        Citadel Hercules® Automated Vulnerability
         Contents
1. Schedule Remediations: The TOE provides the capability to schedule remediation activity for single client machines or groups of client machines.

6.2 ASSURANCE MEASURES

A description of each of the TOE assurance measures follows.

M.AUTH: The TOE includes documentation which describes the authorization controls used by the developer to ensure that only authorized modifications may be made to the TOE.
M.CONFIG: The TOE includes a configuration item list which identifies those items of the TOE which are subject to configuration control by the developer.
M.DELIVER: The TOE includes documentation describing the secure delivery of the TOE.
M.DESIGN: The TOE includes design documentation which at a minimum consists of an informal functional specification, an informal high level design and an informal correspondence demonstration between the TOE Summary Specification, the Functional Specification and the High Level Design.
M.DEVELOP: The TOE includes documentation which describes the development security measures.
M.DOCS: The TOE includes user and administrator guidance documentation in the form of a User's Guide and an Installation Guide as well as an on-line help file, accessible from the TOE HMI.
M.ID: The TOE incorporates a unique version identifier that can be displayed to the user.
M.SETUP: The TOE includes an automated installation and set up program compatible with the TOE operating system. The installation
2. Doc No 1451 011 D001 Version 1.13 Date 27 Feb 2004 Page 23 of 68
Hercules® AVR Security Target

FPT_ITT.1.1: The TSF shall protect TSF data from [selection: disclosure, modification] when it is transmitted between separate parts of the TOE.
Dependencies: No dependencies.

FPT_RVM.1 Non-bypassability of the TSP
Hierarchical to: No other components.
FPT_RVM.1.1: The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed.
Dependencies: No dependencies.

FPT_SEP.1 TSF domain separation
Hierarchical to: No other components.
FPT_SEP.1.1: The TSF shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects.
FPT_SEP.1.2: The TSF shall enforce separation between the security domains of subjects in the TSC.
Dependencies: No dependencies.

FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
FPT_STM.1.1: The TSF shall be able to provide reliable time stamps for its own use.
Dependencies: No dependencies.

5.3 SECURITY FUNCTIONAL REQUIREMENTS PROVIDED BY THE OPERATING SYSTEM

The Hercules® AVR product relies upon the underlying operating system to provide some of the security features of the product. Of the security functional requirements listed in the previous paragraph, the operating system provides all or part of the fun
3. The TOE will only respond to requests for remediations which are received from identified and authorized client machines (FIA_UAU.2, FIA_UID.2). The TOE also enforces the SERVER_SFP information flow control security functional policy to limit its exposure to attacks by client machines and to ensure that only the correct remediation profiles are provided to client machines (FDP_IFC.1, FDP_IFF.1). The TOE also maintains an audit trail of remediation requests which may help to identify an attack from a client machine (FAU_GEN.1).

The TOE must provide effective remediation of known and reported vulnerabilities for client systems.

The TOE obtains its vulnerability and remediation data from trusted external sources using the IMPORT_SFP information flow control security function policy to govern the data import process (FDP_IFC.1, FDP_IFF.1). The TOE protects its data from unauthorized modifications or corruption, both internally (FMT_MSA.1, FMT_MSA.3, FPT_RVM.1, FPT_SEP.1) and during transmission to the client systems (FDP_ITT.1). The TOE enforces the SERVER_SFP information flow control security functional policy when providing specific remediation data to authorized client systems (FDP_IFC.1, FDP_IFF.1). The TOE permits authorized users to configure the list of client systems and vulnerabilities which will be remediated (FMT_SMF.1). Under specific circumstances the TOE is capable of rolling back remediations (FDP_ROL.1). Finally, the TOE maintain
4. FMT_MTD.1 Management of TSF data
Hierarchical to: No other components.
FMT_MTD.1.1: The TSF shall restrict the ability to [selection: modify, delete, [assignment: aggregate, display]] the [assignment: vulnerability data, remediation data and client system vulnerability and remediation status] to [assignment: authorised Hercules® AVR users].
Dependencies: FMT_SMF.1 Specification of management functions; FMT_SMR.1 Security roles.

FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
FMT_SMF.1.1: The TSF shall be capable of performing the following security management functions: [assignment:
a) specifying a list of client systems which are to be subject to automatic vulnerability remediation;
b) specifying which vulnerabilities are to be remediated;
c) scheduling automatic vulnerability remediations; and
d) rolling back previously completed remediations].
Dependencies: No dependencies.

FMT_SMR.1 Security roles
Hierarchical to: No other components.
FMT_SMR.1.1: The TSF shall maintain the roles [assignment: Hercules® AVR User and any other installation specific roles created by authorised Hercules® AVR Users].
FMT_SMR.1.2: The TSF shall be able to associate users with roles.
Dependencies: FIA_UID.1 Timing of identification.

FPT_ITT.1 Basic internal TSF data transfer protection
Hierarchical to: No other components.
5. [Table 4: Mapping of Security Functional Requirements to TOE Security Objectives]

O.CLIENTAUTH: The TOE must provide a mechanism for a two way authentication between client systems and the Remediation Server.

The SERVER_SFP information flow control security functional policy and associated management functions (FDP_IFC.1, FDP_IFF.1, FMT_MSA.1, FMT_MSA.3, FMT_SMF.1) control the flow of information between the Hercules® AVR Server and the client systems. In addition, the identification and authentication functional requirements (FIA_UAU.2 and FIA_UID.2) ensure that the identification and authentication activities complete successfully before information is transferred.

O.CLIENTPROT: The TOE must protect itself against attacks initiated by client systems

O.CLIENTREM
O.HMI
O.NETATK
6. Integrity / IT Product / Network

Information or resources to be protected by the countermeasures of a TOE.

An attempt to bypass security controls on an IT System. The attack may alter, release or deny data. Whether an attack will succeed depends on the vulnerability of the IT System and the effectiveness of existing countermeasures.

The independent examination of records and activities to ensure compliance with established controls, policy and operational procedures and to recommend indicated changes in controls, policy or procedures.

In an IT System, a chronological record of system resource usage; this includes user login, file access or other activities and whether any actual or attempted security violations occurred, legitimate and unauthorised.

To establish the validity of a claimed user or object.

Assuring information and communications services will be ready for use when expected.

An intrusion into an IT System where unauthorised disclosure, modification or destruction of sensitive information may have occurred.

Assuring information will be kept secret, with access limited to appropriate persons.

Assessment of a PP, a ST or a TOE, against defined criteria.

May range from a computer system to a computer network.

Assuring information will not be accidentally or maliciously altered or destroyed.

A package of IT software, firmware and/or hardware, providing functionality designed for use or incorporation within a mul
7. 8 RATIONALE

8.1 SECURITY OBJECTIVES RATIONALE

Table 3 provides a bi-directional mapping of Security Objectives to Threats and Assumptions. It is followed by a discussion of how each Threat or Assumption is addressed by the corresponding Security Objective(s).

[Table 3: Mapping of Security Objectives to Threats and Assumptions. Rows: A.BACKUP, A.CMS, A.CONFIG, A.GOODOS, A.KNOWLEDGE, A.NOEVIL, A.PHYSICAL, A.TOEUSER, T.BADDATA, T.CLIENT, T.CONSOLE, T.EXPLOIT, T.NETEXPLOIT, T.REMSERVER, T.SNIFF, T.SNIFFSCAN, T.SPOOF, T.SPOOFCLIENT, T.SPOOFSCAN]

A.BACKUP: The organization operating the TOE has good backup and recovery procedures which are followed, allowing the TOE to be recovered to a secure configuration after a hardware failure.

The OE.BACKUP objective details the need
8. The O.NETATK objective ensures that the information passing between the distributed parts of the TOE is secure.

T.SNIFFSCAN: A network attacker may monitor communications between the Remediation Server and a vulnerability scanner to learn vulnerabilities of client systems.

The O.SCANDATA objective ensures that the scanner data used by the TOE is accurate and secure.

T.SPOOF: A network attacker may attempt to imitate the Remediation Server and provide erroneous remediation information to a client system in order to compromise the client.

The O.CLIENTAUTH objective ensures that it is not possible to imitate the Remediation server.

T.SPOOFCLIENT: A network attacker may attempt to imitate a client system in order to gain information about the vulnerabilities of the client system.

The O.CLIENTAUTH objective ensures that it is not possible for an attacker to imitate a client system.

T.SPOOFSCAN: A network attacker may attempt to provide the Remediation Server with erroneous vulnerability assessment information in an attempt to prevent the remediation of vulnerable network systems.

The O.SCANDATA objective ensures that the scanner data used by the TOE is accurate and secure.

8.2 SECURITY REQUIREMENTS RATIONALE

Table 4 provides a bi-directional mapping of Security Functional Requirements to Security Objectives, and is followed by a discussion of how each Security Objective is addressed by the corresponding Security Functional Requirements.
9. expected test results and actual test results.

ATE_FUN.1.2C: The test plans shall identify the security functions to be tested and describe the goal of the tests to be performed.
ATE_FUN.1.3C: The test procedure descriptions shall identify the tests to be performed and describe the scenarios for testing each security function. These scenarios shall include any ordering dependencies on the results of other tests.
ATE_FUN.1.4C: The expected test results shall show the anticipated outputs from a successful execution of the tests.
ATE_FUN.1.5C: The test results from the developer execution of the tests shall demonstrate that each tested security function behaved as specified.

Evaluator action elements:
ATE_FUN.1.1E: The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ATE_IND.2 Independent testing - sample

Objectives

The objective is to demonstrate that the security functions perform as specified. Evaluator testing includes selecting and repeating a sample of the developer tests.

Application notes

The intent is that the developer should provide the evaluator with materials necessary for the efficient reproduction of developer tests. This may include such things as machine readable test documentation, test programs, etc.

This component contains a requirement that the evaluator has available test results from the developer to supplement the program of testing. The evaluator
10. features satisfy the requirements of ADV_HLD.2.

ADV_RCR.1 Informal Correspondence Demonstration

Assurance Measure M.DESIGN ensures that the TOE design documentation includes an informal correspondence demonstration between the TOE Summary Specification, the Functional Specification and the High Level Design. This measure satisfies the requirements of ADV_RCR.1.

