Open dundiddat opened 1 year ago
I have seen multiple cases when defining a default RBAC role as not Security Administrator substantially changed the scope of the evaluation. Clarifying which roles are considered Security Administrator is a fundamental question of unambiguously defining the scope of the evaluation.
I am wondering why Application Note 23 "This implies that a user that can perform only a single security management function defined in FMT_SMF.1 needs to be regarded as Security Administrator of the TOE." should be insufficient to clearly define which roles have to be regarded as Security Administrator and which don't...
Application Note 23 only provides a definition; as such, it is informative. A corresponding normative assurance activity would be along these lines: "The evaluator examines all default roles; any role that has access to any security management function defined in FMT_SMF.1 shall be considered in the scope of the evaluation."
The NIT discussed this issue and put together a proposed resolution that will be handed back to the MiNT for discussion and implementation.

Attachment: Resolution proposal for MINT activity 248.docx
Provide the location of the issue

Section 2.4.4.1 para 168 (FMT_SMF.1 Specification of Management Functions, TSS)
Section 2.4.5.1 para 174 (FMT_SMR.2 Restrictions on security roles, TSS)

What is the enhancement request for the cPP? Please describe.

FMT_SMF.1 and FMT_SMR.2

One of the key activities is determining which roles implemented by a network device are considered Security Administrators. Currently, such determination is made by an evaluator as part of carrying out FMT_SMF.1 EAs. Such determination could conceivably redefine the scope of the evaluation by altering the Security Administrator definition.
To improve consistency of evaluation of role definitions, there needs to be a requirement to produce evaluation evidence (i.e., TSS or Guidance) documenting all default roles, and an explicit evidence requirement to declare which of these are considered Security Administrators. This would shift the evaluator’s activity from a more open-ended investigation to define the TOE’s evaluated configuration to a consistency check (i.e., comparing what is documented vs. how it works).
Describe the solution you'd like

Please introduce a requirement to produce evaluation evidence (i.e., TSS or Guidance) documenting all default roles and declaring which of these are considered Security Administrators.