X/Open CAE Specification, Baseline Security Services (XBSS),
Section 4.4.5, Specific Requirements for Password Authentication
Mechanisms.
1.4 Basic System Entry Control
1.4.1 Authentication: User-initiated Locking
Question 5: For the user-initiated locking of a terminal, is the
output also disabled and the screen cleared or occluded?
Response
Rationale
During the time that the user session is locked it may be desirable,
though it is not required, to disable output and clear or occlude
the screen.
Reference
X/Open CAE Specification, Baseline Security Services (XBSS),
Section 4.5.5, User-initiated Locking.
1.5 Basic Audit Requirement
1.5.1 Audit Trail Control, Management and Inspection
Question 6: What is the limit to the number of users that can be selectively audited?
Response
Rationale
The system administrator shall be able selectively to audit the
actions of one or more users based on identity or object policy
attributes.
This requirement calls for both preselection (configuring which events
are to be recorded in the audit trail) and post-selection (the selection
of audit records from the recorded audit trail). Preselection is
desirable because it reduces the amount of audit data that is stored,
but it must be kept in mind that if an event is not preselected to be
recorded in the audit trail, it cannot be post-selected for when the
audit trail is analysed.
By default, the post-selection tools must be able to select audit
records based on the identity of users and the policy attributes of
objects they access.
Reference
X/Open CAE Specification, Baseline Security Services (XBSS),
Section 4.6.4, Audit Trail Control, Management and Inspection.
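The preselection and post-selection behaviour described in the Question 6 rationale, as an added example (not part of the XBSS specification or of any vendor's audit tooling). The record layout, user names, paths and attribute labels are constructed for illustration; the point shown is that an event dropped at preselection cannot be recovered by any post-selection query.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AuditEvent:
    seq: int
    user: str              # identity of the acting user
    action: str            # event type
    obj: str               # object acted on
    obj_attrs: frozenset   # policy attributes of that object

# Constructed sample activity; names, paths and attribute labels are illustrative.
ACTIVITY = [
    AuditEvent(1, "alice", "login",  "tty01",             frozenset()),
    AuditEvent(2, "bob",   "open",   "/payroll/2024.db",  frozenset({"group:finance"})),
    AuditEvent(3, "alice", "open",   "/payroll/2024.db",  frozenset({"group:finance"})),
    AuditEvent(4, "alice", "chmod",  "/home/alice/notes", frozenset({"owner:alice"})),
    AuditEvent(5, "carol", "open",   "/etc/passwd",       frozenset({"owner:root"})),
    AuditEvent(6, "alice", "unlink", "/tmp/scratch",      frozenset()),
]

def preselect(activity, users=frozenset(), obj_attrs=frozenset()):
    """Record-time filter: keep an event if its user is audited OR the
    object carries an audited policy attribute. Everything else is dropped."""
    return [e for e in activity
            if e.user in users or e.obj_attrs & obj_attrs]

def postselect(records, user=None, obj_attr=None):
    """Analysis-time filter over records by user identity and/or object attribute."""
    return [e for e in records
            if (user is None or e.user == user)
            and (obj_attr is None or obj_attr in e.obj_attrs)]

def lost_to_preselection(activity, trail, **criteria):
    """Events matching the criteria that happened but were never recorded."""
    recorded = {e.seq for e in trail}
    return [e for e in postselect(activity, **criteria) if e.seq not in recorded]

if __name__ == "__main__":
    trail = preselect(ACTIVITY, users={"bob"}, obj_attrs={"group:finance"})
    print("recorded:", [e.seq for e in trail])
    print("alice, recorded:", [e.seq for e in postselect(trail, user="alice")])
    print("alice, unrecoverable:",
          [e.seq for e in lost_to_preselection(ACTIVITY, trail, user="alice")])
```
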
1.6 Security Manuals
1.6.1 User Documentation
Question 7: In what form is the user documentation for security?
Response
Rationale
The vendor shall provide end-user documentation in the form of
a single summary, chapter or manual which:
- describes all security services provided and enforced by the TCB
- describes the interaction between security services
- provides guidelines on their use.
The purpose of this requirement is to ensure that the users of
the system have all the information they need to operate it in
a secure manner from day one. The information relating to security
should, by preference, be contained in one particular manual, but
it is acceptable for it to be contained in a number of manuals in
the standard user documentation set, provided the user can readily
determine where to find all the relevant security features. The
information on security can either be delivered with the system,
or a clear pointer to its availability should be included.
Reference
X/Open CAE Specification, Baseline Security Services (XBSS),
Section 4.10.1, User Documentation.
1.6.2 Administrative Documentation
Question 8: In what form is the administrative documentation for
security?
Response
Describe the administration security documentation, and give the full
document reference.
Rationale
The vendor shall provide product administrator documentation which
describes the proper administration of all the security services and
associated procedures, privileges and functions.
This documentation shall describe the administrative interaction
between security services, and shall provide guidelines on secure
generation of a new TCB.
The procedures for examining and maintaining the audit files
as well as the detailed audit record structure for each type of audit
event shall be given.
The purpose of this requirement is to ensure that the product
administrator has the materials to understand how to administer
the system in a secure manner. The manual may give general security
advice (an overview), but specifically it should:
- explain clearly how to install (or re-install) and then configure the
  system in a secure manner -- this would involve some discussion of
  the user and the user account, group membership, subject attributes
  and object attributes
- explain how to maintain the system in a secure manner across its
  life time -- this might include examples of daily, weekly and monthly
  security routines as well as specific tasks such as bringing a system
  back up after a crash
- provide instruction on how to regenerate parts of the TCB, such
  as the kernel, in a secure way (on systems that allow TCB regeneration)
- explain the audit trail mechanism so that the authorised user can
  effectively use the audit trail to implement the local security policy
- explain how to adjust system defaults if experience of use shows them to
  be too lenient or too stringent.
Reference
X/Open CAE Specification, Baseline Security Services (XBSS),
Section 4.10.2, Administrative Documentation.
2. Change History