Red Hat Enterprise Linux 7.6 Security Target


Red Hat Enterprise Linux 7.6 Security Target
Acumen Security, LLC.
Document Version: 1.1

Table of Contents

1 Security Target Introduction
  1.1 Security Target and TOE Reference
  1.2 TOE Overview
  1.3 TOE Architecture
    1.3.1 TOE Evaluated Configuration
    1.3.2 Physical Boundaries
    1.3.3 Security Functions provided by the TOE
    1.3.4 TOE Documentation
    1.3.5 Other References
2 Conformance Claims
  2.1 CC Conformance
  2.2 Protection Profile Conformance
  2.3 Conformance Rationale
    2.3.1 Technical Decisions
3 Security Problem Definition
  3.1 Threats
  3.2 Assumptions
  3.3 Organizational Security Policies
4 Security Objectives
  4.1 Security Objectives for the Operational Environment
5 Security Requirements
  5.1 Conventions
  5.2 Security Functional Requirements
    5.2.1 Security Audit (FAU)
    5.2.2 Cryptographic Support (FCS)
    5.2.3 User Data Protection (FDP)
    5.2.4 Identification and Authentication (FIA)
    5.2.5 Security Management (FMT)
    5.2.6 Protection of the TSF (FPT)
    5.2.7 TOE Access (FTA)
    5.2.8 Trusted Path/Channels (FTP)
  5.3 TOE SFR Dependencies Rationale for SFRs
  5.4 Security Assurance Requirements
  5.5 Rationale for Security Assurance Requirements
  5.6 Assurance Measures
6 TOE Summary Specification
  6.1 Position Independent Executables
  6.2 Cryptographic Keys
  6.3 Stack Smashing Protection

Revision History

Date           | Description
January 2019   | Initial Draft
May 2019       | Updated with additional detail
July 2019      | Updated based on Red Hat input and GPOS PP v4.2.1
August 2019    | Updated based on test findings
August 2019    | Minor updates
September 2019 | Minor updates
February 2020  | Updated claims
March 2020     | Updated TDs
April 2020     | Updated based on internal review
April 2020     | Updated for submission
June 2020      | Updated based on ECR comments

1 Security Target Introduction

1.1 Security Target and TOE Reference

This section provides information needed to identify and control this ST and its TOE.

Category             | Identifier
ST Title             | Red Hat Enterprise Linux 7.6 Security Target
ST Version           | 1.1
ST Date              | June 2020
ST Author            | Acumen Security, LLC.
TOE Identifier       | Red Hat Enterprise Linux
TOE Software Version | 7.6
TOE Developer        | Red Hat, Inc.
Key Words            | Operating System, SSH, TLS, Linux

Table 1 TOE/ST Identification

1.2 TOE Overview

Red Hat Enterprise Linux is the world's leading enterprise Linux platform. It is an open source operating system (OS) that supports multiple users, user permissions, access controls, and cryptographic functionality.

1.3 TOE Architecture

1.3.1 TOE Evaluated Configuration

The TOE supports secure connectivity with several other IT environment devices, as described in Table 2 below.

Component                   | Required | Usage/Purpose Description for TOE performance
TOE HW Platform             | Yes      | x86_64 platform to run the TOE on. The platform must protect the TOE from hardware vulnerabilities, support UEFI Secure Boot, and provide network connectivity.
Workstation with SSH Client | No       | This includes any IT Environment Management workstation with an SSH client installed that is used by the TOE users (including administrators) to remotely connect to the TOE through SSH-protected channels. Any SSH client that supports SSHv2 may be used.
Audit Server                | No       | The audit server is used for remote storage of audit records that have been generated by and transmitted from the TOE.
Update Server               | Yes      | Provides the ability to check for updates to the TOE as well as providing signed updates.

Table 2 IT Environment Components

1.3.2 Physical Boundaries

The TOE itself does not have physical boundaries; however, the TOE was evaluated on a Dell Inc. PowerEdge R630 with an Intel(R) Xeon(R) E5-2620 v4.

1.3.3 Security Functions provided by the TOE

The TOE provides the security functionality required by [GPOSPP] and [SSHEP].

1.3.3.1 Security Audit

The TOE generates and stores audit events using the Lightweight Audit Framework (LAF). The LAF is designed to be an audit system making Linux compliant with the requirements from Common Criteria by
intercepting all system calls and receiving audit events from privileged user space applications. The framework allows the events to be recorded to be selected from the set of all auditable events. Each audit record contains the date and time of the event, the type of event, the subject identity, the user identity and, where applicable, the result (success/fail) of the action.

1.3.3.2 Cryptographic Support

The TOE provides a broad range of cryptographic support, providing SSHv2 and TLSv1.2 protocol implementations in addition to individual cryptographic algorithms. The cryptographic services provided by the TOE are described below.

Cryptographic Protocol | Use within the TOE
SSH Client             | The TOE allows administrators and users to connect to remote SSH servers.
SSH Server             | The TOE allows remote administrators to connect using SSH.
TLS Client             | The TOE connects to remote trusted IT entities using TLS.

Table 3 TOE Cryptographic Protocols

The TOE includes two cryptographic libraries/implementations. Each of these cryptographic algorithms has been validated for conformance to the requirements specified in its respective standard, as identified below.

Algorithm | Related SFRs | TOE Use | CAVP Certificate #

OpenSSL Version 7.0

AES | FCS_COP.1(1), FCS_COP.1(1)/SSH, FCS_SSHC_EXT.1, FCS_SSHS_EXT.1, FCS_TLSC_EXT.1, FCS_STO_EXT.1 | SSH AES CBC and CTR modes with 128 and 256-bit keys; TLS AES CBC and GCM modes with 128 and 256-bit keys; File Encryption using AES CBC with 128 and 256-bit keys | C1443
Diffie-Hellman | FCS_CKM.2, FCS_SSHC_EXT.1, FCS_SSHS_EXT.1, FCS_TLSC_EXT.1 | SSH Diffie-Hellman Group 14 Key Establishment; TLS Diffie-Hellman Group 14 Key Establishment | N/A
DRBG | FCS_DRBG_EXT.1 | CTR DRBG (AES-256) | C1443
ECDSA | FCS_CKM.1, FCS_COP.1(3), FCS_SSHC_EXT.1, FCS_SSHS_EXT.1, FCS_TLSC_EXT.1, FCS_TLSC_EXT.2, FCS_TLSC_EXT.4 | SSH ECDSA P-256 and P-384 Host Key and User Key Generation; SSH EC Diffie-Hellman P-256, P-384, and P-521 Key Generation; SSH ECDSA P-256 and P-384 Host and User Signature Generation and Verification; TLS ECDSA P-256, P-384, and P-521 Client Key Generation; TLS EC Diffie-Hellman P-256, P-384, and P-521 Key Generation; TLS ECDSA P-256, P-384, and P-521 Signature Generation and Verification | C1443
HMAC | FCS_COP.1(4), FCS_SSHC_EXT.1, FCS_SSHS_EXT.1, FCS_TLSC_EXT.1 | SSH HMAC-SHA-256 and HMAC-SHA-512; TLS HMAC-SHA-1, HMAC-SHA-256, and HMAC-SHA-384; TLS HMAC-SHA-256 and HMAC-SHA-384 Key Derivation | C1443
KAS | FCS_CKM.2, FCS_SSHC_EXT.1, FCS_SSHS_EXT.1, FCS_TLSC_EXT.2 | SSH EC Diffie-Hellman P-256, P-384, and P-521 Key Establishment; TLS EC Diffie-Hellman P-256, P-384, and P-521 Key Establishment | C1443
RSA | FCS_CKM.1, FCS_CKM.2, FCS_COP.1(3), FCS_SSHC_EXT.1, FCS_SSHS_EXT.1, FCS_TLSC_EXT.1, FPT_TST_EXT.1 | SSH RSA 2048-bit and 3072-bit Host Key and User Key Generation; SSH RSA 2048-bit and 3072-bit Host and User Signature Generation and Verification; TLS RSA 2048-bit and 3072-bit Key Establishment; TLS RSA 2048-bit and 3072-bit Signature Verification; Self-Test RSA 2048 Signature Verification | C1443 (Vendor Affirmed for Key Establishment uses)
SHS | FCS_COP.1(2), FCS_SSHC_EXT.1, FCS_SSHS_EXT.1 | SSH SHA-1, SHA-256, SHA-384, and SHA-512 Key Derivation; SHA-1, SHA-256, SHA-384, and SHA-512 for Digital Signatures and HMACs | C1443

NSS v6.0

RSA | FCS_COP.1(3), FPT_TUD_EXT.1, FPT_TUD_EXT.2 | Trusted Update RSA 4096 Signature Verification | C1624
SHS | FCS_COP.1(2) | SHA-256 for Digital Signatures | C1624

Table 4 CAVP Algorithm Testing References

The OpenSSL library provides TLS Client functions that may be used by applications. The OpenSSL library also provides the cryptographic algorithms for the SSH Client, SSH Server, and Secure Boot functionality. The NSS library provides the cryptographic algorithms for Trusted Update functionality.

1.3.3.3 User Data Protection

Discretionary Access Control (DAC) allows the TOE to assign owners to file system objects and Inter-Process Communication (IPC) objects. The owners are allowed to modify Unix-type permission bits for these objects to permit or deny access for other users or groups. The DAC mechanism also ensures that untrusted users cannot tamper with the TOE mechanisms.

The TOE also implements POSIX Access Control Lists (ACLs) that allow the specification of access to individual file system objects down to the granularity of a single user.

1.3.3.4 Identification and Authentication

User identification and authentication in the TOE includes all forms of interactive login (e.g. using the SSH protocol or logging in at the local console) as well as identity changes through the su or sudo command. These all rely on explicit authentication information provided interactively by a user.

The authentication security function allows password-based authentication. For SSH access, public-key-based authentication is also supported.

Password quality enforcement mechanisms are offered by the TOE and are enforced at the time the password is changed.

1.3.3.5 Security Management

The security management facilities provided by the TOE are usable by authorized users and/or authorized administrators to modify the configuration of the TSF.
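The audit record fields listed in 1.3.3.1 above (date and time, event type, subject identity, user identity, outcome) are what a detection pipeline keys on, and the su/sudo identity changes of 1.3.3.4 show up in those records as a login uid (auid) that differs from the acting uid. The following is an added example, not part of the Security Target and not Red Hat's audit tooling: a small parser for the auditd text record format that extracts those fields and runs two checks over constructed sample records, one for failed actions and one for identity changes. The sample lines, uids and addresses are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# auid is (unsigned)-1 until a login assigns a session; treat it as "no subject".
UNSET_ID = 4294967295

# Common prefix of every auditd record: type=... msg=audit(<epoch.millis>:<serial>): <body>
HEADER = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
# key=value pairs; values may be 'single-quoted', "double-quoted" or bare tokens.
KV = re.compile(r"""(\w+)=('([^']*)'|"([^"]*)"|(\S+))""")


@dataclass
class AuditRecord:
    type: str                # event type (SYSCALL, USER_AUTH, ...)
    timestamp: datetime      # date and time of the event, UTC
    serial: int              # per-event serial number
    fields: Dict[str, str]   # remaining key=value attributes

    @property
    def auid(self) -> Optional[int]:
        """Subject identity: the login uid, None if no session was ever established."""
        v = self.fields.get("auid")
        if v is None or int(v) == UNSET_ID:
            return None
        return int(v)

    @property
    def uid(self) -> Optional[int]:
        """User identity the action ran as."""
        v = self.fields.get("uid")
        return int(v) if v is not None else None

    @property
    def outcome(self) -> Optional[bool]:
        """True/False for success/failure; None where no result applies."""
        if "success" in self.fields:
            return self.fields["success"] == "yes"
        if "res" in self.fields:
            return self.fields["res"] == "success"
        return None


def _parse_kv(text: str) -> Dict[str, str]:
    out: Dict[str, str] = {}
    for m in KV.finditer(text):
        key, single, double, bare = m.group(1), m.group(3), m.group(4), m.group(5)
        if key == "msg" and single is not None:
            # PAM-originated records nest their own key=value pairs inside msg='...'
            out.update(_parse_kv(single))
        else:
            out[key] = single if single is not None else (double if double is not None else bare)
    return out


def parse_line(line: str) -> Optional[AuditRecord]:
    """Parse one auditd record; returns None for lines that are not records."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    ts = datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc)
    return AuditRecord(m.group("type"), ts, int(m.group("serial")), _parse_kv(m.group("body")))


def parse_log(text: str) -> List[AuditRecord]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r is not None]


def failed_actions(records: List[AuditRecord]) -> List[int]:
    """Serials of records whose result is a failure (denied syscalls, failed logins)."""
    return [r.serial for r in records if r.outcome is False]


def identity_changes(records: List[AuditRecord]) -> List[int]:
    """Serials where the acting uid differs from the login uid: su/sudo style escalations."""
    return [r.serial for r in records
            if r.auid is not None and r.uid is not None and r.auid != r.uid]


# Constructed sample records (not taken from a real system).
SAMPLE_LOG = """
type=SYSCALL msg=audit(1591000000.101:2001): arch=c000003e syscall=2 success=yes exit=3 ppid=2100 pid=2101 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="access"
type=SYSCALL msg=audit(1591000000.202:2002): arch=c000003e syscall=2 success=no exit=-13 ppid=2100 pid=2102 auid=1000 uid=1000 gid=1000 euid=1000 comm="cat" exe="/usr/bin/cat" key="access"
type=USER_AUTH msg=audit(1591000000.303:2003): pid=2211 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=USER_START msg=audit(1591000000.404:2004): pid=2300 uid=0 auid=1000 ses=5 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(r.timestamp.isoformat(), r.serial, r.type, "auid=", r.auid, "uid=", r.uid, "ok=", r.outcome)
    print("failed:", failed_actions(recs))
    print("identity changes:", identity_changes(recs))
```

The unset auid (4294967295) on the sshd USER_AUTH record is the normal state for a daemon-originated event before any session exists, which is why the identity-change check requires both ids to be present rather than treating "no auid" as a mismatch.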

1.3.3.6 Protection of the TSF

The TOE implements self-protection mechanisms that protect the security mechanisms of the TOE as well as software executed by the TOE. The following self-protection mechanisms are implemented and enforced:

- Address Space Layout Randomization for user space code.
- Stack buffer overflow protection using stack canaries.
- Secure Boot ensuring that the boot chain up to and including the kernel together with the boot image (initramfs) is not tampered with.
- Updates to the operating system are only installed after their signatures have been successfully validated.

1.3.3.7 TOE Access

The TOE displays informative banners before users are allowed to establish a session.

1.3.3.8 Trusted Path/Channels

The TOE supports TLSv1.2 and SSHv2 to secure remote communications. Both protocols may be used for communications with remote IT entities. Remote administration is only supported using SSHv2.

1.3.4 TOE Documentation

[ST] Red Hat Enterprise Linux 7.6 Security Target, Version 1.1
[AGD] Guide to the Secure Configuration of Red Hat Enterprise Linux 7, Version 1.4

1.3.5 Other References

[GPOSPP] Protection Profile for General Purpose Operating Systems, Version 4.2.1
[SSHEP] Extended Package for Secure Shell (SSH), Version 1.0
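Section 1.3.3.3 above describes the DAC permission bits and POSIX ACLs but not how the kernel combines them when both are present. The following is an added example, not code from the Security Target or from the TOE: it implements the POSIX.1e access-check algorithm that Linux applies to a file carrying an extended ACL, over a constructed ACL written in getfacl's text form. Numeric uids and gids are used in place of names (an assumption made to keep the example self-contained), and the capability-based override that root gets (CAP_DAC_OVERRIDE) is deliberately not modelled.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional

# Permission bits in the usual rwx order.
R, W, X = 4, 2, 1


def perm_bits(s: str) -> int:
    """'r-x' -> R|X. Accepts the three-character form printed by getfacl."""
    if len(s) != 3:
        raise ValueError(f"bad permission string {s!r}")
    return (R if s[0] == "r" else 0) | (W if s[1] == "w" else 0) | (X if s[2] == "x" else 0)


@dataclass
class Acl:
    owner_uid: int
    owner_gid: int
    user_obj: int = 0                                     # user::      (the owner)
    users: Dict[int, int] = field(default_factory=dict)   # user:<uid>:
    group_obj: int = 0                                    # group::     (the owning group)
    groups: Dict[int, int] = field(default_factory=dict)  # group:<gid>:
    mask: Optional[int] = None                            # mask::      (absent on a minimal ACL)
    other: int = 0                                        # other::


def parse_acl(owner_uid: int, owner_gid: int, text: str) -> Acl:
    """Parse getfacl-style entries. Qualifiers are numeric ids here (assumption)."""
    acl = Acl(owner_uid, owner_gid)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tag, qualifier, perms = line.split(":")
        bits = perm_bits(perms)
        if tag == "user":
            if qualifier == "":
                acl.user_obj = bits
            else:
                acl.users[int(qualifier)] = bits
        elif tag == "group":
            if qualifier == "":
                acl.group_obj = bits
            else:
                acl.groups[int(qualifier)] = bits
        elif tag == "mask":
            acl.mask = bits
        elif tag == "other":
            acl.other = bits
        else:
            raise ValueError(f"unknown ACL tag {tag!r}")
    return acl


def check_access(acl: Acl, uid: int, gids: Iterable[int], requested: int) -> bool:
    """POSIX.1e access check. The first matching class decides, except that
    within the group class any matching entry may grant access. Named-user,
    owning-group and named-group entries are limited by the mask; the owner
    and 'other' entries are not."""
    gids = set(gids)
    mask = acl.mask if acl.mask is not None else (R | W | X)

    if uid == acl.owner_uid:                        # 1. file owner
        return requested & ~acl.user_obj == 0
    if uid in acl.users:                            # 2. named user
        return requested & ~(acl.users[uid] & mask) == 0

    matched = False                                 # 3. group class
    if acl.owner_gid in gids:
        matched = True
        if requested & ~(acl.group_obj & mask) == 0:
            return True
    for gid, bits in acl.groups.items():
        if gid in gids:
            matched = True
            if requested & ~(bits & mask) == 0:
                return True
    if matched:
        return False                                # a group matched but none granted: deny
    return requested & ~acl.other == 0              # 4. everyone else


# Constructed ACL for a file owned by uid 1000 / gid 1000. The mask is r-x,
# so user 1001's rwx entry is effectively r-x: a common source of surprise.
SAMPLE_ACL = """
user::rw-
user:1001:rwx
group::r--
group:2000:rw-
mask::r-x
other::---
"""

if __name__ == "__main__":
    acl = parse_acl(1000, 1000, SAMPLE_ACL)
    print("owner write:", check_access(acl, 1000, {1000}, W))
    print("uid 1001 write (masked out):", check_access(acl, 1001, {1001}, W))
    print("uid 3000 in gid 2000 read:", check_access(acl, 3000, {2000}, R))
    print("uid 4000 read:", check_access(acl, 4000, {4000}, R))
```

Two behaviours worth noting when reviewing ACLs on a system: a write granted by a named-user entry silently disappears when a chmod narrows the mask (the mask is what `ls -l` shows in the group position of a file with an extended ACL), and a process whose groups match an entry that denies the request is refused outright rather than falling through to the `other` entry.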

2 Conformance Claims

2.1 CC Conformance

This TOE is conformant to:

- Common Criteria for Information Technology Security Evaluation Part 1, Version 3.1, Revision 5, April 2017
- Common Criteria for Information Technology Security Evaluation Part 2, Version 3.1, Revision 5, April 2017: Part 2 extended
- Common Criteria for Information Technology Security Evaluation Part 3, Version 3.1, Revision 5, April 2017: Part 3 extended

2.2 Protection Profile Conformance

This TOE is conformant to:

- Protection Profile for General Purpose Operating Systems, Version 4.2.1 [GPOSPP]
- Extended Package for Secure Shell (SSH), Version 1.0 [SSHEP]

2.3 Conformance Rationale

This Security Target claims exact conformance to the [GPOSPP] and [SSHEP]. The security problem definition, security objectives and security requirements in this Security Target are all taken from the Protection Profile, performing only the operations defined there.

2.3.1 Technical Decisions

All NIAP Technical Decisions (TDs) issued to date that are applicable to the [GPOSPP] and [SSHEP] have been addressed. The following tables identify all applicable TDs:

Identifier | Applicable | Exclusion Rationale (if applicable)
TD0496 – GPOS PP adds allow-with statement for VPN Client V2.1 | Yes |
TD0493 – X.509v3 certificates when using digital signatures for Boot Integrity | Yes |
TD0463 – Clarification for FPT_TUD_EXT | Yes |
TD0441 – Updated TLS Ciphersuites of OS PP | Yes |
TD0386 – Platform-Provided Verification of Update | Yes |
TD0365 – FCS_CKM_EXT.4 selections | Yes |

Table 5 GPOS Technical Decisions

Identifier | Applicable | Exclusion Rationale (if applicable)
TD0446 – Missing selections for SSH | Yes |
TD0420 – Conflict in FCS_SSHC_EXT.1.1 and FCS_SSHS_EXT.1.1 | Yes |
TD0332 – Support for RSA SHA2 host keys | Yes |
TD0331 – SSH Rekey Testing | Yes |
TD0240 – FCS_COP.1.1(1) Platform provided crypto for encryption/decryption | Yes |

Table 6 SSH EP Technical Decisions
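Table 4 in 1.3.3.2 fixes the SSH algorithms that were actually evaluated (AES-128/256 in CBC and CTR, HMAC-SHA-256/512, DH group 14 and ECDH over P-256/P-384/P-521, RSA 2048/3072 and ECDSA P-256/P-384 host keys), and TD0332 in Table 6 above is what brings the rsa-sha2 host-key signature names into scope. A deployment only matches the evaluated configuration if sshd_config is pinned to that set, which the [AGD] guide covers but which drifts easily. The following is an added example and not part of the Security Target, Red Hat's guidance, or OpenSSH: it reads the global section of an sshd_config and reports any algorithm outside the evaluated set, treating an unset directive (OpenSSH defaults apply) and the `+`/`-` relative list forms (result depends on the build's defaults) as findings too. The mapping from Table 4 entries to OpenSSH algorithm names is the author's assumption, as is the sample configuration.

```python
from typing import Dict, List

# OpenSSH names corresponding to the SSH rows of Table 4 (this mapping is an assumption).
# TD0332 is why the rsa-sha2-* host key signature names are admitted alongside ssh-rsa.
EVALUATED: Dict[str, set] = {
    "ciphers": {"aes128-cbc", "aes256-cbc", "aes128-ctr", "aes256-ctr"},
    "macs": {"hmac-sha2-256", "hmac-sha2-512"},
    "kexalgorithms": {
        "diffie-hellman-group14-sha1",
        "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    },
    # ECDSA host keys were evaluated for P-256 and P-384 only; P-521 is ECDH-only in Table 4.
    "hostkeyalgorithms": {
        "ssh-rsa", "rsa-sha2-256", "rsa-sha2-512",
        "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    },
}


def parse_global_section(text: str) -> Dict[str, str]:
    """Return {directive: value} for the global part of sshd_config.
    sshd uses the first value it sees for a keyword, and everything after the
    first 'Match' line is conditional, so parsing stops there."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in cfg:
            cfg[key] = parts[1].strip()
    return cfg


def audit_algorithms(cfg: Dict[str, str]) -> Dict[str, List[str]]:
    """Per directive, the list of findings; an empty list means it is pinned to the evaluated set."""
    findings: Dict[str, List[str]] = {}
    for directive, allowed in EVALUATED.items():
        value = cfg.get(directive)
        if value is None:
            findings[directive] = ["<unset: OpenSSH defaults apply>"]
        elif value[0] in "+-^":
            # '+' appends to and '-' removes from the build defaults ('^' prepends on newer OpenSSH)
            findings[directive] = [f"<relative list '{value[0]}': depends on build defaults>"]
        else:
            findings[directive] = [a for a in value.split(",") if a.lower() not in allowed]
    return findings


def is_evaluated_configuration(cfg: Dict[str, str]) -> bool:
    return all(not bad for bad in audit_algorithms(cfg).values())


# Constructed sshd_config fragment (not from any real host).
SAMPLE_SSHD_CONFIG = """
# Host key sizes (RSA 2048/3072) cannot be checked from the config alone
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
Ciphers aes128-ctr,aes256-ctr,aes256-cbc,chacha20-poly1305@openssh.com
MACs hmac-sha2-256,hmac-sha2-512
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,curve25519-sha256
HostKeyAlgorithms ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa
# sshd keeps the first MACs line, so this second one has no effect
MACs hmac-sha1
Match User backup
    Ciphers aes128-ctr
"""

if __name__ == "__main__":
    cfg = parse_global_section(SAMPLE_SSHD_CONFIG)
    for directive, bad in audit_algorithms(cfg).items():
        print(f"{directive:18s} {'OK' if not bad else 'NOT EVALUATED: ' + ', '.join(bad)}")
    print("matches evaluated configuration:", is_evaluated_configuration(cfg))
```

Run against a live host, the parser should be pointed at the output of `sshd -T` rather than the file, since that is the effective configuration after defaults and includes are applied; the check itself is the same. Directives inside Match blocks need a separate pass with the matching criteria in hand.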

3 Security Problem Definition

The security problem definition has been taken from the [GPOSPP]. It is reproduced here for the convenience of the reader. The security problem is described in terms of the threats that the TOE is expected to address, assumptions about the operational environment, and any organizational security policies that the TOE is expected to enforce.

3.1 Threats

The following threats are drawn directly from the [GPOSPP].

ID | Threat
T.NETWORK_ATTACK | An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may engage in communications with applications and services running on or part of the OS with the intent of compromise. Engagement may consist of altering existing legitimate communications.
T.NETWORK_EAVESDROP | An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may monitor and gain access to data exchanged between applications and services that are running on or part of the OS.
T.LOCAL_ATTACK | An attacker may compromise applications running on the OS. The compromised application may provide maliciously formatted input to the OS through a variety of channels including unprivileged system calls and messaging via the file system.
T.LIMITED_PHYSICAL_ACCESS | An attacker may attempt to access data on the OS while having a limited amount of time with the physical device.

Table 7 Threats

3.2 Assumptions

The following assumptions are drawn directly from the [GPOSPP].

ID | Assumption
A.PLATFORM | The OS relies upon a trustworthy computing platform for its execution. This underlying platform is out of scope of this PP.
A.PROPER_USER | The user of the OS is not willfully negligent or hostile, and uses the software in compliance with the applied enterprise security policy. At the same time, malicious software could act as the user, so requirements which confine malicious subjects are still in scope.
A.PROPER_ADMIN | The administrator of the OS is not careless, willfully negligent or hostile, and administers the OS within compliance of the applied enterprise security policy.

Table 8 Assumptions

3.3 Organizational Security Policies

The [GPOSPP] and [SSHEP] do not define any OSPs.

4 Security Objectives

4.1 Security Objectives for the Operational Environment

The following security objectives for the operational environment assist the TOE in correctly providing its security functionality. These track with the assumptions about the environment. The security objectives have been taken from the [GPOSPP]. They are reproduced here for the convenience of the reader.

ID | Objective for the Operational Environment
OE.PLATFORM | The OS relies on being installed on trusted hardware.
OE.PROPER_USER | The user of the OS is not willfully negligent or hostile, and uses the software within compliance of the applied enterprise security policy. Standard user accounts are provisioned in accordance with the least privilege model. Users requiring higher levels of access should have a separate account dedicated for that use.
OE.PROPER_ADMIN | The administrator of the OS is not careless, willfully negligent or hostile, and administers the OS within compliance of the applied enterprise security policy.

Table 9 Objectives for the Operational Environment

5 Security Requirements

This section identifies the Security Functional Requirements for the TOE. The Security Functional Requirements included in this section are derived from Part 2 of the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, dated: April 2017 and all n

SFR | Name
FAU_GEN.1 | Audit Data Generation (Refined)
FCS_CKM.1 | Cryptographic Key Generation (Refined
FCS_CKM.2 |
FCS_CKM_EXT.4 |
FCS_COP.1(1) |
FCS_COP.1(1)/SSH |
FCS_COP.1(2) |
FCS_COP.1(3) |
FCS_COP.1(4) |
