Secure communications, TSF protection | IBM 10 SP1 EAL4 specification

6.5.1Roles (SM.1)

Section 5.13 provides details on various commands that support the notion of an administrator and a normal user.

6.5.2Access control configuration and management (SM.2)

Sections 5.1.1 and 5.1.2.1 provide details on the system calls of the file system that are used to set attributes on objects to configure access control.

6.5.3Management of user, group and authentication data (SM.3)

Sections 5.11.2 and 5.13 provide details on various commands used to manage authentication databases.

6.5.4Management of audit configuration (SM.4)

Sections 5.15.1 and 5.15.2 describe utilities used to upload audit configuration parameters to the SLES kernel and utilities used by trusted processes to attach and detach from the audit subsystem.

6.5.5Reliable time stamps (SM.5)

Sections 3.1.1, 3.2.1, 3.3.1, and 3.4.1 describe the use of hardware clocks, by eServer hardware, to maintain reliable time stamps.

6.6Secure communications

Sections 5.12.1 and 5.12.2 describe secure communications protocols supported by SLES.

6.6.1Secure protocols (SC.1)

Section 5.12.2 describes the Secure Shell (SSH) protocol. Section 5.12.1 describes the Secure Socket Layer (SSL) protocol. Section 5.12.1.3 describes cipher suites and cryptographic algorithms supported by SLES.

6.7TSF protection

Chapter 4 provides details on TSF protection.

6.7.1TSF invocation guarantees (TP.1)

Section 4.2 provides details of the TSF structure. Section 4.2 also provides a mechanism to separate TSF software from non-TSF software.

6.7.2Kernel (TP.2)

Section 4.2.1 provides details on the SLES kernel.

6.7.3Kernel modules (TP.3)

Section 4.2.1.2 provides details on kernel modules on the SLES system.

