COMMERCIAL-IN-CONFIDENCE XPCore Security Target DOCUMENT VERSION 1.0 DOCUMENT DATE 17-JUNE-2019 Prepared By: www.securelytics.my Document management Document identification Document ID XPCore_EAL2_ST Document title XPCore Security Target Document Version/Date Version 1.0, 17-JUNE-2019 Document history Version Date Description 0.1 21-JUNE-18 Released for internal review 0.2 16-AUG-18 Added Section 7 – TOE Summary Specification 0.3 07-SEPT-18 Revised Section 1.4 and Section 5 1.0 17-JUNE-19 Updated Section 1 until Section 5 to address comments from the evaluator and the certification body COMMERCIAL-IN-CONFIDENCE 3 of 30 Table of Contents 1 Security Target Introduction (ASE_INT.1) .................................................................................5 1.1 ST Reference...........................................................................................................................5 1.2 TOE Reference........................................................................................................................5 1.3 Document Organization .........................................................................................................5 1.4 TOE Overview.........................................................................................................................6 1.5 TOE Description......................................................................................................................8 2 Conformance Claim (ASE_CCL.1) ............................................................................................10 3 Security Problem Definition (ASE_SPD.1) ...............................................................................11 3.1 Overview ..............................................................................................................................11 3.2 Threats .................................................................................................................................11 3.3 Organisational Security Policies ...........................................................................................11 3.4 Assumptions.........................................................................................................................12 4 Security Objectives (ASE_OBJ.2).............................................................................................13 4.1 Overview ..............................................................................................................................13 4.2 Security Objectives for the TOE............................................................................................13 4.3 Security Objectives for the Environment .............................................................................13 4.4 TOE Security Objectives Rationale .......................................................................................14 4.5 Environment Security Objectives Rationale.........................................................................15 5 Security Requirements (ASE_REQ.2).......................................................................................17 5.1 Overview ..............................................................................................................................17 5.2 Security Functional Requirements .......................................................................................18 5.3 Security Requirements Rationale.........................................................................................24 6 TOE Security Assurance Requirements (ASE_REQ.2)...............................................................27 6.1 Overview ..............................................................................................................................27 6.2 Justification for SAR selection ..............................................................................................28 7 TOE Summary Specification (ASE_TSS.1) ................................................................................29 7.1 Overview ..............................................................................................................................29 7.2 Security Audit.......................................................................................................................29 7.3 Identification and Authentication ........................................................................................29 7.4 Security Management..........................................................................................................30 COMMERCIAL-IN-CONFIDENCE 4 of 30 7.5 Secure Communication ........................................................................................................30 COMMERCIAL-IN-CONFIDENCE 5 of 30 1 Security Target Introduction (ASE_INT.1) 1.1 ST Reference ST Title XPCore Security Target ST Identifier XPCore_EAL2_ST ST Version/Date Version 1.0, 17-JUNE-19 1.2 TOE Reference TOE Title XPCore TOE Version 1.0 1.3 Document Organization This document is organized into the following major sections: • Section 1 provides the introductory material