
This section contains the complete set of SFRs supported by VIOS.

6.1.5.1 Subset access control [ST] (VIOS only) (FDP_ACC.1(VIOS))

For VIOS, the TSF shall enforce the VIOS Access Control Policy on

FDP_ACC.1.1

a) Network: VIOS Ethernet device drivers acting on behalf of a group of LPAR partitions sharing a virtual network and VIOS Ethernet adapter device drivers (where either one can be the subject and the other the object) and the operations among subjects and objects as covered by the policy;

b) Volumes: VIOS SCSI device drivers acting on behalf of LPAR partitions as subjects with Logical Volumes and Physical Volumes as objects and the operations among subjects and objects as covered by the policy.

6.1.5.2 Subset access control [ST] (VIOS only) (FDP_ACC.1(VRBAC))

The TSF shall enforce the VIOS Role-based Access Control (VRBAC) Policy on

FDP_ACC.1.1

a) Subjects: Processes acting on the behalf of users;

b) Objects:

i. Persistent Storage Objects of the following type

1. Ordinary files;

2. Directories;

3. Device special files;

4. UNIX Domain socket special files;

5. Named pipes;

ii. Transient Storage Objects of the following type

1. Message queues;

2. SysV semaphores;

3. Shared memory segments;

4. TCP ports;

c) Operations: All operations among subjects and objects covered by this policy.

6.1.5.3 Security attribute based access control [ST] (VIOS only) (FDP_ACF.1(VIOS))

For VIOS, the TSF shall enforce the VIOS Access Control Policy to objects based on the following:

FDP_ACF.1.1

a) Network: A VIOS Ethernet device driver acting on behalf of a group of LPAR partitions sharing a virtual network and a VIOS Ethernet adapter device driver (where either one can be the subject and the other the object) where both have the same security attribute of an inter-LPAR communication channel;

b) Volumes: A logical volume or physical volume (object) can only be mapped to (accessed by) one VIOS SCSI device driver acting on behalf of an LPAR partition (subject) and the security attribute is the mapping table entry that maps the subject and object together.

For VIOS, the TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed:

FDP_ACF.1.2

a) Network: If a VIOS Ethernet device driver acting on behalf of a group of LPAR partitions sharing a virtual network is mapped via an inter-LPAR communication channel to a VIOS Ethernet adapter device driver, then the device drivers can exchange untagged packets; otherwise, access is denied;

b) Volumes: If the logical volume or physical volume is mapped to a VIOS SCSI device driver acting on behalf of an LPAR partition, then the device driver can access the logical volume or physical volume, respectively; otherwise, access is denied.

For VIOS, the TSF shall explicitly authorise access of subjects to objects based on the following additional rules: none.

FDP_ACF.1.3

For VIOS, the TSF shall explicitly deny access of subjects to objects based on the following additional rules: none.

FDP_ACF.1.4

6.1.5.4 Security attribute based access control [ST] (VIOS only) (FDP_ACF.1(VRBAC))

The TSF shall enforce the VIOS Role-based Access Control (VRBAC) Policy to objects based on the following:

FDP_ACF.1.1

a) Subjects: Processes acting on the behalf of users;

i. Attributes:

1. Subject identity;

2. Role(s) which can invoke the subject;

b) Authorized users;

i. Attributes:

1. User identity;

2. Authorized role(s) for the user;

c) Objects: As defined in FDP_ACC.1(VRBAC);

i. Attributes:

1. Object identity;

2. Operations permitted on the objects for various roles.

The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed:

FDP_ACF.1.2

a) The subject invoking the operation on an object is assigned to a role whose privilege set includes the operation on the object.

The TSF shall explicitly authorise access of subjects to objects based on the following additional rules:

FDP_ACF.1.3

a) Allow an access operation by a subject on an object only if the user associated with the subject belongs to a role that permits the access operation on the object.

The TSF shall explicitly deny access of subjects to objects based on the following additional rules:

FDP_ACF.1.4

a) The user associated with the subject not belonging to any role that permits the requested access operation on the object.

6.1.5.5 User attribute definition [ST] (VIOS only) (FIA_ATD.1(VIOS))

For VIOS, the TSF shall maintain the following list of security attributes belonging to individual users:

FIA_ATD.1.1

a) User identifier;

b) Group memberships;

c) Security-relevant roles;

d) Authentication data.

6.1.5.6 Verification of secrets [ST] (VIOS only) (FIA_SOS.1(VIOS))

For VIOS, the TSF shall provide a mechanism to verify that secrets meet the following quality metric: the probability that a secret can be obtained by an attacker during the lifetime of the secret is less than 2^-20.

FIA_SOS.1.1

6.1.5.7 User authentication before any action [ST] (VIOS only) (FIA_UAU.2)

For VIOS, the TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

FIA_UAU.2.1

6.1.5.8 Protected authentication feedback [ST] (VIOS only) (FIA_UAU.7(VIOS))

For VIOS, the TSF shall provide only obscured feedback to the user while the authentication is in progress.

FIA_UAU.7.1

6.1.5.9 User identification before any action [ST] (VIOS only) (FIA_UID.2(VIOS))

For VIOS, the TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

FIA_UID.2.1

6.1.5.10 User-subject binding [ST] (VIOS only) (FIA_USB.1(VIOS))

For VIOS, the TSF shall associate the following user security attributes with subjects acting on the behalf of that user:

FIA_USB.1.1

a) User identity;

b) Group memberships;

c) Security-relevant roles.

For VIOS, the TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users:

FIA_USB.1.2

a) Upon successful identification and authentication, the real user identifier, the effective user identifier and login user identifier shall be those specified in the user entry for the user that has authenticated successfully.

b) Upon successful identification and authentication, the real group identifier, and the effective group identifier shall be those specified via the group membership attribute in the user entry.

For VIOS, the TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users:

FIA_USB.1.3

a) The effective userID of a user can be changed by the use of an executable with the setuid bit set. In this case the program is executed with the effective userID of the program owner. Access rights are then evaluated using the effective userID of the program owner. The login userID is not changed with this process.

b) The effective userID of a user can be changed by the su command. In this case the effective userID of the user is changed to the user specified in the su command (provided authentication is successful). The login userID remains unchanged.

c) The effective groupID of a user can be changed by the use of an executable with the setgid bit set. In this case the program is executed with the effective groupID of the program owning group. Access rights are then evaluated using the effective groupID of the program owner. The login userID is not changed with this process.

6.1.5.11 Management of security attributes [ST] (VIOS only) (FMT_MSA.1(VIOS))

For VIOS, the TSF shall enforce the VIOS Access Control Policy to restrict the ability to modify the security attributes

FMT_MSA.1.1

a) For Network: mapping of Ethernet device drivers acting on behalf of a group of LPAR partitions sharing a virtual network to Ethernet adapter device drivers;

b) For Volumes: mapping SCSI device drivers acting on behalf of LPAR partitions to logical volumes and physical volumes to the System Administrator role.

6.1.5.12 Management of object security attributes [ST] (VIOS only) (FMT_MSA.1(VRBAC-ADM))

The TSF shall enforce the VIOS Role-based Access Control (VRBAC) Policy to restrict the ability to modify the security attributes of objects to object owners and the set of VRBAC administrative roles.

FMT_MSA.1.1

6.1.5.13 Management of object security attributes [ST] (VIOS only) (FMT_MSA.1(VRBAC-AUTH))

The TSF shall enforce the VIOS Role-based Access Control (VRBAC) Policy to restrict the ability to modify, delete, create instances of the security attributes User Role Authorizations to a set of VRBAC administrative roles.

FMT_MSA.1.1

6.1.5.14 Management of object security attributes [ST] (VIOS only) (FMT_MSA.1(VRBAC-DFLT))

The TSF shall enforce the VIOS Role-based Access Control (VRBAC) Policy to restrict the ability to modify, create the security attributes Default Active Role Set to a set of VRBAC administrative roles.

FMT_MSA.1.1

6.1.5.15 Management of object security attributes [ST] (VIOS only) (FMT_MSA.1(VRBAC-USR))

The TSF shall enforce the VIOS Role-based Access Control (VRBAC) Policy to restrict the ability to modify the composition of the session security attributes Active Role set for a user to the session owner.

FMT_MSA.1.1

6.1.5.16 Secure security attributes [ST] (VIOS only) (FMT_MSA.2(VRBAC))

The TSF shall ensure that only secure values are accepted for VRBAC security attributes.

FMT_MSA.2.1

6.1.5.17 Static attribute initialisation [ST] (VIOS only) (FMT_MSA.3(VIOS))

For VIOS, the TSF shall enforce the VIOS Access Control Policy to provide restrictive default values for security attributes that are used to enforce the SFP.

FMT_MSA.3.1

For VIOS, the TSF shall allow the none to specify alternative initial values to override the default values when an object or information is created.

FMT_MSA.3.2

6.1.5.18 Static attribute initialisation [ST] (VIOS only) (FMT_MSA.3(VRBAC))

The TSF shall enforce the VIOS Role-based Access Control (VRBAC) Policy to provide administrative user defined default values for security attributes that are used to enforce the SFP.

FMT_MSA.3.1

The TSF shall allow the set of VRBAC administrative roles to specify alternative initial values to override the default values when an object or information is created.

FMT_MSA.3.2

6.1.5.19 Management of TSF data [ST] (VIOS only) (FMT_MTD.1(VIOS-ADI))

For VIOS, the TSF shall restrict the ability to initialize the authentication data to authorized administrators.

FMT_MTD.1.1

6.1.5.20 Management of TSF data [ST] (VIOS only) (FMT_MTD.1(VIOS-ADM))

For VIOS, the TSF shall restrict the ability to modify the authentication data to

FMT_MTD.1.1

a) Authorized administrators;

b) All users can modify their own authentication data.

6.1.5.21 Management of TSF data [ST] (VIOS only) (FMT_MTD.1(VIOS-NV))

For VIOS, the TSF shall restrict the ability to create, modify, and delete the

FMT_MTD.1.1

a) For Network: mapping of VIOS Ethernet adapter device drivers to VIOS Ethernet device drivers acting on behalf of groups of LPAR partitions sharing virtual networks;

b) For Volumes: mappings of logical volumes and physical volumes to VIOS SCSI device drivers acting on behalf of LPAR partitions to authorized administrators.

6.1.5.22 Management of TSF data [ST] (VIOS only) (FMT_MTD.1(VIOS-SA))

For VIOS, the TSF shall restrict the ability to initialize, modify the user security attributes defined in FIA_ATD.1(VIOS) except for authentication data to authorized administrators.

FMT_MTD.1.1

6.1.5.23 Management of TSF data [ST] (VIOS only) (FMT_MTD.1(VRBAC))

The TSF shall restrict the ability to modify, create the TSF data

FMT_MTD.1.1

a) All user passwords;

b) Role definition and role attributes;

c) Role hierarchies (by assigning one or more roles to other roles);

d) Constraints among role relationships to a set of VRBAC administrative roles.

6.1.5.24 Secure TSF data [ST] (VIOS only) (FMT_MTD.3(VRBAC))

The TSF shall ensure that only secure values are accepted for role definitions, role hierarchies, and role relationship constraints.

FMT_MTD.3.1

6.1.5.25 Revocation [ST] (VIOS only) (FMT_REV.1(VIOS))

For VIOS, the TSF shall restrict the ability to revoke

FMT_REV.1.1

a) Authentication data;

b) Group memberships;

c) Security-relevant roles

associated with the users under the control of the TSF to authorized administrators.

For VIOS, the TSF shall enforce the rules

FMT_REV.1.2

a) The immediate revocation of security-relevant authorizations.

b) Revocations/modifications made by an administrator to security attributes of a user, such as the user identifier, user name, user group(s), user password, or user login shell, shall be effective the next time the user logs in.

6.1.5.26 Specification of management functions [ST] (VIOS only) (FMT_SMF.1(VIOS))

For VIOS, the TSF shall be capable of performing the following management functions:

FMT_SMF.1.1

a) User attribute management;

b) Authentication data management;

c) VIOS network and volume management.

6.1.5.27 Security roles [ST] (VIOS only) (FMT_SMR.1)

For VIOS, the TSF shall maintain the roles

FMT_SMR.1.1

a) User role with the following rights:

i. Users are authorized to modify their own user password;

ii. Users are authorized to modify the access control permissions for the named objects they own;

iii. Other rights as assigned by an authorized administrator via the VRBAC mechanism;

b) The set of VRBAC administrative roles.

For VIOS, the TSF shall be able to associate users with roles.

FMT_SMR.1.2

6.1.5.28 Limitation on scope of selectable attributes [ST] (VIOS only) (FTA_LSA.1(VRBAC))

The TSF shall restrict the scope of the session security attributes active role set for the user, based on the set of authorized roles for the user.

FTA_LSA.1.1

6.1.5.29 TOE session establishment [ST] (VIOS only) (FTA_TSE.1(VRBAC))

The TSF shall be able to deny session establishment based on the default active role set for the user being empty.

FTA_TSE.1.1
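
An added example, not part of the Security Target or of VIOS code: a small Python model of the VRBAC decision rule in FDP_ACF.1(VRBAC) together with the session constraints in FTA_LSA.1(VRBAC) and FTA_TSE.1(VRBAC). Role names, users, object paths and the choice to evaluate access against the session's active role set are assumptions made for illustration.

```python
# Illustrative model only; roles, users and object names are constructed.
from dataclasses import dataclass, field

# Role -> privilege set of (object identity, operation) pairs.
ROLE_PRIVILEGES = {
    "vol_admin": {("/dev/lv_data01", "read"), ("/dev/lv_data01", "write")},
    "auditor": {("/var/log/audit", "read")},
}

class SessionDenied(Exception):
    """Raised when FTA_TSE.1.1 forbids session establishment."""

@dataclass(frozen=True)
class User:
    name: str
    authorized_roles: frozenset      # authorized role(s) for the user
    default_active_roles: frozenset  # Default Active Role Set

@dataclass
class Session:
    user: User
    active_roles: set = field(default_factory=set)

def establish_session(user: User) -> Session:
    # FTA_LSA.1.1: the active role set is limited to the user's authorized roles.
    active = user.default_active_roles & user.authorized_roles
    # FTA_TSE.1.1: an empty default active role set denies the session.
    if not active:
        raise SessionDenied(f"{user.name}: default active role set is empty")
    return Session(user, set(active))

def activate_role(session: Session, role: str) -> bool:
    # FMT_MSA.1(VRBAC-USR) lets the session owner change the active role set,
    # but FTA_LSA.1.1 still bounds it by the authorized roles.
    if role not in session.user.authorized_roles:
        return False
    session.active_roles.add(role)
    return True

def access_allowed(session: Session, obj: str, op: str) -> bool:
    # FDP_ACF.1.2 / FDP_ACF.1.4: allow only if a held role's privilege set
    # contains the operation on the object; anything else is denied.
    return any((obj, op) in ROLE_PRIVILEGES.get(role, set())
               for role in session.active_roles)

if __name__ == "__main__":
    alice = User("alice", frozenset({"auditor"}), frozenset({"auditor"}))
    session = establish_session(alice)
    print(access_allowed(session, "/var/log/audit", "read"))
    print(activate_role(session, "vol_admin"))
```
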