Security Target for Oracle Database 10g i Release 1 (10.1.0) November 2005 Issue 1.1 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Security Evaluations Oracle Corporation 500 Oracle Parkway Redwood Shores, CA 94065 ii Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Author: Saad Syed Contributors: Peter Goatly, Shaun Lee Copyright © 1999, 2005, Oracle Corporation. All rights reserved.This documentation contains proprietary information of Oracle Corporation; it is protected by copyright law. Reverse engineering of the software is prohibited. If this documentation is delivered to a U.S. Government Agen- cy of the Department of Defense, then it is delivered with Restricted Rights and the following legend is applicable: RESTRICTED RIGHTS LEGEND Use, duplication or disclosure by the Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of DFARS 252.227-7013, Rights in Technical Data and Computer Software (October 1988). Oracle Corporation, 500 Oracle Parkway, Redwood City, CA 94065. The information in this document is subject to change without notice. If you find any problems in the documentation, please report them to us in writing. Oracle Corporation does not warrant that this document is error free. Oracle is a registered trademark and Oracle Database 10g, Oracle9i, PL/SQL, Oracle Enterprise Manager, Oracle Call Interface, SQL*Plus, SQL*Loader and Oracle Net are trademarks or registered trademarks of Oracle Corporation. Other names may be trademarks of their respec- tive owners. Security Target for Oracle Database 10g iii Release 1 (10.1.0) November 2005 Issue 1.1 Contents 1 Introduction...........................................................................1 Identification and CC Conformance ....................................................1 TOE Overview .....................................................................................2 TOE Product Components ...................................................................2 Document Overview ............................................................................3 2 TOE Description ...................................................................5 Oracle Database 10g Architecture........................................................5 An Oracle Database..............................................................................7 Access Controls....................................................................................9 Quotas.................................................................................................12 Identification and Authentication.......................................................13 Auditing..............................................................................................14 Security Management.........................................................................16 Secure Distributed Processing............................................................17 Other Oracle Database 10g Security Features....................................17 3 Security Environment ........................................................21 Threats................................................................................................21 Organisational Security Policies ........................................................21 Assumptions.......................................................................................21 4 Security Objectives ............................................................23 TOE Security Objectives....................................................................23 iv Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 Environmental Security Objectives ...................................................23 5 IT Security Requirements..................................................25 TOE Security Functional Requirements............................................25 TOE Security Assurance Requirements ............................................32 Security Requirements for the IT Environment.................................32 Minimum Strength of Function .........................................................32 6 TOE Summary Specification .............................................33 TOE Security Functionality...............................................................33 Security Mechanisms and Techniques...............................................42 Assurance Measures ..........................................................................42 7 Protection Profile Claims ..................................................45 PP Reference......................................................................................45 PP Tailoring .......................................................................................45 PP Additions ......................................................................................45 8 Rationale.............................................................................47 Security Objectives Rationale............................................................47 Security Requirements Rationale.......................................................47 TOE Summary Specification Rationale.............................................50 PP Claims Rationale ..........................................................................54 Assurance Measures Rationale ..........................................................55 A References .........................................................................57 B Glossary .............................................................................61 Acronyms...........................................................................................61 Terms .................................................................................................62 Security Target for Oracle Database 10g 1 Release 1 (10.1.0) November 2005 Issue 1.1 C H A P T E R 1 Introduction This document is the security target for the Common Criteria evaluation of Oracle Da- tabase 10g, Release 1 (10.1.0.4). Identification and CC Conformance Title: Security Target for Oracle Database 10g Target of Evaluation (TOE): Oracle Database 10g Enterprise Edition. Release: 10.1.0.4 with Critical Patch Update - July 2005 Operating System Platform: Red Hat Enterprise Linux AS (version 3) for which [DSZ0257] is the Common Criteria certification report. CC Conformance: Database Management System Protection Profile (DBMS PP) [DPP]. The authentication package claimed for the Red Hat Enterprise Linux AS plat- forms is Database Authentication. This Security Target conforms to [CC, Part 2] and [CC, Part 3]. All SFRs in the Secu- rity Target are derived from [CC]. ALC_FLR.3 is the only augmented assurance cri- terion specified. Assurance: EAL4 augmented with ALC_FLR.31. Keywords: Oracle Database 10g, O-RDBMS, database, security target, EAL4 Version of the Common Criteria [CC] used to produce this document: 2.2 with amendments introduced by the CC Interpretations effective on 13th August 2004. 1. ALC_FLR provides assurance at the highest defined component level that there are flaw remedia- tion procedures for the TOE by which discovered security flaws can be reported to, tracked and corrected by the developer, and by which corrective actions can be issued to TOE users in a timely fashion. 2 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 TOE Overview Oracle Database 10g is an object-relational database management system (O- RDBMS), providing advanced security functionality for multi-user distributed database environments. The security functionality in Oracle Database 10g includes: • user identification and authentication, with password management options; • discretionary access controls on database objects; • granular privileges for the enforcement of least privilege; • user-configurable roles for privilege management; • quotas on the amount of processing resources a user can consume during a data- base session; • extensive and flexible auditing options; • secure access to remote Oracle databases; and • stored procedures, triggers and security policies for user-defined access controls and auditing. Oracle Database 10g supports both client/server and standalone architectures. In addition, Oracle Database 10g supports multi-tier architectures, however in this environment any tier (middle-tier) that communicates directly with the server is actually an Oracle client and any lower tiers are outside of the scope of this ST. In all architectures, the Oracle Database 10g Server acts as a data server, providing access to the information stored in a database. Access requests are made via Oracle Database 10g interface products that provide connectivity to the database and submit Structured Query Language (SQL) statements to the Oracle Database 10g data server. The Oracle Database 10g interface products may be used on the same computer as the data server, or they may run on separate client machines and communicate with the data server via network interfaces. TOE Product Components The Oracle Database 10g Enterprise Edition includes the products identified in Table 1. Access to the Oracle Database 10g server is provided via the interface products identified in Table 2. [ECD] defines which TOE products must be installed in the evaluated configuration and defines the requirements for setting up the TOE environment. Table 1: TOE Server Products TOE Server Products Oracle Database 10g Server Enterprise Edition 10.1.0 Security Target for Oracle Database 10g 3 Release 1 (10.1.0) November 2005 Issue 1.1 Document Overview This document consists of a minor update to Issue 0.5 of the Security Target for Oracle9i, [ST9i], which was used in the most recent Common Criteria evaluation of Oracle9i. Change bars indicate the changes made relative to [ST9i], which are mainly concerned with the change to the TOE’s name, changes to the operating system platforms, the accommodation of Common Criteria Interpretation 137, the addition of Security Functional Requirement FMT_SMF.1, and changed references to information in technical publications. Chapter 2 of this security target provides a high-level overview of the security features of the Oracle Database 10g data server. Chapter 3 identifies the assumptions, threats, and security policies of the TOE environment. Chapter 4 describes the security objectives for the TOE and for the environment needed to address the assumptions, threats, and security policies identified in Chapter 3. Chapter 5 identifies the Security Functional Requirements (SFRs), the Security Assurance Requirements (SARs) and the security requirements for the IT environment. Chapter 6 summarises each Security Function (SF) provided by Oracle Database 10g to meet the security requirements. Chapter 7 describes how the TOE conforms to the requirements of the DBMS Protection Profile and Chapter 8 provides the rationale for the security claims made within this security target. Appendix A contains a list of references and Appendix B provides a glossary of the terms. Table 2: TOE Interface Products TOE Interface Products SQL*Plus 10.1.0 Oracle Call Interface 10.1.0 Oracle Net Services 10.1.0 4 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 This Page Intentionally Blank Security Target for Oracle Database 10g 5 Release 1 (10.1.0) November 2005 Issue 1.1 C H A P T E R 2 TOE Description This section describes the product features that provide security mechanisms and contribute to the security of a system configured using Oracle Database 10g. For a detailed description of the security features of Oracle Database 10g the reader is referred to [SG, Part II] and [DAG, part V]. In general, these descriptions correspond to the specifications of IT security functions provided in chapter 6 of this Security Target. This chapter describes the major elements of the Oracle Database 10g architecture, the types of database objects supported by Oracle Database 10g, the access control mech- anisms used to protect those objects, controls on user resource consumption, the ac- countability and auditing mechanisms, and the security management features provided by Oracle Database 10g. Additional Oracle Database 10g security features that are not addressed by the security functional requirements of Chapter 5 are also briefly discussed. Oracle Database 10g Architecture The Oracle Database 10g architectural components are described in detail in [CON]. Database A database consists of a set of files which contain, in addition to some control data, the information which is said to be stored in the database. Each database is an autonomous unit with its own data dictionary that defines the database objects it contains (e.g. tables, views, etc.). In a distributed system there can be many databases: each database can contain many database objects, but each database object is stored within a single database. Instance An instance consists of a set of Oracle background processes, which do the work of the DBMS by executing Oracle Database 10g software, and a shared memory area. An instance is therefore an active entity, and a database is passive. In order for users to access the database, the instance must be started and must mount and open the database for use. A database is persistent: it has an indefinite lifetime from the time it is created, and the database files and contents exist independently of whether the 6 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 database is mounted to an instance and whether the underlying platform is running. The lifetime of an instance can be indefinite, from when it is started to when it is shut down, and is dependent on whether the underlying platform is running. Database Connections and Sessions Each database user employs Oracle Database 10g interface products to establish a database connection to an Oracle Database 10g server process for a particular database instance. If the user is defined as a valid user for the database and has the required privileges, then the server will create a database session for the user. While connected, the user can make requests to the Oracle Database 10g server to read and write information in the database. The server handles each request, performing the read and write accesses to database objects and returning data and results to the user, in accordance with the user’s privileges to database objects and other constraints configured by a database administrative user. Distributed Databases In a distributed environment, a user may access database objects from multiple databases. After establishing an initial database session on one instance, the user can transparently establish database sessions on other (remote) database instances using database links. A database link identifies a remote database and provides authentication information. By qualifying references to database objects with the name of a database link, a user can access remote database objects. However, each Oracle Database 10g database instance is autonomous with respect to security — a remote server enforces security based on the privileges of the user as defined in that remote database. Structured Query Lan- guage (SQL) The Oracle Database 10g server supports the ANSI/ISO SQL standard [SQL92] at the entry level of compliance and provides Oracle-specific SQL language extensions. All operations performed by the Oracle Database 10g server are executed in response to an SQL statement that specifies a valid SQL command. • Data Definition Language (DDL) statements are statements which create, alter, drop, and rename database objects, grant and revoke privileges and roles, config- ure audit options; add comments to the data dictionary; and obtain statistical information about the database and its use; • Data Manipulation Language (DML) statements are statements which manipulate the data controlled by database objects in one of four ways: by querying the data held in a database object; by row insertions; by row deletion; by column update. They include the command to lock a database object. • Transaction Control statements