for the ST as well as the TOE description (ASE_INT.1). • Section 2 provides the conformance claims for the evaluation (ASE_CCL.1). • Section 3 provides the definition of the security problem that the TOE has been designed to address (ASE_SPD.1). • Section 4 defines the security objectives for the TOE and the environment (ASE_OBJ.2). • Section 5 contains the security functional and assurance requirements derived from the Common Criteria Part 2 and 3 respectively, which are in turn satisfied by the TOE and the development lifecycle (ASE_REQ.2). • Section 6 contains the security assurance requirements derived from the Common Criteria, Part 3 (ASE_REQ.2). • Section 7 provides a summary of the TOE specification, identifying the IT security functions provided by the TOE (ASE_TSS.1). COMMERCIAL-IN-CONFIDENCE 6 of 30 1.4 TOE Overview 1.4.1 TOE Usage and Major Security Functions The Target of Evaluation (TOE) is XPCore version 1.0. XPCore is a platform that allows multiple software components, function modules or system to exchange data and communicate with each other through the XPCore API (Application Programming Interface). The TOE can be accessible by user via a web browser and can be deploy either in a cloud environment (hosted by MicroEngine Network) or in the customer’s premises/data center (hosted by the customers). Refer to Section 1.5.1 for more detail explanations. Authorized 3rd party developers will be able to integrate their own system/program with XPcore platform and utilize XPCore features. XPCore features include managing either third party or MicroEngine’s: • Alarm Monitoring System • CCTV Monitoring System • Door Access Control Management System • Time Attendance Management System • System User Authentication • And many more The following table highlights the range of security functions implemented by the TOE. Security functions Descriptions Security Audit The TOE generates audit records for security events. Only Administrator has the ability to view the audit and transaction logs. Identification and Authentication XPCore users (Administrator and Authorised User) are required to identify or authenticate with the TOE prior to any user action or information flow being permitted. Security Management The TOE provides functions that allow management of the TOE and its security functions. The TOE restricts access to the management functions based on the role of the user. Secure Communication The TOE can protect the user data from disclosure and modification by using Secure Socket Layer (SSL) as a secure communication 1.4.2 TOE Type The TOE is XPCore version 1.0 and it provides security functionality such as Security Audit, Identification and Authentication, Security Management and Secure Communication. The TOE can be categorised as Other Devices and Systems in accordance with the categories identified on the Common Criteria Portal (www.commoncriteriaportal.org) that lists all the certified products. 1.4.3 Supporting hardware, software and/or firmware Minimum System Requirements Web Browser Modern HTML 5 browser which include: • Microsoft Internet Explorer 11 • Mozilla Firefox 54 • Google Chrome 56 Operating System Microsoft Windows Server 2008 (64-bit) Memory 8 GB RAM Processor Intel Core i3-3220 @ 3.30GHz Storage 500GB Database Microsoft SQL Server 2008 1.5 TOE Description 1.5.1 Physical scope of the TOE Legend: TOE Boundary Figure 1 – TOE Deployment Architecture Below are the descriptions of the components stated in Figure 1 above. Component Descriptions XPCore XPCore is a platform that allows multiple software components, function modules or system to exchange data and communicate with each other through the XPCore API (Application Programming Interface). TOE Users There are two types of TOE users; Administrator and Authorized User. Web Browser A web browser is a software program that allows a user to locate, access, and display web pages. TOE Users interact with the TOE via a supported web browser stated in Section 1.4.3 Database A database is an electronic system that allows data to be easily accessed, manipulated and updated. a database is used as a method of storing, managing and retrieving data Operating System Operating System is a software program that enables the computer hardware to communicate and operate with the computer software. The TOE requires an operating system to function. Refer to Section 1.4.3 for minimum system requirement for operating system. COMMERCIAL-IN-CONFIDENCE 9 of 30 1.5.2 Logical scope of the TOE The logical boundary consists of the security functionality of TOE is summarized below. • Security Audit: The TOE generates audit records for security events. The Administrator has the ability to view the audit logs. Types of audit logs are: • User Login Success/Fail Event • Event type, date & time, user role and access origin Only Administrator has the capability to review these audit records via the web interface • Identification and Authentication: All users (Administrator and Authorised User) are required to perform identification and authentication with the TOE before any information flows are permitted. These users must be