Oracle Linux 7.3安全目标文档：CSEC认证CSEC2017014

需积分: 16 151 浏览量更新于2024-07-16 收藏 471KB PDF 举报

Oracle Linux 7.3 的安全目标文档是一份重要的信息安全参考文件，由Oracle Corporation发布，获得了CSECCertificationID:CSEC2017014，版本为1.4。这份文档旨在提供关于Oracle Linux操作系统的安全标准和实践指南，以满足Common Criteria (CC) EAL4级别的安全要求。 EAL4是信息安全评估框架（Information Technology Security Evaluation Criteria, ITSEC）中的一个级别，它代表了高度受控的安全保障。Oracle Linux作为一款企业级的操作系统，其安全目标文档详细阐述了如何确保系统的安全性，包括访问控制、加密、审计日志、物理安全措施以及软件安全增强等多方面。文档内容涵盖了以下关键知识点： 1. 版权和许可：Oracle Corporation保留在所有复制件上的版权，用户在使用时需自行承担风险。未经事先许可，允许在保留版权声明的情况下复制或分发文档。修改后的版本可以自由传播，但必须明确标识为修改版，并包含原始版权声明。 2. 商标：文档提及Oracle Linux、Oracle logo、Linux、UNIX等都是Oracle或其合作伙伴的注册商标，强调知识产权的尊重。 3. 法律声明：文档提供的信息是“原样”提供，不提供任何明示或暗示的保证，用户自行决定使用方式，承担相应责任。 4. 安全实践：文档详细列出了针对Oracle Linux 7.3的安全策略，如用户和权限管理、数据加密、防火墙规则、安全补丁管理和漏洞响应机制等，确保系统抵御恶意攻击和保护用户数据隐私。 5. 安全标准：符合Common Criteria EAL4的要求，意味着该系统的设计和实现经过严格的安全评估，达到了在复杂环境中防止未授权访问、保护数据完整性和机密性的能力。 6. 审计与合规性：文档可能包括关于满足法规要求，如PCI DSS（Payment Card Industry Data Security Standard）或其他行业标准的信息，帮助用户确保符合相关法规。 7. 软件更新和维护：强调定期软件更新的重要性，因为这些更新通常包含了安全补丁，对于保持系统的安全性至关重要。 Oracle Linux 7.3的安全目标文档为用户、管理员和审核员提供了一个全面的指南，以确保操作系统在高安全环境中的运行和维护。理解和遵循文档中的规定，对于保护组织的IT基础设施及其数据安全具有重要意义。

Introduction Security Target for Oracle Linux 7.3

• Linux Container support: The TOE offers userspace virtualization support via Linux

Container. That virtualization support shall be allowed to be used such that it does not

interfere with the operation of the security functions. The evaluation ensures that the

constraints associated with the use of Linux Containers in the evaluated configuration guide

has no adverse impact on the security functionality. In addition, the libvirt daemon is

allowed to run with the privileges of the root user to allow management of Linux Containers

(note, Linux Containers are not referred to by the term containers used in the remainder of

this ST).

Additional mechanisms and functions that would interfere with the operation of the security

functions are disallowed in the evaluated configuration and the Evaluation Configuration Guide

provides instructions to the administrator on how to disable them. Note: TOE mechanism which

provide additional restrictions to the above claimed security functions are allowed in the evaluated

configuration. For example, the eCryptFS cryptographic file system provided with the TOE and

permitted in the evaluated configuration even though they have not been subject to this evaluation.

The eCryptFS provides further restrictions on, for example, the security function of discretionary

access control mechanism for file system objects and therefore cannot breach the security

functionality as the discretionary access control rules of the "lower" file system are still enforced.

The following table enumerates mechanisms that are provided with the TOE but which are excluded

from the evaluation:

Functions Exclusion discussion

eCryptFS eCryptFS are not allowed to be used in the evaluated configuration.

The encryption capability provided with this file system is therefore

unavailable to any user.

LSM Support The mandatory access control functionality offered by the Linux

Security Module (LSM) framework found in the Linux kernel is not

assessed by the evaluation and disabled in the evaluated

configuration. All LSM modules such as SELinux, AppArmor,

SMACK and others are not assessed as part of the evaluation. The

evaluated configuration enables aspects of the LSM though.