are statements which manage changes made by DML statements and help to ensure the integrity of the database. They include commits and rollbacks for individual transactions, and checkpoints for the data- base; • Session Control statements dynamically manage the properties of a user’s data- base session. • System Control statements dynamically manage the processes and parameters of an Oracle Database 10g instance. • Embedded SQL statements incorporate DDL, DML, and transaction control state- ments within a procedural language program. Programming Language/SQL (PL/SQL) is a procedural language supported by Oracle Database 10g that provides program flow control statements as well as SQL Security Target for Oracle Database 10g 7 Release 1 (10.1.0) November 2005 Issue 1.1 statements [PLS]. Program units written in PL/SQL can be stored in a database and executed during the processing of a user’s SQL command. The flashback query feature allows data to be queried from a point in the past. Once a user has set the date and time that they would like to view, any SQL query that they execute will operate on data as it existed at that point in time. This can allow suitably authorised users to correct their own mistakes. SQL operations can be used to view the change history in order to identify the error. The error can then be backed out of by restoring data as it existed before the error. Note that the Flashback functionality does not reverse certain DDL statements such as TRUNCATE, although it can provide a way to restore accidentally dropped tables. It also does not apply to packages, procedures, or functions. Client side interfaces The Oracle Call Interface (OCI - described in [OCI]) provides an application programming interface (API) for developing database applications written in high level languages such as C. An Oracle Database An Oracle database contains the data dictionary and two different types of database objects: • schema objects that belong to a specific user schema and contain user-defined information [CON part II]; and • non-schema objects to organise, monitor, and control the database [CON part II], [DAG]. In an Oracle database there are two types of connections for users of the database: • Administrator connection. This covers users who connect to the database via AS SYSOPER or AS SYSDBA by virtue of possessing either the SYSOPER or SYSDBA system privilege (see [DAG, 1]). Users making a connection AS SYSOPER are allowed to perform operator administrative tasks (e.g. database startup and shutdown, and ALTER DATABASE commands). Users making a connection AS SYSDBA are allowed to perform all administrative tasks (including granting and/or revoking object privileges on other users’ objects); • Normal connection (note that this includes users SYS and SYSTEM. [DAG, 1]). This covers users who are authorised to access the database by virtue of being explicitly defined and identified to an instance of the Oracle database server. Data Dictionary At the centre of an Oracle database is the data dictionary - a set of internal Oracle tables that contain all of the information the Oracle database server needs to manage the database. The data dictionary tables are owned by the user SYS and can only be modified by highly privileged users. [SG, 10: System Privileges] cautions that extreme care must be taken when granting roles which provide privileged access to the data dictionary. A set of read-only views is provided to display the contents of the internal tables in a meaningful way and also allow Oracle users to query the data dictionary without the need to access it directly. All of the information about database objects is stored in the data dictionary and is updated by the SQL DDL commands that create, alter, and drop database objects. 8 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 Other SQL commands also insert, update, and delete information in the data dictionary in the course of their processing. Schema Objects A schema is a collection of user-defined database objects that are owned by a single database user. Oracle Database 10g supports the schema object types identified in [SQL, 2]. A special schema PUBLIC is provided by Oracle Database 10g to contain objects that are to be accessible to all users of the database. Typically, the kinds of objects that are created in the PUBLIC schema are: • Public database links that define access to remote databases; • Public synonyms which point to objects which all users may need to access. Non-Schema Objects [SQL, 2] lists object types that can be created and manipulated with SQL, but are not contained within a schema. These include tablespaces, roles, profiles and users. The primary storage management database object is a tablespace — it is used to organise the logical storage of data. A suitably privileged user manages tablespaces to: • create new tablespaces and allocate database files to the tablespace, • add database files to existing tablespaces to increase storage capacity, • assign default tablespaces to users for data storage, and • alter tablespaces for backup and recovery operations. Within the database files, Oracle Database 10g allocates space for data in three hierarchical physical units: data blocks, extents, and segments. When a user creates a schema object to store data (e.g., a table), a segment is created and the space for the segment is allocated in a specific tablespace. Database Users Oracle Database 10g has two kinds of user connection: administrative connection (connecting AS SYSDBA or AS SYSOPER) and normal connection. Throughout this document the following terms are used to classify the types of database users: • Normal User/Database Subject: A user who is connected via a normal connection. Note that the pre-defined users SYS and SYSTEM can be normal users. • Database Administrative User/Administrative User: Any user who is authorised to perform administrative tasks. This term covers: • A Normal User who is authorised to perform an administrative task via the possession of an administrative privilege which permits the opera- tion of the task. • A user who connects to the database via an administrative connection. Users making an administrative connection are authorised to access the database by virtue of having the SYSDBA or SYSOPER system privi- lege (i.e. they possess OS platform specific access rights, or are listed in the Oracle Database 10g password file as a SYSDBA or SYSOPER user). Security Target for Oracle Database 10g 9 Release 1 (10.1.0) November 2005 Issue 1.1 Note that the word authorised is used (e.g. “an authorised administrative user”) to indicate that the user has the specific authorisation (e.g. via a privilege) for the operation under consideration. Database security is managed by privileged users through the maintenance of users, roles, and profiles. • USERS identify distinct database user names and their authentication method. • ROLES provide a grouping mechanism for a set of privileges. • PROFILES provide a set of properties (e.g., resource limits, password manage- ment options) that can be assigned to individual users. These security topics are discussed in detail in subsequent sections of this chapter. Access Controls Access control is the process of defining a user’s ability to read or write information. For this, Oracle Database 10g provides discretionary access control (DAC). Discretionary Access Con- trol DAC can be used to selectively share database information with other users. This ac- cess control mechanism can be used to enforce need-to-know style confidentiality as well as control data disclosure, entry, modification, and destruction. In addition to the DAC controls enforced by the Oracle Database 10g server, application-specific access controls can be implemented using views and triggers to mediate a user’s access to ap- plication data. The DAC mechanism controls access to database objects based on the privileges enabled in the database session. There are two types of DAC privileges: object privileges and system privileges. Both object and system privileges may be granted directly to individual users, or granted indirectly by granting the privilege to an Oracle role and then granting the role to the user. Privileges and roles may also be granted to PUBLIC, authorising all database users for the privilege. During a database session, the privileges enabled in the session may be changed using several Oracle Database 10g mechanisms that affect the set of privileges held by the session. System Privileges Oracle Database 10g provides over 80 distinct system privileges to support the concept of least privilege — each database user can be granted only those system privileges that are needed to perform his or her job function. Often end-users would only need a minimal set of system privileges to connect to the database. Some users may be granted more powerful system privileges to authorise them to manage administrative objects, bypass particular server access controls, or perform specialised operations. A user may grant a system privilege to additional database users only if he or she holds that privilege with an administrative option (WITH ADMIN OPTION). Object Privileges An object privilege is permission to access a schema object in a prescribed manner (e.g., to INSERT rows into a table or EXECUTE a stored procedure). The owner of the schema containing the object may grant object privileges to other database users or roles. In addition, the owner may grant other users the right to grant those object privileges to additional database users (WITH GRANT OPTION). Because object privileges are granted to users at the discretion of other users, this type of security is termed discretionary. Oracle Database 10g ensures that users who 10 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 attempt to gain access to objects have been granted the necessary object privileges for the specific operation, or have an overriding system privilege or role. The owner of an object always has total access to that object. Roles Oracle Database 10g facilitates correct privilege administration by enabling privileges to be grouped together into database roles. The benefits of Oracle database roles include: • Reduced privilege administration, • Dynamic privilege management, • Least privilege, • Privilege bracketing, and • Consistency. Reduced privilege administration Rather than explicitly granting the same set of privileges to several users, the privileges for a group of related users can be granted to a role, and then only the role needs to be granted to each member of the group. Roles permit numerous Oracle privileges to be granted or revoked with a single SQL statement. Dynamic privilege management If the privileges of a group of users must change, only the privileges of the role(s) need to be modified instead of the privileges granted to every user. The security domains of all users granted the group's role automatically reflect the changes made to the role. Least privilege The roles granted to a user can be selectively enabled (available for use) or disabled (not available for use). This helps a user to control use of those privileges which could result in unintended disclosure, entry, modification, or destruction of data. Privilege Bracketing Because the Oracle data dictionary records which roles have been granted to the current user, database applications can be designed to query the dictionary and automatically enable and disable selective roles when a user attempts to execute applications. System Security Policy To enable centralised implementation of privilege management in a system of which Oracle may be only one component, Oracle also provides for linking database roles to platform-specific group access controls. In this way, database roles can only be enabled by users if they are a current member of the appropriate group in the underlying platform. This helps to ensure a correct and consistent implementation of a system-wide security policy. Secure Application Roles A secure application role is a role which is enabled by a PL/SQL package. A database administrative user can grant a secure application role all the privileges necessary to run a particular application. The role will then only be enabled if the application’s check of the relevant conditions is successful. This means that the use of such a role can be based on information about the user’s session, such as the IP address of a user who has connected through a proxy. DDL Restriction Privileges held via roles cannot be used with DDL statements that require access to database objects. For example, to create a view, a user requires access to the tables referenced by the view. The user must have directly granted privileges authorising the access to the underlying tables. Privileges held via a role are not applicable when the server performs the object access checking on DDL statements. Pre-defined Roles By default Oracle databases contain several pre-defined roles including: • CONNECT — containing the system privileges to connect and create basic Security Target for Oracle Database 10g 11 Release 1 (10.1.0) November 2005 Issue 1.1 schema objects, • RESOURCE — containing the system privileges necessary to create PL/SQL program units and triggers, and • DBA — containing all system privileges WITH ADMIN OPTION. These roles are provided for backward compatibility and can be modified or removed by suitably privileged users [SG, 5]. Session Privileges During the database session, the privileges held by the session can vary. When a database session is initially established, it has all of the system and object privileges directly granted to the user in addition to those granted to PUBLIC. The session also has all of the privileges granted to any default roles associated with the user. The set of privileges can be changed by: • Enabling and disabling roles, • Accessing a view, • Executing a stored program unit, or • Firing a trigger. Enabling Roles During a database session, a user can enable and disable any granted role. Consequently, the privileges of the database subject can be modified to reflect different requirements for access to database objects. Views When a user creates a view, that user must have directly granted privileges that authorise access to all of the tables (or views) referenced in the view’s query. In addition, if the user holds the necessary privileges WITH GRANT option or WITH ADMIN option, then the user may grant access to the view to other database users, authorising them for indirect access to the tables in the view. In this way, views can be used to restrict access to information based on complex SQL queries that select only the authorised data from the tables. Stored Program Units In order to use a stored program unit (procedure, function, or package), a user must have the privilege to EXECUTE the program unit. However, when the program unit runs, the privileges for its execution may be set to the owner’s directly granted privileges (definers rights), or the invoker’s privileges (invokers rights) depending on options set when the program unit is created. This allows access privileges to be encapsulated with the database operations being performed by the program unit. Any user with EXECUTE privilege for the program unit is authorised to indirectly access any database objects accessible to the program unit’s owner. Triggers The security context for the execution of triggers is similar to that of stored program units. When a trigger fires as a result of a table access, the execution privileges for the trigger are set to the trigger owner’s directly granted privileges rather than the privileges of the user who initiated the table update. Fine-grained Access Con- trol Fine-grained (or row-level) access control is available with the virtual private database (VPD) technology which is a standard feature of the Oracle Database 10g Enterprise Edition. Fine-grained access control allows a database administrative user to associate security policies with