authenticated prior to performing any TOE functions by entering a username and password. • Security Management: The TOE contains various management functions to ensure efficient and secure management of the TOE. The TOE maintains role-based access control mechanisms to ensure that functions are restricted to those who have the privilege to access them. The Administrator has the ability to manage user and configure the TOE. • Secure communications. The TOE provides a secure SSL channel between the TOE User and the TOE. COMMERCIAL-IN-CONFIDENCE 10 of 30 2 Conformance Claim (ASE_CCL.1) The ST and TOE are conformant to version 3.1 (REV 5) of the Common Criteria for Information Technology Security Evaluation. The following conformance claims are made for the TOE and ST: • Part 2 conformant. Conformant with Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements, version 3.1 (REV 5), April 2017 • Part 3 conformant, EAL2. Conformant with Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements, version 3.1 (REV 5). Evaluation is EAL2, April 2017. COMMERCIAL-IN-CONFIDENCE 11 of 30 3 Security Problem Definition (ASE_SPD.1) 3.1 Overview This section describes the nature of the security problem that the TOE is designed to address. The security problem is described through: a) a series of threats that the TOE has been designed to mitigate, b) specific assumptions about the security aspects of the environment (both IT related and non-IT related elements) in which the TOE will operate, and c) any relevant organisational security policies are any statements made in terms of rules or guidelines that must be followed by the TOE and/or the operational environment. 3.2 Threats Identifier Threat statement T.MANAGEMENT An unauthorized user modifies configuration data that they are not authorised to access resulting in a loss of integrity of the data that the TOE uses to enforce the security functions. T.UNAUTHORISED_A CCESS A user may gain unauthorized access to the TOE and residing data by sending impermissible information through the TOE (such as Brute Force Attacks) resulting the exploitation of protected resources T.CONFIG An unauthorized person may read, modify, or destroy TOE configuration data. T.TOECOM An unauthorized person or unauthorized external IT entity may be able to view, modify, and/or delete security related information or information properties sent between distributed components of the TOE. 3.3 Organisational Security Policies No organisational security policies have been defined regarding the use of the TOE. COMMERCIAL-IN-CONFIDENCE 12 of 30 3.4 Assumptions Identifier Assumption statement A.PLATFORM The TOE relies upon a trustworthy platform and local network from which it provides administrative capabilities. The TOE relies on this platform to provide logon services via a local or network directory service, and to provide basic audit log management functions. The platform is expected to be configured specifically to provide TOE services, employing features such as a host-based firewall which limits its network role to providing TOE functionality. A.ADMIN One or more competent, trusted personnel who are not careless, wilfully negligent, or hostile, are assigned and authorized as the Administrator, and do so using and abiding by guidance documentation. A.USER Users are not wilfully negligent or hostile and use the device within compliance of a reasonable enterprise security policy. A.TIMESTAMP The platforms on which the TOE operate shall be able to provide reliable time stamps. A.PHYSICAL It is assumed that the appliance hosting the operating system and database are in a secure operating facility with restricted physical access and non-shared hardware. COMMERCIAL-IN-CONFIDENCE 13 of 30 4 Security Objectives (ASE_OBJ.2) 4.1 Overview The security objectives are a concise statement of the intended response to the security problem defined in Section 3. There are security objectives for the TOE to address and additional objectives that provide specific direction for the intended in environment in which the TOE is to operate. 4.2 Security Objectives for the TOE Identifier Objective statements O.ACCESS The TOE must ensure that only authorised users are able to access protected resources or functions and to explicitly deny access to specific users when appropriate O.CONFIG TOE shall prevent unauthorized person to access TOE functions and configuration data. Only authorized TOE Super user shall have access to TOE management interface. O.MANAGE The TOE must allow Administrator to effectively manage the TOE, while ensuring that appropriate controls are maintained over those functions. O.USER The TOE must ensure that all users are identified and authenticated before accessing protected resources or functions. O.TOECOM The TOE must protect the confidentiality of its dialogue between distributed components. 