaside Buffers
Kernel memory management
Reverse map Virtual Memory
Support for Numa servers
Huge Translation Lookaside Buffers
65 Rmap VM
66 TLB Operation
Frame management
Remapfilepages
Noncontiguous memory area management
Process address space
Memory area management
68 Object reuse handling while allocating new linear address
Memory barriers
Symmetric multiprocessing and synchronization
Atomic operations
Kernel semaphores
Audit subsystem
Audit components
Spin locks
Kernel-userspace interface
Audit kernel components
Task structure
Syscall auditing
Filesystem watches
Audit context fields
71 Task Structure
File system audit components
User space audit components
Configuration
Audit operation and configuration options
Option Description Possible values
Operation
Kernel record generation
Audit records
Audit record generation
Syscall audit record generation
73 Audit Record Generation
File system audit record generation
74 Extension to system calls interface
Audit record format
Socket call and IPC audit record generation
Record generation by trusted programs
Page
Event Description LAF audit events
Auditctl
Login uid association
Audit tools
Kernel modules
Linux Security Module framework
Structure
AppArmor
LSM capabilities module
LSM AppArmor module
Var/log/boot.msg Rwl Var/run/klogd.pid
AppArmor administrative utilities
Securityfs
AppArmor access control functions
Interpretive-execution facility
Device drivers
1 I/O virtualization on System z
State description
Hardware virtualization and simulation
Character device driver
Block device driver
Init
System initialization
System
Boot process
Boot methods
Boot loader
Linuxrc
79 System x Sles boot sequence
System p
Page
System p in Lpar
80 System p Sles boot sequence
Etc/sysconfig/init script
81 System p Lpar Sles boot sequence
Control program
System z
82describes the boot process for Sles as a z/VM guest
EServer
82 System z Sles boot sequence
169
83schematically describes the boot process of eServer 170
83 eServer 326 Sles boot sequence
Identification and authentication
Overview
Pluggable Authentication Module
Modules
Configuration terminology
Etc/security/pamenv.conf
Protected databases
Agetty
Trusted commands and trusted processes
Access control rules
11.2.1.1 DAC
Gpasswd
Login
Newgrp
Mingetty
11.3.7 su
Passwd
OpenSSL Secure socket-layer interface
Interaction with audit
Network applications
84 SSL location in the network stack
Encryption
Concepts
87 Encryption Algorithm and Key
88 Asymmetric keys
SSL architecture
Message Authentication Code MAC
Message digest
Digital certificates and certificate authority
SSL handshake protocol
90 SSL Protocol
187
Symmetric ciphers
OpenSSL algorithms
Hash functions
Asymmetric ciphers
Certificates
Secure Shell
SSH server daemon
SSH client
Cups
Very Secure File Transfer Protocol daemon
Cupsd
Openssl
Ping
Ping6
Stunnel
Chage
System management
Account Management
Xinetd
Chsh
Chfn
Usermod
User management
Useradd
Userdel
Groupadd
Group management
Groupdel
Groupmod
202
Hwclock
System Time management
Other System Management
Date
13.5.1.3 I/O controller and network
Supervisor mode instructions
Memory
Memory separation
System p
Star
Amtu output
207
Batch processing
Batch processing user commands
13.6 I&A support
14.1.2 at
14.2.2 atd
Batch processing daemons
Cron
Aureport
User-level audit subsystem
Audit daemon
Audit utilities
Autrace
Audit configuration files
Audit logs
TSF libraries
Supporting functions
LibraryDescription
System call linking mechanism
Library linking mechanism
System call argument verification
Pageoffset
Audit
Security management
Discretionary Access Control
Object reuse
TSF protection
Secure communications
Internal TOE protection mechanisms TP.6
Testing the TOE protection mechanisms TP.7
Trusted processes TP.4
TSF Databases TP.5
External Interfaces
Summary of kernel subsystem interfaces
Kernel subsystem file and I/O
Internal function Interfaces defined
Internal Interfaces 1.1.3
External interfaces system calls
Kernel subsystem process control and management
Kernel subsystem inter-process communication
Internal Interfaces
Dopipe
Kernel subsystem memory management
Kernel subsystem networking
Internal interfaces
Kernel subsystem audit
Kernel subsystem device drivers
Other functions
Kernel subsystems kernel modules
Summary of trusted processes interfaces
References
RSA
234
Top
Page
Image
Contents