tables, views and synonyms. These policies are implemented by PL/SQL functions and are enforced on a normal user no matter how the data is accessed (unless the user is authorised by the possession of the system privilege 12 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 EXEMPT ACCESS POLICY). Such security policies can be defined to be enforced when a query references particular columns. Different policies can be applied for SELECT, INSERT, UPDATE and DELETE operations. Note that the use of the Oracle Database 10g MERGE SQL command causes SELECT and INSERT or UPDATE operations to be performed. Note also that it is possible for more than one policy to be applied to a table, including building on top of base policies in packaged applications. Application Context An application context allows an application to make security decisions based on additional attributes attached to a user’s session information. An application context provides a protected session persistent storage area for additional user attributes defined by the application. To support application managed session pooling by middle tier applications, the DBMS_SESSION interface for managing application context is enhanced for Oracle Database 10g. This interface now has a client identifier for each application context so that the application context can be managed globally while each client will see only their assigned application context. Partitioned Fine-grained Access Control Oracle Database 10g provides the ability to partition security policy enforcement by application. This enables different security policies to be applied, depending upon which application is accessing the data. Oracle Database 10g enables partitioning of fine-grained access control through policy groups and a driving application context. The driving application context securely determines which application is accessing the data, and policy groups facilitate the management of policies which apply by ap- plication. A database administrative user specifies which policy group the policy falls into when adding a policy to a table/view using the ADD_GROUPED_POLICY interface. The driving context is defined using the ADD_POLICY_CONTEXT interface. Quotas Using Oracle Database 10g profiles, a database administrative user can set quotas on the amount of processing resources a user can consume during a databases session. Limits can be specified for the following: • enabled roles per session (via an init.ora parameter) • database sessions per user, • CPU time per session, • CPU time per SQL call, • connect time per session, • idle time per session, • database reads per session, • database reads per SQL command, and • a composite limit (based on CPU time, connect time, and database reads). Security Target for Oracle Database 10g 13 Release 1 (10.1.0) November 2005 Issue 1.1 Once a profile has been created, it can be assigned to one or more users, depending on their need for processing resources. When a user exceeds the resource limit, the Oracle Database 10g server will abort the operation, and, in some cases, terminate the user’s session, or, in other cases, simply terminate the current SQL statement or rollback the current transaction. A database administrative user may also set quotas on the amount of storage space that can be allocated for each user’s schema objects in any specific tablespace. Resumable statements are a feature in Oracle Database 10g which allows an adminis- trator to temporarily suspend a large operation, such as a batch update data load. This might be necessary when space has run out. Suspending the operation gives the data- base administrator an opportunity to take corrective steps to resolve the error condi- tion. After the error has been corrected, the suspended operation automatically resumes execution. A suspended resumable operation is aborted automatically if the error is not fixed within a set time period. Users must have the RESUMABLE system privilege before they can execute resum- able operations. An ALTER SESSION ENABLE RESUMABLE statement is provid- ed to enable SQL statements to be resumable when they are invoked within the session. Resumable operations are suspended under one of the conditions: Out of space, Space limit error, or Space quota error. Identification and Authentication Oracle Database 10g always identifies authorised users of an Oracle database prior to establishing a database session for the user. Authentication can be performed directly by the Oracle Database 10g server using passwords managed by the server, or the server can rely on the authentication done by the underlying OS platform. For OS authentication, the database user connects to the Oracle Database 10g server without specifying a user name or password. The server obtains the user’s identity from the OS, and if the user is an authorised database user, a database session is created. This form of authentication is appropriate for Oracle Database 10g only if it is running on a Microsoft Windows operating system. Since no Microsoft Windows operating system platforms are to be used for this evaluation, the TOE does not use this form of authentication. For Oracle authentication, a user must specify a user name and password in order to connect. The password is compared to the password for the user stored in the data dictionary and if they match, a database session is created. The user’s password is stored in the data dictionary in a one-way encrypted form, so before the comparison is made, the password specified by the user is also one-way encrypted. Password Management A user may change his or her password at any time. Oracle Database 10g provides the facility for suitably privileged users to create password complexity check functions that can screen new passwords for certain criteria, e.g.: • a minimum number of characters in length; • not equal to the user name; • includes a minimum number of alphabetic, numeric, or punctuation characters; • does not match any word on an internal list of words; 14 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 • differs from the previous password by a certain number of characters. A suitably authorised user can also set password lifetime, a failed logon count leading to account lockout, expiration options, and password reuse requirements in an Oracle Database 10g profile. By assigning different profiles to different groups of users, the password management parameters can vary among users. By default the database does not enforce any password profile limits, however it is critical that certain password controls are used in all profiles such that the TOE achieves a high strength of function for the password mechanism (see the Minimum Strength of Function section in chapter 5). Guidance covering the different password controls, and instructions for modifying profiles to achieve SOF-high, is provided in the TOE’s Evaluated Configuration Document [ECD]. Special Authentication Database administrative users may connect to the database to perform functions such as starting up or shutting down an Oracle Database 10g instance. These users can be authorised by either the use of a password file, or by having platform-specific access rights. Platform-specific access rights are normally established by being a member of a special operating system group. For example, on a UNIX platform, the group defaults to the ‘dba’ group, but can be changed. When a database administrative user wants to undertake special operations, he or she connects to the database through a special keyword: AS SYSDBA or AS SYSOPER. When connected using the AS SYSDBA keywords the database session then runs as the user SYS. When connected using the AS SYSOPER keyword the database session then runs as the user PUBLIC. Auditing Oracle Database 10g ensures that relevant information about operations performed by users can be recorded so that the consequences of those operations can later be linked to the user in question, and the user held accountable for his or her actions. Oracle Database 10g does this by providing auditing options which are designed to be as granular and flexible as possible to ensure that exactly what needs to be audited, as dictated by the application or system security policy, is recorded, but nothing more. This helps to ensure that the size of audit trails remain manageable and the important records easily accessible. Oracle Database 10g provides capabilities to permit auditing plans to be quickly enabled to implement crisis responses. In addition to the standard Oracle Database 10g auditing features described here, application-specific audit trails can be implemented using triggers to capture auditing details about the changes made to the information in the database. Audit Categories A database administrative user can request auditing of a number of actions in each of three categories: • By Statement Auditing specific types of SQL statements including database connections and disconnections. Statement auditing can be set to audit one, several, or all users. • By Object Auditing specific statements on specific database objects for all users. Security Target for Oracle Database 10g 15 Release 1 (10.1.0) November 2005 Issue 1.1 • By Privilege Auditing use of specific system privileges. Privilege auditing can be set to audit one, several, or all users. Audit Options Database administrative users can further focus each auditing request by specifying auditing for only successful, only unsuccessful, or both successful and unsuccessful attempts. Such users can also specify, for most audit events, that audit records be created by session or by access: by session results in only a single record for an audited action for the duration of a database session; by access results in a record for every occurrence of an audited action. Oracle also permits database administrative users to assign default object auditing options which will automatically be used for any new schema objects which are created. Fine-Grained Auditing Database administrative users can request fine-grained auditing to monitor query access based on content and can also request that DML operations be monitored. Whenever the policy conditions are met for returning a row from a query block, the query is audited. These policies are implemented by PL/SQL functions. Audit Records Oracle auditing permits audit information to be written to a database audit trail or to the audit trail of the underlying operating system. Audit records always include the following elements when they are meaningful for the audited event: • User; • Session Identifier; • Terminal Identifier; • Name of Object Accessed; • Operation Performed; • Completion Code of Operation; • Date and Timestamp; • System Privilege Used. Audit Analysis If Oracle writes to the database audit trail, then the powerful SQL data manipulation facilities of the DBMS can be used by database administrative users to perform selective audit analysis of relevant database operations, user actions, uses of privilege, and object accesses in a secure manner. Oracle provides a number of pre-defined views on the database audit trail to assist in such audit analysis. If Oracle is configured to write to an operating system audit trail, then platform services can be used to consolidate and analyse the database audit trail with audit trails from other system components to provide a comprehensive auditing portrait for the system. Alternatively, the audit data in the operating system or network services audit trail could be loaded securely into an Oracle database for comprehensive audit analysis using the SQL data manipulation facilities of the DBMS. Auditing of SYS Connections AS SYSDBA and AS SYSOPER along with attempts to startup or shutdown an instance are always recorded in the OS platform audit trail because they are OS events and because the database may not be available to be written into. 16 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 Oracle Database 10g provides for information to be written to the OS platform audit trail about all SQL commands performed by users connected as the special user SYS and users connected through the keywords AS SYSDBA and AS SYSOPER. Such OS audit trail files should have OS DAC protection set by the OS system administrator to prevent all database users being able to tamper with them (including those users who are able to connect to the database as the special user SYS or through the keywords AS SYSDBA or AS SYSOPER). Security Management Oracle Database 10g provides a number of mechanisms to support the management of database security. This section discusses the administrative system privileges, the importance of the initialisation file, the use of AS SYSOPER and AS SYSDBA, and Oracle Database 10g server dependencies on the administration of the underlying OS platform. Administrative Privileges Oracle Database 10g contains over 80 distinct system privileges. Each system privilege allows a user to perform a particular database operation or class of database operations. If a user has no privileges then they cannot perform any operations, including connecting to the database. Database Administrative Users acquire the ability to perform administrative functions by being granted specific administrative system privileges. Other users are given only a minimal set of privileges allowing them to connect to the database and access the necessary data. Oracle Database 10g security management can be delegated to any number of users. Site-specific roles can be defined to delegate administrative responsibilities based on organisational structures. Initialisation File When an Oracle Database 10g instance is started, the parameters specified in an initialisation file specify operational characteristics of Oracle Database 10g server functionality, including security functionality. It is critical that the security parameters specified in the initialisation file for the instance be set to the values which conform to the evaluated configuration. The parameter values required by this security target are identified in the TOE’s Evaluated Configuration Document [ECD]. SYSDBA and SYSOPER When a user is connected AS SYSOPER or AS SYSDBA, the user is authorised to perform special database operations. Authorisation to connect as AS SYSDBA or AS SYSOPER is made via OS mechanisms (i.e., membership in an OS-defined group and requires that a user be authenticated by the OS), or by an Oracle Database 10g password. A user connected AS SYSOPER is authorised to perform database startup, shutdown, create server parameter file and backup operations. A user connected via AS SYSDBA has the same authorisations as SYSOPER with the additional capabilities to create databases and perform the operations allowed by all system privileges WITH ADMIN option. Users who connect via AS SYSDBA have access to all of the data dictionary tables and can grant and/or revoke object privileges on other users’ objects. OS Administration The security of the data managed by the Oracle Database 10g data server is dependent not only on the secure administration of Oracle Database 10g, but also on the correct administration of the underlying OS platform and any other nodes connected in a Security Target for Oracle Database 10g 17 Release 1 (10.1.0) November 2005 Issue 1.1 distributed environment. The requirements on OS and network configuration for this security target are identified in the TOE’s Evaluated Configuration Document [ECD]. Guidance on the correct configuration of Oracle Database 10g for a specific OS platform is contained in the Oracle Database 10g Installation and Configuration Guide [ICG] for that platform. Secure Distributed Processing The basic distributed features included in the Oracle Database 10g server make use of database links to define a connection path to a remote Oracle database. When a connection is made to a remote database, the information in the database link definition is used to provide identification and authentication information to the remote Oracle server. The remote server creates a database session for the user specified by the database link (if the user is authorised for access to the remote database) and then makes its access control decisions based on that identity and its privileges in the remote database. By using database links to qualify schema object names, a user in a local database can • select (e.g., join) data from tables in any number of remote Oracle databases, • use DML statements to update tables in remote Oracle databases (Oracle Data- base 10g automatically implements a two-phase commit protocol), and • execute stored program units in remote Oracle databases. Access to the remote database is transparent; however careful administration and control of the distributed environment is essential (see [SG, 15] and [DAG, Part VII]). Access to non-Oracle distributed databases is provided by Oracle Database 10g, but such databases are not part of the evaluated configuration. Other Oracle Database 10g Security Features In addition to the security features described above, Oracle Database 10g provides features which are related to security but do not directly address any of the functional requirements identified in this Oracle Database 10g Security Target. These features provide significant security capabilities to support robust and reliable database applications. Apart from Data Integrity, for which no specific security functionality is claimed in Chapter 6, the features described below are not part of the evaluated configuration defined in [ECD]. Data Integrity Oracle Database 10g provides mechanisms to ensure that the consistency and integrity of data held in a database can be maintained. These mechanisms are transactions, concurrency controls, and integrity constraints. Transactions ensure that updates to the database occur in well-defined steps that move the database from one consistent state to another. Transactions and concurrency controls together ensure that multiple users can have shared access to the database with consistent and predictable results: each user sees a consistent state of the database and can make updates without interfering with other users. Integrity constraints ensure that the values of individual data items are of the defined type and within defined limits, and that defined relationships between database tables are properly maintained. 