AGD_ADM.1 Administrator Guidance

Assurance Measure M.DOCS ensures that the TOE documentation includes a user manual and online help system. Since all users of the TOE are also administrators (refer to assumption A.TOEUSER), this documentation acts as both User and Administrator guidance. This measure satisfies the requirements of AGD_ADM.1.

AGD_USR.1 User Guidance

Assurance Measure M.DOCS ensures that the TOE documentation includes a user manual and online help system. This measure satisfies the requirements of AGD_USR.1.

ALC_DVS.1 Identification of Security Measures

Assurance Measure M.DEVELOP ensures that the TOE documentation includes a description of the security measures for the TOE development environment. This measure satisfies the requirements of ALC_DVS.1.

ATE_COV.2 Analysis of Coverage

Assurance Measure M.TEST ensures that the TOE test documentation includes sufficient evidence to confirm that the developer has systematically tested the TOE against its
11. Standard Server with service pack 6, Windows® NT 4.0 Terminal Server with service pack 6, Windows® 2000 Professional with any service pack, Windows® 2000 Server with any service pack, Windows® 2000 Advanced Server with any service pack, Windows® XP Professional with any SP, Windows® Server 2003 Standard Edition and Windows® Server 2003 Enterprise Edition. For Windows® NT 4.0 platforms, Internet Explorer 5.5 with service pack 2 or above is also required. The minimum system requirements for Windows® Clients are specified in the Citadel Hercules® AVR Automated Vulnerability Remediation Installation Guide.

d) One or more network devices with Hercules® AVR Client Version 2.2.0 installed on a supported version of the UNIX operating system. The supported versions of the UNIX operating system are Solaris (SPARC) 2.6, 7, 8, 9 and Red Hat (Intel) 6.0, 6.1, 6.2, 7.0, 7.1, 7.2, 7.3, 8 9. The minimum system requirements for UNIX Clients are specified in the Citadel Hercules® AVR Automated Vulnerability Remediation Installation Guide.

2.2 TOE BOUNDARY

The Hercules® AVR product consists of the following major components:

- The Hercules® AVR Administrator Console provides the HMI for the product. It uses SSL based communications with the Hercules® AVR Server(s), and has the ability to interact with Windows® user accounts d
12. client systems.

O.CLIENTREM: The TOE must provide effective remediation of known and reported vulnerabilities for client systems.
O.HMI: The TOE must provide a controlled interface to its functionality such that only authorized TOE users are able to access the interface.
O.NETATK: The TOE must protect itself against network attackers.
O.REMDATA: The TOE must ensure that its remediation data is obtained from trusted sources and must provide a mechanism to ensure the integrity of this data.
O.SCANDATA: The TOE must ensure that its scanner data is obtained from trusted sources and must provide a mechanism to ensure the confidentiality and integrity of this data.

4.2 ENVIRONMENT SECURITY OBJECTIVES

The list below details the security objectives for the environment in which the TOE resides. These objectives are to be met through the application of procedural and/or administrative measures. They do not impose any additional security requirements upon the TOE.

OE.AUTHUSER: Only authorized personnel are permitted physical access to the TOE.
OE.BACKUP: Good backup and recovery procedures for the TOE must be in place.
OE.GOODOS: Those portions of the client operating system required for the correct operation of the TOE must function correctly.
OE.GOODUSER: Knowledgeable, non-malicious users with system administrator privileges must be assigned to install, configure, administer, operate and maintain the TOE.
OE.GUIDANCE: The administrator(s) resp
13. for external security measures (including external procedural, physical and personnel controls).

Evaluator action elements:
AVA_MSU.1.1E: The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AVA_MSU.1.2E: The evaluator shall repeat all configuration and installation procedures to confirm that the TOE can be configured and used securely using only the supplied guidance documentation.
AVA_MSU.1.3E: The evaluator shall determine that the use of the guidance documentation allows all insecure states to be detected.

AVA_SOF.1 Strength of TOE security function evaluation

Dependencies:
ADV_FSP.1 Informal functional specification
ADV_HLD.1 Descriptive high level design

Developer action elements:
AVA_SOF.1.1D: The developer shall perform a strength of TOE security function analysis for each mechanism identified in the ST as having a strength of TOE security function claim.

Content and presentation of evidence elements:
AVA_SOF.1.1C: For each mechanism with a strength of TOE security function claim the strength of TOE security function analysis shall show that it meets or exceeds the minimum strength level defined in the PP/ST.
AVA_SOF.1.2C: For each mechanism with a specific strength of TOE security function claim the strength of TOE security function analys
14. functional specification and high level design. This measure satisfies the requirements of ATE_COV.2.

ATE_DPT.1 Testing: High Level Design

Assurance Measure M.TEST ensures that the TOE test documentation includes sufficient evidence to demonstrate that the TSF operates in accordance with its high level design. This measure satisfies the requirements of ATE_DPT.1.

ATE_FUN.1 Functional Testing

Assurance Measure M.TEST ensures that the TOE test documentation is sufficient to determine that the developer has functionally tested all TOE security functions. This measure satisfies the requirements of ATE_FUN.1.

ATE_IND.2 Independent Testing - Sample

Assurance Measure M.TEST ensures that the TOE test documentation is sufficient for the evaluator to repeat a sample of the developer's functional testing in order to confirm the test results as well as develop independent tests of the TOE security functions. This measure satisfies the requirements of ATE_IND.2.

AVA_MSU.1 Examination of Guidance

Assurance Measure M.DOCS ensures that the TOE documentation includes guidance documentation. This documentation may be examined for misleading, unreasonable and conflicting guidance. This measure satisfies the requirements for AVA_MSU.1.

AVA_SOF.1 Strength of TOE Security Function Evaluation

Assurance Measure M.VULNER ensures that the TOE vu
15. process includes sufficient instructions to clearly document the installation process. The default installation results in the secure installation and start up of the TOE.

M.TEST: A suitably configured TOE has been evaluated in a controlled networked environment to confirm that TOE functionality operates as specified, and that the product can remediate a representative set of well known vulnerabilities from each of the vulnerability classes claimed by the developer. TOE functionality has also been evaluated in a real world environment, using a representative set of network systems configured with known vulnerabilities. The TOE includes developer test documentation which consists of test plans, test procedure descriptions, expected test results and actual test results. The test documentation is sufficient to determine that the developer has systematically tested the TOE against both the functional specification and the high level design.

M.VULNER: The TOE includes vulnerability documentation which describes the strength of function analysis along with an analysis of obvious vulnerabilities in the TOE.

7 PROTECTION PROFILE CLAIMS

This ST does not make compliance claims with respect to any Protection Profiles.
16. to TOE Security Objectives
Table 5 Security Functional Requirement Dependencies
Table 6 Security Assurance Requirement Dependencies
Table 7 Mapping of Security Functions to Security Functional Requirements
Table 8 Mapping of Assurance Measures to Assurance Requirements

1 INTRODUCTION

1.1 GENERAL

This introductory section presents security target (ST) identification information, an overview of the product and an overview of the ST structure. A brief discussion of the ST development methodology is also provided.

An ST document provides the basis for the evaluation of an information technology (IT) product or system under the Common Criteria for Information Technology Security Evaluation (CC). Within the ST the product or system which is being evaluated is referred to as the Target of Evaluation (TOE). An ST principally defines:

- A set of assumptions about the security aspects of the environment, a list of threats which the product is intended to counter, and any known rules with which the product must comply (see Section 3, Security Environment).
- A set of security objectives and a set of security requirements are presented in Sections 4 and 5 (Security Objectives and IT Security Requirements, resp
17. will repeat a sample of the developer's tests to gain confidence in the results obtained. Having established such confidence the evaluator will build upon the developer's testing by conducting additional tests that exercise the TOE in a different manner. By using a platform of validated developer test results the evaluator is able to gain confidence that the TOE operates correctly in a wider range of conditions than would be possible purely using the developer's own efforts, given a fixed level of resource. Having gained confidence that the developer has tested the TOE, the evaluator will also have more freedom, where appropriate, to concentrate testing in areas where examination of documentation or specialist knowledge has raised particular concerns.

Dependencies:
ADV_FSP.1 Informal functional specification
AGD_USR.1 User guidance
ATE_FUN Functional testing

Developer action elements:
ATE_IND.2.1D: The developer shall provide the TOE for testing.

Content and presentation of evidence elements:
ATE_IND.2.1C: The TOE shall be suitable for testing.
ATE_IND.2.2C: The developer shall provide an equivalent set of resources to those that were used in the developer's functional testing of the TSF.

Evaluator action elements:
ATE_IND.2.1E: The evaluator shall confirm that the information provided meets all requirements for content a
18. security and system categories

F.DISPCLIENT Display Network Client Systems: The TOE has the capability of displaying via a graphical user interface a list of devices connected to a Hercules® AVR Server.

F.DISPCLIENTSTATUS Display Network Client Status: The TOE has the capability of displaying via a graphical user interface the operational status of each client machine.

F.DISPPROF Display Profiles: The TOE has the capability of displaying via a graphical user interface the list of vulnerabilities which will be remediated by the Hercules® AVR Server for a client machine or a group of client machines.

F.DISPREMSTATUS Display Remediation Status: The TOE has the capability of displaying via a graphical user interface the remediation status of each client machine of each Hercules® AVR Server.

F.DISPSIG Display Remediation Signatures: The TOE has the capability of displaying via a graphical user interface the steps required to remediate a specific vulnerability on a client machine.

F.DISPVADATA Display Scanner Data: The TOE has the capability of displaying imported scanner information.

F.DISPVULN Display Vulnerabilities: The TOE has the capability of displaying graphically the vulnerabilities of machines on a network. It shall be possible to list all of the vulnerabilities reported for each

F.DOMAINSEP
19. Assurance Class / Assurance Components (Identifier, Name)
ACM_SCP.1 TOE CM coverage
Delivery and Operation: ADO_DEL.1 Delivery procedures; ADO_IGS.1 Installation, generation, and start-up procedures
Development: ADV_FSP.1 Informal functional specification; ADV_RCR.1 Informal correspondence demonstration
Independent testing - sample
Vulnerability Assessment: AVA_SOF.1 Strength of TOE security function evaluation; AVA_VLA.1 Developer vulnerability analysis

Table 2 EAL 3 Assurance Requirements

ACM_CAP.3 Authorization controls

Objectives

A unique reference is required to ensure that there is no ambiguity in terms of which instance of the TOE is being evaluated. Labeling the TOE with its reference ensures that users of the TOE can be aware of which instance of the TOE they are using.