GSS-API Security

Mechanisms

The GSS-API is used to secure the connection between different

audit daemons. The security mechanisms used by the GSS-API,

however, is not part of the evaluation. Therefore, A.CONNECT

applies to the audit-related communication link.

Table 1: Non-evaluated functionalities

Note: Packages and mechanisms not covered with security claims and subsequent assessments

during the evaluation or disabling the respective functionality in the evaluated configuration result

from resource constraints during the evaluation as well as the restriction specified in the protection

profile but does not imply that the respective package or functionality is implemented insecurely.

1.5.2.4 Configurations

The evaluated configurations are defined as follows:

14 of 82 Classification: atsec public Version 1.4

Security Target for Oracle Linux 7.3 Introduction

• The CC evaluated package set must be selected at install time in accordance with the

description provided in the Evaluated Configuration Guide and installed accordingly.

• The installation specified by the CC guide allows the installation of two different Linux

kernels: the Unbreakable Enterprise Kernel (UEK) as well as the derivative of the Red Hat

Enterprise Linux kernel. The administrator is free to choose which kernel is used to boot the

system as both kernels are allowed in the evaluated configuration.

• The TOE supports the use of IPv4 and IPv6, both are also supported in the evaluated

configuration. IPv6 conforms to the following RFCs:

◦ RFC 2460 specifying the basic IPv6 protocol<

◦ IPv6 source address selection as documented in RFC 3484 Linux implements several

new socket options (IPV6_RECVPKTINFO, IPV6_PKTINFO, IPV6_RECVHOPOPTS,

IPV6_HOPOPTS, IPV6_RECVDSTOPTS, IPV6_DSTOPTS, IPV6_RTHDRDSTOPTS,

IPV6_RECVRTHDR, IPV6_RTHDR, IPV6_RECVHOPOPTS, IPV6_HOPOPTS,

IPV6_{RECV,}TCLASS) and ancillary data in order to support advanced IPv6

applications including ping, traceroute, routing daemons and others. The following

section introduces Internet Protocol Version 6 (IPv6). For additional information about

referenced socket options and advanced IPv6 applications, see RFC 3542

◦ Transition from IPv4 to IPv6: dual stack, and configured tunneling according to RFC

4213.

• The default configuration for identification and authentication are the defined password-

based PAM modules as well as public-key based authentication for OpenSSH. Support for

other authentication options, e.g. smart card authentication, is not included in the evaluation

configuration.

• If the system console is used, it must be subject to the same physical protection as the TOE.

Deviations from the configurations and settings specified with the Evaluated Configuration Guide

are not permitted.

The TOE comprises a single system (and optional peripherals) running the TOE software listed.

Cluster configurations are not permitted in the evaluated configuration.

1.5.2.5 TOE Environment

Several TOE systems may be interlinked in a network, and individual networks may be joined by

bridges and/or routers, or by TOE systems which act as routers and/or gateways. Each of the TOE

systems implements its own security policy. The TOE does not include any synchronization

function for those policies. As a result a single user may have user accounts on each of those

systems with different UIDs, different roles, and other different attributes. (A synchronization

method may optionally be used, but it not part of the TOE. The administrator must ensure that the

synchronized UIDs to not conflict with the security policy applicable to the TOE.)

If other systems are connected to a network they need to be configured and managed by the same

authority using an appropriate security policy that does not conflict with the security policy of the

TOE. All links between this network and untrusted networks (e. g. the Internet) need to be protected

by appropriate measures such as carefully configured firewall systems that prohibit attacks from the

untrusted networks. Those protections are part of the TOE environment.

Version 1.4 Classification: atsec public 15 of 82

Introduction Security Target for Oracle Linux 7.3

1.5.2.6 Security Policy Model

The security policy for the TOE is defined by the security functional requirements in chapter 6. The

following is a list of the subjects and objects participating in the policy.

Subjects:

• Processes acting on behalf of a human user or technical entity.