18 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 Import/Export It is important to ensure that data can be moved out of one database and re-inserted into the same or a different database while maintaining the data integrity and confidentiality. Oracle enables secure exporting of information from a database into an operating system file. Only appropriately privileged users may export information to which they do not normally have read access. Similarly, Oracle enables secure importing of information into a database from Oracle-generated operating system export files. Only appropriately privileged users may import information into database tables to which they do not normally have write access. When a database object is exported, the list of users having object privileges to access the object can also be exported and then imported into the new database with the database object. Backup and Recovery Backup of an Oracle database can be performed using platform-specific backup programs, the Oracle database import/export utilities, or the Oracle database recovery manager. The choice of mechanism depends upon the application needs, but all approaches can provide secure, reliable backup and recovery of the database. The Oracle Database 10g transaction integrity mechanisms also provide the basis for secure recovery following the failure of an Oracle Database 10g instance or platform operating system. Whenever an Oracle Database 10g instance is started, any transactions that were not committed prior to the failure are rolled back. This returns all of the information in the database, including the data dictionary tables, to a consistent and secure state. Oracle Advanced Security Oracle Advanced Security is an optional product which provides encryption of the Oracle network traffic between clients and servers and between two communicating servers and adaptors for various external authentication services and certificate authorities. The Oracle Internet Directory is a further add-on product that supports global authentication and global management of Oracle roles. Supplied Packages A number of standard packages are available to install in an Oracle database. These provide supportive functionality that can be invoked by other users and applications. They provide the following types of functions: • Access to SQL features from PL/SQL programs, including dynamic SQL, • Alert mechanisms for asynchronous notification of database events, • File access functions to read and write OS files, • Job queues for scheduling repeating administrative procedures, • Lock management functions for user-defined locks, • Oracle pipes for communication among database sessions, • Output operations for procedure debugging, • Functions to manipulate LOBs, • Queues for asynchronous message generation and delivery (Advanced Queuing), • Administration of distributed transactions and snapshots, and • HTTP callouts to access Web services. Security Target for Oracle Database 10g 19 Release 1 (10.1.0) November 2005 Issue 1.1 External Authentication Services In addition to the authentication methods described above, Oracle Database 10g can be configured to use an external third party authentication service. Application-Specific Secu- rity Roles can be protected by use of a password. Applications can be created specifically to enable a role when the application is supplied with the correct password. Users can not enable the database role if they do not know the password. Support for SQLJ SQLJ allows application programmers to embed static SQL operations in Java code in a way that is compatible with the Java design philosophy. Oracle provides support for SQLJ at both the client and server, so that database applications written in Java may be executed at the client or at the server. Oracle supports two SQLJ client side models; a thick client model where Java programs can make calls to the database via OCI using Oracle Net Services, and a thin client model where Java programs can call the database server directly bypassing the Oracle Net Services interface. 20 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 This Page Intentionally Blank Security Target for Oracle Database 10g 21 Release 1 (10.1.0) November 2005 Issue 1.1 C H A P T E R 3 Security Environment Threats As per [DPP, 3.2]. Organisational Security Policies As per [DPP, 3.3]. Assumptions As per [DPP, 3.4] with the following modifications and additions: TOE Assumptions A.TOE.CONFIG The TOE is installed, configured and managed in accordance with [ECD], its evaluated configuration. Note that [DPP, 3.4.2.2] includes assumptions about the secure configuration of the operating system underlying the TOE. In particular, A.ACCESS requires that the un- derlying system is configured such that only the approved group of individuals may obtain access to the system. [ECD] describes how the TOE and the system underlying it must be configured for the TOE to be in its evaluated configuration. This includes only allowing administrators to logon to the TOE’s underlying operating system. Underlying System Assumptions A.MIDTIER To ensure accountability in multi-tier environments, any middle- tier(s) will pass the original client ID through to the TOE. 22 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 This Page Intentionally Blank Security Target for Oracle Database 10g 23 Release 1 (10.1.0) November 2005 Issue 1.1 C H A P T E R 4 Security Objectives TOE Security Objectives As per [DPP, 4.1]. Environmental Security Objectives As per [DPP, 4.2]. 24 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 This Page Intentionally Blank Security Target for Oracle Database 10g 25 Release 1 (10.1.0) November 2005 Issue 1.1 C H A P T E R 5 IT Security Requirements TOE Security Functional Requirements Table 3 below lists each Security Functional Requirement (SFR) included in this Se- curity Target. These SFRs were all included in [DPP], with the exception that FMT_SMF.1 has been added to accommodate a change to [CC] that occurred since [DPP] was published. For each SFR, Table 3 identifies which Common Criteria operations (assignment (A), selection (S), refinement (R), and/or iteration (I)) have additionally been applied, namely: a) (for SFRs that are in [DPP]): the operations additional to those in [DPP]; or b) (for the SFR that is not in [DPP]): the operations additional to Part 2 of [CC]. The remainder of this section details the functional requirements as completed for this Security Target. The text for completed operations which have been applied to the re- quirement relative to the DBMS Protection Profile [DPP] or relative to Part 2 of [CC] (for SFR FMT_SMF.1) is highlighted with ITALICISED CAPITAL LETTERS within each requirement. Annex B provides definitions for various terms used in the func- tional requirements. Table 3: List of Security Functional Requirements Component Name A S R I FAU_GEN.1 Audit Data Generation X X FAU_GEN.2 User Identity Association FAU_SAR.1 Audit Review FAU_SAR.3 Selectable Audit Review X FAU_SEL.1 Selective Audit X 26 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 Security Audit FAU_GEN.1.1 The TSF shall be able to generate a database audit record of the following auditable events: a) Start-up and shutdown of the database audit functions; b) All auditable events for the basic level of audit as identified in TABLES 4 AND 7 OF [DPP] AND TABLE 4 BELOW; and FAU_STG.1 Protected Audit Trail Storage X FAU_STG.4 Prevention of Audit Data Loss X X FDP_ACC.1 Subset Access Control FDP_ACF.1 Security Attribute Based Access Control X FDP_RIP.2 Full Residual Information Protection X FIA_AFL.1 Authentication Failure Handling X FIA_ATD.1 User Attribute Definition X FIA_SOS.1 Verification of Secrets X FIA_UAU.1 Timing of Authentication X FIA_UID.1 Timing of Identification X FIA_USB.1 User-Subject Binding X X FMT_MSA.1 Management of Security Attributes X FMT_MSA.3 Static Attribute Initialisation X FMT_MTD.1 Management of TSF Data FMT_REV.1 Revocation X FMT_SMF.1 Specification of Management Functions X FMT_SMR.1 Security Roles X FPT_RVM.1 Non-Bypassability of the TSP FPT_SEP.1 TSF Domain Separation FRU_RSA.1 Maximum Quotas X FTA_MCS.1 Basic Limitation on Multiple Concurrent Sessions X FTA_TSE.1 TOE Session Establishment X Component Name A S R I Security Target for Oracle Database 10g 27 Release 1 (10.1.0) November 2005 Issue 1.1 c) NO ADDITIONAL EVENTS. FAU_GEN.1.2 The TSF shall record within each database audit record at least the following information: a) Date and time of the database event, type of database event, database subject identity, and the outcome (success or failure) of the event; and b) For each database audit event type, based on the auditable event definitions of the functional components included in the PP/ST, OTHER RELEVANT INFORMATION AS IDENTIFIED IN TABLES 4 & 7 OF [DPP]. FAU_GEN.2.1 The TSF shall be able to associate each auditable database event with the identity of the database user that caused the event. FAU_SAR.1.1 The TSF shall provide authorised database users with the capability to read all database audit information from the database audit records. FAU_SAR.1.2 TheTSF shall provide thedatabase audit records in a manner suitable for the database user to interpret the information. FAU_SAR.3.1 The TSF shall provide the ability to perform searches and sorting of database audit data based on THE VALUES OF AUDIT DATA FIELDS. FAU_SEL.1.1 The TSF shall be able to include or exclude auditable database events from the set of audited database events based on the following attributes: a) event type; b) database subject identity; c) database object identity; d) DATABASE SYSTEM PRIVILEGE. FAU_STG.1.1 The TSF shall protect the stored database audit records from unauthorised deletion. FAU_STG.1.2 The TSF shall be able to prevent UNAUTHORISED modifications to the database audit records IN THE AUDIT TRAIL. FAU_STG.4.1 The TSF shall prevent auditable events, except those taken by the authorised user with special rights, if the audit trail is full. Note that the assignment operation for the FAU_STG.4.1 element defined in [DPP, 5.1.1] has effectively been completed with “and NO OTHER ACTIONS”. However, a refinement has been applied to omit these words for the sake of clarity. User Data Protection FDP_ACC.1.1 The TSF shall enforce the database object access control SFP on: Table 4: List of Auditable Events for the Additional SFR Component Event Additional Data FMT_SMF.1 Use of Security Management Functions. None 28 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 a) database subjects; b) database objects; c) all permitted operations on database objects by database subjects covered by the SFP. FDP_ACF.1.1 The TSF shall enforce the database object access control SFP to database objects based on: a) the identity of the owner of the database object; and b) the object access privileges to the database object held by the database subject; and c) the database administrative privileges of the database subject. FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled database subjects and controlled database objects is allowed: a) if the user associated with the database subject is the owner of the database object, then the requested access is allowed; or b) if the database subject has the database object access privilege for the requested access to the database object, then the requested access is allowed; or c) otherwise access is denied, unless access is explicitly authorised in accordance with the rules specified in FDP_ACF.1.3. FDP_ACF.1.3 The TSF shall explicitly authorise access of database subjects to database objects based on the following additional rules: a) if the database subject has a database administrative privilege to override the database object access controls for the requested access to the database object, then the requested access is allowed; b) IF THE SUBJECT IS CONNECTED AS SYSDBA THEN THE REQUESTED ACCESS IS ALLOWED; OR c) IF THE SUBJECT IS CONNECTED AS SYSOPER AND THE REQUESTED ACTION IS ONE OF THE OPERATIONS PERMITTED FOR THE SYSOPER USER SPECIFIED IN [DAG, 1], THEN THE REQUESTED ACCESS IS ALLOWED. FDP_ACF.1.4 The TSF shall explicitly deny access of database subjects to database objects based on the following additional rules: NONE. FDP_RIP.2.1 The TSF shall ensure that any previous information content of a database resource is made unavailable upon the allocation of a resource to SCHEMA OBJECTS (INCLUDING NON-SCHEMA OBJECTS, WHICH ARE STORED IN THE SYS SCHEMA). Identification and Authen- tication FIA_AFL.1.1 The TSF shall detect when AN ADMINISTRATOR CONFIGURABLE POSITIVE INTEGER WITHIN THE RANGE 1 TO 2,147,483,646 unsuccessful database authentication attempts occur related to THE USER’S LAST SUCCESSFUL DATABASE SESSION. FIA_AFL.1.2 When the defined number of unsuccessful database authentication attempts has been met or surpassed, the TSF shall LOCK THE DATABASE USER’S ACCOUNT. FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual database users: Security Target for Oracle Database 10g 29 Release 1 (10.1.0) November 2005 Issue 1.1 a) database user identity; b) database object access privileges; c) database administrative privileges; d) ORACLE ROLES. FIA_SOS.1.1 The TSF shall provide a mechanism to verify that database secrets (passwords) meet REUSE, LIFETIME, AND CONTENT METRICS AS DEFINED BY AN AUTHORISED ADMINISTRATIVE USER. FIA_UAU.1.1 The TSF shall allow THE FOLLOWING LIST OF ACTIONS on behalf of the database user to be performed before the database user is authenticated: a) OBTAIN THE CURRENT ORACLE VERSION STRING AND NUMBER; b) ESTABLISH A DATABASE CONNECTION; AND c) RECEIVE AN ERROR MESSAGE UPON ERROR. FIA_UAU.1.2 The TSF shall