4.3 Security Objectives for the Environment Identifier Objective statements OE.PLATFORM The TOE relies upon the trustworthy platform and hardware to provide policy enforcement as well as cryptographic services and data protection. OE.ADMIN The owners of the TOE must ensure that the Administrator who manages the TOE is not hostile, competent and apply all super user guidance in a trusted manner. OE.USER Users of the TOE are trained to securely use the system, controller and device and apply all guidance in a trusted manner. COMMERCIAL-IN-CONFIDENCE 14 of 30 Identifier Objective statements OE.TIMESTAMP Reliable timestamp is provided by the operational environment for the TOE. OE.PHYSICAL Those responsible for the TOE must ensure that the appliance hosting the operating system and database are in a secure operating facility with restricted physical access and non-shared hardware. 4.4 TOE Security Objectives Rationale This section provides the summary that all security objectives are traced back to aspects of the addressed assumptions, threats and OSPs. THREATS/ ASSUMPTIONS/OSPs OBJECTIVES T.MANAGEMENT T.UNAUTHORISED_ACCESS T.CONFIG T.TOECOM A.PLATFORM A.ADMIN A.USER A.TIMESTAMP A.PHYSICAL O.ACCESS a a O.CONFIG a O.MANAGE a O.USER a a O.TOECOM a OE.PLATFORM a OE.ADMIN a OE.USER a OE. TIMESTAMP a OE. PHYSICAL a The following table demonstrates that all security objectives for the TOE trace back to the threats and OSPs in the security problem definition. COMMERCIAL-IN-CONFIDENCE 15 of 30 Threats/OSPs Objectives Rationale T.CONFIG O.CONFIG The objective ensures that the TOE only allowed authorized person such as TOE Administrator to access TOE functions and configuration data. T.MANAGEMENT O.USER The objective ensures that the TOE identifies and authenticates all users before they access a protected resources or functions. O.MANAGE This objective ensures that the TOE provides the tools necessary for the authorized system admin to manage the security-related functions and that those tools are usable only by users with appropriate authorizations. O.ACCESS The objective ensures that the TOE restricts access to the TOE objects to the authorized users and deny access to specific users when appropriate T.UNAUTHORISED_AC CESS O.ACCESS The objective ensures that the TOE restricts access to the TOE objects to the authorized users and deny access to specific users when appropriate O.USER The objective ensures that the TOE identifies and authenticates all users before they access a protected resources or functions. T.TOECOM O.TOECOM The objective ensures that the TOE protect the confidentiality of its communication between distributed components. 4.5 Environment Security Objectives Rationale The following table demonstrates that all security objectives for the operational environment all trace back to assumptions or OSPs in the security problem definition. Assumptions Objective Rationale A.PLATFORM OE.PLATFORM This objective ensures that the underlying platforms are trustworthy and hardened to protect against known vulnerabilities and security configuration issues. COMMERCIAL-IN-CONFIDENCE 16 of 30 Assumptions Objective Rationale A.ADMIN OE.ADMIN This objective ensures that those responsible for the TOE are competent and trustworthy individuals, capable of managing the TOE and the security of the information it contains. A.USER OE.USER This objective ensures that those responsible for the TOE are competent and trustworthy individuals, capable of operating the TOE and the security of the information it contains in a secure manner. A.TIMESTAMP OE.TIMESTAMP This objective ensures that reliable timestamps are provided by the TOE. A.PHYSICAL OE.PHYSICAL This objective ensures that the appliance that hosts the operating system and database are hosted in a secure operating facility with restricted physical access with non-shared hardware. COMMERCIAL-IN-CONFIDENCE 17 of 30 5 Security Requirements (ASE_REQ.2) 5.1 Overview This section defines the security requirements satisfied by the TOE. Each requirement has been extracted from version 3.1 (REV 5) of the Common Criteria, part 2 providing functional requirements and part 3 providing assurance requirements. Part 2 of the Common Criteria defines an approved set of operations that may be applied to security functional requirements. Following are the approved operations and the document conventions that are used within this ST to depict their application: • Assignment. The assignment operation provides the ability to specify an identified parameter within a requirement. Assignments are depicted using bolded text and are surrounded by square brackets as follows [assignment]. • Selection. The selection operation allows the specification of one or more items from a list. Selections are depicted using bold italics text and are surrounded by square brackets as follows [selection]. • Refinement. The refinement operation allows the addition of extra detail to a requirement. Refinements are indicated using bolded text, for additions, and strike-through, for deletions. • Iteration. The iteration operation allows a component to be used more than once with varying operations. Iterations are depicted by placing a letter at the end of the component identifier as follows FDP_IFF.1a and FDP_IFF.1b. COMMERCIAL-IN-CONFIDENCE 18 of 30 5.2 Security Functional Requirements 5.2.1 Overview The security functional requirements are