220

Image 232

IBM 10 SP1 EAL4 manual Secure communications, TSF protection

Contents

Page EJR Table of Contents 2.1 DAC AppArmor Programs with software privilege Permission bits Access Control Lists 100 142 175 207 250 252 269 Purpose of this document Document overviewConventions used in this document Terminology System Overview Product history Suse Linux Enterprise ServerEServer systems High-level product overview EServer host computer structure Overall structure of the TOEPage TOE services EServer system structure Local and network services provided by Sles Security policy Operation and administration TSF interfaces Approach to TSF identification Page Page System System x hardware overview System x hardware architecture System p hardware overview System pSystem p hardware architecture System z System z hardware overview System z hardware architecture EServer 326 hardware overview EServerEServer 326 hardware architecture AMD x86-64 architecture in compatibility mode Page Hardware privilege Hardware and software privilegePrivilege level Levels of Privilege Software privilege 2.1 DAC AppArmor TOE Security Functions software structure Programs with software privilege Kernel TSF software Logical components Logical kernel subsystems and their interactions Base kernel Execution componentsKernel threads Non-kernel TSF software Kernel modules and device driversPage TSF databases Definition of subsystems for the CC evaluation Hardware FirmwareKernel subsystems Trusted process subsystems User-level audit subsystem Page Functional descriptions File and I/O management Virtual File System Ext3 and CD-ROM file systems before mounting Ext3 and CD-ROM file systems after mounting Pathname translation VFS pathname translation and access control checks Open Mount WriteShared subtrees 2.1 Ext3 file system Disk-based file systemsExtended Attributes Data structures Page Page ISO 9660 file system for CD-ROM Data structures and algorithms Procfs Pseudo file systemsTmpfs Devpts SysfsRootfs Discretionary Access Control DAC ConfigfsInotify Binfmtmisc Permission bits Indicates read Types of ACL tags Access Control ListsACL qualifier Default ACLs and ACL inheritance ACL permissionsRelationship to file permission bits Aclmask ACL enforcement Asynchronous I/O 7 I/O scheduler Anticipatory I/O scheduler Deadline I/O schedulerCompletely Fair Queuing scheduler 8 I/O interrupts Noop I/O schedulerTop halves Bottom halves Processor interrupts Machine checkTasklets Work queue Process control and management Data structuresPage Control of child processes Process creation and destructionDAC controls Process switch Kernel threadsSetresuidand setresgid Execve Scheduling Hyperthreading scheduler Kernel preemption 14 Hyperthreaded scheduling Inter-process communication Pipes Data structures and algorithms First-In First-Out Named pipes Fifo creation Fifo open System V IPCCommon data structures Common functions Message queues Semaphores Shared memory regions Signals SocketsData structures Algorithms Network subsystem 16 Object reuse handling in socket allocation Overview of the network protocol stack 18 How data travels through the Network protocol stack Transport layer protocols Network layer protocols Addressing 3.2.2 IPv6 Header Flow Labels SecurityTransition between IPv4 and IPv6 IP Security IPsec Functional Description of IPsec AH Header An IP Packet with tunnel mode AH An IP Packet with tunnel mode ESP Internet Control Message Protocol Icmp Link layer protocols Network services interface Address Resolution Protocol ARP Socket Bind Accept ListenConnect Memory management Access controlGeneric calls Page Four-Level Page Tables 24 Previous three-level page-tables architecture Memory addressing System 26 System x virtual addressing space 28 Access control through segmentation Segmentation Paging 30 Regular paging 32 Access control through paging For more information about call gates, refer to 33 Paging data structures System p 34 Logical partitions Privilege State 36 Determination of processor mode in Lpar Address Translation on LPARs Real mode addressingHypervisor Access to I/O address space Virtual mode addressingDirect Memory Access addressing Preventing denial of service Run-Time Abstraction ServicesSystem p native mode 39 Effective address 41 Block address Machine State Register Segment descriptor DescriptorBlock descriptor 45 Block Address Translation entry Address translation mechanisms 47 Block Address Translation access control Address Translation and access controlPage 48 Page Address Translation and access control Native hardware mode Lpar mode2.4.3 z/VM Guest mode System z Address spaces Address sizesAddress translations 49 System z address types and their translation 51 Address translation modes 52 64-bit or 31-bit Dynamic Address Translation Memory protection mechanisms 53 Low-address protection on effective address Table protection 113 114 56 Key match logic for key-controlled protection EServer Logical address Linear address Effective addressPhysical address 59 Data access privilege checks Access control through type check Page 121 63 Page map level four entry Kernel memory management Translation Lookaside Buffers Support for Numa servers Reverse map Virtual Memory 65 Rmap VM Huge Translation Lookaside Buffers 66 TLB Operation Remapfilepages Frame management Memory area management Process address spaceNoncontiguous memory area management 68 Object reuse handling while allocating new linear address Atomic operations Symmetric multiprocessing and synchronizationMemory barriers Audit subsystem Audit componentsSpin locks Kernel semaphores Audit kernel components Kernel-userspace interface Filesystem watches Syscall auditingTask structure 71 Task Structure Audit context fields File system audit components User space audit components Audit operation and configuration options Configuration Option Description Possible values Operation Audit record generation Audit recordsKernel record generation 73 Audit Record Generation Syscall audit record generation 74 Extension to system calls interface File system audit record generation Record generation by trusted programs Socket call and IPC audit record generationAudit record format Page Event Description LAF audit events Login uid association Audit toolsKernel modules Auditctl Linux Security Module framework Structure LSM AppArmor module LSM capabilities moduleAppArmor AppArmor administrative utilities Var/log/boot.msg Rwl Var/run/klogd.pid AppArmor access control functions Securityfs 1 I/O virtualization on System z Device driversInterpretive-execution facility State description Character device driver Hardware virtualization and simulation Block device driver System initialization Init System Boot loader Boot methodsBoot process Linuxrc 79 System x Sles boot sequence System p Page 80 System p Sles boot sequence System p in Lpar Etc/sysconfig/init script 81 System p Lpar Sles boot sequence System z Control program 82describes the boot process for Sles as a z/VM guest 82 System z Sles boot sequence EServer 169 83schematically describes the boot process of eServer 170 Identification and authentication 83 eServer 326 Sles boot sequence Pluggable Authentication Module Overview Configuration terminology Modules Etc/security/pamenv.conf Protected databases Trusted commands and trusted processes Access control rules11.2.1.1 DAC Agetty Login Gpasswd Mingetty Newgrp Passwd 11.3.7 su Network applications Interaction with auditOpenSSL Secure socket-layer interface 84 SSL location in the network stack Concepts Encryption 87 Encryption Algorithm and Key 88 Asymmetric keys Message Authentication Code MAC Message digestDigital certificates and certificate authority SSL architecture 90 SSL Protocol SSL handshake protocol 187 OpenSSL algorithms Symmetric ciphers Certificates Asymmetric ciphersHash functions Secure Shell SSH client SSH server daemon Very Secure File Transfer Protocol daemon Cups Cupsd Ping6 PingOpenssl Stunnel System management Account ManagementXinetd Chage Chfn Chsh Useradd User managementUsermod Userdel Group management Groupadd Groupmod Groupdel 202 System Time management Other System ManagementDate Hwclock Supervisor mode instructions MemoryMemory separation 13.5.1.3 I/O controller and network System p Amtu output Star 207 13.6 I&A support Batch processing user commandsBatch processing 14.1.2 at Cron Batch processing daemons14.2.2 atd User-level audit subsystem Audit daemonAudit utilities Aureport Audit logs Audit configuration filesAutrace Supporting functions TSF libraries LibraryDescription Library linking mechanism System call linking mechanism System call argument verification Pageoffset Audit Object reuse Discretionary Access ControlSecurity management Secure communications TSF protection Testing the TOE protection mechanisms TP.7 Trusted processes TP.4TSF Databases TP.5 Internal TOE protection mechanisms TP.6 Kernel subsystem file and I/O Summary of kernel subsystem interfacesExternal Interfaces Internal Interfaces 1.1.3 Internal function Interfaces defined Kernel subsystem process control and management External interfaces system calls Internal Interfaces Kernel subsystem inter-process communication Dopipe Kernel subsystem networking Kernel subsystem memory management Kernel subsystem audit Internal interfaces Kernel subsystem device drivers Other functions Summary of trusted processes interfaces Kernel subsystems kernel modules References RSA 234