require each database user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that database user. FIA_UID.1.1 The TSF shall allow THE FOLLOWING LIST OF ACTIONS on behalf of the database user to be performed before the database user is identified: a) OBTAIN THE CURRENT ORACLE VERSION STRING AND NUMBER; b) ESTABLISH A DATABASE CONNECTION; AND c) RECEIVE ERROR MESSAGES UPON ERROR. FIA_UID.1.2 TheTSFshallrequireeachdatabaseusertobesuccessfullyidentified before allowing any other TSF-mediated actions on behalf of that database user. SFR FIA_USB.1 in this Security Target is a refinement relative to FIA_USB.1 in [DPP, 5.1.3] to satisfy Common Criteria Interpretation 137. Under this interpreta- tion, FIA_USB.1.2 and FIA_USB.1.3 are added to FIA_USB.1.1 and FIA_USB.1.1 is expanded so that the appropriate user security attributes can be specified and the rules governing the binding of user attributes to subjects can be defined. FIA_USB.1.1 The TSF shall associate the FOLLOWING database user security attributes with database subjects acting on behalf of that database user: a) USER IDENTIFIER, PASSWORD MANAGEMENT INFORMATION, PRIVILEGES AND ROLES. FIA_USB.1.2 The TSF shall enforce the following rules on the intial association of user security attributes with subjects acting on behalf of users: a) ONCE A USER HAS BEEN SUCCESSFULLY IDENTIFIED AND AUTHENTICATED AT THE START OF A SESSION WITH THE TSF, THE USER’S IDENTIFIER IS ACCESSIBLE THROUGHOUT THAT SESSION. b) AN OBJECT OR SYSTEM PRIVILEGE IS EFFECTIVE AT THE START OF A USER SESSION IF IT WAS PREVIOUSLY GRANTED TO THE USER (AND NOT SUBSEQUENTLY REVOKED) DIRECTLY OR VIA THE PUBLIC USER GROUP OR VIA A ROLE c) A USER ESTABLISHING A PROXY SESSION WITH THE TSF ON BEHALF OF ANOTHER USER CAN CONTROL WHICH 30 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 ROLES ARE AVAILABLE TO THAT USER AT THE START OF THE SESSION. FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: a) IF AN OBJECT OR SYSTEM PRIVILEGE APPLYING TO A USER IS GRANTED OR REVOKED WHILE THE USER HAS A CURRENT SESSION WITH THE TSF, THIS CHANGE APPLIES TO THE SET OF PRIVILEGES EFFECTIVE DURING THE USER SESSION. THIS RULE APPLIES TO PRIVILEGES GRANTED TO THE USER DIRECTLY OR VIA THE PUBLIC USER GROUP OR VIA A ROLE. b) DURING A SESSION WITH THE TSF, THE USER CAN CONTROL WHICH ROLES GRANTED TO THAT USER ARE EFFECTIVE. c)IF AUSEREXECUTES A VIEWORA PROGRAM UNITOWNED BY ANOTHER USER, THE PRIVILEGES OF THE OWNING USER ARE EFFECTIVE DURING THE EXECUTION OF THE VIEW OR PROGRAM UNIT. d) A USER CAN CHANGE THE PASSWORD ASSOCIATED WITH THAT USER IF THE NEW PASSWORD COMPLIES WITH THE CONFIGURABLE CONTROLS INCLUDED IN THE PASSWORD MANAGEMENT INFORMATION THAT APPLIES TO THE USER. Security Management FMT_MSA.1.1 The TSF shall enforce the database object access control SFP to restrict the ability to modify the database object security attributes: a) DATABASEOBJECTACCESSPRIVILEGEStoTHEOBJECT’S OWNER AND OTHER DATABASE USERS AUTHORIZED BY THE OWNER. b) DATABASE SYSTEM PRIVILEGES to USERS WHO HAVE BEEN GRANTED THAT PRIVILEGE WITH ADMIN OPTION OR USERS WHO CONNECT AS SYSDBA. c) DATABASE ROLES to DATABASE USERS AUTHORIZED TO MODIFY ROLES. FMT_MSA.3.1 The TSF shall enforce the database object access control SFP to provide restrictive default values for database object security attributes that are used to enforce the database object access control SFP. FMT_MSA.3.2 The TSF shall allow NO DATABASE USERS to specify alternative initial values to override the default values when a database object is created. Security Target for Oracle Database 10g 31 Release 1 (10.1.0) November 2005 Issue 1.1 FMT_MTD.1.1 The TSF shall, according to TABLES 5 AND 8 OF [DPP] AND TABLE 5 BELOW, restrict the ability to perform operations on TSF data to database administrative users. FMT_REV.1.1 The TSF shall restrict the ability to revoke security attributes associated with the database users and database objects within the TSC to: a) authorised database administrators (for users and objects); b) authorised database users (only for the database objects they own or database objects for which they have been granted database object access privileges allowing them to revoke security attributes); c) NO OTHER ROLES. FMT_REV.1.2 The TSF shall enforce the FOLLOWING rules: a) revocation of database object access privileges shall take effect prior to all subsequent attempts to establish access to the database object; b) revocation of database administrative privileges shall take effect prior to when the database user begins the next database session; c) NO ADDITIONAL REVOCATION RULES. FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: a) THE OPERATIONS ON TSF DATA SPECIFIED IN TABLES 5 AND 8 OF [DPP] AND TABLE 5 ABOVE; b) MODIFICATION OF THE DATABASE OBJECT SECURITY ATTRIBUTES AS SPECIFIED IN SFR FMT_MSA.1.1. FMT_SMR.1.1 The TSF shall maintain the database roles: a) database administrative user; b) database user; c) DATABASE ROLES DEFINED BY SUITABLY PRIVILEGED DATABASE ADMINISTRATIVE USERS. Note that due to a difference in terminology between the CC and the Oracle Database 10g product the two occurrences of the word “role” in FMT_SMR.1.1 have different meanings. The first occurrence, which is part of the required CC wording, is a general term meaning any kind of user that can be created within the TSF. The second occur- rence, which is part of a completed assignment in [DPP], is a specific term referring to Oracle database roles that can be configured and granted to users of the Oracle Database 10g product. FMT_SMR.1.2 The TSF shall be able to associate database users with database roles. Table 5: Additional Function’s Required Management Events Component Operation TSF Data FMT_SMF.1 - - 32 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 Protection of the TOE Security Functions FPT_RVM.1.1 The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed. FPT_SEP.1.1 The TSF shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted database subjects. FPT_SEP.1.2 The TSF shall enforce separation between the security domains of database subjects in the TSC. Resource Utilisation FRU_RSA.1.1 The TSF shall enforce maximum quotas of the following resources: a) CPU_TIME; b) ELAPSED TIME; c) LOGICAL DATA BLOCKS READ; AND d) DATABASE STORAGE ALLOCATED. that an individual database user can use over a specified period of time. TOE Access FTA_MCS.1.1 The TSF shall restrict the maximum number of concurrent database sessions that belong to the same database user. FTA_MCS.1.2 The TSF shall enforce, by default, a limit of A NUMBER, CONFIGURED BY AN AUTHORIZED ADMINISTRATIVE USER, database sessions per database user. FTA_TSE.1.1 The TSF shall be able to deny database session establishment based on USER IDENTITY. Note that the DBA and OPER users can always connect to the database. TOE Security Assurance Requirements The target assurance level is EAL4 as defined in Part 3 of the CC, augmented with ALC_FLR.3. Security Requirements for the IT Environment As per [DPP 5.5]. Minimum Strength of Function The minimum strength of function for the TOE is SOF-High. This exceeds the require- ments in [DPP]. Security Target for Oracle Database 10g 33 Release 1 (10.1.0) November 2005 Issue 1.1 C H A P T E R 6 TOE Summary Specification TOE Security Functionality This section contains a high-level specification of each Security Function (SF) of the TOE that contributes to satisfaction of the Security Functional Requirements of chapter 5. The specifications cover five major areas: identification and authentication, database resource quotas, access controls, privileges and roles, and auditing. Table 6 below shows that all the SFRs are satisfied by at least one SF and that every SF is used to satisfy at least one SFR (but note that SFR FDP_ACF.1.4 is not satisfied by any particular SF because this SFR specifies null functionality). 34 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 Table 6: Mapping of SFs to SFRs Identification and Authen- tication F.IA.PRE Oracle shall only allow users to: a) obtain the current Oracle version string and version number; b) establish a connection; c) receive error messages upon error before identifying and authenticating the user. Note that users can obtain the current Oracle version string and version number by calling OCIServerVersion, as described in [OCI, 16: OCIServerVersion]. F.IA.UID Each database user is uniquely identified. FIA FDP FMT FPT FRU FTA FAU AFL.1.1 AFL.1.2 ATD.1.1 SOS.1.1 UAU.1.1 UAU.1.2 UID.1.1 UID.1.2 USB.1.1 USB.1.2 USB.1.3 ACC.1.1 ACF.1.1 ACF.1.2 ACF.1.3 ACF.1.4 RIP.2.1 MSA.1.1 MSA.3.1 MSA.3.2 MTD.1.1 REV.1.1 REV.1.2 SMF.1.1 SMR.1.1 SMR.1.2 RVM.1.1 SEP.1.1 SEP.1.2 RSA.1.1 MCS.1.1 MCS.1.2 TSE.1.1 GEN.1.1 GEN.1.2 GEN.2.1 SAR.1.1 SAR.1.2 SAR.3.1 SEL.1.1 STG.1.1 STG.1.2 STG.4.1 F.IA.PRE Y Y Y Y F.IA.UID Y Y F.IA.DBA Y Y Y F.IA.CNF Y F.IA.IDE Y Y Y Y Y F.IA.CSA Y Y Y Y Y F.IA.CSN Y Y Y Y F.IA.PWD Y Y Y Y F.IA.ATT Y Y Y Y F.IA.USE Y Y F.LIM.CNF Y Y Y Y Y F.LIM.POL Y Y F.LIM.NSESS Y Y Y F.LIM.TIME Y F.LIM.RSESS Y F.LIM.RCALL Y F.DAC.OBID Y Y Y F.DAC.OBREF Y Y Y F.DAC.SUA Y Y F.DAC.OBA Y Y Y F.DAC.POL Y Y Y Y Y Y F.DAC.SEP Y Y F.DAC.OR Y F.APR.GOP Y Y Y Y F.APR.ROP Y Y Y Y F.APR.GRSP Y Y Y Y Y F.APR.GRR Y Y Y Y Y Y F.APR.DER Y F.APR.EDR Y Y F.PRI.SPRIV Y Y Y Y Y Y Y F.PRI.XVP Y F.PRI.PRX Y Y F.AUD.SOM Y Y F.AUD.SEV Y Y F.AUD.ALW Y Y F.AUD.CNF Y Y Y F.AUD.ACC Y Y Y Y F.AUD.DEL Y Y Y Y F.AUD.INF Y Y F.AUD.VIEW Y Y F.AUD.FULL Y Security Target for Oracle Database 10g 35 Release 1 (10.1.0) November 2005 Issue 1.1 F.IA.DBA DBMS Identification and Authentication: If a user is configured in the TOE as being identified by a password then the TOE will: a) identify the user by confirming that the user provides a valid user identifier, and b) authenticate the user by confirming that the user provides a password corresponding to the stored password for that user. F.IA.OSA (deleted) SF F.IA.OSA concerns OS Identification and Authentication, which is not appropriate for use with UNIX and Linux operating systems. F.IA.OSA is mentioned here because it was included in the Security Target for the evaluation of Oracle9i, which has Mi- crosoft Windows NT4.0 as one of its operating system platforms. All references to OS Identification and Authentication functionality in the other SFs in this chapter have been removed for this evaluation. F.IA.CSN The TOE will create a database session as a normal user only if the CREATE SESSION privilege is held by the database user and the TOE has identified and authenticated the user as a valid database user. F.IA.IDE For each interaction between a user and the TOE following the successful creation of a database session, the TOE is able to establish the identity of the user. A subject can only submit requests to a Server and receive responses (information) from a Serverwhile the subjectisestablishing aconnection or connected to an instance during the course of a database session. F.IA.CSA The TOE will create a database session as the SYS user (for AS SYSDBA connections) or the PUBLIC user (for AS SYSOPER connections) only if the provided user identifier and password correspond to users stored in the Oracle password file as being allowed SYSDBA or SYSOPER connections, respectively. F.IA.CNF The TOE will allow only a suitably authorised user to create a database user. F.IA.PWD The TOE provides the following configurable controls on user passwords: [SQL, 15: CREATE PROFILE] a) the number of failed login attempts before the user account is locked, b) the number of days the same password can be used before expiring, c) the number of days before which a password cannot be reused, d) the number of password changes required before the current password can be reused, e) the number of days a user account will be locked after the specified number of consecutive failed logins, 36 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 f) the number of days of grace period after a password expires before the user account is locked, g) a password complexity check to screen passwords selected by the user. F.IA.ATT The data dictionary contains a unique set of security attributes for each user including their username, password management information, account status (i.e. locked or unlocked), privileges, roles and resource limits that can be displayed and modified by suitably authorised users using standard SQL commands. F.IA.USE A database user is authorised to change the password associated with that user within the following constraints: a) If the user’s profile includes a complexity check function, then the new password is accepted only if it meets the criteria of the complexity check. b) If the user’s profile specifies password reuse constraints and the user attempts to reuse a password, the TOE rejects the change if the reuse constraints are not met. [SQL, 15: CREATE PROFILE]. Access Control Database Resources F.LIM.CNF The TOE will allow only a suitably authorised user to: a) alter the default Resource Profile for a database; b) create and alter specific Resource Profiles and assign and reassign them to each individual database users. F.LIM.POL When a user attempts to use a database resource that is subject to controls specified by Resource Profiles, the TOE will enforce the limits specified by the resource profile (if any) explicitly assigned to the user, otherwise it enforces the limits specified by the default Resource Profile for the database. F.LIM.NSESS The TOE prevents a user from creating more than the maximum number of concurrent sessions specified for that user for an instance of the TOE. F.LIM.TIME If a user exceeds the specified CONNECT_TIME or IDLE_TIME resource limits by the (OS specific) amount for a single session then the TOE will terminate the session when the user attempts an operation. F.LIM.RSESS If a user attempts to perform an operation that exceeds the specified resource limits for a single session then the TOE will: a) terminate the operation; b) force the termination of the session. F.LIM.RCALL If a user attempts to perform an operation that exceeds the specified resource limits for a singleSQL statement then theTOE will terminate the operation. Security Target for Oracle Database 10g 37 Release 1 (10.1.0) November 2005 Issue 1.1 Object Access Control Discretionary Access Control F.DAC.OBID The TOE ensures that every object created in a database is uniquely identified in that database. Specifically, each schema object owned by a normal user is uniquely identified within the user’s schema1 . F.DAC.OBREF The TOE correctly resolves every reference to a database object that conforms to the Object naming rules specified in [SQL, 2], including references via database links2 . F.DAC.SUA For normal users, the TOE enforces DAC on database objects based on the following subject attributes: a) the identity of the user associated with the database session; b) the system privileges and object privileges which are effective for the database session. F.DAC.OBA For normal users, the TOE enforces DAC on database objects based on the following object attributes: a) the identity of the owner of the object; b) the object privileges which have been granted on the object; c) and any security policies providing fine-grained access control for the object. F.DAC.POL The TOE enforces the following rules to determine if an operation among controlled subjects and controlled objects is allowed: a) If the user is the owner of the object then the requested access is allowed. b) If the database session has the necessary object privileges effective for the object then the requested access is allowed. The object privileges relevant to different types of objects are specified in [SQL, 18: GRANT (grant_object_privileges)], and provide the ability to restrict a user’s access to an object to those operations which do not modify the object. c) Ifthedatabasesessionhasthenecessarysystemprivileges effective then the requested access is allowed. The system privileges relevant to different types of database-wide and schema-specific operations are specified in [SQL, 18: 1. The owner of an object is the owner of the schema containing the object, not necessarily the user who created the object. More precisely, unique identification is by object type as well as object name within a schema. 