expressed using the notation stated in Section 5.1 above and itemised in the table below. Identifier Title FAU_GEN.1 Audit data generation FAU_SAR.1 Audit review FDP_ACC.1 Subset access control FDP_ACF.1 Security attribute based access control FIA_ATD.1 User attribute definition FIA_UAU.2 User authentication before any action FIA_UID.2 User identification before any action FMT_MSA.1 Management of security attributes FMT_MSA.3 Static attribute initialisation FMT_MTD.1 Management of TSF data FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security Roles FTP_TRP.1 Trusted Path COMMERCIAL-IN-CONFIDENCE 19 of 30 5.2.2 FAU_GEN.1 Audit data generation Hierarchical to: No other components. FAU_GEN.1.1 The TSF shall be able to generate an audit report of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the [not specified] level of audit; and c) [Specifically defined auditable events listed in the Notes section below]. FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and • For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [none]. Dependencies: FPT_STM.1 Reliable time stamps Notes: Auditable events within the TOE: • User Login Success/Fail Event • Event type, date & time, user role and access origin 5.2.3 FAU_SAR.1 Audit Review Hierarchical to: No other components. FAU_SAR.1.1 The TSF shall provide [Administrator] with the capability to read [all audit information] from the audit records. FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information. Dependencies: FAU_GEN.1 Audit data generation Notes: None. 5.2.4 FDP_ACC.1 Subset access control Hierarchical to: No other components. FDP_ACC.1.1 The TSF shall enforce the [access control SFP] on [objects listed in the table below]. Dependencies: FDP_ACF.1 Security attribute based access control COMMERCIAL-IN-CONFIDENCE 20 of 30 Notes: Subject Object Operation Administrator User for the Application Add/Delete/Change/View API Resources Add/Update/Remove/View Applications Add/Delete/Change/View Shut Down Execute Log IN Execute Authorised User (based on assigned privilege) User Role Add/Delete/Change/View Grant Access Scope Add/Delete/Change/View Shut Down Execute Log IN Execute 5.2.5 FDP_ACF.1 Security attribute based access control Hierarchical to: No other components. FDP_ACF.1.1 The TSF shall enforce the [access control SFP] to objects based on the following: [as listed in the Notes section of FDP_ACC.1]. FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [ a) First Time login, Administrator and authorised user must set their password before performing any action for the first time b) Super user and authorised user must enter their username and password before performing any action c) Administrator and authorised user can change their password once they have authenticated with the TOE ] FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [none]. FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [none]. COMMERCIAL-IN-CONFIDENCE 21 of 30 Dependencies: FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation Notes: None. 5.2.6 FIA_ATD.1 User attribute definition Hierarchical to: No other components. FIA_ATD.1 The TSF shall maintain the following list of security attributes belonging to individual users: [Username, Password] Dependencies: No dependencies. Notes: None. 5.2.7 FIA_UAU.2 User authentication before any action Hierarchical to: FIA_UAU.1 Timing of authentication FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user. Dependencies: FIA_UID.1 Timing of identification Notes: None. 5.2.8 FIA_UID.2 User identification before any action Hierarchical to: FIA_UID.1 Timing of identification FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user. Dependencies: No dependencies Notes: None. 5.2.9 FMT_MSA.1 Management of security attributes Hierarchical to: No other components. FMT_MSA.1.1 The TSF shall enforce the [access control SFP] to restrict the ability to [change_default, modify, delete] the security attributes [Administrator Account, Authorised user Account] to [Administrator]. Dependencies: [FDP_ACC.1 Subset access control, or COMMERCIAL-IN-CONFIDENCE 22 of 30 FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions Notes: None. 5.2.10 FMT_MSA.3 Static attribute initialisation Hierarchical to: No other components. FMT_MSA.3.1 The TSF shall enforce the [access control SFP] to provide [permissive] default values for security attributes that are used to enforce the SFP. FMT_MSA.3.2 The TSF shall allow the [none] to specify alternative initial values to override the default values when an object or information is created. Dependencies: FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles Notes: None. 5.2.11 FMT_MTD.1 Management of TSF data Hierarchical to: No other components. FMT_MTD.1a.1 The TSF shall restrict the ability to [manage] the [assign users to roles, User ID] to [Administrator] Dependencies: FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions Notes: None. 5.2.12 FMT_SMF.1 Specification of Management Functions Hierarchical to: No other components. FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [ a. Add/Delete/Change/View User for the Application