Unique identification of the configuration items leads to a clearer understanding of the composition of the TOE, which in turn helps to determine those items which are subject to the evaluation requirements for the TOE.

Providing controls to ensure that unauthorized modifications are not made to the TOE, and ensuring proper functionality and use of the CM system, helps to maintain the integrity of the TOE.

Dependencies:
ALC_DVS.1 Identification of security measures

Developer acti
20. FMT_MSA.1 Management of Security Attributes

Only authorized Hercules® AVR users have access to the functions of the TOE (F.IAUSER). These users are subject to the IMPORT_SFP information flow control security functional policy for the import of vulnerability scan data (F.IMPVADATA) and vulnerability remediation data (F.IMPREMDATA). Authorized users may also display the imported vulnerability data (F.DISPVADATA) and aggregate vulnerability information from multiple scans into a unified vulnerability picture for client systems (F.AGGVADATA). Authorized TOE users have the ability to manipulate all of the vulnerability and remediation data held by the TOE (F.MANAGEDATA).

FMT_MSA.3 Static attribute initialization

Only authorized Hercules® AVR users have access to the TOE for the purposes of initializing security attributes (F.IAUSER). The security attributes are used for mutual identification and authentication between the Hercules® AVR Server and the client machines (F.IACLIENT). The Hercules® AVR users are subject to the IMPORT_SFP information flow control security function policy for the import of vulnerability scan data (F.IMPVADATA) and vulnerability remediation data (F.IMPREMDATA). Authorized TOE users may specify alternative initial values to override default values when data is imported (F.MANAGEDATA).

FMT_MTD.1 Management of T
21. [Table 7: Mapping of Security Functions to Security Functional Requirements]

FAU_GEN.1 Audit data generation

The audit function of the TOE collects (F.AUDIT) and stores audit data for actions which are specific to the TOE (scanner data import, remediation data import, client remediations). In addition, the operating system audit trail retains audit records related to the identification and authorization of users, the start-up and shut-down of the TOE and the start-up and shut-down of the OS audit mechanism.

FAU_SAR.1 Audit review

The TOE includes a comprehensive HMI (Hercules® AVR Administrator Console) with extensive display and reporting features (F.REPREMSTATUS) which permit all authorized users with the ability to rev
22. ONFIG ensures that the TOE includes a configuration item list. Assurance Measure M.AUTH ensures that only authorised changes are permitted to the TOE. These measures combine to satisfy the requirements of ACM_CAP.3.

ACM_SCP.1 TOE CM Coverage

Assurance Measure M.CONFIG ensures that the TOE includes a configuration item list. The contents of this list ensure that the requirements of ACM_SCP.1 are met.

ADO_DEL.1 Delivery Procedures

Assurance Measure M.DELIVER ensures that the TOE includes documentation describing the delivery procedures for the TOE. This measure satisfies the requirements of ADO_DEL.1.

ADO_IGS.1 Installation, Generation and Startup Procedures

Assurance Measure M.SETUP ensures that the TOE includes documentation describing its secure installation, generation and startup. This measure satisfies the requirements of ADO_IGS.1.

ADV_FSP.1 Informal Functional Specification

Assurance Measure M.DESIGN ensures that the TOE design documentation includes an informal function specification. This measure satisfies the requirements of ADV_FSP.1.

ADV_HLD.2 Security Enforcing High Level Design

Assurance Measure M.DESIGN ensures that the TOE design documentation includes an informal high level design which includes: a description of the TSF in terms of subsystems, a description of the purpose and method of use of all interfaces to the subsystems and a description of the separation of the TOE into TSP enforcing and other subsystems. These
23. SF Data

Only authorized Hercules AVR users have access to the TOE (F.IAUSER). Only these users have the ability to manipulate (display, modify, delete, aggregate) vulnerability data (F.AGGVADATA, F.DISPVADATA, F.DISPSIG), remediation data (F.DISPPROF, F.MANAGEPROF, F.APPPROF) and client system vulnerability and remediation data (F.DISPVULN, F.DISPCLIENT, F.DISPCLIENTSTATUS, F.DISPREMSTATUS, F.SCHEDREM).

FMT_SMF.1 Specification of Management Functions

The TOE allows authorized users complete control of the vulnerability and remediation data for all client systems (F.MANAGEDATA). Users may create, edit and approve remediation profiles for client systems or groups of client systems (F.MANAGEPROF, F.APPPROF). Users may also schedule automatic remediation activity for client systems (F.SCHEDREM, F.PUSHREM). This allows users to remove specific vulnerabilities from specific client systems (F.REMCLIENT). If desired, it is also possible in specific circumstances to roll back a previously applied remediation (F.ROLLBACK).

FMT_SMR.1 Security Roles

By default the TOE uses only one role, the Hercules AVR user role. Members of this role have access to all of the functionality of the TOE. Additionally, only individuals authorized as administrators by the underlying operating system are recognized as members of the Hercules AVR user role (F.IAUSER). The TOE provides the capability to create custom roles to which individual users and groups of users may be
24. VALUATED CONFIGURATION
TOE BOUNDARY
TOE SECURITY ENVIRONMENT
ASSUMPTIONS
THREATS
ORGANIZATIONAL SECURITY POLICIES
SECURITY OBJECTIVES
SECURITY OBJECTIVES FOR THE TOE
ENVIRONMENT SECURITY OBJECTIVES
IT SECURITY REQUIREMENTS
TOE SECURITY REQUIREMENTS
TOE SECURITY FUNCTIONAL REQUIREMENTS
SECURITY FUNCTIONAL REQUIREMENTS PROVIDED BY THE OPERATING SYSTEM
INFORMATION FLOW CONTROL SECURITY FUNCTIONAL POLICIES
Hercules AVR Server to Client Information Flow Control Security Functional Policy (SERVER_SFP)
Vulnerability Scanner Import Information Flow Control Security Functional Policy (IMPORT_SFP)
TOE SECURITY ASSURANCE REQUIREMENTS
TOE SUMMARY SPECIFICATION
25. VA_SOF.1 calculations is LOW. Any residual vulnerabilities may only be exploited by an attacker of moderate or high attack potential. The strength of function claim is therefore SOF-BASIC. This claim applies to the security function F.IAUSER, F.IACONSOLE, F.IACLIENT and F.IAREMSVR.

6.1 TOE SECURITY FUNCTIONS

A description of each of the TOE security functions follows.

F.AGGVADATA Aggregate Scanner Data

The TOE has the capability of merging vulnerability scanner information from the third party vulnerability scanners for a client machine into a single consistent vulnerability assessment for that machine.

F.APPPROF Approve Profile

The TOE provides the capability for a suitably authorized user to approve a remediation profile. Once approved, the remediation profile shall be automatically invoked by each client machine in the group to which the profile applies at the next scheduled remediation interval.

F.AUDIT Audit Remediation Activity

The TOE maintains an audit trail of remediation activity performed by each Hercules AVR server. The Hercules AVR server components and Windows client systems create events in the Windows event logs which include stop, start, successful actions and failed actions. These events are created on the Hercules AVR server and the target Windows machine which is being remediated. The Hercules AVR server is capable of generating audit events associated with the Windows Event Viewer application.
26. SECURITY TARGET

CITADEL HERCULES AUTOMATED VULNERABILITY REMEDIATION

VERSION 2.2.0

Document No. 1451-011-D001
Version 1.13, 27 February 2004

Prepared for:
Citadel Security Software Inc.
8750 N. Central Expressway, Suite 100
Dallas, Texas 75231

Prepared by:
Electronic Warfare Associates Canada, Ltd.
55 Metcalfe St., Suite 1600
Ottawa, Ontario K1P 6L5

<Original> Approved by:
Project Engineer: G. Gibbs
Project Manager: E. Connor
Program Director: P. Zatychec
(Signature, Date)

TABLE OF CONTENTS
1 INTRODUCTION
1.1 GENERAL
1.2 IDENTIFICATION
1.3 PRODUCT OVERVIEW
1.4 CONVENTIONS, TERMINOLOGY AND ACRONYMS
1.4.1 Conventions
1.4.2 Terminology
1.4.3 Acronyms
2 TARGET OF EVALUATION DESCRIPTION
2.1 E
27. _MSA.3.2  Dependencies:

The TSF shall require each user to identify itself before allowing any other TSF-mediated actions on behalf of that user.

No dependencies.

Management of security attributes. No other components.

a) The TSF shall enforce the [assignment: SERVER_SFP] to restrict the ability to [selection: create, modify, delete, [assignment: none]] the security attributes [assignment: identification and authentication of client machine] to [assignment: authorised Hercules AVR Users].

b) The TSF shall enforce the [assignment: IMPORT_SFP] to restrict the ability to [selection: create, modify, delete, [assignment: none]] the security attributes [assignment: identification and authentication of client machine and Vflash server] to [assignment: authorised Hercules AVR Users].

FDP_IFC.1 Subset information flow control
FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles

Static attribute initialisation. No other components.

The TSF shall enforce the [assignment: SERVER_SFP and IMPORT_SFP] to provide [selection: permissive] default values for security attributes that are used to enforce the SFP.

The TSF shall allow the [assignment: authorised TOE users] to specify alternative initial values to override the default values when an object or information is created.

FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
28. a generation

Hierarchical to: No other components.

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [selection: not specified] level of audit; and
c) [assignment: use of the Hercules AVR Client Management Service, Patch Download Service or Vflash Service events in addition to the audit capabilities of the underlying operating system].

FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the ST, [assignment: no other audit relevant information].

Dependencies: FPT_STM.1 Reliable time stamps

FAU_SAR.1 Audit review

This component will provide authorised users the capability to obtain and interpret the information. In case of human users this information needs to be in a human understandable presentation. In case of external IT entities the information needs to be unambiguously represented in an electronic fashion.

Hierarchical to: No other components.