2. A reference to a database link (e.g. CONNECT /@otherdb or SELECT * FROM TBL@otherdb) will be correctly resolved to the referenced database. A database object can be uniquely identified in a distributed system, because it is uniquely identified in the database, and the database is unique in the system. The threat is that failure to uniquely identify objects and user accounts could result in reading, creating, modifying or destroying the wrong object (or copy of an object) if the user has the same access rights in each database. 38 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 GRANT (grant_system_privileges)] and provide the ability to restrict a user’s use of operations to those operations which do not modify objects. d) If the user is connected AS SYSDBA (the database session has the privilege to override the access controls) then the requested access is allowed. e) If the user is connected AS SYSOPER and the operation is one of those specified in [DAG, 1: Database Administrator Authentication (OSOPER and OSDBA)], for the OSOPER role then the requested access is allowed. F.DAC.SEP The TOE does not allow interference between concurrent database sessions. F.DAC.OR Upon allocation of a resource to schema and non-schema objects, any previous information is unavailable. In Oracle, there is no way to access an object once it has been deleted, i.e. the resources have been returned to the TOE. This is because any references to it no longer exist and, even if they were recreated, they would never be associated with the previous, non-existent object. All objects have a unique ID. Even if a deleted object is recreated using the same name, the object ID would be different. Schema and non-schema objects are defined in [SQL, 2]. Privileges and Roles Granting and Revoking Privileges and Roles F.APR.GOP A normal user (the grantor) can grant an object privilege to another user, role or PUBLIC (the grantee) only if: a) the grantor is the owner of the object; or b) the grantor has been granted that object privilege with the GRANT OPTION. F.APR.ROP A normal user (the revoker) can revoke an object privilege from another user, role or PUBLIC (the revokee), and any further propagation of that object privilege started by the revokee, only if the revoker is the original grantor of the object privilege. F.APR.GRSP A user (the grantor) can grant a system privilege to another user, role or PUBLIC (the grantee), and revoke a system privilege from the grantee, only if: a) the grantor (or revoker) is connected AS SYSDBA; or b) the database session of the grantor (or revoker) has the GRANT ANY PRIVILEGE privilege effective; or c) the grantor (or revoker) has been granted that system privilege directly with the ADMIN OPTION. F.APR.GRR Auser(thegrantor)cangrantaroletoanotheruser,roleorPUBLIC (the grantee), and revoke a role from the grantee, only if: a) the grantor is connected AS SYSDBA; or b) the database session of the grantor (or revoker) has the GRANT ANY ROLE privilege effective; or Security Target for Oracle Database 10g 39 Release 1 (10.1.0) November 2005 Issue 1.1 c) the grantor (or revoker) has been granted that role with the ADMIN OPTION. Note that c) includes the case where the grantor is the user who created the role - see [SG, 10: Granting the ADMIN OPTION], which states:“When a user creates a role, the role is automatically granted to the creator with the ADMIN OPTION.”. Enabling and Disabling Roles F.APR.DER A role can be granted to a user in one of the following ways: a) As a default role, in which case the role will be enabled automatically for each database session created by that user1. b) As a non-default role, in which case i. if the role is configured in the TOE as being identified using a package, then that package must explicitly enable the role during a database session in order for any other roles within that role to be enabled and any privileges within that role to become effective for that user; or ii. if the role is configured in the TOE as being not identified, then the user must explicitly enable the roleduringadatabasesessioninorderforanyother roles within that role to be enabled and any privileges within that role to become effective for that user. F.APR.EDR During a database session the user can control which roles are effective at any time during the course of the database session by enabling and disabling the roles which have been granted to that user (where the role may have been granted directly to the user or granted indirectly to the user through other roles 2 ), subject to the following restrictions which apply to implicit remote sessions: a) The non-default roles granted to a user in a remote database cannot be enabled while the user is connected to the remote database. b) The default roles granted to a user in a remote database cannot be disabled while the user is connected to the remote database. Effective Privileges F.PRI.SPRIV An object or system privilege will be effective in a user session only if: a) the privilege was granted to the user directly and has not been revoked from the user; or b) the privilege was granted indirectly via the PUBLIC user group and has not been revoked from PUBLIC; or 1. A default role is enabled at session creation bypassing any authorisation required for that role. 2. When a role that has been granted other roles is enabled all the indirectly granted roles are implic- itly enabled. 40 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 c) the privilege was granted to the user indirectly via a role, and has not been revoked from that role and the role is effective in the current session. F.PRI.XVP A suitably authorised user can provide other users with access to proxy mechanisms (namely Views and Program Units) which will act on behalf of the owning user (by executing with the directly granted privileges of the owning user) to allow other users to have controlled access to specified aggregations of data. F.PRI.PRX A suitably authorised user can provide other users with the ability to establish a proxy connection for another user. The authorised user can control which user roles are available to the proxy session. Audit and Accountability F.AUD.SOM When standard auditing is enabled (as DBMS or OS Auditing) for an instance, the TOE will: a) write an audit record for every occurrence of an auditable event other than CONNECT and DISCONNECT; and b) write an audit record for every pair of CONNECT/ DISCONNECT events. F.AUD.SEV The TOE will allow a suitably authorised user to specify which events for a database are auditable, as follows: a) by use of DDL statements; b) by use of DML statements; i. for specified Object Privilege Objects; ii. for all Object Privilege Objects subsequently created, by default; c) by use of system privileges; d) by use of data access based on content; e) for each event of type b) by session or by access, i.e. only one audit record written for each auditable event that occurs in the same session or one audit record written for each auditable event. For events of type c) by session or by access, unless a DDL statement when always by access; f) for each event of type a), b) and c) by outcome, i.e. success, failure, or both. g) for each event of type a) and c); i. for all users; ii. for specified users; iii. for specified proxies on behalf of any user; iv. for specified proxies on behalf of specified users; F.AUD.ALW Irrespective of the TOE's audit configuration, the TOE will audit every successful occurrence of the following events to the operating system: Security Target for Oracle Database 10g 41 Release 1 (10.1.0) November 2005 Issue 1.1 a) start-up; b) shut-down; c) connection through the keywords AS SYSDBA or AS SYSOPER. Note that for the Linux platform OS auditable Oracle records are written to standard text file audit logs in the OS. F.AUD.CNF The TOE will allow only a suitably authorised user to set or alter the audit configuration for a database. Note that, by default (after installation), the TOE allows only SYS and SYSTEM (who are granted the DBA role during installation) and users connected AS SYSDBA to set and alter the audit configuration. It is possible for these users to grant the relevant privileges to other users, but it is assumed that they will not do this in practice. F.AUD.ACC The TOE will allow suitably authorised users to select by criteria audit information from the database audit trail, as follows: a) any suitably authorised user can view all audit records; b) the owner of an object can view the audit records relating to that object. F.AUD.DEL The TOE will allow only a suitably authorised 1 user to delete or update audit records from the Database Audit Trail. F.AUD.INF The TOE will record the following information into each Database Audit Trail record, provided that the information is meaningful to the particular audited event: Date and time of event; username; instance ID for the Oracle instance where the user is accessing the database; session identifier; terminal identifier of the user’s terminal; name of object accessed; operation performed or attempted; outcome of the operation; system privileges used. In particular: a) when a user attempts a connection to a database, whether successful or not, at least the following information is recorded when the TOE is configured to audit connection attempts: date and time of event, username, instance ID for the Oracle instance where the user is accessing the database, session identifier, terminal identifier of the user’s terminal, outcome of the connection attempt; b) when a user attempts to access any database object, whether successful or not, at least the following information is recorded when the TOE is configured to audit such access attempts: date and time of event, username, name of object accessed, operation performed or attempted, outcome of the operation; 1. By default, the TOE allows only SYS and SYSTEM (who are granted the DBA role during installa- tion) and users connected AS SYSDBA to delete or update rows from the database audit trail (which is held in SYS.AUD$). It is possible for these users to grant the relevant privileges to other users, but it is assumed that they will not do this in practice. 42 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 c) when auser attemptsto createordrop any database object, whether successful or not, at least the following information is recorded when the TOE is configured to audit such create or drop actions: date and time of event, username, name of object to be created or dropped, operation performed or attempted, outcome of the operation; d) when a user attempts to affect the security of the TOE, by, for example, starting up and shutting down an instance of the TOE, creating new, modifying existing or dropping old user accounts, tablespaces, databases, rollback segments, etc. as the TOE permits at least the following information is recorded when the TOE is configured to auditsuchactions:dateandtimeofevent,username,name of object accessed, operation performed or attempted, outcome of the operation. F.AUD.VIEW Oracle provides both the SQL language and built-in views, based on the underlying audit trail table, with the ability to both view and search the audit data. F.AUD.FULL With DBMS auditing, if the tablespace containing the audit trail table becomes full, no further auditable actions can occur until space is made available. Security Mechanisms and Techniques When authentication is performed by Oracle Database 10g, a password is used for authentication. The TOE performs a cryptographic hash function (using a modified Data Encryption Standard (DES) algorithm) on passwords prior to storing them in the database. The TOE password management functions (together called the PWD mechanism) provide a Strength of Function level of SOF-high. This exceeds the DBMS PP Strength of Function level of SOF-medium [DPP]. Specific SFs supporting the claimed SOF are: • F.IA.DBA (SOF-High); and • F.IA.PWD, F.IA.ATT & F.IA.USE support F.IA.DBA by providing password management mechanisms. Assurance Measures The target assurance level is EAL4 augmented with ALC_FLR.3, which exceeds the assurance requirement of EAL3 as stated in [DPP]. No other specific assurance measures are claimed. The following table identifies the Oracle Database 10g documentation that supports each security assurance requirement for EAL4 and also the assurance requirement for ALC_FLR.3. Security Target for Oracle Database 10g 43 Release 1 (10.1.0) November 2005 Issue 1.1 Table 7: TOE Assurance Measures Component Name Documents ACM_AUT.1 Partial CM Automation [CM] ACM_CAP.4 Generation Support and Acceptance Procs [CM] ACM_SCP.2 Problem Tracking CM Coverage [CM] ADO_DEL.2 Detection of Modifica- tion [OQM] ADO_IGS.1 Installation, Genera- tion, and Startup [ICG] [ECD] ADV_FSP.2 Fully Defined External Interfaces [ERR] [OCI] ADV_HLD.2 Security Enforcing High-level Design [AD] ADV_IMP.1 Subset of the TSF Implementation [SRC] ADV_LLD.1 Descriptive Low-level Design [DD] ADV_RCR.1 Informal Correspond- ence Demonstration [AD] [DD] [DT] [SRC] ADV_SPM.1 Informal TOE Security Policy Model [SPM] AGD_ADM.1 Administrator Guid- ance [ECD] [GA] and Oracle publications relevant to administrators AGD_USR.1 User Guidance [GA] and Oracle publications relevant to users ALC_DVS.1 Identification of Secu- rity Measures [SODE] ALC_LCD.1 Developer Defined Life Cycle Model [LCS] ALC_TAT.1 Well Defined Develop- ment Tools [CM] ATE_COV.2 Analysis of Coverage [TP] ATE_DPT.1 Testing - High-level Design [TP] ATE_FUN.1 Functional Testing [TP] ATE_IND.2 Independent Testing [TP] AVA_MSU.2 Validation of Analysis [GA] AVA_SOF.1 Strength of TOE Secu- rity Functions [SOF] 44 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 AVA_VLA.2 Independent Vulnera- bility Analysis [VA] ALC_FLR.3 Systematic Flaw Reme- diation [FLR] Table 7: TOE Assurance Measures Component Name Documents Security Target for Oracle Database 10g 45 Release 1 (10.1.0) November 2005 Issue 1.1 C H A P T E R 7 Protection Profile Claims PP Reference The TOE conforms to the Database Management System Protection Profile (DBMS PP) [DPP]. PP Tailoring Table 3 in chapter 5 identifies each SFR for this Security Target that was derived from [DPP] and the tailoring operations performed relative to [DPP]. The tailoring is iden- tified in ITALICISED CAPITAL LETTERS within the text of each SFR in chapter 5. All of the tailoring operations are in conformance with the assignments and selections in [DPP]. PP Additions There are no additional threats, organisational security policies, or objectives included in this security target which were not in [DPP]. A reference to [ECD] has been added to the assumption A.TOE.CONFIG. This does not change the meaning of the assumption, rather it points to a TOE-specific document where the evaluated configuration is defined. There is an additional underlying system assumption, A.MIDTIER, which is included to ensure accountability in multi-tier environments. Although the O-RDBMS can au- dit the actions of a proxy user, accountability relies upon the correct identity of the cli- ent (given during the connection by the middle-tier). As explained in chapter 1 (TOE Overview), this type of environment is an addition to the scope of evaluation (which was first introduced for Oracle8i). Table 3 in chapter 5 lists each Security Functional Requirement (SFR) included in this Security Target. These SFRs were all included in [DPP], with the exception that FMT_SMF.1 has been added to accommodate a change to [CC] that occurred since [DPP] was published. This change does not affect the Security Target’s conformance 46 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 with [DPP] because FMT_SMF.1 serves only to specify the management functions for which the other families in the FMT class define usage restrictions. SFR FIA_USB.1 in chapter 5 of this Security Target is a refinement relative to FIA_USB.1 in [DPP, 5.1.3] to satisfy Common Criteria Interpretation 137. Under this interpretation, FIA_USB.1.2 and FIA_USB.1.3 are added to FIA_USB.1.1 and FIA_USB.1.1 is expanded so that the appropriate user security attributes can be spec- ified and the rules governing the binding of user attributes to subjects can be defined. The change to FIA_USB.1 that has been implemented in this Security Target does not affect conformance with [DPP] because it is only a refinement of the version of FIA_USB.1 in [DPP] to provide the additional detail required by Interpretation 137. The assurance requirements specified in this security target are those for EAL4 aug- mented with ALC_FLR.3. This includes all assurance requirements in [DPP] (which mandates EAL3). Security Target for Oracle Database 10g 47 Release 1 (10.1.0) November 2005 Issue 1.1 C H A P T E R 8 Rationale Security Objectives Rationale As per [DPP, 6.1]. Assumptions Rationale The assumptions rationale in [DPP, 6.5] applies to the TOE, with the exception that A.TOE.CONFIG has been slightly modified relative to [DPP, 3.4.1], so a modified ra- tionale has been given below. In addition, assumption A.MIDTIER is not present in [DPP] and therefore a rationale has been supplied below. A.TOE.CONFIG is directly provided by O.INSTALL part a) because [ECD] is part of the operational documentation of the TOE. A.MIDTIER states that any middle-tier must pass the original client ID through to the TOE. A.MIDTIER is directly provided by O.INSTALL part a) because [ECD] in- cludes this requirement for the use of a middle-tier. Security Requirements Rationale The TOE security objectives are as per [DPP, 4.1]. The TOE’s SFRs are as per [DPP, 5.1 and 5.2 and 5.3] with the addition of FMT_SMF.1. Suitability of Security Requirements [DPP, 6.2.1 and 6.3 and 6.4.1] show that the SFRs defined in [DPP, 5.1 and 5.2 and 5.3] satisfy the IT security objectives defined in [DPP, 4.1]. The table below correlates the IT security objectives to the SFR that is additional to those provided in [DPP] which satisfy them (as indicated by a YES), showing that each IT security objective is satisfied by at the additional SFR, and that the additional SFR satisfies at least one IT security objective. 