b. Add/Update/Remove/View API Resources c. Add/Delete/Change/View Applications d. Execute Shut Down e. Execute Log IN f. Add/Delete/Change/View User Role COMMERCIAL-IN-CONFIDENCE 23 of 30 g. Add/Delete/Change/View Grant Access Scope]. Dependencies: No dependencies. Notes: None. 5.2.13 FMT_SMR.1 Security Roles Hierarchical to: No other components. FMT_SMR.1.1 The TSF shall maintain the roles [Administrator, Authorised user]. FMT_SMR.1.2 The TSF shall be able to associate users with roles. Dependencies: FIA_UID.1 Timing of identification Notes: None. 5.2.14 FTP_TRP.1 Trusted Path Hierarchical to: No other components. FTP_TRP.1.1 The TSF shall provide a communication path between itself and [remote] users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from [modification or disclosure]. FTP_TRP.1.2 The TSF shall permit [remote users] to initiate communication via the trusted path FTP_TRP.1.3 The TSF shall require the use of the trusted path for [initial user authentication, [and all further communication after authentication]]. Dependencies: No dependencies Notes: None COMMERCIAL-IN-CONFIDENCE 24 of 30 5.3 Security Requirements Rationale 5.3.1 Dependency rationale Below demonstrates the mutual supportiveness of the SFR’s for the TOE by demonstrating how the SFR dependencies are fulfilled by the TOE, and by justifying those dependencies that are not fulfilled. The SARs relevant to the TOE constitute an evaluation assurance level EAL2 as defined in Common Criteria and include no extensions or augmentations. Therefore, as a complete evaluation assurance level, they are a mutually supportive set and require no further justification. SFR Dependency Inclusion FAU_GEN.1 FPT.STM.1 Reliable time stamps FPT_STM.1 has not been included as the TOE obtains all audit timestamps from the underlying platform. This has been addressed in Section 3.4 by A.TIMESTAMP. FAU.SAR.1 FAU.GEN.1 Audit data generation FAU.GEN.1 FDP_ACC.1 FDP_ACF.1 Security attribute based access control FDP_ACF.1 FDP_ACF.1 FDP_ACC.1 Subset access control FMT_MSA.3 Static attribute initialisation FDP_ACC.1 FMT_MSA.3 FIA_ATD.1 No dependencies NA FIA_UAU.2 FIA_UID.1 Timing of identification FIA_UID.2 FIA_UID.2 No dependencies N/A FMT_MSA.1 [FDP_ACC.1 Subset access control or FDP_IFC.1 Subset information flow control] FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions FDP_ACC.1 FMT_SMR.1 FMT_SMF.1 FMT_MSA.3 FMT_MSA.1 Management of security attributes FMT_SMR.1 Security roles FMT_MSA.1 FMT_SMR.1 COMMERCIAL-IN-CONFIDENCE 25 of 30 SFR Dependency Inclusion FMT_MTD.1 FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions FMT_SMR.1 FMT_SMF.1 FMT_SMF.1 No dependencies N/A FMT_SMR.1 FIA_UID.1 Timing of identification FIA_UID.2 FTP_TRP.1 No dependencies N/A 5.3.2 Mapping of SFRs to security objectives for the TOE Security objective Mapped SFRs Rationale O.USER FIA_UAU.2 The requirement helps meet the objective by authenticating user before any TSF mediated actions. FIA_UID.2 The requirement helps meet the objective by identifying user before any TSF mediated actions O.ACCESS FAU_GEN.1 This SFR specifies security events that are being audited and recorded in log file. Each security event will be recorded along with date and time of event, user who execute the event, filename and other event details. It traces back to this objective. FAU_SAR.1 This SFR specifies that admin will have the capability to view the audit trail data in log form. It traces back to this objective FIA_ATD.1 The requirement helps meet the objective by ensuring user security attributes are maintained. FMT_SMF.1 The requirement helps meet the objective by providing management functions of the TOE for authenticated user. FMT_SMR.1 The requirement helps meet the objective by providing user timing of identification. O.MANAGE FMT_MTD.1 The requirement helps meet the objective by restricting the ability to modify the user password. FMT_MSA.1 The requirement helps to meet the objective by restricting the ability to modify the security attributes for the super user. O.CONFIG FMT_MTD.1 The requirement helps meet the objective by restricting user access to management functions. COMMERCIAL-IN-CONFIDENCE 26 of 30 Security objective Mapped SFRs Rationale FMT_MSA.1 The requirement helps meet the objective by restricting user access to security attributes. FMT_MSA.3 The requirement helps meet the objective by restricting access to provide default values for security attributes that are used to enforce the SFP. FMT_SMR.1 The requirement helps meet the objective by defining the security roles used within the TOE. FDP_ACC.1 The requirement provides access control functionality to ensure that access to security functionality is controlled. FDP_ACF.1 The requirement provides access control functionality to ensure that access to security functionality is controlled. O.TOECOM FTP_TRP.1 The requirement ensures that data sent by users is protected from modification or disclosure. COMMERCIAL-IN-CONFIDENCE 27 of 30 6 TOE Security Assurance Requirements (ASE_REQ.2) 6.1 Overview EAL2 requires evidence relating to the design information and test results, but does not demand more