FAU_SAR.1.1 The TSF shall provide [assignment: all TOE users] with the capability to read [assignment: all audit information] from the audit records.

FAU_SAR.1.2 The TSF shall provide the audit
29. ables performed to search for obvious ways in which a user can violate the TSP.

The vulnerability analysis documentation shall describe the disposition of obvious vulnerabilities.

The vulnerability analysis documentation shall show, for all identified vulnerabilities, that the vulnerability cannot be exploited in the intended environment for the TOE.

The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

The evaluator shall conduct penetration testing, building on the developer vulnerability analysis, to ensure obvious vulnerabilities have been addressed.

6 TOE SUMMARY SPECIFICATION

This section provides a description of the security functions and assurance measures of the TOE that meet the TOE security requirements.

A typical attacker in the intended environment for the TOE is assumed to have a low level of sophistication, but may have knowledge of vulnerabilities and access to attack methods that are in the public domain. The purpose of the attacks could be: (1) to gain access to the resources of the TOE; (2) to gain access to the resources of the client systems protected by the TOE; and/or (3) to prevent the successful remediation of client systems and thus leave these systems in a vulnerable state. Therefore, the attack potential which is applicable for A
30. and all machines on the network, or to display a list of machines which are susceptible to a specific vulnerability.

Domain Separation

The TOE maintains a security domain for its own execution which protects the TOE from interference and tampering by untrusted subjects. The TOE enforces the separation of the security domains of the client systems which are being remediated. The operating systems (Windows and Unix) provide this security domain in order to protect the TOE and provide process isolation.

The TSF ensures that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed.

The TSF enforces separation between the security domains of subjects in the TSC.

F.ENCRYPT  F.IACLIENT  F.IAREMSVR

Encrypt Data

The TOE has the capability of encrypting data which is transferred between the physically separate elements of the TOE. The user can configure the Hercules AVR Administrator Console to use HTTPS communication to the Hercules AVR Remediation Server. The user can configure the Hercules AVR clients to use HTTPS communication to the Hercules AVR Remediation Server. All Hercules AVR Remediation Server to Unix client communications for client management actions will be via SSH. All communication between a Hercules AVR Remediation Server and the Cita
31. apabilities. Unix clients require a root account to install, configure, and execute Unix daemons, use of Unix file system access control and the use of ssh for installation.

[Figure 1: TOE Boundary Diagram. Labelled elements: Hercules Administrator Console, Vulnerability Scan Data, Hercules Server, Vflash Remediation Data, Vulnerability Data, Download Service, Hercules Windows, TOE Boundary.]

The Hercules AVR Administrator Console and all of the Hercules AVR Servers fall within the TOE Boundary, as do the data stores associated with the Remediation and Vulnerability data used by the Hercules AVR Server. Figure 1 shows that client machines are partially inside the TOE Boundary and partially outside the boundary. The parts of the client machines which fall within the TOE Boundary consist of the Hercules AVR Client software and those portions of the operating system necessary to provide authentication and secure communications with the Hercules AVR Server.

The Hercules AVR product is designed for the use of network administrators and it is assumed that these users are appro
32. are necessary to protect the confidentiality and integrity of the TOE design and implementation in its development environment.

ALC_DVS.1.2C The development security documentation shall provide evidence that these security measures are followed during the development and maintenance of the TOE.

Evaluator action elements:

ALC_DVS.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ALC_DVS.1.2E The evaluator shall confirm that the security measures are being applied.

ATE_COV.2 Analysis of coverage

Objectives

In this component, the objective is to establish that the TSF has been tested against its functional specification in a systematic manner. This is to be achieved through an examination of developer analysis of correspondence.

Application notes

The developer is required to demonstrate that the tests which have been identified include testing of all of the security functions as described in the functional specification. The analysis should not only show the correspondence between tests and security functions, but should provide also sufficient information for the evaluator to determine how the functions have been exercised. This information can be used in planning for additional evaluator tests. Although at this level the developer has to demonstrate that each of the functions within the functional specification has been tested, the amount of testing of each func
33. arge-scale enterprise level Windows and Unix (Solaris, Linux) based networks.

Hercules AVR provides network security administrators with the ability to prioritize and remediate vulnerabilities using automated fixes that have been developed, tested, verified as being correct and validated as being appropriate, by trusted and dedicated IT security professionals.

New vulnerabilities are being discovered on a daily basis. It has been estimated that it takes approximately one man-hour of labour to manually correct one vulnerability on one client machine. For all but the smallest networks, manually correcting vulnerabilities imposes an unacceptable workload and cost for valuable and often scarce network and security administration resources. The Hercules AVR product overcomes this problem with Automated Vulnerability Remediation (AVR). Hercules AVR offers the following significant features:

• Interoperability: Hercules AVR supports many industry leading vulnerability assessment scanners.

• Multi-tiered Architecture: The Hercules AVR Administrator Console can be configured to manage multiple Hercules AVR Servers.

• Administrator Control: Administrators maintain complete control over the selection of which vulnerabilities are to be remediated.

• Multiple O/S Support: In addition to Windows platforms, Hercules AVR supports UNIX (Sun Solaris) and Linux (Red Hat).

• Reporting: Detailed reports organize the vulnerabi
34. 2 TARGET OF EVALUATION DESCRIPTION

2.1 EVALUATED CONFIGURATION

The Hercules AVR product is designed to facilitate the automatic vulnerability remediation of devices on a network. The product imports vulnerability information from a number of third party, commercial vulnerability scanner products and consolidates this information into a single view of the vulnerabilities of each device in the network. The product provides a sequence of automatically executable remediation steps, known as a "remediation signature", which will correct each recognized vulnerability. Users of the product may download new signatures from the "V-flash" server operated by Citadel Security Software. The Hercules AVR product provides an interface which allows users to view the listed vulnerabilities of devices on the network. Logical groupings of devices may be defined. An automatic remediation schedule may be defined for a group. In addition, a specific list of vulnerabilities to be remediated, known as a "remediation profile", may be defined for the group. The evaluated configuration of the Hercules AVR Version 2.2.0 product (build 1792 with software update V-flash Version 202000501, dated 2 Feb 2004) consists of:

a) The Hercules AVR Administrator Console executing on an Intel Pentium-based PC running Windows 2000 Server with all service packs, Windows 2000 Advanced Server with all service packs, Windows XP Professional with all service pac
35. assigned (F.MANAGEROLES). The ability to use specific features of the TOE, such as the creation of user defined vulnerabilities, may be assigned to custom roles.

FPT_ITT.1 Basic Internal TSF Data Transfer Protection

The TOE uses SSL to secure data transfers between the Administrator Console and the Remediation Server(s) (F.ENCRYPT, F.IACONSOLE, F.IAREMSVR). The TOE uses SSL (for Windows clients) and OpenSSH (for Unix clients) to secure data transfers between a Remediation Server and client systems (F.ENCRYPT, F.IACLIENT, F.PUSHREM). These functions prevent the unauthorized disclosure and/or modification of TSF data.

FPT_RVM.1 Non-bypassability of the TSP

The TOE ensures that the TSP enforcement functions are invoked and successful before any function within the TSC is activated (F.RVM).

FPT_SEP.1 TSF Domain Separation

The TOE maintains a separate security domain for its own execution (F.DOMAINSEP). This protects the TOE from interference and tampering by untrusted subjects. The TOE also enforces separate security domains for each of the client systems being remediated (F.DOMAINSEP).

FPT_STM.1 Reliable time stamps

The audit functions of the TOE (F.AUDIT) use the reliable time stamp provided by the underlying operating system when recording audit records.

8.6 TOE ASSURANCE MEASURES RATIONALE

The Hercules AVR product is desi
36. atic attribute initialisation

Basic internal transfer protection. No other components.

The TSF shall enforce the [assignment: SERVER_SFP] to prevent the [selection: disclosure, modification] of user data when it is transmitted between physically separated parts of the TOE.

FDP_IFC.1 Subset information flow control

Basic rollback. No other components.

The TSF shall enforce [assignment: SERVER_SFP] to permit the rollback of the [assignment: automatic vulnerability remediations] on the [assignment: client machines].

The TSF shall permit operations to be rolled back within the [assignment: time period between the completion of the remediation that is to be rolled back and the start of the next remediation].

FDP_IFC.1 Subset information flow control

Authentication failure handling

No other components.

FIA_AFL.1.1  FIA_AFL.1.2  Dependencies:  FIA_SOS.1  Hierarchical to:  FIA_SOS.1.1  Dependencies:  FIA_UAU.2  Hierarchical to:

The TSF shall detect when [assignment: a user configurable number (with an unlimited default value) of] unsuccessful authentication attempts occur related to [assignment: consecutive unsuccessful authentication attempts since the last successful authentication to the Hercules AVR Administrator Console or Hercules AVR Server].

When the defined number of unsuccessful authentication
37. ation Data

The TOE has the capability to import specific remediation information for reported vulnerabilities.

F.IMPVADATA Import Scanner Data

The TOE has the capability of importing vulnerability scanner information from the following third party vulnerability scanners:
1. Foundstone (FoundScan Engine)
2. Harris STAT Scanner
3. ISS Internet Scanner
4. ISS System Scanner
5. Microsoft MBSA
6. Nessus Scanner
7. Qualys QualysGuard Scanner
8. Retina Digital Security Scanner
9. VIGILANTe SecureScan

F.MANAGEDATA  F.MANAGEPROF  F.MANAGEROLES  F.PUSHREM  F.REMCLIENT  F.REPREMSTATUS  F.ROLLBACK

Manage Scanner and Remediation Data

The TOE provides the user with an interface from which it is possible to manage the vulnerability scanner information and the vulnerability remediation information. A user may view a remediation profile for a device in order to determine which vulnerabilities and associated remedies will be applied to a device when it is remediated.

Manage Profiles

The TOE provides the capability for a suitably authorized user to manage remediation profiles. Machines may be added to or removed from the group to which the profile applies. Specific vulnerabilities may be added to or removed from the remediation profile.

Manage Roles

The TOE provides the capability for a su
38. ation profiles or rollback instructions sent from the Server to the client.

5.4.2 Vulnerability Scanner Import Information Flow Control Security Functional Policy (IMPORT_SFP)

The TOE relies upon data generated by one or more third party vulnerability scanner products in order to identify the vulnerabilities which exist on client machines. These scanner products fall outside the boundary of the TOE. The data generated by the scanners is also initially outside the TOE boundary. However, authorised TOE users may import data from one of the recognised scanner products across the TOE boundary. If the vulnerability data is selected by an authorised TOE user and conforms to the expected format of data from one of the supported third party scanner products, then the TOE accepts that data as valid vulnerability information.

During the operation of the TOE the update of vulnerability remediation data must be performed on a regular basis. These updates are obtained from the trusted Hercules AVR V-Flash server, which falls outside the TOE boundary. The TOE uses SSL to ensure the fidelity of the data downloaded from the V-Flash server.

5.5 TOE SECURITY ASSURANCE REQUIREMENTS

The security assurance requirements for the TOE comprise the requirements corresponding to the EAL 3 level of assurance as defined in the CC Part 3. The assurance components are summarized in the following table.
39. attempts has been met or surpassed, the TSF shall [assignment: lock the account attempting to log in and generate an audit record. The account shall remain locked until unlocked by an authorised Hercules AVR User].

FIA_UAU.1 Timing of authentication

Verification of Secrets. No other components.

1) The TSF shall provide a mechanism to verify that secrets meet [assignment: the requirements that user passwords are a minimum of 8 characters in length, include a combination of alphanumeric, special, upper and lower case character, and are changed at least once every 42 days].

2) The TSF shall provide a mechanism to verify that secrets meet [assignment: the requirements that the Internal Hercules CMS Domain Administrator Password is a minimum of 8 characters in length, a maximum of 15 characters in length with each character generated randomly].

No dependencies.

User authentication before any action

FIA_UAU.1

FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

Dependencies: FIA_UID.1 Timing of identification

FIA_UID.2 User identification before any action

Hierarchical to: FIA_UID.1

FIA_UID.2.1  Dependencies:  FMT_MSA.1  Hierarchical to:  FMT_MSA.1.1  Dependencies:  FMT_MSA.3  Hierarchical to:  FMT_MSA.3.1  FMT
40. cedures.

Content and presentation of evidence elements:

ADO_DEL.1.1C The delivery documentation shall describe all procedures that are necessary to maintain security when distributing versions of the TOE to a user's site.

Evaluator action elements:

ADO_DEL.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ADO_IGS.1 Installation, generation, and start-up procedures

Dependencies: No dependencies.

Developer action elements:

ADO_IGS.1.1D The developer shall document procedures necessary for the secure installation, generation, and start-up of the TOE.

Content and presentation of evidence elements:

ADO_IGS.1.1C The installation, generation and start-up documentation shall describe all the steps necessary for secure installation, generation and start-up of the TOE.

Evaluator action elements:

ADO_IGS.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ADO_IGS.1.2E The evaluator shall determine that the installation, generation, and start-up procedures result in a secure configuration.

ADV_FSP.1 Informal functional specification

Dependencies: ADV_RCR.1 Informal correspondence demonstration

Developer action elements:

ADV_FSP.1.1D The developer shall provide a
41. ctionality for these functional requirements: FAU_GEN.1, FAU_SAR.1, FAU_SEL.1, FDP_ITT.1, FIA_AFL.1, FIA_SOS.1, FIA_UAU.2, FIA_UID.2, FMT_MSA.1, FMT_MSA.3, FMT_SMR.1, FPT_ITT.1, FPT_RVM.1, FPT_SEP.1 and FPT_STM.1.

5.4 INFORMATION FLOW CONTROL SECURITY FUNCTIONAL POLICIES

5.4.1 Hercules AVR Server to Client Information Flow Control Security Functional Policy (SERVER_SFP)

The operating environment for the TOE consists of a Hercules AVR Administrator Console and one or more Hercules AVR Servers connected in a network with a number of client machines. It is expected that the client machines will contain vulnerabilities which will be automatically remediated by the Hercules AVR Server on a scheduled basis. In an environment where the client machines are assumed to contain vulnerabilities, the possibility always exists that one or more of the client machines have been compromised and may act maliciously towards the TOE. For this reason the only information that a Hercules AVR Server will accept from any client machine is: (a) the identification of the client machine for authentication purposes when requesting a scheduled remediation; and (b) remediation status information during the course of a remediation session. All other information flow between the Hercules AVR Server and a Hercules AVR Client will consist of remedi
42. del Vflash server will be via HTTPS. If a patch vendor's site supports HTTPS, the downloading of patches will use HTTPS.

Identify and Authenticate Clients

Each Hercules AVR Remediation Server has the capability to identify and authenticate each client machine for which it will issue a remediation profile. The client machines can be configured for HTTPS authentication with the Hercules AVR server using a server certificate. In the evaluated configuration, the client machines shall be configured with a client certificate for mutual authentication with the Hercules AVR server.

Identify and Authenticate Remediation Server

The Hercules AVR Administrator Console has the capability to identify and authenticate each Hercules AVR Remediation Server through the use of a certificate installed on the server. The Hercules AVR Server has the ability to authenticate to the Windows Domain Controller using a Domain Administrator account with an internally generated random password.

F.IAUSER Identify and Authenticate Users

The Hercules AVR Administrator Console has the capability to identify and authenticate users of the console. The Hercules AVR Administrator Console executes using a Windows administrator account which is recognized by the machine hosting the Hercules AVR server.

F.IMPREMDATA Import Remedi
43. e TOE in a secure manner.

The administrator guidance shall contain warnings about functions and privileges that should be controlled in a secure processing environment.

The administrator guidance shall describe all assumptions regarding user behaviour that are relevant to secure operation of the TOE.

The administrator guidance shall describe all security parameters under the control of the administrator, indicating secure values as appropriate.

The administrator guidance shall describe each type of security-relevant event relative to the administrative functions that need to be performed, including changing the security characteristics of entities under the control of the TSF.

The administrator guidance shall be consistent with all other documentation supplied for evaluation.

The administrator guidance shall describe all security requirements for the IT environment that are relevant to the administrator.

The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

AGD_USR.1 User guidance

Dependencies: ADV_FSP.1 Informal functional specification

Developer action elements:

AGD_USR.1.1D The developer shall provide user guidance.

Content and presentation of evidence elements:

AGD_USR.1.1C The user guidance shall describe the functions and interface
44. TOE SECURITY FUNCTIONS
ASSURANCE MEASURES
PROTECTION PROFILE CLAIM
8 RATIONALE
8.1 SECURITY OBJECTIVES RATIONALE
8.2 SECURITY REQUIREMENTS RATIONALE
8.3 SECURITY FUNCTIONAL REQUIREMENT DEPENDENCIES
8.4 SECURITY ASSURANCE REQUIREMENT DEPENDENCIES
8.5 TOE SUMMARY SPECIFICATION RATIONALE
8.6 TOE ASSURANCE MEASURES RATIONALE

LIST OF FIGURES
Figure 1 TOE Boundary Diagram

LIST OF TABLES
Table 1 Summary of CC Part 2 Security Functional Requirements
Table 2 EAL 3 Assurance Requirements
Table 3 Mapping of Security Objectives to Threats and Assumptions
Table 4 Mapping of Security Functional Requirements
45. e evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ACM_SCP.1 TOE CM coverage
Objectives
A CM system can control changes only to those items that have been placed under CM (i.e., the configuration items identified in the configuration item list). Placing the TOE implementation and the evaluation evidence required by the other assurance components in the ST under CM provides assurance that they have been modified in a controlled manner with proper authorizations.
Dependencies: ACM_CAP.3 Authorization controls
Developer action elements:
ACM_SCP.1.1D The developer shall provide a list of configuration items for the TOE.
Content and presentation of evidence elements:
ACM_SCP.1.1C The list of configuration items shall include the following: implementation representation and the evaluation evidence required by the assurance components in the ST.
Evaluator action elements:
ACM_SCP.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADO_DEL.1 Delivery procedures
Dependencies: No dependencies.
Developer action elements:
ADO_DEL.1.1D The developer shall document procedures for delivery of the TOE or parts of it to the user.
ADO_DEL.1.2D The developer shall use the delivery pro
46. ectively.
• The IT security functions provided by the TOE which meet that set of requirements (see Section 6, TOE Summary Specification).
The structure and contents of this ST comply with the requirements specified in the CC, Part 1, Annex C and Part 3, Chapter 5.
1.2 IDENTIFICATION
Title: Citadel Hercules Automated Vulnerability Remediation Version 2.2.0 Security Target
Registration: 383-4-18
Common Criteria Conformance Claim: The TOE is CC Part 2 conformant and CC Part 3 conformant.
Evaluation Assurance Level (EAL): The TOE is EAL 3 conformant.
Protection Profile Conformance: The TOE does not claim conformance with any Protection Profile (PP).
Common Criteria Identification: Common Criteria for Information Technology Security Evaluation, Version 2.1, August 1999, with all current approved interpretations.
International Standard: ISO/IEC 15408:1999
Authors: This document has been written by EWA Canada on behalf of Citadel Security Software Inc.
1.3 PRODUCT OVERVIEW
The Hercules AVR is a network security administration tool that is intended to be used in conjunction with advanced network vulnerability assessments.
The purpose of the product is to enable the deliberate and controlled remote, automated vulnerability remediation (AVR) of all classes of identified network vulnerabilities on l
47. ed within a TOE.
Data created by and for the TOE that might affect the operation of the TOE.
The set of interactions that can occur with or within a TOE and are subject to the rules of the TSP.
An entity (human user or external IT entity) outside of the TOE that interacts with the TOE.
Hardware, firmware or software flaw that leaves an IT System open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls and so forth that could be exploited by a threat to gain unauthorised access to information, unauthorised privileges or disrupt critical processing.
1.4.3 Acronyms
AVR: Automatic Vulnerability Remediation
CC: Common Criteria for Information Technology Security Evaluation
CERT: Computer Emergency Response Team
CM: Configuration Management
CVE: Common Vulnerabilities and Exposures
EAL: Evaluation Assurance Level
HMI: Human Machine Interface
IT: Information Technology
O/S: Operating System
SSH: Secure Shell
SSL: Secure Sockets Layer
ST: Security Target
TCP/IP: Transmission Control Protocol / Internet Protocol
TOE: Target of Evaluation
TSC: TOE Scope of Control
TSF: TOE Security Functions
TSP: TOE Security Policy
48. ently, by misconfiguring network systems from a security perspective. Threat agents are assumed to have a low level of sophistication, but may have knowledge of vulnerabilities and access to attack methods which are in the public domain. The TOE is not designed to withstand attack by sophisticated, highly motivated or well funded threat agents. The assets that are subject to attack are the components of the TOE itself and/or the resources of the client systems protected by the TOE.
T.BADDATA A network attacker may attempt to provide the Remediation Server with erroneous remediation information in an attempt to compromise the Client systems.
T.CLIENT An unauthorized person may have administrator/root control of one of the client systems and may use that control to attempt to compromise the Remediation Server.
T.CONSOLE A network attacker may attempt to gain control of the TOE through the Hercules AVR Administration Console.
T.EXPLOIT A network attacker may attempt to exploit vulnerabilities on a client system protected by the TOE in order to gain unauthorized access to the resources of the client system.
T.NETEXPLOIT A network attacker may attempt to exploit vulnerabilities on a client system protected by the TOE in an attempt to compromise other network resources.
T.REMSERVER A network attacker may attempt to gain control of the Hercules AVR Remediation Server.
T.SNIFF A network attacker may intercept and monitor communications be
49. ether the TOE explicitly addresses each dependency. Notes are provided for those cases where the dependencies are satisfied by components which are hierarchical to the specified dependency.
Table 5 Security Functional Requirement Dependencies (columns: Security Functional Requirement; Dependencies; Dependency Satisfied; Notes). Rows legible in the extracted text:
Dependency FPT_STM.1; satisfied: Yes.
Dependency FAU_GEN.1; satisfied: Yes.
FIA_AFL.1; dependency FIA_UAU.1; satisfied: Yes; note: FIA_UAU.2 is specified as a security functional requirement and FIA_UAU.2 is hierarchical to FIA_UAU.1.
FIA_UAU.2; dependency FIA_UID.1; note: FIA_UID.2 is specified as a security functional requirement and FIA_UID.2 is hierarchical to FIA_UID.1.
An FMT_ requirement; dependency FIA_UID.1; note: FIA_UID.2 is specified as a security functional requirement and FIA_UID.2 is hierarchical to FIA_UID.1.
Other legible entries: FDP_IFC.1; FMT_SMF.1; None.
8.4 SECURITY ASSURANCE REQUIREMENT DEPENDENCIES
Table columns: Dependencies; Dependency Satisfied. Legible dependency entries: ADV_RCR.1; ADV_FSP.1; ADV_FSP.1; ADV_FSP.1; ATE_FUN.1.
Note: ADV_HLD.2 is specified as a security assurance requirement and ADV_HLD.2 is hierarch
50. for good backup and recovery procedures.
Windows client machines which will be remediated using Client Management Services (CMS) are assumed to reside on a protected network.
The OE.SECURECOM objective ensures that communications between the Hercules Server and Windows client machines using CMS are protected.
The servers running the Remediation Server and the Administrator Console have been configured securely as described in the Guidance documents and are maintained in that secure configuration. In particular:
a) They are configured with the minimal operating system features installed and/or enabled to permit operation of the TOE.
b) They are configured with minimal system privileges.
c) They are configured with user accounts for authorized system administrators only and do not provide any end user accounts.
The OE.GUIDANCE objective ensures that the TOE will be configured securely.
The Operating System of the client machines has been configured in accordance with the Hercules AVR Security Configuration Guide and therefore may be trusted to function correctly for those OS functions required by the TOE component that is installed on the client machine.
The OE.GOODOS objective ensures that those functions of the operating system required by the TOE function correctly.
TOE Users have knowledge of the Windows 2000/XP/2003 operating system, networking technology and general IT security practices.
The OE.GOODUSER objective note
51. functional specification.
Content and presentation of evidence elements:
ADV_FSP.1.1C The functional specification shall describe the TSF and its external interfaces using an informal style.
ADV_FSP.1.2C The functional specification shall be internally consistent.
ADV_FSP.1.3C The functional specification shall describe the purpose and method of use of all external TSF interfaces, providing details of effects, exceptions and error messages, as appropriate.
ADV_FSP.1.4C The functional specification shall completely represent the TSF.
Evaluator action elements:
ADV_FSP.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_FSP.1.2E The evaluator shall determine that the functional specification is an accurate and complete instantiation of the TOE security functional requirements.
ADV_HLD.2 Security enforcing high level design
Dependencies: ADV_FSP.1 Informal functional specification; ADV_RCR.1 Informal correspondence demonstration
Developer action elements:
ADV_HLD.2.1D The developer shall provide the high level design of the TSF.
Content and presentation of evidence elements:
ADV_HLD.2.1C The presentation of the high level design shall be informal.
ADV_HLD.2.2C The high level design shall be internally consistent.
ADV_HLD.2.3C The high
52. gned to protect the TOE and its data from network attacks, to limit the system's use of network interfaces to those specified by the user, and to be simple enough for a knowledgeable system administrator to use. An assurance level of EAL 3 (Methodically Tested and Checked) was selected as the threat to security is considered to be unsophisticated network attackers, and the data to be protected consists primarily of user private data and system resources. An evaluation at this level provides a moderate level of independently assured security via a thorough investigation of the TOE and its development.
Table 8 provides a bi-directional mapping of Assurance Measures to Assurance Requirements, and is followed by a short discussion of how the Assurance Requirements are addressed by the corresponding Assurance Measures.
Table 8 Mapping of Assurance Measures to Assurance Requirements (column headings legible in the extracted text: ACM_SCP.1, ADO_DEL.1, ADO_IGS.1, ADV_FSP.1, ADV_HLD.2, ADV_RCR.1, AGD_ADM.1, AGD_USR.1, ALC_DVS.1, ATE_COV.2, ATE_DPT.1, ATE_FUN.1, ATE_IND.2, AVA_MSU.1; row labels and cell marks are not legible)
ACM_CAP.3 Authorisation Controls
Assurance Measure M.ID ensures that the TOE is uniquely identified and labelled with its identity. Assurance Measure M.C
53. ical to ADV_HLD.1.
Table 6 Security Assurance Requirement Dependencies (columns: Dependencies; Dependency Satisfied; Notes). Rows legible in the extracted text:
Dependency ADV_FSP.1; satisfied: Yes.
AVA_SOF.1; dependencies ADV_FSP.1, ADV_HLD.1; note: ADV_HLD.2 is specified as a security assurance requirement and ADV_HLD.2 is hierarchical to ADV_HLD.1.
AVA_VLA.1; dependencies ADV_FSP.1, ADV_HLD.1; note: ADV_HLD.2 is specified as a security assurance requirement and ADV_HLD.2 is hierarchical to ADV_HLD.1.
8.5 TOE SUMMARY SPECIFICATION RATIONALE
Table 7 provides a bi-directional mapping of Security Functions to Security Functional Requirements, and is followed by a discussion of how each Security Functional Requirement is addressed by the corresponding Security Function.
Table 7 (mapping grid; cell marks are not legible). Column headings legible in the extracted text: FAU_SEL.1, FDP_IFC.1, FDP_IFF.1, FDP_ITC.1, FDP_ITT.1, FIA_AFL.1, FPT_SEP.1, FAU_SAR.1, FDP_ROL, FIA_SOS.1, FIA_SOS.1, FIA_UAU.2, FIA_UID.2, FMT_MSA, FMT_MTD, FMT_SMF, FMT_SMR, FPT_ITT.1, FPT_RVM, FPT_STM.1. Row labels legible in the extracted text: F.DISPSIG, F.DISPVADATA, F.DISPVULN, F.DOMAINSEP, F.ENCRYPT, F.IACLIENT, F.IAREMSVR, F.IAUSER, F.PUSHREM, F.REMCLIENT.
54. iew, scan, analyze and interpret the audit trail recorded by the TOE (F.AUDIT).
FAU_SEL.1 Selective Audit
The TOE HMI (Hercules AVR Administrator Console) provides authorized users with the ability to view audit information based both upon specific vulnerabilities or upon specific client machines or group of machines (F.AUDIT).
FDP_IFC.1 Subset information flow control
Each Hercules AVR Server enforces the SERVER_SFP information flow control security functional policy which dictates that the server must identify and authenticate a client machine (F.IACLIENT) before accepting a request for remediation data from that client and providing the remediation profile (F.PUSHREM) which is used to remediate the client (F.REMCLIENT).
Each Hercules AVR Server also enforces the IMPORT_SFP information flow control security functional policy when importing both vulnerability scan data (F.IMPVADATA) and vulnerability remediation data (F.IMPREMDATA).
FDP_IFF.1 Simple security attributes
The TOE uses the SERVER_SFP information flow control security functional policy to govern the exchange of data between a Hercules AVR Server and one of its client systems. This policy states that the server must identify and authenticate the client (F.IACLIENT) before providing the client with the remediation information (F.PUSHREM) necessary to re
55. is shall show that it meets or exceeds the specific strength of function metric defined in the PP/ST.
Evaluator action elements:
AVA_SOF.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AVA_SOF.1.2E The evaluator shall confirm that the strength claims are correct.
AVA_VLA.1 Developer vulnerability analysis
Objectives
A vulnerability analysis is performed by the developer to ascertain the presence of obvious security vulnerabilities, and to confirm that they cannot be exploited in the intended environment for the TOE.
Application notes
The evaluator should consider performing additional tests as a result of potential exploitable vulnerabilities identified during other parts of the evaluation.
Dependencies: ADV_FSP.1 Informal functional specification; ADV_HLD.1 Descriptive high level design; AGD_USR.1 User guidance
Developer action elements:
AVA_VLA.1.1D The developer shall perform a vulnerability analysis.
AVA_VLA.1.2D The developer shall provide vulnerability analysis documentation.
Content and presentation of evidence elements: AVA_VLA.1.1C, AVA_VLA.1.2C, AVA_VLA.1.3C
Evaluator action elements: AVA_VLA.1.1E, AVA_VLA.1.2E
The vulnerability analysis documentation shall describe the analysis of the TOE deliver
56. itably authorized user to create and manage custom roles for the TOE. Once created, individual users and groups of users may be assigned to the role. Privileges to use specific functions of the TOE such as creating custom remediation remedies and user defined vulnerabilities may also be assigned to the role.
Push Remediation Data
The Hercules AVR Server provides remediation data in the form of a remediation profile to client machines.
Remediate Client System
The TOE provides the capability to automatically remediate specific vulnerabilities on client machines.
Report Remediation Status
The TOE has the capability of producing reports describing the remediation status of each client machine of each Hercules AVR Server. The user can select reports which show the details and summaries of: remediation sessions, import sessions, devices, groups, vulnerabilities, policies and remedies.
Rollback Remediations
The TOE has the capability to systematically rollback the last remediation session performed on a Windows client machine.
F.RVM, F.SCHEDREM
Reference Monitor
This TOE security function is supported by the operating systems (Windows and Unix) to provide reference mediation, e.g., when a user process requires access to a resource it requests a handle/token for the resource from the operating system
57. ither certificates or in the absence of certificates the IP Address, Domain Name or NETBIOS name.
The TSF shall enforce the [assignment: no additional information flow control SFP rules].
The TSF shall provide the following [assignment: no additional SFP capabilities].
The TSF shall explicitly authorise an information flow based on the following rules: [assignment: none].
The TSF shall explicitly deny an information flow based on the following rules: [assignment: none].
FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialisation
Import of user data without security attributes
No other components.
FDP_ITC.1.1, FDP_ITC.1.2, FDP_ITC.1.3, Dependencies, FDP_ITT.1, Hierarchical to, FDP_ITT.1.1, Dependencies, FDP_ROL.1, Hierarchical to, FDP_ROL.1.1, FDP_ROL.1.2, Dependencies, FIA_AFL.1, Hierarchical to
The TSF shall enforce the [assignment: IMPORT_SFP] when importing user data, controlled under the SFP, from outside of the TSC.
The TSF shall ignore any security attributes associated with the user data when imported from outside the TSC.
The TSF shall enforce the following rules when importing user data controlled under the SFP from outside the TSC: [assignment: no additional importation control rules].
FDP_IFC.1 Subset information flow control
FMT_MSA.3 St
58. ks, Windows 2003 Standard Edition or Windows 2003 Enterprise Edition as the operating system. Internet Explorer 5.5 or above is also required. The minimum hardware requirements for the Hercules AVR Administrator Console are specified in the Citadel Hercules AVR Automated Vulnerability Remediation Installation Guide. The required setup of the Hercules AVR Administrator Console is described in the Hercules AVR Security Configuration Guide.
b) One or more Hercules AVR Server(s) executing on an Intel Pentium based PC running Windows 2000 Server with Service Pack 4, Windows 2000 Advanced Server with Service Pack 4, Windows 2003 Standard Edition or Windows 2003 Enterprise Edition as the operating system. For the Windows 2000 server family IIS 5.0 is also required. For the Windows Server 2003 family IIS 6.0 is also required. Internet Explorer 6.0 with service pack 1 is required for all installations. The minimum hardware requirements for a Hercules AVR Server are specified in the Citadel Hercules AVR Automated Vulnerability Remediation Installation Guide. The required setup of a Hercules AVR Server is described in the Hercules AVR Security Configuration Guide.
c) One or more network devices with Hercules AVR Client Version 2.2.0 installed on a supported Windows operating system. The supported versions of the Windows operating system are Windows NT 4.0 Workstation with service pack 6, Windows NT 4.0
59. level design shall describe the structure of the TSF in terms of subsystems.
ADV_HLD.2.4C The high level design shall describe the security functionality provided by each subsystem of the TSF.
ADV_HLD.2.5C The high level design shall identify any underlying hardware, firmware, and/or software required by the TSF with a presentation of the functions provided by the supporting protection mechanisms implemented in that hardware, firmware, or software.
ADV_HLD.2.6C The high level design shall identify all interfaces to the subsystems of the TSF.
ADV_HLD.2.7C The high level design shall identify which of the interfaces to the subsystems of the TSF are externally visible.
ADV_HLD.2.8C The high level design shall describe the purpose and method of use of all interfaces to the subsystems of the TSF, providing details of effects, exceptions and error messages, as appropriate.
ADV_HLD.2.9C The high level design shall describe the separation of the TOE into TSP-enforcing and other subsystems.
Evaluator action elements:
ADV_HLD.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_HLD.2.2E The evaluator shall determine that the high level design is an accurate and complete instantiation of the TOE security functional requirements.
ADV_RCR.1 Informal corre
60. lity remediation data and can be used to measure the ongoing success of frequent vulnerability remediation cycles.
• Consistent Remediation: Hercules AVR provides a consistent method of remediation across an entire network; it does not depend on the skill level of individual technicians when resolving vulnerabilities.
• Device Grouping: Administrators can place devices into logical groups and schedule remediation by groups.
• Roll back Capabilities: Administrators have the ability to roll back system changes and patch installations when necessary.
• V-Flash: Administrators can stay current on the latest vulnerability remediation signatures through the Hercules AVR V-Flash update service.
• Remediation Policies: Users can define remediation policies for a single device or group of devices.
• Best Practices: Hercules AVR offers complete support for the "best practices" of vulnerability remediation.
At a high level, Hercules AVR is designed to:
• Aggregate vulnerability and remediation information from leading sources including SecurityFocus, BugTraq, CERTs and other internet sources.
• Import scan information from vulnerability scanners and combine this information to perform remediation from a single source.
• Create profiles and remediation signatures that match scanner independent vulnerabilit
61. lnerability analysis documentation includes a strength of TOE security function analysis for each mechanism identified in the ST as having a strength of TOE security function claim. This measure satisfies the requirements of AVA_SOF.1.
AVA_VLA.1 Developer Vulnerability Analysis
Assurance Measure M.VULNER ensures that the TOE vulnerability analysis documentation includes an analysis of obvious ways in which a user can violate the TOE security policies along with the disposition of these obvious vulnerabilities. This measure satisfies the requirements of AVA_VLA.1.
62. machine, and (2) format of client machine remediation status information.
b) The TSF shall enforce the [assignment: IMPORT_SFP] based on the following types of subject and information security attributes:
FDP_IFF.1.2, FDP_IFF.1.3, FDP_IFF.1.4, FDP_IFF.1.5, FDP_IFF.1.6, Dependencies, FDP_ITC.1, Hierarchical to
[assignment: (1) The identification and authentication of the TOE user and Vflash server, and (2) the format of the source data].
The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [assignment:
(1) For the transfer of a remediation signature from the Hercules AVR Server to a client machine: (a) the requesting client machine has been identified as authorised by the server using either certificates or in the absence of certificates the IP Address, Domain Name or NETBIOS name, and (b) the format of the client machine remediation status information is recognized.
(2) For the import of Vulnerability Scan data to the server: (a) the file to be imported has been specified by the authorized TOE User, and (b) the file meets the format expected by the TOE for the file purpose.
(3) For the import of remediation data the Hercules Vflash server is successfully authenticated by the Hercules AVR Server using e
63. mediate the vulnerabilities on the client system (F.REMCLIENT).
The TOE uses the IMPORT_SFP information flow control security functional policy to govern the import of vulnerability scan information (F.IMPVADATA) and vulnerability remediation data (F.IMPREMDATA) from trusted external sources.
FDP_ITC.1 Import of user data without security attribute
When importing vulnerability scan data (F.IMPVADATA) or vulnerability remediation data (F.IMPREMDATA) from trusted external sources, the TOE ignores any security attributes associated with the external data and instead applies the properties specified by the authorized TOE user (F.MANAGEDATA) to the imported data.
FDP_ITT.1 Basic internal transfer protection
The Hercules AVR Server enforces the SERVER_SFP information flow control security functional policy (F.IACLIENT, F.PUSHREM, F.REMCLIENT) to protect its remediation data from disclosure or modification while being transmitted from the server to a client system. The Hercules AVR server has the ability to encrypt data transferred to a client system (F.ENCRYPT) using SSL for Windows clients and OpenSSH for Unix clients.
FDP_ROL.1 Basic Rollback
The TOE allows the rollback (F.ROLLBACK) of specific automatic vulnerability remediations under specified circumstances.
FIA_AFL.1 Authentication failure handling
The TOE relies up
64. n of decomposing the TSF into a relatively small number of parts.
Dependencies: ADV_HLD.1 Descriptive high level design; ATE_FUN.1 Functional testing
Developer action elements:
ATE_DPT.1.1D The developer shall provide the analysis of the depth of testing.
Content and presentation of evidence elements:
ATE_DPT.1.1C The depth analysis shall demonstrate that the tests identified in the test documentation are sufficient to demonstrate that the TSF operates in accordance with its high level design.
Evaluator action elements:
ATE_DPT.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ATE_FUN.1 Functional testing
Objectives
The objective is for the developer to demonstrate that all security functions perform as specified. The developer is required to perform testing and to provide test documentation.
Dependencies: No dependencies.
Developer action elements:
ATE_FUN.1.1D The developer shall test the TSF and document the results.
ATE_FUN.1.2D The developer shall provide test documentation.
Content and presentation of evidence elements:
ATE_FUN.1.1C The test documentation shall consist of test plans, test procedure descriptions
65. nd presentation of evidence.
ATE_IND.2.2E The evaluator shall test a subset of the TSF as appropriate to confirm that the TOE operates as specified.
ATE_IND.2.3E The evaluator shall execute a sample of tests in the test documentation to verify the developer test results.
AVA_MSU.1 Examination of guidance
Objectives
The objective is to ensure that misleading, unreasonable and conflicting guidance is absent from the guidance documentation, and that secure procedures for all modes of operation have been addressed. Insecure states should be easy to detect.
Dependencies: ADO_IGS.1 Installation, generation, and start up procedures; ADV_FSP.1 Informal functional specification; AGD_USR.1 User guidance
Developer action elements:
AVA_MSU.1.1D The developer shall provide guidance documentation.
Content and presentation of evidence elements:
AVA_MSU.1.1C The guidance documentation shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences and implications for maintaining secure operation.
AVA_MSU.1.2C The guidance documentation shall be complete, clear, consistent and reasonable.
AVA_MSU.1.3C The guidance documentation shall list all assumptions about the intended environment.
AVA_MSU.1.4C The guidance documentation shall list all requirements
66. omain privileges and NTFS privileges. It authenticates, using Windows integrated authentication, to Internet Information Server on the Hercules AVR server. The Hercules AVR Administrator Console is designed to be installed and used on a trusted and appropriately configured and controlled Windows machine that is used for network administration. Users of the Hercules AVR Administrator Console require full administrative privileges on the machine running the console as well as the Hercules AVR Server and all client machines. The Hercules AVR Administrator Console provides the HMI for the product and includes the display and input devices through which the user interacts with the Hercules AVR application.
• The Hercules AVR Server is a Windows service that communicates with the Hercules AVR Client to distribute remediation profiles and gather remediation progress data. Multiple Hercules AVR Servers may be deployed within a network and administered from a single Hercules AVR Administrator Console. The Hercules AVR Server is designed to be installed and used on a trusted and appropriately configured and controlled Windows server.
• The Hercules AVR Windows Clients are services that perform remediation activities on client machines. The clients establish HTTPS/SSL based communication to the Hercules AVR Server.
• The Hercules AVR Unix Clients provide functionality which is equivalent to Windows client c
67. ompromise the Remediation Server.
The O CLIENTAUTH and O CLIENTPROT objectives ensure that the TOE is protected against attacks by the client systems.