48 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 Suitability of SFR FMT_SMF.1 FMT_SMF.1 combines with FMT_MSA.1 and FMT_MTD.1 to ensure that the TSF is capable of the controlled management of user attributes in support of O.I&A.TOE. FMT_SMF.1 combines with FMT_MSA.1 to ensure that the TSF is capable of the controlled management of the security attributes used to mediate access to database objects in support of O.ACCESS. FMT_SMF.1 combines with FMT_MTD.1 to ensure that the TSF is capable of the controlled management of the audit trail in support of O.AUDIT. FMT_SMF.1 combines with FMT_MTD.1 to ensure that the TSF is capable of the controlled management of resource assignment in support of O.RESOURCE. FMT_SMF.1 combines with FMT_MSA.1 and FMT_MTD.1 to ensure that the TSF includes administrative functionality for the control of security-related aspects of the TOE in support of O.ADMIN.TOE. This rationale thus demonstrates the suitability of the TOE security requirements. Dependency Analysis The tables given in [DPP, 6.2.2 and 6.4.2] apply to the TOE. The table below com- bines these tables and also shows the dependency analysis for the additional compo- nent that was not present in [DPP]. The table below shows that all dependencies of functional components are satisfied. Table 8: Correlation of IT Security Objectives to the SFR Additional to [DPP] Requirement O.I&A.TOE O.ACCESS O.AUDIT O.RESOURCE O.ADMIN.TOE FMT_SMF.1 YES YES YES YES YES Table 9: Functional Component Dependency Analysis Component Reference Component Dependencies Dependency Reference 1 FAU_GEN.1T FPT_STM.1 See note a) in [DPP, 6.2.3] 2 FAU_GEN.2 FAU_GEN.1 FIA_UID.1 1 15 3 FAU_SAR.1 FAU_GEN.1 1 4 FAU_SAR.3 FAU_SAR.1 3 5 FAU_SEL.1 FAU_GEN.1 FMT_MTD.1 1 18 6 FAU_STG.1 FAU_GEN.1 1 7 FAU_STG.4 FAU_STG.1 6 8 FDP_ACC.1 FDP_ACF.1 9 Security Target for Oracle Database 10g 49 Release 1 (10.1.0) November 2005 Issue 1.1 For the dependency analysis of the security assurance requirements: EAL4 is a self- contained assurance package and ALC_FLR.3 has no dependencies on any other com- ponent. Demonstration of Mutual Support The supportive dependencies discussed in [DPP, 6.2.3] apply to the TOE. The follow- ing additional supportive dependencies exist for the TOE to prevent bypassing of and tampering with the SFR that is not present in [DPP], FMT_SMF.1: FDP.ACC.1 and FDP.ACF.1 support FMT_SMF.1 by preventing unauthorised mod- ifications to the audit trail. FIA_UID.1 and FIA_UAU.1 support FMT_SMF.1 by preventing the bypassing of 9 FDP_ACF.1 FDP_ACC.1 FMT_MSA.3 8 17 10 FDP_RIP.2 - - 11 FIA_AFL.1 FIA_UAU.1 14 12 FIA_ATD.1 - - 13 FIA_SOS.1 - - 14 FIA_UAU.1 FIA_UID.1 15 15 FIA_UID.1 - - 16 FMT_MSA.1 FDP_ACC.1 FMT_SMF.1 FMT_SMR.1 8 20 21 17 FMT_MSA.3 FMT_MSA.1 FMT_SMR.1 16 21 18 FMT_MTD.1 FMT_SMF.1 FMT_SMR.1 20 21 19 FMT_REV.1 FMT_SMR.1 21 20 FMT_SMF.1 - - 21 FMT_SMR.1 FIA_UID.1 15 22 FPT_RVM.1 - - 23 FPT_SEP.1 - - 24 FRU_RSA.1 - - 25 FTA_MCS.1 FIA_UID.1 15 26 FTA_TSE.1 - - Table 9: Functional Component Dependency Analysis Component Reference Component Dependencies Dependency Reference 50 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 this SFR by unauthorised users. FMT_MSA.1 provides support to FMT_SMF.1 by controlling the modification of ob- ject security attributes. FMT_MTD.1 supports FMT_SMF.1 by protecting the integrity of the audit trail. The additional SFR does not offer any further support to the other SFRs. Strength of Function Validity The strength of function specified, SOF-high, exceeds the strength of function re- quired by [DPP]. The PWD mechanism is the only TOE mechanism that is probabil- istic or permutational, and has a strength of SOF-high. This strength of function is intended to provide enough protection against straightforward or intentional attack from threat agents having a high attack potential. Assurance Requirements Appropriate The target assurance level is EAL4, augmented with ALC_FLR.3, which exceeds the minimum assurance requirement of EAL3 as stated in [DPP, 6.7]. [DPP, 6.7] also states that it is expected that some products may seek assurance to higher levels. EAL4 is appropriate for the TOE because it is designed for use in environments where EAL4 assurance is required to reduce the risk to the assets that the TOE is intended to protect. ALC_FLR.3 has been included in addition to EAL4 to cause the evaluation of the TOE’s flaw remediation procedures which Oracle database users need to be in place following the release of the TOE. These procedures are required to offer continuing assurance to users that Oracle Database 10g provides secure storage of and access to the data which is crucial to their enterprise’s success. To meet this requirement, the flaw remediation procedures must offer: • the ability for TOE users to report potential security flaws to Oracle, • the resolution and correction of any flaws with assurance that the corrections introduce no new security flaws, and • the timely distribution of corrective actions to users. ALC_FLR.3 is the ALC_FLR component which is at an appropriate level of rigour to cover these requirements. TOE Summary Specification Rationale This section demonstrates that the TOE Security Functions and Assurance Measures are suitable to meet the TOE security requirements. TOE Security Functions Satisfy Requirements Table 6 of chapter 6 identifies the Oracle Database 10g TOE Security Functions that address each of the SFRs in chapter 5. The table below demonstrates that for each SFR the TOE security functions are suita- ble to meet the SFR, and the combination of TOE security functions work together so as to satisfy the SFR: Security Target for Oracle Database 10g 51 Release 1 (10.1.0) November 2005 Issue 1.1 Table 10: TOE Security Function Suitability and Binding SFR TOE Security Functions Rationale FIA_AFL.1.1 F.IA.PWD The number of allowed failed logon attempts can be con- figured. FIA_AFL.1.2 F.IA.PWD When the configured number of failed logon attempts is reached the account is locked. FIA_ATD.1.1 F.IA.ATT The data dictionary stores the required security attributes FIA_SOS.1.1 F.IA.PWD F.LIM.CNF F.IA.USE F.IA.PWD specifies the controls available on database secrets (passwords). These controls are implemented via profiles which are required by F.LIM.CNF. F.IA.USE allows users to change their own passwords within the limits configured by an administrator. FIA_UAU.1.1 F.IA.PRE F.IA.PRE maps onto FIA_UAU.1.1 and FIA_UID.1.2 directly. FIA_UAU.1.2 F.IA.PRE F.IA.DBA F.IA.CSA F.IA.CSN F.IA.CSN and F.IA.CSA state the conditions for being able to establish a database session and hence perform TSF-mediated actions. These security functions depend directly on F.IA.DBA. F.IA.PRE is relevant because one of the actions allowed prior to session creation is attempting to establish a session. FIA_UID.1.1 F.IA.PRE F.IA.PRE satisfies FIA_UAU.1.1 and FIA_UID.1.1 directly. FIA_UID.1.2 F.IA.PRE F.IA.UID F.IA.DBA F.IA.IDE F.IA.CSA F.IA.CSN F.IA.CSN and F.IA.CSA state the conditions for being able to establish a database session and hence perform TSF-mediated actions. These security functions depend directly on F.IA.DBA. F.IA.PRE is relevant one of the actions allowed prior to session creation is attempting to establish a session. F.IA.IDE ensures that the identity of the user is known for the duration of the session, once created. FIA_USB.1.1 F.IA.ATT F.IA.ATT covers the security attributes for each user. FIA_USB.1.2 F.IA.DBA F.IA.IDE F.PRI.SPRIV F.PRI.PRX F.IA.DBA covers user identification, and the authentica- tion of the user by a password when starting a database session. F.IA.IDE ensures that the TSF is able to estab- lish the identity of the user during a database session. F.PRI.PRX defines the rules governing privileges in proxy user sessions, whilst F.PRI.SPRIV defines rules for which privileges are effective when starting a ses- sion. FIA_USB.1.3 F.IA.PWD F.IA.USE F.APR.EDR F.PRI.SPRIV F.PRI.XVP F.PRI.SPRIV governs the effect of changing privileges during a session. F.APR.EDR defines which roles are effective at any time during the course of the database session. F.PRI.XVP governs which privileges are effec- tive when executing a view or program owned by another user. F.IA.USE governs when a user is author- ised to make changes to a password associated with that user and F.IA.PWD relates to the configurable controls on a password. 52 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 FDP_ACC.1.1 F.DAC.OBID F.DAC.OBREF F.DAC.SUA F.DAC.OBA F.DAC.OBID and F.DAC.OBREF ensure that all objects (which are subject to DAC) can be uniquely identified. F.DAC.SUA and F.DAC.OBA state that the DAC policy extends to all subjects and objects. FDP_ACF.1.1 F.DAC.OBID F.DAC.OBREF F.DAC.SUA F.DAC.OBA F.DAC.POL F.PRI.SPRIV F.DAC.OBID and F.DAC.OBREF ensure that all objects (which are subject to DAC) can be uniquely identified. F.DAC.SUA includes the subject and their enabled privi- leges (as specified in F.PRI.SPRIV) in the DAC policy. F.DAC.OBA states that the object and any associated object privileges are considered by the DAC policy. F.DAC.POL is a statement of the DAC policy. FDP_ACF.1.2 F.IA.CNF F.DAC.OBID F.DAC.OBREF F.DAC.POL F.PRI.SPRIV F.AUD.CNF F.DAC.POL a) and b) specifies access to objects based on ownership or object privileges. F.DAC.OBID and F.DAC.OBREF are relevant as they define object owner- ship which is the basis of the DAC policy. FPRI.SPRIV is relevant as it defines which privileges are enabled for any user. F.IA.CNF and F.AUD.CNF are relevant I&A data and the audit trail are subject to the DAC policy. FDP_ACF.1.3 F.DAC.POL F.PRI.SPRIV F.AUD.CNF F.DAC.POL c) specifies access to objects based on ena- bled system privileges. F.DAC.POL d) and e) cover access via connections AS SYSDBA and AS SYSOPER. F.SPRIV is relevant as it defines which privileges are enabled for any user. F.AUD.CNF is relevant as the audit trail is subject to the DAC policy FDP_ACF.1.4 N/A This SFR does not mandate any functionality. It is included for compliance with the CC. FDP_RIP.2.1 F.DAC.OR F.DAC.OR satisfies FDP_RIP.2.1 directly. FMT_MSA.1. 1 F.APR.GOP F.APR.ROP F.APR.GRSP F.APR.GRR F.APR.GOP and F.APR.ROP cover FMT_MSA.1.1 a) which is concerned with modifying object privileges. F.APR.GRSP covers FMT_MSA.1.1 b) which is con- cerned with modifying system privileges. F.APR.GRR covers FMT_MSA.1.1 c) which is concerned with modi- fying roles. FMT_MSA.3. 1 F.DAC.POL F.PRI.SPRIV F.DAC.POL and F.PRI.SPRIV implicitly include restric- tive default values. If a user has not been explicitly granted the necessary privilege or a role containing the required privilege then the requested action will not suc- ceed. FMT_MSA.3. 2 F.DAC.OBA F.DAC.POL F.APR.GOP F.APR.GRSP F.APR.GRR Unless access to an object has been explicitly granted, as described in F.DAC.OBA, F.APR.GOP, F.APR.GRSP and F.APR.GRR, no access will be allowed. On object creation no object privileges are granted and it is not pos- sible to configure this to be the case. F.DAC.POL is rele- vant as it enforces the database object access SFP. FMT_MTD.1. 1 F.IA.ATT F.LIM.CNF F.APR.GOP F.APR.ROP F.APR.GRSP F.APR.GRR F.AUD.ACC F.AUD.DEL These TOE security functions are concerned with the modification of TSF data (security attributes and audit data). This data is stored in the data dictionary and is pro- tected from unauthorised access by the same mechanism as all other data in the database. F.IA.ATT and F.LIM.CNF cover identification and authentication data and resource limit attributes. F.APR.* cover privilege and role TSF data. F.AUD.* cover audit data. Table 10: TOE Security Function Suitability and Binding SFR TOE Security Functions Rationale Security Target for Oracle Database 10g 53 Release 1 (10.1.0) November 2005 Issue 1.1 FMT_REV.1.1 F.LIM.CNF F.APR.ROP F.APR.GRSP F.APR.GRR Only suitably privileged users can revoke (or modify) the following attributes: resource limits (F.LIM.CNF), object privileges (F.APR.ROP), system privileges (F.APR.GRSP) and roles (F.APR.GRR). FMT_REV.1.2 F.PRI.SPRIV Directly granted privileges and roles are revoked imme- diately. This is more rigorous than SFR FMT_REV.1.2. Revocation of roles takes effect when a role is re-enabled in the current session or a new user session is created. FMT_SMF.1. 1 F.IA.ATT F.LIM.CNF F.APR.GOP F.APR.ROP F.APR.GRSP F.APR.GRR F.AUD.ACC F.AUD.DEL These TOE security functions are concerned with the management functions provided by the TOE. These functions relate to TSF data (security attributes and audit data). This data is stored in the data dictionary and is protected from unauthorised access by the same mechanism as all other data in the database. F.IA.ATT and F.LIM.CNF cover identification and authentica- tion data and resource limit attributes. F.APR.* cover privilege and role TSF data. F.AUD.* cover audit data. FMT_SMR.1. 1 F.IA.UID F.IA.CSA F.IA.CSN F.APR.GRR F.IA.UID, F.IA.CSA and F.IA.CSN in combination ensure that the TSF maintains normal database users and database administrative users. F.APR.GRR covers data- base roles defined by a suitably authorised user. FMT_SMR.1. 