effort on the part of the developer than is consistent with good commercial practice. EAL2 provides assurance by a full security target and an analysis of the SFRs in that ST, using a functional and interface specification, guidance documentation and a basic description of the architecture of the TOE, to understand the security behaviour. The analysis is supported by independent testing of the TSF, evidence of developer testing based on the functional specification, selective independent confirmation of the developer test results, and a vulnerability analysis (based upon the functional specification, TOE design, security architecture description and guidance evidence provided) demonstrating resistance to penetration attackers with a basic attack potential. EAL2 also provides assurance through use of a configuration management system and evidence of secure delivery procedures. Assurance class Assurance components ADV: Development ADV_ARC.1 Security architecture description ADV_FSP.2 Security-enforcing functional specification ADV_TDS.1 Basic design AGD: Guidance documents AGD_OPE.1 Operational user guidance AGD_PRE.1 Preparative procedures ALC: Life cycle support ALC_CMS.2 Parts of the TOE CM coverage ALC_CMC.2 Use of a CM system ALC_DEL.1 Delivery procedures ASE: Security Target evaluation ASE_CCL.1 Conformance claims ASE_ECD.1 Extended components definition ASE_INT.1 ST Introduction ASE_OBJ.2 Security objectives ASE_REQ.2 Derived security requirements COMMERCIAL-IN-CONFIDENCE 28 of 30 Assurance class Assurance components ASE_SPD.1 Security Problem Definition ASE_TSS.1 TOE summary specification ATE: Tests ATE_IND.2 Independent testing - sample ATE_FUN.1 Functional testing ATE_COV.1 Evidence of coverage AVA: Vulnerability assessment AVA_VAN.2 Vulnerability analysis 6.2 Justification for SAR selection The assurance package for the evaluation of the TOE is Evaluation Assurance Level 2 (EAL2). TOE has a low to moderate level of assurance in enforcing its security functions when instantiated in its intended environment, which imposes no restrictions on assumed activity on applicable networks. EAL2 is sufficient to demonstrate that the TOE is resistant to attackers with a Basic attack potential. COMMERCIAL-IN-CONFIDENCE 29 of 30 7 TOE Summary Specification (ASE_TSS.1) 7.1 Overview This section provides the TOE summary specification, a high-level description of how the TOE implements the claimed security functional requirements. The TOE provides the following security functions: • Security Audit; • Identification and Authentication; • Security Management; and • Secure Communication 7.2 Security Audit The TOE will create audit records (which contain the data and time of the event, type of event, subject identity and outcome of the transaction event) for the following auditable events (FAU_GEN.1): • User Login Success/Fail Event • Event type, date & time, user role and access origin The TOE’s Administrator has the capability to review these audit records via the software interface (FAU_SAR.1). Timestamps for the server are generated for audit logs by utilising the underlying operating system. The TOE does not generate its own timestamps for use in audit records; these are supplied by the underlying operating system. 7.3 Identification and Authentication The TOE implement access control and authentication measures to ensure that TOE data and functionality is not misused by unauthorised parties (FDP_ACC.1). All TOE users must provide authentication data to the TOE to affirm their identity and role prior to being granted access to any TOE functions or interfaces. The TOE maintains two types of users which are Administrator and Authorised user (FMT_SMR.1). These users may access the TOE via the web interface that the platform provides. Administrator and Authorised user must be authenticated to the TOE prior performing any TOE functions by entering a username and password (FIA_ATD.1a, FIA_UAU.2, FIA_UID.2, FDP_ACF.1). Upon first time login to the server, Administrator and Authorised user must set their new password before performing any action (FDP_ACF.1). COMMERCIAL-IN-CONFIDENCE 30 of 30 7.4 Security Management The TOE provides a suite of management functions only to Administrator and Authorised user. These functions allow for the configuration of TOE to suit the environment in which it is deployed. Additionally, management roles may perform the following tasks (FMT_SMF.1, FMT_MTD.1, FMT_MSA.1 and FMT_MSA.3): • Add/Delete/Change/View User for the Application • Add/Update/Remove/View API Resources • Add/Delete/Change/View Applications • Execute Shut Down • Execute Log IN • Add/Delete/Change/View User Role • Add/Delete/Change/View Grant Access Scope The TOE implement access control and authentication measures to ensure that TOE data and functionality is not misused by unauthorised parties (FDP_ACC.1 and FDP_ACF.1). 7.5 Secure Communication When a user accesses the TOE on their browser, by typing in the website address, the TOE will initiate a SSL secure channel establishment with the user’s browser (FTP_TRP.1). The TOE implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols.