DBMS-iTC / InterpretationsTeam


FMT_MSA and FMT_REV.1 Consistency #1

Open bharveyTX opened 1 month ago

bharveyTX commented 1 month ago

The following SFRs may need refinement or an application note:

FMT_MSA.1.1

The TSF (Trusted Security Functionality) shall enforce the Discretionary Access Control policy to restrict the ability to manage all the security attributes to authorized administrators.

FMT_REV.1.1(1)

The TSF shall restrict the ability to revoke [assignment: list of security attributes] associated with the users under the control of the TSF to the authorized administrator.

FMT_REV.1.1(2)

The TSF shall restrict the ability to revoke [assignment: list of security attributes] associated with the objects under the control of the TSF to the authorized administrator and database users with sufficient privileges as allowed by the Discretionary Access Control policy.

MSA.1.1 requires that only authorized administrators have the ability to manage all security attributes. However, FMT_REV.1.1(2) opens up the ability to revoke security attributes to database users with sufficient privileges, as allowed by the Discretionary Access Control policy.

This appears to be an inconsistency between the two Security Functional Requirements (SFRs).

Do you agree that this is an inconsistency? If not, what argument supports the consistency of the SFRs, considering they limit access rights on partly overlapping assets (“all” in MSA.1 vs. “[assignment: list of security attributes] associated with the objects under the control of the TSF” in REV.1.1(2)) for different roles?

If you do find it inconsistent, do you plan to update the cPP (Collaborative Protection Profile)? What corrective action will be taken?

kenhake commented 1 month ago

Where FMT_REV.1.1(1) says only the authorized administrator may revoke users' security attributes, FMT_REV.1.1(2) says that the authorized administrator and USERS with privileges may revoke security attributes of OBJECTS (not users specified here). Are we treating users=objects? If users=objects then I see an inconsistency, but if users NOT= objects then there may not be an inconsistency. (KH)

AndersStaaf-CAB commented 4 weeks ago

One solution could maybe be to iterate FMT_MSA.1:

FMT_MSA.1.1(1) (Users) The TSF shall enforce the [Discretionary Access Control policy] to restrict the ability to [manage] the security attributes [associated with users] to [authorized administrators].

FMT_MSA.1.1(2) (Objects) The TSF shall enforce the [Discretionary Access Control policy] to restrict the ability to [manage] the security attributes [associated with objects] to [authorized administrators and database users with sufficient privileges as allowed by the Discretionary Access Control policy].
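The disagreement discussed in this thread, as an added example that is not code from the thread or from the cPP: a toy model that encodes the quoted SFRs as predicates and lists the revocation requests on which FMT_MSA.1 and FMT_REV.1 give different answers, first for the original FMT_MSA.1.1 and then for the proposed iteration. It assumes the three roles and two attribute kinds shown, and that revoking an attribute counts as managing it, which is the reading under which the inconsistency arises.

```python
"""Toy consistency check over the SFRs quoted in the thread.

Constructed model: the role names, the user/object split and the
assumption that "revoke" is one way to "manage" an attribute are
assumptions made here, not text from the cPP.
"""
from dataclasses import dataclass
from itertools import product

ROLES = ("authorized_administrator", "privileged_db_user", "ordinary_db_user")
TARGETS = ("user", "object")   # what the security attribute is associated with


@dataclass(frozen=True)
class Request:
    role: str       # who is asking
    operation: str  # only "revoke" is exercised below
    target: str     # "user" or "object" attribute


def fmt_msa_1_original(r: Request) -> bool:
    # FMT_MSA.1.1 as quoted: only authorized administrators may manage
    # ALL security attributes, regardless of what they are attached to.
    return r.role == "authorized_administrator"


def fmt_rev_1(r: Request) -> bool:
    # FMT_REV.1.1(1): user attributes may be revoked by the administrator only.
    # FMT_REV.1.1(2): object attributes may be revoked by the administrator
    # or by database users with sufficient privileges under the DAC policy.
    if r.target == "user":
        return r.role == "authorized_administrator"
    return r.role in ("authorized_administrator", "privileged_db_user")


def fmt_msa_1_iterated(r: Request) -> bool:
    # The iteration proposed above: FMT_MSA.1.1(1) covers user attributes,
    # FMT_MSA.1.1(2) covers object attributes, mirroring FMT_REV.1's split.
    if r.target == "user":
        return r.role == "authorized_administrator"
    return r.role in ("authorized_administrator", "privileged_db_user")


def conflicts(msa_rule, rev_rule=fmt_rev_1) -> list:
    """Revocation requests that one SFR permits and the other forbids."""
    return [
        Request(role, "revoke", target)
        for role, target in product(ROLES, TARGETS)
        if msa_rule(Request(role, "revoke", target))
        != rev_rule(Request(role, "revoke", target))
    ]
```

`conflicts(fmt_msa_1_original)` returns the single case the issue describes, a privileged database user revoking an object attribute, while `conflicts(fmt_msa_1_iterated)` returns nothing.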