2 F.IA.CSA F.APR.DER F.APR.EDR F.PRI.PRX F.APR.DER and F.APR.EDR cover granting database roles to database users. F.IA.CSA is relevant because it specifies how to allow a user to connect AS SYSDBA or AS SYSOPER. F.PRI.PRX covers database roles availa- ble to a proxy user session. FPT_RVM.1.1 F.IA.IDE F.DAC.POL F.IA.IDE ensures that the TOE always knows who the current user is.F.DAC.POL ensures that the database access control policy is upheld for this user. FPT_SEP.1.1 F.IA.IDE F.DAC.SEP F.IA.IDE ensures that the identity of the user associated with each interaction with the TOE is clear. F.DAC.SEP ensures that the interactions between different users and the TOE cannot interfere with each other. Additionally there is no way to access the TOE except through the evaluated interfaces described by the TOE security func- tions. FPT_SEP.1.2 F.IA.IDE F.DAC.SEP F.IA.IDE ensures that the identity of the user associated with each interaction with the TOE is clear. F.DAC.SEP ensures that the interactions between different users and the TOE cannot interfere with each other. FRU_RSA.1.1 F.LIM.CNF F.LIM.POL F.LIM.NSESS F.LIM.TIME F.LIM.RSESS F.LIM.RCALL F.LIM.CNF covers configuration of the resource quotas. F.LIM.POL, F.LIM.NSESS, F.LIM.TIME, F.LIM.RSESS and F.LIM.RCALL enforces the resource quotas configured. FTA_MCS.1.1 F.LIM.NSESS F.LIM.NSESS directly satisfies FTA_MCS.1.2 Table 10: TOE Security Function Suitability and Binding SFR TOE Security Functions Rationale 54 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 PP Claims Rationale Chapter 5 lists all of the SFRs included in this security target; this list includes all of the SFRs identified in the DBMS PP. All of the operations applied to the SFRs derived from the DBMS PP [DPP] are in accordance with the requirements of the DBMS PP. FTA_MCS.1.2 F.LIM.NSESS F.LIM.POL As with FTA_MCS.1.1 except that F.LIM.POL ensures that the default number of concurrent sessions allowed is enforced if a user specific configuration has not been specified. FTA_TSE.1.1 F.IA.CSN F.IA.CSA F.IA.CSN and F.IA.CSA define the pre-requisites for session establishment, including possession of the CRE- ATE SESSION privilege and being identified as SYS- DBA/SYSOPER, respectively. These are configured on the basis of individual user identity. Therefore, it is pos- sible to deny access based on user identity. FAU_GEN.1.1 F.AUD.SOM F.AUD.SEV F.AUD.ALW The database audit functionality is always active. Whether or not auditing is actually performed is depend- ent on the configuration of a parameter in the init.ora file which is controlled by the OS. F.AUD.SOM, F.AUD.SEV and F.AUD.ALW ensure all actions config- ured to be audited are audited. FAU_GEN.1.2 F.AUD.INF F.AUD.INF directly satisfies FAU_GEN.1.2 FAU_GEN.2.1 F.AUD.INF F.AUD.INF directly satisfies FAU_GEN.2.1 FAU_SAR.1.1 F.AUD.ACC F.AUD.ACC directly satisfies FAU_SAR.1.1 FAU_SAR.1.2 F.AUD.VIEW F.AUD.VIEW directly satisfies FAU_SAR.1.2 FAU_SAR.3.1 F.AUD.VIEW F.AUD.ACC F.AUD.VIEW satisfies FAU_SAR.3.1. Additionally F.AUD.ACC determines which records are available to the user for selection. FAU_SEL.1.1 F.AUD.SOM F.AUD.SEV F.AUD.ALW F.AUD.CNF F.AUD.SEV and F.AUD.CNF allow a suitably privi- leged user to configure exactly which events should be audited. F.AUD.SOM and F.AUD.ALW specify events that are always audited. Note that for audit records data- base subjects are always the database users, so that for example an audit record generated by a stored procedure will be generated with the username of the invoker, not that of the procedure or the procedure owner. FAU_STG.1.1 F.AUD.DEL F.AUD.DEL directly satisfies FAU_STG.1.1. FAU_STG.1.2 F.AUD.DEL F.AUD.DEL protects audit records from unauthorised modification or deletion. FAU_STG.4.1 F.AUD.FULL F.AUD.FULL directly satisfies FAU_STG.4.1 Table 10: TOE Security Function Suitability and Binding SFR TOE Security Functions Rationale Security Target for Oracle Database 10g 55 Release 1 (10.1.0) November 2005 Issue 1.1 Assurance Measures Rationale Table 7 in Chapter 6 demonstrates that all assurance requirements are suitably met by one or more assurance measures. 56 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 This Page Intentionally Blank Security Target for Oracle Database 10g 57 Release 1 (10.1.0) November 2005 Issue 1.1 A N N E X A References [AD] Architecture for Oracle Database 10g Release 1 (10.1.0), Oracle Corporation. [ADG] Oracle Database Application Developer’s Guide - Fundamentals,10g Release 1 (10.1), Oracle Corporation. [CC] Common Criteria for Information Technology Security Evaluation, Version 2.2, ISO/IEC 15408, CCIMB-2004-01, 001, January 2004. [CM] Oracle Database Configuration Management Plan, 10g Release 1 (10.1.0), Oracle Corporation. [CON] Oracle Database Concepts, 10g Release 1 (10.1), Oracle Corporation. [DAG] Oracle Database Administrator’s Guide, 10g Release 1 (10.1), Oracle Corporation. [DD] Detailed Design for Oracle Database 10g Release 1 (10.1.0), Oracle Corporation. [DPP] Database Management System Protection Profile (DBMS PP), Issue 2.1, Oracle Cor- poration, May 2000. [DT] Design Traceability for Oracle Database 10g Release 1 (10.1.0), Oracle Corporation. [DSZ0257] Certification Report BSI-DSZ-CC-0257-2004, for Red Hat Enterprise Linux AS, Version 3 Update 2, August 2004. Available from http://www.bsi.bund.de/zertifiz/zert/reporte/0257a.pdf. [ECD] Evaluated Configuration Document for Oracle Database 10g Release 1 (10.1.0), 58 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 Oracle Corporation. [ERR] Oracle Database Error Messages, 10g Release 1 (10.1), Oracle Corporation. [FIPS46-3] Federal Information Processing Standard Publication 46-3, National Institute of Standards and Technology (NIST), October 1999. [FIPS81] Federal Information Processing Standard Publication 81, National Institute of Standards and Technology (NIST), December 1980. [FLR] Oracle Flaw Remediation Procedures, Oracle Corporation. [GA] Guidance Analysis for Oracle Database, 10g Release 1 (10.1.0), Oracle Corporation. [ICG] Oracle Database Installation and Configuration Guide, 10g Release 1 (10.1), Oracle Corporation. [ITSEC] Information Technology Security Evaluation Criteria, Issue 1.2, Commission of the European Communities, 28 June 1991. [LCS] Life Cycle Support for Oracle Database 10g, Release 1 (10.1.0), Oracle Corporation. [MEMO 1] CESG Computer Security Memorandum No. 1 - Glossary of Computer Security Terms, Issue 2.0, November 1989. [OCI] Oracle Database Call Interface Programmers Guide, 10g Release 1 (10.1), Oracle Corporation. [OQM] Quality Manual for Manufacturing & Distribution, Oracle Corporation. [PLS] PL/SQL User’s Guide and Reference, 10g Release 1 (10.1), Oracle Corporation. [SG] Oracle Database Security Guide, 10g Release 1 (10.1), Oracle Corporation. [SODE] Security of the Oracle Development Environment, Oracle Corporation. [SOF] Strength of Function Analysis for Oracle Database 10g Release 1 (10.1.0), Oracle Corporation. [SQL] Oracle Database SQL Reference, 10g Release 1 (10.1), Oracle Corporation. [SQL92] Database Language SQL, ISO/IEC 9075:1992 and ANSI X3.135-1992 Security Target for Oracle Database 10g 59 Release 1 (10.1.0) November 2005 Issue 1.1 [SPM] Security Policy Model for Oracle Database 10g Release 1 (10.1.0), Oracle Corporation. [SRC] Oracle Database Source Code 10g, Release 1 (10.1.0), Oracle Corporation. [SRF] Oracle Database Reference, 10g Release 1 (10.1), Oracle Corporation. [ST9i] Security Target for Oracle9i, Release 2 (9.2.0), Issue 0.5, Oracle Corporation. [TCSEC] Trusted Computer Security Evaluation Criteria, Department of Defense, United States of America, DoD 5200.28-STD, December 1985. [TP] Test Plan, Procedures, Results, and Analysis for Oracle Database 10g Release 1 (10.1.0), Oracle Corporation. [VA] Vulnerability Analysis for Oracle Database 10g Release 1 (10.1.0), Oracle Corporation. 60 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 This Page Intentionally Blank Security Target for Oracle Database 10g 61 Release 1 (10.1.0) November 2005 Issue 1.1 A N N E X B Glossary Acronyms DAC Discretionary Access Control DDL Data Definition Language DES Data Encryption Standard DML Data Manipulation Language O-RDBMS Object-Relational Database Management System SF Security Function SFP Security Function Policy SFR Security Functional Requirement SOF Strength of Function SQL Structured Query Language TOE Target Of Evaluation TSC TOE Scope of Control TSF TOE Security Functions TSFI TSF Interface 62 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 TSP TOE Security Policy Terms Authorised administrative user Another name for a Database Administrative User. Data Definition Language (DDL) The SQL statements used to define the schema and schema objects in a database [SQL] Data dictionary A set of internal Oracle tables that contain information about the logical and physical structure of the database. [SCN] Data Encryption Standard (DES) A standard for encryption, FIPS PUB 46-3 and FIPS PUB 81. [FIPS46-3],[FIPS81] Data Manipulation Language (DML) The SQL statements used to query and manipulate data in schema objects [SQL] Data server A component of a DBMS that supports concurrent access to a database by multiple users, possibly at different nodes in a distributed environment. [ST] Database A collection of data that is treated as a unit; the general purpose of a database is to store and retrieve related information [SCN] Database administrative user A database user to whom one or more administrative privileges have been granted. [DPP] This includes users connected AS SYSOPER or AS SYSDBA as well as Normal Users who are authorised to perform an administrative task via the posession of an administrative privilege which permits the operation of the task. Database connection A communication pathway between a user and a DBMS. [DPP] Database link A definition of a one-way communication path from an Oracle database to another da- tabase. [SCN] Database non-administrative user A database user who only has privileges to perform operations in accordance with the TSP. [DPP] Database object An object contained within a database. [DPP] Database session A connection of an identified and authenticated user to a specific database; the session lasts from the time the user connects (and is identified and authenticated) until the time the user disconnects. [DPP] Database subject A subject that causes database operations to be performed. [DPP] Database user A user who interacts with a DBMS and performs operations on objects stored within Security Target for Oracle Database 10g 63 Release 1 (10.1.0) November 2005 Issue 1.1 the database. [DPP] Discretionary Access Control Access control based on access rights granted by users other than the System Security Officer. [MEMO 1] Instance The combination of a set of Oracle background processes and memory that is shared among the processes. A database instance must be started (the shared memory allocat- ed and the background processes created) by an authorised administrative user before the database managed by the instance can be accessed. [SCN] Interface product A TOE component that resides in a user process and can be used to communicate with an Oracle database server in a secure manner. [ST] Normal User A database user who has made a normal connection to the database. This can include the users SYS and SYSTEM but excludes users connected AS SYSOPER or AS SYSDBA. Object An entity within the TSC that contains or receives information and upon which sub- jects perform operations. Objects are visible through the TSFI and are composed of one or more TOE resources encapsulated with security attributes. [CC] Object-Relational Database Management System (ORDBMS) A DBMS that supports object-oriented technology as well as relational databases. [SCN] Owner The owner of a named database object is the database user who is responsible for the object and may grant other database users access to the object on a discretionary basis. [DPP] Platform The combination of software and hardware underlying the DBMS. [ST] Privilege A right to access objects and/or perform operations that can be granted to some users and not to others. [DPP] Privilege, database administrative A privilege authorising a subject to perform operations that may bypass, alter, or indi- rectly affect the enforcement of the TSP. [DPP] Privilege, database object access A privilege authorising a subject to access a named database object. [DPP] Privilege, directly granted An Oracle system or object privilege that has been explicitly granted to a user. Priv- ileges granted to any roles the user has been granted are not included in the set of di- rectly granted privileges. [SCN] Privilege, object An Oracle privilege that allows users to perform a particular action on a specific sche- ma object. Oracle object privileges are database object access privileges. [SCN] Privilege, system An Oracle privilege that allows users to perform a particular system-wide action or a particular action on a particular type of object. Some Oracle system privileges are da- tabase administrative privileges. [SCN] Program unit A PL/SQL program; a procedure, function, or package. [PLS] 64 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 Role (CC) A predefined set of rules establishing the allowed interactions between a user and the TOE. [CC] Role (Oracle) A named group of related system and/or object privileges that can be granted to users or to other roles. [SCN] Schema A collection of logical structures of data (schema objects), owned by a specific data- base user. [SQL] Security attribute Information associated with subjects, users, and/or objects which is used for the en- forcement of the TSP. [CC] Security domain The set of objects that a subject has the ability to access. [TCSEC] Security Function (SF) A part or parts of the TOE which have to be relied upon for enforcing a closely related subset of the rules from the TSP. [CC] Security Function Policy (SFP) The security policy enforced by a SF. [CC] Security Functional Requirement (SFR) A security functional requirement defined in a protection profile or security target. [CC] Server process An Oracle process that services requests for access to an Oracle database from con- nected user processes. [SCN] SOF-high A level of the TOE strength of function where analysis shows that the function pro- vides adequate protection against deliberately planned or organised breach of TOE se- curity by attackers possessing a high attack potential. [CC] SQL statement A string of SQL text containing a command and supporting clauses. All access to an Oracle database is via SQL statements. [SCN] Strength of Function (SOF) A qualification of a TOE security function expressing the minimum efforts assumed necessary to defeat its expected security behaviour by directly attacking its underlying security mechanisms. [CC] Structured Query Language (SQL) A standardised database access language; Oracle8 SQL is a superset of the ANSI/ISO SQL92 standard at entry level conformance. [SQL] Subject An entity within the TSC that causes operations to be performed. [CC] Suitably authorised user A user who is authorised to perform an administrative task via the posession of an ad- ministrative privilege which permits the operation of the task. This includes users con- nected AS SYSOPER or AS SYSDBA as well as privileged Normal Users. System A specific IT installation, with a particular purpose and operational environment [CC] Target Of Evaluation (TOE) The product or system being evaluated. [CC] TOE resource Anything usable or consumable in the TOE. [CC] Security Target for Oracle Database 10g 65 Release 1 (10.1.0) November 2005 Issue 1.1 TOE Scope of Control (TSC) The set of interactions which can occur with or within a TOE and are subject to the rules of the TSP. [CC] TOE Security Functions (TSF) A set consisting of all the software of the TOE that must be relied on for the correct enforcement of the TSP. [CC] TOE Security Policy (TSP) A set of rules that regulate how assets are managed, protected and distributed within a TOE. [CC] TSF Interface (TSFI) A set of interfaces, whether interactive (man-machine interface) or programmatic (ap- plication programming interface), through which TOE resources are accessed, medi- ated by the TSF, or information is obtained from the TSF. [CC] User Any entity (human or machine) outside the TOE that interacts with the TOE. [CC] User process A process that requests services, on behalf of a user or application, from an Oracle server process. [SCN] 66 Security Target for Oracle Database 10g Release 1 (10.1.0) November 2005 Issue 1.1 This Page Intentionally Blank