122-B

UK IT SECURITY EVALUATION AND CERTIFICATION SCHEME

COMMON CRITERIA CERTIFICATION REPORT No. P212

Oracle Label Security for Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0) running on SuSE Linux Enterprise Server V8

Issue 1.0
February 2005

© Crown Copyright 2005

Reproduction is authorised provided the report is copied in its entirety

UK IT Security Evaluation and Certification Scheme, Certification Body, CESG, Hubble Road, Cheltenham GL51 0EX, United Kingdom

OLS for Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0) running on SuSE Linux Enterprise Server V8: EAL4 augmented by ALC_FLR.3, DBMS PP. Page ii, Issue 1.0, February 2005.

ARRANGEMENT ON THE RECOGNITION OF COMMON CRITERIA CERTIFICATES IN THE FIELD OF INFORMATION TECHNOLOGY SECURITY

The Certification Body of the UK IT Security Evaluation and Certification Scheme is a member of the above Arrangement and as such this confirms that the Common Criteria certificate has been issued by or under the authority of a Party to this Arrangement and is the Party’s claim that the certificate has been issued in accordance with the terms of this Arrangement.

The judgements contained in the certificate and Certification Report are those of the Qualified Certification Body which issued it and of the Evaluation Facility which carried out the evaluation. There is no implication of acceptance by other Members of the Agreement Group of liability in respect of those judgements or for loss sustained as a result of reliance placed upon those judgements by a third party.

Trademarks: All product and company names are used for identification purposes only and may be trademarks of their owners.

CERTIFICATION STATEMENT

Oracle Label Security (OLS) Release 2 (9.2.0.1.0) is a security option for Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0).
Both products were developed by Oracle Corporation.

Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0) is an object-relational database management system. OLS Release 2 (9.2.0.1.0) enables application developers to add label-based access control to their Oracle9i applications, in addition to the discretionary access control provided by Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0).

OLS Release 2 (9.2.0.1.0), used with Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0), has been evaluated under the terms of the UK IT Security Evaluation and Certification Scheme and has met the CC Part 3 augmented requirements of Evaluation Assurance Level EAL4 (i.e. augmented by ALC_FLR.3), for the specified CC Part 2 conformant functionality in the specified environment when running on the platforms specified in Annex A.

OLS Release 2 (9.2.0.1.0), used with Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0), was evaluated on SuSE Linux Enterprise Server V8, which has previously been certified to EAL3 augmented by ALC_FLR.2.

When running on the operating system platform specified in Annex A, OLS Release 2 (9.2.0.1.0) used with Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0), conforms to the CC Database Management System Protection Profile with the Database Authentication functional package. When used in conjunction with that operating system platform, which conforms to the CC Controlled Access Protection Profile, OLS Release 2 (9.2.0.1.0) used with Oracle9i Database Enterprise Edition Release 9.2.0.1.0 can be used to provide security for systems that have historically required TCSEC C2 (or equivalent security functionality) for databases.

OLS Release 2 (9.2.0.1.0) used with Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0) has previously been certified to EAL4 augmented by ALC_FLR.3, when running on Sun Solaris Version 8 and on Microsoft Windows NT Version 4.0.
Originator: CESG Certifier
Approval and Authorisation: CESG Technical Manager of the Certification Body
Date authorised: 11 February 2005

TABLE OF CONTENTS

CERTIFICATION STATEMENT
TABLE OF CONTENTS
ABBREVIATIONS
REFERENCES
I. EXECUTIVE SUMMARY
   Introduction
   Evaluated Product
   TOE Scope
   Protection Profile Conformance
   Assurance
   Strength of Function Claims
   Security Function Policy
   Security Claims
   Evaluation Conduct
   General Points
II. EVALUATION FINDINGS
   Introduction
   Delivery
   Installation and Guidance Documentation
   Flaw Remediation
   Strength of Function
   Vulnerability Analysis
   Platform Issues
III. EVALUATION OUTCOME
   Certification Result
   Recommendations
ANNEX A: EVALUATED CONFIGURATION
ANNEX B: PRODUCT SECURITY ARCHITECTURE
ANNEX C: PRODUCT TESTING

ABBREVIATIONS

CAPP      Controlled Access Protection Profile
CC        Common Criteria
CEM       Common Evaluation Methodology
CESG      Communications-Electronics Security Group
CLEF      Commercial Evaluation Facility
DAC       Discretionary Access Control
DBMS      Database Management System
DML       Data Manipulation Language
EAL       Evaluation Assurance Level
ETR       Evaluation Technical Report
ITSEC     IT Security Evaluation Criteria
LBAC      Label-Based Access Control
OCI       Oracle Call Interface
OLS       Oracle Label Security
ONS       Oracle Net Services
O-RDBMS   Object-Relational Database Management System
OS        operating system
PL/SQL    Programming Language/Structured Query Language
PP        Protection Profile
RC        Release Candidate
RDBMS     Relational Database Management System
SFP       Security Function Policy
SFR       Security Functional Requirement
SOF       Strength of Function
SP        Service Pack
SQL       Structured Query Language
SQLJ      Structured Query Language Java
TCSEC     Trusted Computer System Evaluation Criteria
TOE       Target of Evaluation
TSF       TOE Security Functions
TSFI      TOE Security Functions Interface
UFS       Unix File System
UKSP      United Kingdom Scheme Publication
VPD       Virtual Private Database

REFERENCES

Standards and Criteria

a. Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model, Common Criteria Interpretations Management Board, CCIMB-2004-01-001, Version 2.2, January 2004.

b. Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Requirements, Common Criteria Interpretations Management Board, CCIMB-2004-01-002, Version 2.2, January 2004.

c. Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Requirements, Common Criteria Interpretations Management Board, CCIMB-2004-01-003, Version 2.2, January 2004.

d. Common Methodology for Information Technology Security Evaluation, Part 2: Evaluation Methodology, Common Criteria Interpretations Management Board, CCIMB-2004-01-004, Version 2.2, January 2004.

e. Database Management System Protection Profile, Oracle Corporation, Issue 2.1, May 2000.

f. Controlled Access Protection Profile, US National Security Agency, Version 1.d, 8 October 1999.

g. Description of the Scheme, UK IT Security Evaluation and Certification Scheme, UKSP 01, Issue 5.0, July 2002.

h. CLEF Requirements: Part I – Startup and Operation, UK IT Security Evaluation and Certification Scheme, UKSP 02 Part I, Issue 4.0, April 2003.

i.
CLEF Requirements: Part II – Conduct of an Evaluation, UK IT Security Evaluation and Certification Scheme, UKSP 02 Part II, Issue 1.1, October 2003.

Previous Certification Reports

j. Common Criteria Certification Report No. P211: Oracle9i Database Enterprise Edition Release 9.2.0.1.0, UK IT Security Evaluation and Certification Scheme, Issue 1.0, February 2005.

k. Common Criteria Certification Report No. P179: Oracle Label Security for Oracle9i Database Enterprise Edition Release 9.2.0.1.0, UK IT Security Evaluation and Certification Scheme, Issue 1.0, September 2003.

l. Common Criteria Certification Report No. P169: Oracle Label Security for Oracle8i Database Server Enterprise Edition Release 8.1.7.3.0, UK IT Security Evaluation and Certification Scheme, Issue 1.0, March 2003.

m. Common Criteria Certification Report No. BSI-DSZ-CC-0234-2004: SuSE Linux Enterprise Server V8 Service Pack 3, RC4 with certification-sles-eal3 package, Bundesamt für Sicherheit in der Informationstechnik, Germany, 14 January 2004.

TOE Evaluation Reports

n. Task LFL/T151 Evaluation Technical Report 1, Logica CLEF, CLEF.28286.T151.30.1, Issue 0.4, 17 May 2002.

o. Task LFL/T151 Evaluation Technical Report 2, Logica CLEF, 336.EC28286.T151:30.2, Issue 0.9, 23 August 2002.

p. Task LFL/T151 Evaluation Technical Report 3, Logica CLEF, 336.EC28286:T151.30.3, Issue 1.0, 9 June 2003.

q. Task LFL/T151 Evaluation Technical Report 4, LogicaCMG CLEF, 310.EC28286.T151.30.4, Issue 0.9, 1 November 2004.

Evidence for Evaluation and Certification

r. OLS Security Target for Oracle9i, Release 2 (9.2.0), Oracle Corporation, Issue 0.8, December 2003.

s. OLS Evaluated Configuration for Oracle9i, Release 2 (9.2.0), Oracle Corporation, Issue 1.0, September 2004.
t. Oracle9i Database Administrator’s Guide, Release 2 (9.2), Oracle Corporation, Part No. A96521-01, March 2002.

u. Oracle9i Database Concepts, Release 2 (9.2), Oracle Corporation, Part No. A96524-01, March 2002.

v. Oracle9i Database Error Messages, Release 2 (9.2), Oracle Corporation, Part No. A96525-01, March 2002.

w. Oracle9i Database Reference, Release 2 (9.2), Oracle Corporation, Part No. A96536-02, October 2002.

x. Oracle9i SQL Reference, Release 2 (9.2), Oracle Corporation, Part No. A96540-02, October 2002.

y. Oracle Label Security Administrator’s Guide, Release 2 (9.2), Oracle Corporation, Part No. A96578-01, March 2002.

z. How To Get Started, Oracle Corporation, Part No. A97375-01.

aa. SLES Security Guide, Klaus Weidner, atsec GmbH and IBM Corporation, Version 2.33, 4 December 2003. Available from: http://www.novell.com/linux/security/eal3/SLES8_EAL3_SecurityGuide.pdf

bb. Installation Instructions for Oracle9i Release 2 (9.2) on SuSE Linux Enterprise Server 8 Powered by United Linux 1.0, SuSE Inc., 2003. Available from: http://ftp.novell.com/partners/oracle/docs/920_sles8_install.pdf

I. EXECUTIVE SUMMARY

Introduction

1.
This Certification Report states the outcome of the Common Criteria (CC) IT security evaluation of Oracle Label Security Release 2 (9.2.0.1.0) (‘OLS’), used with Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0) (‘Oracle9i’), running on SuSE Linux Enterprise Server V8, to the Sponsor (Oracle Corporation) and is intended to assist prospective consumers when judging the suitability of the product for their particular requirements.

2. Prospective consumers are advised to read this report in conjunction with the Security Target [Reference r], which specifies the functional, environmental and assurance evaluation requirements.

3. Oracle Label Security Release 2 (9.2.0.1.0), used with Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0) has previously been certified to EAL4 augmented by ALC_FLR.3, when running on Sun Solaris Version 8 (‘Solaris8’) and on Microsoft Windows NT Version 4.0 (‘NT4.0’). See Certification Report P179 [k].

Evaluated Product

4. The version of the product evaluated was: Oracle Label Security Release 2 (9.2.0.1.0), used with Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0).

5. This report describes the product as the Target of Evaluation (TOE) and identifies it as ‘Oracle9iOLS’. The Developer was Oracle Corporation.

6. Oracle9i is an Object-Relational Database Management System (O-RDBMS) that has been developed to provide comprehensive security functionality for multi-user distributed database environments.

7. OLS provides label-based access control (LBAC), in addition to the discretionary access control (DAC) provided by Oracle9i. OLS mediates the labels and privileges associated with each user session and it controls access to rows in database tables, based on the label(s) contained in each row.

8.
The main security features provided by the TOE are as follows:

• user identification and authentication, with password management options;
• DAC on database objects;
• LBAC;
• granular privileges for the enforcement of least privilege;
• user-configurable roles for privilege management;
• extensive and flexible auditing options;
• secure access to remote Oracle databases;
• stored procedures, triggers and security policies for user-defined access controls and auditing.

9. When used in conjunction with the operating system platform specified in Annex A, which conforms to the CC Controlled Access Protection Profile (CAPP) [f], Oracle9iOLS can be used to provide security for systems that have historically required Trusted Computer System Evaluation Criteria (TCSEC) C2 (or equivalent security functionality) for databases.

10. Annex A summarises the evaluated configuration, including its guidance documentation. Annex B outlines the security architecture. Annex C summarises the product testing.

TOE Scope

11. The scope of the certification includes the following Oracle server products:

• Oracle Label Security Release 2 (9.2.0.1.0);
• Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0).

12. Access to the above products is provided via the Oracle Call Interface (OCI) Release 2 (9.2.0.1.0) product, which constitutes the TOE Security Functions Interface (TSFI).

13. OCI Release 2 (9.2.0.1.0) is part of the evaluated configuration of the TOE. It provides a client-side, application programming interface (API) for developing database applications written in high level languages such as C.

14. The TOE can operate in standalone, client/server and distributed configurations.
Oracle client products are outside the scope of the TOE’s certification; the Evaluators used Oracle9i Client Release 2 (9.2.0.1.0), but only for testing the TOE. Database links may be provided to connect different O-RDBMS servers over a network.

15. The TOE can also operate in a multi-tier environment, but that is actually a particular type of client/server configuration in which the client application is located on a middle-tier, whilst the user interface is located on a separate ‘thin’ client (e.g. a web browser or a network terminal). In a multi-tier environment, any middle tier that communicates with the server is an Oracle client (which is outside the scope of the certification) and any lower tiers are also outside the scope of the certification.

16. The scope of the certification applies to the TOE running on the following operating system platform: SuSE Linux Enterprise Server V8 Service Pack (SP) 3, Release Candidate (RC) 4 with certification-sles-eal3 package (identified in this report as ‘SLES8’).

17. Annex A summarises the platforms on which the TOE was evaluated.

18. The previously evaluated version of the product was OLS Release 8.1.7.3.0 used with Oracle8i Database Server Enterprise Edition Release 8.1.7.0.0, identified in this report as ‘Oracle8iOLS’; see its Certification Report [l].
The TOE includes the following new or modified security related features since Oracle8iOLS (the OLS specific feature is indicated by *, otherwise the features are provided by Oracle9i):

• partitioned fine-grained access control, known as Virtual Private Database (VPD);
• secure application roles;
• fine-grained auditing;
• SYS auditing;
• global application context;
• flashback query;
• EXEMPT ACCESS POLICY system privilege;
• GRANT ANY OBJECT PRIVILEGE system privilege;
• synonyms for VPD policies;
• OLS - releasabilities (also known as nationality caveats). *

19. The TOE should not be connected to any untrusted or potentially hostile network (such as the Internet), unless additional security measures are applied. Hence use of the TOE when connected to such a network is outside the scope of the certification.

20. The scope of the certification also excludes various features of the product which are related to security but do not directly address any of the functional requirements identified in the Security Target [r]. Those features, which are specified in the section ‘Other Oracle9i Security Features’ in Chapter 2 of the Security Target, are as follows:

• data integrity;
• import/export;
• backup and recovery;
• Oracle Advanced Security;
• supplied packages;
• Oracle Policy Manager;
• external authentication services;
• application-specific security;
• support for Structured Query Language Java (SQLJ).

Protection Profile Conformance

21. The Security Target [r] claims conformance with the CC Database Management System Protection Profile (DBMS PP) [e], with that profile’s Database Authentication functional package, when running on SLES8.

22. The evaluated configuration of the TOE, running on SLES8, supports one mode of authentication in accordance with the above claim, namely O-RDBMS Mode.
In that mode, Database Authentication is performed directly by the Oracle9i server, using passwords managed directly by that server.

Assurance

23. The Security Target [r] specifies the assurance requirements for the evaluation. These comprise CC predefined Evaluation Assurance Level EAL4, augmented by ALC_FLR.3.

24. CC Part 1 [a] provides an overview of the CC.

25. CC Part 3 [c] describes the scale of assurance given by predefined levels EAL1 to EAL7.

Strength of Function Claims

26. The Security Target [r] claims that the minimum Strength of Function (SOF) for the TOE is SOF-high. This exceeds the requirement in DBMS PP [e], which requires at least SOF-medium overall for the TOE and the operating system.

27. The claim of SOF-high for the TOE is only applicable to its Database Authentication, which includes a one-way encryption algorithm (modified Data Encryption Standard (DES)) to encrypt passwords before storing them in the database. The Security Target [r] refers to the TOE’s password management functions collectively as the PWD (i.e. password) mechanism and claims SOF-high for the password space that they provide. However the modified DES encryption algorithm is publicly known and as such it is the policy of the UK national authority for cryptographic mechanisms, Communications-Electronics Security Group (CESG), not to comment on its appropriateness or strength.

Security Function Policy

28. The TOE has an explicit access control Security Function Policy (SFP), defined in the following Security Functional Requirements (SFRs) of the TOE:

• (user data protection): FDP_ACC.1, FDP_ACF.1, FDP_IFC.1 and FDP_IFF.2;
• (security management): FMT_MSA.1 and FMT_MSA.3.

29. See the Security Target [r] for further details.

Security Claims

30. The Security Target [r] claims conformance against DBMS PP [e].
In the Security Target:

a. The claimed threats are as per DBMS PP, plus T.LBAC.

b. The claimed Organisational Security Policies are as per DBMS PP, plus P.LABEL and P.INFOFLOW.

c. The claimed assumptions are as per DBMS PP, plus the following:
   i. A.TOE.CONFIG is modified (to refer to the Evaluation Configuration document [s], but is otherwise unchanged); and
   ii. A.MIDTIER and A.USERS are added.

d. The claimed TOE security objectives are as per DBMS PP, plus O.ACCESS.LBAC.

e. The claimed environmental security objectives are as per DBMS PP, plus O.USERS.

f. The claimed SFRs are as per DBMS PP (which draws its SFRs from CC Part 2 [b]), plus additional SFRs (FDP_IFC.1.1, FDP_IFF.2.1 - 2.7, FMT_MOF.1.1, FMT_MSA.1.1.2, FMT_MSA.3.1.2 and FMT_MSA.3.2.2) taken directly from CC Part 2. Use of CC Part 2, as a standard, facilitates comparison with other evaluated products.

g. The claimed assurance requirements are strengthened from those in DBMS PP (i.e. the TOE’s target assurance level is EAL4 augmented with ALC_FLR.3, which exceeds the DBMS PP assurance requirement of EAL3).

31. In the Security Target [r], the specifications of the security functions are grouped as follows:

• identification and authentication (i.e. F.IA);
• access control: database resources (i.e. F.LIM);
• access control: object access control (i.e. F.ACCESS);
• access control: discretionary access control (i.e. F.DAC);
• access control: label-based access control (i.e. F.LBAC);
• access control: roles and privileges (i.e. F.APR and F.PRI);
• audit and accountability (i.e. F.AUD).

Evaluation Conduct

32. The evaluation was performed in accordance with the requirements of the UK IT Security Evaluation and Certification Scheme, as described in United Kingdom Scheme Publication (UKSP) 01 [g] and UKSP 02 [h, i].
The Scheme has established a Certification Body, which is managed by CESG on behalf of Her Majesty’s Government.

33. As stated on page ii of this report, the Certification Body is a member of the Common Criteria Mutual Recognition Arrangement. The evaluation was performed in accordance with the terms of that Arrangement.

34. The purpose of the evaluation was to provide assurance about the effectiveness of the TOE in meeting its Security Target [r], which prospective consumers are advised to read.

35. To ensure that the Security Target [r] gave an appropriate baseline for a CC evaluation, it was itself first evaluated. The TOE was then evaluated against that baseline.

36. The evaluation was performed in accordance with the following requirements:

• the EAL4 requirements specified in CC Part 3 [c];
• the CEM [d];
• the appropriate interpretations.

37. Some results were reused from the following previous evaluations, where such results complied with the above requirements and remained valid for the TOE:

• the evaluation of Oracle9i, running on SLES8, to EAL4 augmented with ALC_FLR.3 (see Certification Report P211 [j]);
• the evaluation of Oracle8iOLS to EAL4 (see Certification Report P169 [l]).

38. The Certification Body monitored the evaluation, which was performed by the LogicaCMG Commercial Evaluation Facility (CLEF).

39. The evaluation of Oracle9iOLS running on Solaris8 and NT4.0 was completed in June 2003, when the CLEF submitted the last of its Evaluation Technical Reports (ETRs) [n - p] to the Certification Body, who then produced the Certification Report for that evaluation [k].

40. The evaluation of the TOE running on SLES8 was completed in November 2004, when the CLEF submitted its ETR for that evaluation [q] to the Certification Body.
The Certification Body requested further details and, following the CLEF’s satisfactory responses, the Certification Body produced this Certification Report.

General Points

41. The evaluation addressed the security functionality claimed in the Security Target [r], with reference to the assumed operating environment specified in that Security Target. The evaluated configuration is specified in Annex A. Prospective consumers of the TOE are advised to check that it matches their identified requirements and to give due consideration to the recommendations and caveats of this report.

42. Certification is not a guarantee of freedom from security vulnerabilities; there remains a small probability (smaller with greater assurance) that exploitable vulnerabilities may be discovered after a certificate has been awarded. This Certification Report reflects the Certification Body’s view at the time of certification. Consumers (both prospective and existing) should check regularly for themselves whether any security vulnerabilities have been discovered since this report was issued and, if appropriate, should check with the Vendor to see if any patches exist for the product and what assurance exists for such patches.

43. The issue of a Certification Report is not an endorsement of a product.

II. EVALUATION FINDINGS

Introduction

44. The evaluation addressed the requirements specified in the Security Target [r]. The results of this work were reported in the ETR [q] under the CC Part 3 [c] headings.

45. The following sections note considerations of particular relevance to consumers.

Delivery

46. When a consumer orders the TOE from the Vendor, Oracle provides the consumer with the order number and invoice detailing the items ordered.
The order is shipped via a trusted carrier to the consumer, who is informed separately of the identity of the carrier and the shipment details (e.g. the waybill number). Packages are marked with the name and address of the sender, the name and address of the addressee and the Oracle logo.

47. The consumer receives the TOE as a package clearly labelled as: Oracle9i Database Release 2 (9.2.0.1.0) CD Pack for Linux Intel Release: NOV-02, Oracle Part Number A99637-01 v4. The package contains six CDs. Note that ‘OLS’ is not specifically identified on the product packaging, as OLS is delivered as part of Oracle9i as a configurable option.

48. The consumer should check that the order number of the delivery is the same as the order number on the invoice and that the part numbers of all items supplied are the same as indicated on the invoice.

49. The above measures are intended to ensure that a third party could not masquerade as the Vendor and supply potentially malicious software. Nevertheless, the consumer must rely on Oracle’s manufacturing procedures and the trust placed in the carrier, to counter the threat of interference to the TOE along the delivery path. The Evaluators confirmed that Oracle would use high security couriers, or other measures, if required by the consumer.

50. On receiving the TOE, the consumer should check that it is the evaluated version and should check that the security of the TOE has not been compromised during delivery.

51. Oracle makes components of the TOE available for download from Oracle’s websites http://metalink.oracle.com (for existing consumers) and www.oracle.com (for new consumers), but does not provide digital signatures or checksums to enable consumers to verify the identity of the component or its integrity.
The Evaluators and the Certification Body recommend that, where the threat of spoofing of the Oracle websites or the corruption or deliberate modification of TOE components in transit is considered relevant to the TOE’s operational environment, then consumers should obtain delivery of the TOE via physical media (e.g. CD-ROMs for software; printed books for documentation).

Installation and Guidance Documentation

52. The Evaluated Configuration document [s] specifies the steps that a consumer must perform to ensure the secure installation and configuration of the TOE. The Evaluators confirmed that the TOE generated by the installation and configuration procedures is unique, if the steps in the Evaluated Configuration document are followed.

53. Guidance to administrators and end-users regarding security of the TOE is provided in the Evaluated Configuration document [s], the OLS Administrator’s Guide [y] and the Oracle9i Administrator’s Guide [t]. Those documents also indicate how the TOE’s environment can be secured. The procedures in the Evaluated Configuration document that are relevant to end-users are generally limited to common-sense measures (e.g. non-disclosure of passwords).

54. The Evaluated Configuration document [s], the OLS Administrator’s Guide [y] and the Oracle9i Administrator’s Guide [t] refer to supporting documentation [r - bb] as appropriate.

55. The Evaluated Configuration document [s] is released by Oracle to consumers on request. It is anticipated that Oracle may also make the document available for download from one of its websites (e.g. via http://www.oracle.com/technology/deploy/security).

Flaw Remediation

56. Oracle’s flaw remediation information for consumers is available from two websites:

a.
Oracle’s ‘MetaLink’ website (http://metalink.oracle.com), which enables consumers with an Oracle support contract to: i. email details of flaws to Oracle, and receive technical support, by submitting a Technical Assistance Request; ii. receive email alerts from Oracle regarding flaws, fixes and workarounds; iii. read alerts and news posted on the MetaLink website by Oracle regarding flaws, fixes and workarounds; iv. download patches from Oracle via the MetaLinkwebsite. b. Oracle’s public website (http://www.oracle.com), which enables other consumers and the public to: i. email details of security flaws to Oracle, at secalert_us@oracle.com ; ii. read alerts and news posted on the public website by Oracle regarding flaws, fixes and workarounds. 57. Oracle currently issues patches via the Internet (at http://metalink.oracle.com), where they are available only to consumers with an Oracle support contract as noted above. Consumers can guard against spoofing by phoning Oracle support and asking them to check their patch download audit log; an entry in the log would confirm that Oracle initiated the download. OLS for Oracle9i Database Enterprise Edition EAL4 Release 2 (9.2.0.1.0) augmented by ALC_FLR.3 running on SuSE Linux Enterprise Server V8 DBMS PP February2005 Issue 1.0 Page 9 Strength of Function 58. Regarding the TOE’s Database Authentication, the Security Target [r] claims SOF-high for the password space provided by the TOE’s password management functions (i.e. the ‘PWD mechanism’). That claim applies to two different password profiles: a. a password of minimum length 8 characters, with no lockout; b. a password of minimum length 6 characters, with a 1 minute lockout after 3 consecutive failed logon attempts. 59. The Evaluated Configuration document [s] specifies the password controls that must be applied to the password profiles in the evaluated configuration of the TOE. 60. 
The Evaluated Configuration document [s] also specifies a requirement that administrators of the TOE must ensure that “no applications shall be permitted to run on any client or server machines which access the network, unless they have been shown not to compromise the TOE’s security objectives stated in the DBMS PP [e] and the Security Target [r]”. This counters the risk of automated logon attacks from the client when no lockout is configured. 61. The Evaluators found that the TOE’s password space met the SOF-high claim of the Security Target [r]. Vulnerability Analysis 62. The Evaluators searched for vulnerabilities regarding the TOE and its components. They also searched for vulnerabilities in the TOE’s operating system environments (i.e. SLES8) that could be used to compromise the TOE, e.g. from client machines. 63. The Evaluators’ vulnerability analysis was based on public-domain sources and on the visibility of the TOE given by the evaluation process. Platform Issues 64. The TOE was evaluated on the operating system platform and hardware platform specified in Annex A. 65. The certified configuration is that running on those platforms only, i.e. it excludes all other platforms. EAL4 OLS for Oracle9i Database Enterprise Edition augmented by ALC_FLR.3 Release 2 (9.2.0.1.0) DBMS PP running on SuSE Linux Enterprise Server V8 Page 10 Issue 1.0 February2005 (This page is intentionally left blank) OLS for Oracle9i Database Enterprise Edition EAL4 Release 2 (9.2.0.1.0) augmented by ALC_FLR.3 running on SuSE Linux Enterprise Server V8 DBMS PP February2005 Issue 1.0 Page 11 III. EVALUATION OUTCOME Certification Result 66. After due consideration of the ETR [n - q] produced by the Evaluators, and the conduct of the evaluation as witnessed by the Certifier, the Certification Body has determined that Oracle Label Security Release 2 (9.2.0.1.0), used with Oracle9i Database Enterprise Edition Release 2 (9.2. 
0.1.0), meets the CC Part 3 [c] augmented requirements of Evaluation Assurance Level EAL4 (i.e. augmented by ALC_FLR.3), for the CC Part 2 [b] conformant functionality specified in the Security Target [r] in the specified environment when running on the platforms specified in Annex A. 67. Oracle Label Security Release 2 (9.2.0.1.0), used with Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0), was evaluated on: SuSE Linux Enterprise Server V8 SP3, RC4 with certification-sles-eal3 package (which has been certified [m] against CC EAL3, augmented by ALC_FLR.2, with the CC Controlled Access Protection Profile (CAPP) [f]). 68. Oracle Label Security Release 2 (9.2.0.1.0), used with Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0), conforms to DBMS PP [e] with the Database Authentication functional package, when running on that operating system platform. 69. The Strength of Function claim of SOF-high for Database Authentication in the Security Target [r] is satisfied. 70. When used with the operating system platform specified in Annex A, which conforms to CAPP [f], Oracle Label Security Release 2 (9.2.0.1.0) used with Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0) can be used to provide security for systems that have historically required TCSEC C2 (or equivalent security functionality) for databases. 71. This report certifies only the TOE to assurance level EAL4 augmented by ALC_FLR.3, when running on the operating system platform specified in Annex A (i.e. SLES8). Prospective consumers should be aware that: a. SLES8 is not certified to that assurance level; it is certified to EAL3 augmented by ALC_FLR.2, see Certification Report BSI-DSZ-CC-0234-2004 [m]; b. the security functionality of the TOE relies on the security functionality of that operating system platform, as specified in Section 5.5 of the DBMS PP [e]. Recommendations 72. 
Prospective consumers of the TOE should understand the specific scope of the certification by reading this report in conjunction with the Security Target [r]. In particular, certification of the TOE does not apply to its use in an untrusted or potentially hostile network environment (such as the Internet). EAL4 OLS for Oracle9i Database Enterprise Edition augmented by ALC_FLR.3 Release 2 (9.2.0.1.0) DBMS PP running on SuSE Linux Enterprise Server V8 Page 12 Issue 1.0 February2005 73. The product provides some features that were not within the scope of the certification as identified in Chapter I under the heading ‘TOE Scope’. Those features should therefore not be used if the TOE is to comply with its evaluated configuration. 74. Only the evaluated TOE configuration, as specified in Annex A, should be installed. Subsequent updates to the TOE are covered by Oracle’s flaw remediation process. 75. The TOE should be administered and used in accordance with: a. the guidance documentation [s, y, t], which refers to supporting documentation [r - bb] as appropriate; b. the environmental considerations outlined in the Security Target [r] and the Evaluated Configuration document [s]. 76. As stated in DBMS PP [e], it is recommended that TOE administrators ensure that any audit records written to the underlying operating system do not result in space exhaustion on secondary storage devices. TOE administrators should use appropriate operating system tools to monitor the audit log size and to archive the oldest logs before the audit space is exhausted. 77. Further details are given in Chapter I under the heading ‘TOE Scope’ and in Chapter II. OLS for Oracle9i Database Enterprise Edition EAL4 Release 2 (9.2.0.1.0) augmented by ALC_FLR.3 running on SuSE Linux Enterprise Server V8 DBMS PP Annex A February2005 Issue 1.0 Page 13 ANNEX A: EVALUATED CONFIGURATION TOE Identification 1. 
The TOE is uniquely identified as: Oracle Label Security Release 2 (9.2.0.1.0), used with Oracle9i Database Enterprise Edition Release 2 (9.2.0.1.0). TOE Documentation 2. The relevant guidance documents, as evaluated for the TOE or referenced from the evaluated documents, were: • Oracle9iOLS Security Target [r]; • Oracle9iOLS Evaluated Configuration document [s]; • Oracle9iOLS Administrator’s Guide [y]; • Oracle9i Database Administrator’s Guide [t]; • Oracle9i Database Concepts [u]; • Oracle9i Database Error Messages [v]; • Oracle9i Database Reference [w]; • Oracle9i SQL Reference [x]; • How To Get Started [z]; • SLES Security Guide [aa]; • Installation Instructions for Oracle9i on SLES8 [bb]. 3. Further discussion of the guidance documents is provided in Chapter II under the heading ‘Installation and Guidance Documentation’. TOE Configuration 4. The TOE should be installed, configured and maintained in accordance with the Evaluated Configuration document [s], which refers to supporting documentation [r - bb] as appropriate, as indicated above under the heading ‘TOE Documentation’. 5. Annex B.2 of the Evaluated Configuration document [s] specifies exactly the software components that comprise the evaluated configuration of the TOE. 
Those components are listed below for ease of reference (the OLS specific component is indicated by *, otherwise the components are provided by Oracle9i):
• Assistant Common Files 9.2.0.1.0;
• Generic Connectivity Common Files 9.2.0.1.0;
• Generic Connectivity Using Open Database Connectivity (ODBC) 9.2.0.1.0;
• Oracle Net 9.2.0.1.0;
• Oracle Net Listener 9.2.0.1.0;
• Oracle Net Manager 9.2.0.1.0;
• Oracle Net Required Support Files 9.2.0.1.0;
• Oracle Net Services 9.2.0.1.0;
• Oracle Core Required Support Files 9.2.0.1.0;
• Oracle Call Interface 9.2.0.1.0;
• Oracle9i 9.2.0.1.0;
• Oracle9i Database 9.2.0.1.0;
• Oracle9i Development Kit 9.2.0.1.0;
• Oracle Label Security 9.2.0.1.0; *
• Parser Generator Required Support Files 9.2.0.1.0;
• Programming Language/Structured Query Language (PL/SQL) 9.2.0.1.0;
• PL/SQL Embedded Gateway 9.2.0.1.0;
• PL/SQL Required Support Files 9.2.0.1.0;
• Platform Required Support Files 9.2.0.1.0;
• Relational Database Management System (RDBMS) Required Support Files 9.2.0.1.0;
• Required Support Files 9.2.0.1.0.

Environmental Configuration

6. The TOE has no hardware or firmware dependencies.

7. The TOE has software dependencies, in that it relies on the host operating system to:
    a. Protect the TOE’s security features that are within the scope of its evaluation and certification, including its:
        i. access control;
        ii. identification and authentication (N.B. the TOE does not use OS Authentication when running on SLES8);
        iii. auditing (including audit records, if written to the operating system rather than to the database audit trail);
        iv. security management;
        v. secured distributed processing.
    b. Protect the TOE from being bypassed, tampered with, misused or directly attacked.

8. Hence the security of the TOE depends not only on secure administration of the TOE, but also on secure administration of the host operating system in configurations using the TOE.

9. The environmental configuration used by the Developer to test the TOE was as summarised in Table A-1:

| Configuration Type | Oracle9iOLS on SLES8 |
|---|---|
| Machine | Compaq ProLiant DL360 (used as the server and the client) |
| Processor | Intel Pentium III 933MHz / Rev. A |
| Memory | 2GB RAM |
| Operating System | SuSE Linux Enterprise Server V8 SP3, RC4 with certification-sles-eal3 package |
| Drives | 9.1GB hard drive, 1.44MB floppy drive |
| Network Connection | Ethernet adapter with Ethernet connection |

Table A-1: Environmental Configuration (Developer’s Tests)

10. The environmental configuration used by the Evaluators to test the TOE was as summarised in Table A-2:

| Configuration Type | Oracle9iOLS on SLES8 |
|---|---|
| Machine | IBM xSeries 335 (used as the server) [1] |
| Processor | Quad Intel Xeon 2.4GHz |
| Memory | 2GB RAM |
| Operating System | SuSE Linux Enterprise Server V8 SP3, RC4 with certification-sles-eal3 package |
| Drives | 2 x 25GB SCSI discs, IDE DVD drive |
| Network Connection | onboard Broadcom 1GB Ethernet adapter, Ethernet connection |

[1] A Compaq Deskpro EN machine (with Intel Pentium III 866MHz processor, 256MB RAM and 12GB hard disc) was used as the client, running on SLES8, connected to the above server via a Local Area Network (LAN).

Table A-2: Environmental Configuration (Evaluators’ Tests)

11. Further details of the TOE’s environmental configuration are provided in Chapter I under the heading ‘TOE Scope’.

ANNEX B: PRODUCT SECURITY ARCHITECTURE

Introduction

1. The evaluated product was Oracle9iOLS.

2. OLS builds upon the VPD technology of Oracle9i.

3. The Oracle9i security architecture is summarised in Annex B of the Oracle9i Certification Report [j]. The OLS specific security architecture is summarised in the following two sections.

OLS Label-Based Access Control

4. OLS enables application developers to add LBAC to their applications for Oracle9i. If used, OLS mediates access to rows in database tables, based on a label contained in each row and based on the label and privileges associated with each user session.

5. OLS provides an out-of-the-box VPD policy that enables administrative users to create one or more custom security policies for label access decisions, without knowledge of a programming language. There is no need to write the additional code that is normally required for direct use of VPD, because in a single step a security policy can be applied to a given table. In this way, OLS provides a straightforward and efficient way to implement fine-grained security policies using data label technology.

6. Figure B-1 illustrates the process of accessing data under OLS. Within an application and an Oracle9i session, a user issues a SQL request. Oracle9i checks the DAC privileges, checking that the user has SELECT privileges on the table. Then it checks to see if a VPD policy has been attached to the table. It finds that the table is protected by OLS, so the SQL statement is modified on the fly to enforce the policy.
Each data record has a label; OLS is invoked for each row to determine whether, based on the label, the user can or cannot access the row.

Figure B-1: Accessing Data Under OLS

7. To create a customised OLS policy, an administrative user defines a set of labels and a set of rules that govern data access, based on those labels. For example, assume that a user has SELECT privilege on an application table. Figure B-2 illustrates that, when the user executes a SELECT statement, OLS assesses each row selected and determines whether the user can access it (i.e. based on the privileges and access labels assigned to the user by the administrative user). OLS can also be configured to perform security checks on UPDATE, DELETE, and INSERT statements.

Figure B-2: OLS Determines If The User Can Access Each Row Selected

8. OLS mediates access to data in a table according to the label associated with each row of data, the label associated with the user session, the policy privileges associated with the user session, and the policy enforcement options associated with the table. Consider, for example, a standard Data Manipulation Language (DML) operation (such as SELECT) performed upon a row of data. OLS assesses a request by a user with the IN_CONFIDENCE label to access a data row with the IN_CONFIDENCE label; OLS determines that this access can be achieved. In this way, data of different sensitivities, or belonging to different companies, can be stored and managed on a single system, while preserving data security through standard Oracle access controls. Likewise, applications from a broad range of industries can each use row labels to provide additional access control functionality where necessary.

9. Individual application tables can be protected, and not all of the tables in the application need to be protected by an OLS policy. Lookup tables such as zip codes, for example, do not need to be protected. Multiple OLS policies can be created. For example, a human resources policy could co-exist with a defence policy in the same database. Each of the policies can be independently configured and can have its own unique label definitions.

10. In OLS, each row of a table can be labelled as to its level of confidentiality. The label contains three components: a single level or sensitivity ranking; one or more horizontal compartments or categories; and one or more hierarchical groups. The level specifies the sensitivity of the data. A government organisation might define levels UNCLASSIFIED, IN_CONFIDENCE, SENSITIVE and HIGHLY_SENSITIVE. A commercial organisation might define levels PUBLIC and COMPANY_IN_CONFIDENCE data. The compartment component is non-hierarchical; compartments are typically defined to segregate data, such as data related to an ongoing strategic initiative. Finally, groups are used to record ownership and can be used hierarchically. For example, FINANCE, SALES and ENGINEERING groups can be defined as children of a CORPORATION group, creating an ownership relation. Labels can contain a single level component, or a level combined with a set of either compartments or groups, or a level with both compartments and groups.

11. Users can be granted label authorisations for each OLS policy, which determine the kind of access (read or write) they have to the rows in tables to which that policy has been applied.

12. Policy privileges enable a user or stored program unit to bypass aspects of the label-based access control policy.
In addition, the administrator can authorise the user or program unit to perform specific actions, such as the ability of one user to assume the authorisations of a different user. Privileges can be granted to program units, i.e. authorising the procedure (rather than the user) to perform privileged operations.

13. In OLS, administrators can apply different enforcement options for maximum flexibility in controlling the different DML operations that users can perform. For each SELECT, INSERT, UPDATE and DELETE operation, administrative users can specify a particular type of enforcement of the security policy on a per-table basis. In this way, the label-based access controls can be customised for each table.

Audit

14. OLS supplements the Oracle9i audit facility, by tracking the use of its own OLS administrative operations and policy privileges. Under OLS, audit trail records contain a label associated with the session that generated the audit, so that the relationship between operations, data labels and the label of the user performing the operation can be seen.

ANNEX C: PRODUCT TESTING

Developer’s Testing

1. The Developer installed and tested the TOE on the platforms as specified in Annex A.

2. The Developer’s testing was designed to test the security mechanisms of the TOE, which implement the security functions identified in the Security Target [r] and their representations identified in the high level design, low level design and source code modules.

3. The Developer’s testing consisted of an automated test suite and manual test suites.

Evaluators’ Testing

4. The Evaluators installed and tested the TOE on the platforms as specified in Annex A.

5. All of the Evaluators’ testing was performed via the TOE’s external interface (OCI), using SQL.

6. For their testing, the Evaluators used sampling as required for the appropriate work-units for EAL4, following the guidance in CEM [d], Section B.2. They confirmed sample sizes and methods in advance with the Certifier.

7. The Evaluators assessed the Developer’s testing approach, coverage, depth and results. This included:
    a. witnessing the initiation of two of the Developer’s three general suites of tests;
    b. witnessing the initiation of the Developer’s suite of TOE-specific tests;
    c. repeating 60% of the Developer’s tests relevant to the security of the TOE;
    d. repeating all of the Developer’s tests regarding new or modified features of the TOE since Oracle8iOLS;
    e. checking that the Developer’s tests covered all of the TOE Security Functions (TSF), subsystems and TSFI;
    f. performing a series of independently devised functional tests, in the form of automated SQL scripts, to cover all of the TSF.

8. The Evaluators found that:
    a. the Developer’s testing approach, depth, coverage and results were all adequate;
    b. the Developer’s tests covered all of the TSF, subsystems and the TSFI;
    c. (for the sample of the Developer’s tests repeated by the Evaluators): the actual test results were consistent with the expected test results and any deviations were satisfactorily accounted for;
    d. (for the Evaluators’ functional tests): the actual test results were consistent with the expected test results.

9. The Evaluators then performed penetration testing on the TOE. Those tests were based on samples of previous tests (i.e. from the Oracle8iOLS evaluation [l]), supplemented by new tests to search for potential vulnerabilities introduced by new or modified features of the TOE.

10. From checking various sources on the Internet, the Evaluators found no publicly known, exploitable vulnerabilities applicable to the TOE, its components and its operating system environment (i.e. SLES8).

11. The publicly known vulnerabilities that the Evaluators found related to:
• ONS – which was within the scope of the evaluated configuration;
• Oracle Internet Application Server;
• Oracle Apache/Jserv;
• Oracle Java Virtual machine.
The last 3 features listed were all outside the scope of the evaluated configuration.

12. The ways by which the vulnerabilities relating to ONS were countered mean that, for the TOE’s evaluated configuration, the network (on which the O-RDBMS and all of its client applications run):
    a. should be under the control of a trusted administrator;
    b. should not be connected to any untrusted or potentially hostile networks (e.g. the Internet).

13. In any case, the TOE’s evaluated configuration cannot consider the threats on untrusted or potentially hostile networks, since the evaluated configuration of the TOE’s underlying operating system (i.e. SLES8) does not consider such threats.

14. The results of the Evaluators’ penetration testing confirmed:
    a. the claimed SOF in the Security Target [r] for the password space for Database Authentication (i.e. SOF-high);
    b. that all identified potential vulnerabilities in the TOE have been addressed, i.e. the TOE in its intended environment has no exploitable vulnerabilities.
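
The access flow described in Annex B (paragraphs 6 to 13: DAC check first, then a per-row label check subject to per-table enforcement options and policy privileges), modelled in Python as an added example; it is not part of the certification report and is not Oracle code. The read rule used here (session level at least the row level, all row compartments held, at least one row group or its parent held), the numeric ranks, the `PROJECT_X` compartment, the sample tables and the `bypass_read` flag are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Level names are the government examples from paragraph 10; ranks are constructed.
LEVEL_RANK = {"UNCLASSIFIED": 1, "IN_CONFIDENCE": 2,
              "SENSITIVE": 3, "HIGHLY_SENSITIVE": 4}
# Group hierarchy from paragraph 10 (child -> parent).
GROUP_PARENT = {"FINANCE": "CORPORATION", "SALES": "CORPORATION",
                "ENGINEERING": "CORPORATION", "CORPORATION": None}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()
    groups: frozenset = frozenset()


@dataclass
class Table:
    name: str
    rows: list                                   # (payload, Label) pairs
    policy_enforced_on: frozenset = frozenset()  # DML operations under label control


@dataclass
class Session:
    user: str
    label: Label
    dac_select: frozenset = frozenset()  # tables the user holds SELECT on
    bypass_read: bool = False            # hypothetical stand-in for a policy privilege


def covers_group(held, wanted):
    """True if `held` is `wanted` itself or one of its ancestors."""
    node = wanted
    while node is not None:
        if node == held:
            return True
        node = GROUP_PARENT.get(node)
    return False


def label_allows_read(session, row):
    """Assumed read rule: level dominance, every compartment, any one group."""
    if LEVEL_RANK[session.level] < LEVEL_RANK[row.level]:
        return False
    if not row.compartments <= session.compartments:
        return False
    if row.groups and not any(covers_group(h, w)
                              for h in session.groups for w in row.groups):
        return False
    return True


def select_rows(session, table):
    """Order from paragraph 6: DAC privilege first, then the per-row label check."""
    if table.name not in session.dac_select:
        raise PermissionError(f"{session.user}: no SELECT privilege on {table.name}")
    if "SELECT" not in table.policy_enforced_on or session.bypass_read:
        return [payload for payload, _ in table.rows]
    return [payload for payload, label in table.rows
            if label_allows_read(session.label, label)]


# Constructed sample data: one protected table, one unprotected lookup table.
ORDERS = Table("ORDERS", [
    ("public price list", Label("UNCLASSIFIED")),
    ("sales forecast", Label("IN_CONFIDENCE", groups=frozenset({"SALES"}))),
    ("merger plan", Label("SENSITIVE", frozenset({"PROJECT_X"}), frozenset({"FINANCE"}))),
    ("board minutes", Label("HIGHLY_SENSITIVE", groups=frozenset({"CORPORATION"}))),
], policy_enforced_on=frozenset({"SELECT"}))
ZIP_CODES = Table("ZIP_CODES", [("90210", Label("UNCLASSIFIED"))])

BOTH = frozenset({"ORDERS", "ZIP_CODES"})
SALES_CLERK = Session("clerk", Label("IN_CONFIDENCE", groups=frozenset({"SALES"})), BOTH)
CFO = Session("cfo", Label("SENSITIVE", frozenset({"PROJECT_X"}),
                           frozenset({"CORPORATION"})), BOTH)
ANALYST = Session("analyst", Label("SENSITIVE", groups=frozenset({"FINANCE"})), BOTH)

if __name__ == "__main__":
    for s in (SALES_CLERK, CFO, ANALYST):
        print(s.user, select_rows(s, ORDERS))
```

The analyst case shows the three components acting independently: a SENSITIVE level alone does not expose the SENSITIVE "merger plan" row, because the session lacks the row's compartment.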