Named objects:

• File system objects in the following allowed file systems:

◦ Ext4 - standard file system for general data

◦ XFS - standard file system for general data

◦ VFAT - special purpose file system for UEFI BIOS support mounted at /boot/efi

◦ iso9660 - ISO9660 file system for CD-ROM and DVD

◦ tmpfs - the temporary file system backed by RAM

◦ rootfs - the virtual root file system used temporarily during system boot

◦ procfs - process file system holding information about processes, general statistical data

and tunable kernel parameters

◦ sysfs - system-related file system covering general information about resources

maintained by the kernel including several tunable parameters for these resources

◦ devpts - pseudoterminal file system for allocating virtual TTYs on demand

◦ devtmpfs - temporary file system that allows the kernel to generate character or block

device nodes

◦ binfmt_misc - configuration interface allowing the assignment of executable file formats

with user space applications

◦ securityfs - interface for loadable security modules (LSM) to provide tunables and

configuration interfaces to user space

◦ cgroup - interface for configuring the control groups mechanism provided by the kernel

◦ debugfs - interface for accessing low-level kernel data

Please note that the TOE supports a number of additional virtual (i.e. without backing of

persistent storage) file systems which are only accessible to the TSF - they are not or cannot

be mounted. All above mentioned virtual file systems implement access decisions based

DAC attributes inferred from the underlying process’ DAC attributes. Additional restrictions

may apply for specific objects in this file system.

• Inter Process Communication (IPC) objects:

◦ Semaphores

◦ Shared memory

◦ Message queues

◦ Named pipes

16 of 82 Classification: atsec public Version 1.4

Security Target for Oracle Linux 7.3 Introduction

◦ UNIX domain socket special files

◦ DBUS queues

• Network sockets (irrespective of their type - such as Internet sockets and netlink sockets)

• Storage device objects (covered by dm_crypt - note that such storage device objects may be

provided by either block devices or LVM devices)

• cron job queues maintained for each user

TSF data:

• TSF executable code

• Subject meta data - all data used for subjects except data which is not interpreted by the TSF

and does not implement parts of the TSF (this data is called user data)

• Named object meta data - all data used for the respective objects except data which is not

interpreted by the TSF and does not implement parts of the TSF (this data is called user

data)

• User accounts, including the security attributes defined by FIA_ATD.1

• Audit records

• Volume keys for dm_crypt block devices and passphrases protecting the session keys

User data:

• Non-TSF executable code used to drive the behavior of subjects

• Data not interpreted by TSF and stored or transmitted using named objects

• Any code executed within the virtual machine environment as well as any data stored in

resources assigned to virtual machines

1.6 Applied Technical Decisions

The ST claims compliance to the claimed protection profile and the extended packages. NIAP

issued the following technical decisions which are considered in this ST:

• 0332 – Support for RSA SHA2 host keys

• 0331 – SSH Rekey Testing

• 0305 – Handling of TLS connections with and without mutual authentication

• 0304 – Update to FCS_TLSC_EXT.1.2

• 0246 – Assurance Activity for FIA_UAU.5.2

• 0244 – FCS_TLSC_EXT - TLS Client Curves Allowed

• 0243 – SSH Key-Based Authentication

• 0240 – FCS_COP.1.(1) Platform provided crypto for encryption/decryption

• 0239 – Cryptographic Key Destruction in OS PP

• 0208 – Remote Users in OSPP

Version 1.4 Classification: atsec public 17 of 82

剩余81页未读，继续阅读

weird213

粉丝: 3
资源: 29

Oracle Linux 7.3安全目标文档：CSEC认证CSEC2017014

McGraw-Hill.Hacknotes.Linux.and.Unix.Security.Portable.Reference.pdf

Bean 'org.springframework.security.access.expression.method.DefaultMethodSecurityExpressionHandler@1e86a5a7' of type [org.springframework.security.access.expression.method

Oracle linux

Bean 'methodSecurityMetadataSource' of type [org.springframework.security.access.method.DelegatingMethodSecurityMetadataSource] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)

Parameter 0 of method managementSecurityFilterChain in org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration required a bean of type 'org.springframework.security.config.annotation.web.builders.HttpSecurity' that could not be found.

nifi 如何解决Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

kafkaclient里面的java.security.auth.login.config怎么配置

最新资源