HomeAbout Us A-Z IndexSearch  Inquiries RegisterLoginPress Shop
Conformance Statement

Product Standard: Baseline Security 96

This form contains a series of questions that need to be answered. As you go about answering the questions, please keep the following things in mind:

Enter the name of the Organization that produced the implementation and the name of the author of the Conformance Statement.

Organization
Author


1. Baseline Security 96

Product Information

Enter the product name, version/release number, and product supplier for each product required to meet the conformance requirements.

Product IdentificationVersion/Release NumberProduct Supplier
 
 
 
 
 

Environment Specification

Branding applies to software products in one of more specific binary-compatible families (hardware or hardware/software environments).

A Product may be branded in all members of a binary-compatible family on the basis of a single branding application.

Answer the questions for each binary-compatible family.

Testing Environment Binary-compatible Family Portability Environment Indicator of Compliance Compliance Details
Test Suite:
Test Report:
Test Suite:
Test Report:
Test Suite:
Test Report:
Test Suite:
Test Report:
Test Suite:
Test Report:

Temporary Waivers

Enter the waiver number and expiry date for each temporary waiver granted by The Open Group.

Waiver NumberExpiry Date


1.1 Target of Conformance (TOC) and the Trusted Computing Base (TCB)

The "Product Identification" section above identifies in the normal way the product that is registered as conformant to the Profile Definition. However, when considering systems security, it is necessary to be more precise and identify whether the "Target of Conformance (TOC)" is the whole product, or whether it is a subset of the product such that usage of functionality outside the TOC could reduce the level of security of the system. (The Trusted Computing Base (TCB) is defined as the totality of protection mechanisms within an IT system, including hardware, firmware, software and data, the combination of which is responsible for enforcing the security policy. The Target of Conformance (TOC) is the TCB together with any additional software that contains no security relevant code. See the X/Open XBSS Specification, Section 3.4, Defining the Target of Conformance.)

Identify below the target of conformance. If it is the whole product identified in the "Product Identification" above then state "the whole product". if it is not the whole product state clearly what is included in the TOC and what is not.

The Target of Conformance for this registered product is:

Purchasers should note that adding other products to the registered product, other than certain types of applications which are enumerated in the vendor's documentation, should be done with care as it could cause a reduction in the overall level of conformance, for which the supplier of the registered product cannot be held responsible.


1.2 Conformance Implications

Question 1: What are the criteria that an application must meet in order to guarantee that it can be added to the Target of Conformance (TOC) without compromising conformance of the system to the Baseline Security 96 Profile Definition?

Response

Rationale

Reference


1.3 Identification and Authentication Requirement

Question 2: What methods of authentication are provided in addition to the password method which is mandatory?

Response

Rationale

Reference


Question 3: Which method is used to notify users when a password change is due?

Response

Rationale

Reference


Question 4: Are the password complexity checking algorithms configurable or replaceable?

Response

Rationale

X/Open CAE Specification, Baseline Security Services (XBSS), Section 4.4.5, Specific Requirements for Password Authentication Mechanisms.


1.4 Basic System Entry Control

1.4.1 Authentication: User-initiated Locking

Question 5: For the user-initiated locking of a terminal, is the output also disabled and the screen cleared or occluded?

Response

    Output disabled Yes   No
    Screen cleared or occluded Yes   No

Rationale

    During the time that the user session is locked it may be desirable, though it is not required, to disable output and clear or occlude the screen.

Reference

    X/Open CAE Specification, Baseline Security Services (XBSS), Section 4.5.5, User-initiated Locking.


1.5 Basic Audit Requirement

1.5.1 Audit Trail Control, Management and Inspection

Question 6: What is the limit to the number of users that can be selectively audited?

Response

    Enter NOLIMIT if there is no limit.

Rationale

    The system administrator shall be able selectively to audit the actions of one or more users based on identity or object policy attributes.

    This requirement calls for both preselection (configuring which events are to be recorded in the audit trail) and post-selection (the selection of audit records from the recorded audit trail). Preselection is desirable because it reduces the amount of audit data that is stored, but it must be kept in mind that if an event is not preselected to be recorded in the audit trail, it cannot be post-selected for when the audit trail is analysed.

    By default, the post-selection tools must be able to select audit records based on the identity of users and the policy attributes of objects they access.

Reference

    X/Open CAE Specification, Baseline Security Services (XBSS), Section 4.6.4, Audit Trail Control, Management and Inspection.


1.6 Security Manuals

1.6.1 User Documentation

Question 7: In what form is the user documentation for security?

Response

    Describe below the user security documentation and give the full document reference.

Rationale

    The vendor shall provide end-user documentation in the form of a single summary, chapter or manual which:

    1. describes all security services provided and enforced by the TCB
    2. describes the interaction between security services
    3. provides guidelines on their use.

    The purpose of this requirement is to ensure that the users of the system have all the information they need to operate it in a secure manner from day one. The information relating to security should, by preference, be contained in one particular manual, but it is acceptable for it to be contained in a number of manuals in the standard user documentation set, provided the user can readily determine where to find all the relevant security features. The information on security can either be delivered with the system, or a clear pointer to its availability should be included.

Reference

    X/Open CAE Specification, Baseline Security Services (XBSS), Section 4.10.1, User Documentation.


1.6.2 Administrative Documentation

Question 8: In what form is the administrative documentation for security?

Response

    Describe the administration security documentation, and give the full document reference.

Rationale

    The vendor shall provide product administrator documentation which describes the proper administration of all the security services and associated procedures, privileges and functions.

    This documentation shall describe the administrative interaction between security services, and shall provide guidelines on secure generation of a new TCB.

    The procedures for examining and maintaining the audit files as well as the detailed audit record structure for each type of audit event shall be given.

    The purpose of this requirement is to ensure that the product administrator has the materials to understand how to administer the system in a secure manner. The manual may give general security advice (an overview), but specifically it should:

    • explain clearly how to install (or re-install) and then configure the system in a secure manner -- this would involve some discussion of the user and the user account, group membership, subject attributes and object attributes
    • explain how to maintain the system in a secure manner across its life time -- this might include examples of daily, weekly and monthly security routines as well as specific tasks such as bringing a system backup after a crash
    • provide instruction on how to regenerate parts of the TCB, such as the kernel, in a secure way (on systems that allow TCB regeneration)
    • explain the audit trail mechanism so that the authorised user can effectively use the audit trail to implement the local security policy
    • explain how to adjust system defaults if experience of use shows them to be too lenient or too stringent.

    Reference

      X/Open CAE Specification, Baseline Security Services (XBSS), Section 4.10.2, Administrative Documentation.

    Copyright © 
    All rights reserved.


    2. Change History

    DateNameComment
    New

     Copyright © 1998-2002 The Open Group. All Rights Reserved.

     OSF/1, Motif, UNIX, and the "X" device are registered trademarks in the U.S. and other countries, and IT DialTone and The Open Group are trademarks of The Open Group.


    [ Home ] [ Testing Home ] [ Conformance Statement Library Home ] [ Search Conformance Statements ] [ Send Feedback ]