A network attacker may attempt to gain control of the TOE through the Hercules® AVR Administration Console.
The O HMI and O NETATK objectives ensure that the Administration Console is secure.

A network attacker may attempt to exploit vulnerabilities on a Client system protected by the TOE in order to gain unauthorized access to the resources of the client system.
The O CLIENTREM objective ensures that the TOE provides effective remediation to client systems in order to remove or mitigate identified vulnerabilities.

A network attacker may attempt to exploit vulnerabilities on a Client system protected by the TOE in an attempt to compromise other network resources.
The O CLIENTREM objective ensures that the TOE provides effective remediation to client systems in order to remove or mitigate identified vulnerabilities.

A network attacker may attempt to gain control of the Hercules® AVR Remediation Server.
The O NETATK objective ensures that the Remediation Server is secure.

A network attacker may monitor communications between the Remediation Server and the Client systems and use the information gained to compromise the Remediation Server and/or a Client system.
68. on elements:
ACM_CAP.3.1D The developer shall provide a reference for the TOE.
ACM_CAP.3.2D The developer shall use a CM system.
ACM_CAP.3.3D The developer shall provide CM documentation.
Content and presentation of evidence elements:
ACM_CAP.3.1C The reference for the TOE shall be unique to each version of the TOE.
ACM_CAP.3.2C The TOE shall be labeled with its reference.
ACM_CAP.3.3C The CM documentation shall include a configuration list and a CM plan. The configuration list shall uniquely identify all configuration items that comprise the TOE.
ACM_CAP.3.4C The configuration list shall describe the configuration items that comprise the TOE.
ACM_CAP.3.5C The CM documentation shall describe the method used to uniquely identify the configuration items.
ACM_CAP.3.6C The CM system shall uniquely identify all configuration items.
ACM_CAP.3.7C The CM plan shall describe how the CM system is used.
ACM_CAP.3.8C The evidence shall demonstrate that the CM system is operating in accordance with the CM plan.
ACM_CAP.3.9C The CM documentation shall provide evidence that all configuration items have been and are being effectively maintained under the CM system.
ACM_CAP.3.10C The CM system shall provide measures such that only authorized changes are made to the configuration items.
Evaluator action elements:
ACM_CAP.3.1E Th
69. on the identification and authentication mechanisms of the underlying operating system in order to identify and authenticate individual users of the TOE HMI (F IAUSER). In addition, the Hercules® AVR Administrator Console and Hercules® AVR Server perform mutual identification and authentication before exchanging information (F IAREMSVR), and a Hercules® AVR server identifies and authenticates each client system (F IACLIENT) before providing any remediation data to that client.

FIA_SOS.1 Verification of Secrets
The TOE relies upon the underlying operating system for the entry and management of passwords for authorized users. The TOE guidance documents provide instructions concerning the minimum standards required for secure passwords (F IAUSER). Additionally, the TOE uses functions available in the operating system to randomly generate a password which is used to authenticate to the Windows domain controller.

FIA_UAU.2 User authentication before any action
All of the identification and authentication mechanisms used by the TOE (F IAUSER, F IACLIENT, F IAREMSVR) require complete and successful authentication before allowing any action to be performed.

FIA_UID.2 User identification before any action
All of the identification and authentication mechanisms used by the TOE (F IAUSER, F IACLIENT, F IAREMSVR) require successful identification either of the individual user or the requesting system, before allowing any action to be performed.
70. onsible for the TOE must ensure that the TOE is installed, configured, administered and operated in accordance with the guidance documents.
OE SECURECOM: The network on which the TOE resides must protect the confidentiality and integrity of information exchanged between the distributed elements of the TOE when client machines are initially installed remotely using the Hercules® AVR Client Management Service (CMS).

5 IT SECURITY REQUIREMENTS
5.1 TOE SECURITY REQUIREMENTS
Section 5 provides security functional and assurance requirements that must be satisfied by a compliant TOE. These requirements consist of functional components from Part 2 of the CC and an Evaluation Assurance Level (EAL) containing assurance components from Part 3 of the CC.

5.2 TOE SECURITY FUNCTIONAL REQUIREMENTS
The security functional requirements for this ST consist of the following components from Part 2 of the CC, summarized in Table 1.

Identifier    CC Part 2 Security Functional Components
FAU_SEL.1     Selective Audit
FIA_UAU.2     User Authentication Before Any Action
FMT_SMF.1     Specification of Management Functions
FPT_STM.1     Reliable Time Stamps
Table 1: Summary of CC Part 2 Security Functional Requirements

FAU_GEN.1 Audit dat
71. ows several operations to be performed on functional requirements; assignment, iteration, refinement and selection are defined in paragraph 148 of Part 1 of the CC.
• The assignment operation is used to assign a specific value to an unspecified parameter, such as the length of a password. An assignment is indicated by showing the value in italicised text within square brackets [assignment: values].
• The refinement operation is used to add detail to a requirement, and thus further restricts a requirement. Refinement of security requirements is denoted by bold text. There are no refinements within this ST.
• The selection operation is used to select one or more options provided by the CC in stating a requirement. Selections are denoted by italicised text within square brackets [selection: value(s)].
• The iteration operation is used to apply a security functional requirement to more than one aspect of the TOE. Iterations are denoted by repeating the text of the security functional requirement for each of the applicable aspects of the TOE.

1.4.2 Terms
This section describes the terms that are used throughout this ST. When possible, terms are defined as they exist in the CC.
Assets
Attack
Audit
Audit Trail
Authentication
Availability
Compromise
Confidentiality
Evaluation
Information Technology (IT) System
72. priately trained and experienced. Further, it is assumed that the user does not have malicious intent and configures the product and its host platforms in accordance with the guidance documentation. The product will not prevent a user from carelessly configuring or using the Hercules® AVR such that network protection is compromised.

3 TOE SECURITY ENVIRONMENT
3.1 ASSUMPTIONS
The following conditions are assumed to exist in the operational environment.
A BACKUP: The organization operating the TOE has good backup and recovery procedures which are followed, allowing the TOE to be recovered to a secure configuration after a hardware failure.
A CMS: In an environment where the Hercules® AVR client software is installed by remote means on Windows client using the Hercules® AVR Client Management Services (CMS), the server and clients are assumed to reside on a protected network.
A CONFIG: The servers running the Remediation Server and the Administrator Console have been configured securely as described in the Guidance documents and are maintained in that secure configuration. In particular:
a) They are configured with the minimal operating system features installed and/or enabled to permit operation of the TOE.
b) They are configured with minimal system pri
A GOODOS
A KNOWLEDGE
A NOEVIL
A PHYSICAL
A TOEUSER
73. records in a manner suitable for the user to interpret the information.
Dependencies: FAU_GEN.1 Audit data generation

FAU_SEL.1 Selective audit
Hierarchical to: No other components.
FAU_SEL.1.1 The TSF shall be able to include or exclude auditable events from the set of audited events based on the following attributes:
a) [selection: event type]
b) [assignment: client machine identification]
Dependencies: FAU_GEN.1 Audit data generation; FMT_MTD.1 Management of TSF data

FDP_IFC.1 Subset information flow control
Hierarchical to: No other components.
FDP_IFC.1.1
a) The TSF shall enforce the [assignment: SERVER_SFP] on [assignment: Hercules® AVR Servers and client machines when the client machine requests a remediation profile from a Hercules® AVR Server].
b) The TSF shall enforce the [assignment: IMPORT_SFP] on [assignment: Hercules® AVR Servers when importing vulnerability scan data and vulnerability remediation data from outside the TOE boundary].
Dependencies: FDP_IFF.1 Simple security attributes

FDP_IFF.1 Simple security attributes
Hierarchical to: No other components.
FDP_IFF.1.1
a) The TSF shall enforce the [assignment: SERVER_SFP] based on the following types of subject and information security attributes: [assignment: 1) Identification and authentication of the client
74. s - Null Passwords, Admin No Password, etc.
• Back Doors - NetBus, BackOrifice, SubSeven, etc.
• Mis-Configurations - NetBIOS, file system privileges, Null Sessions, etc.

The Hercules® AVR product is designed to operate on standard TCP/IP networks and can remediate vulnerabilities on both Windows® and UNIX (Solaris/Linux) based clients.

The Hercules® AVR human machine interface (HMI) provides the user with complete control over the functionality of the product. The HMI allows the user to specify:
• An automated frequency with which client systems will request updated vulnerability remediations.
• Manual remediations for selected client machines.
• Specific vulnerabilities which will not be remediated.

1.4 CONVENTIONS, TERMINOLOGY AND ACRONYMS
This section identifies the formatting conventions used to convey additional information and terminology having specific meaning. It also defines the meanings of abbreviations and acronyms used throughout the remainder of this document.

1.4.1 Conventions
This section describes the conventions used to denote CC operations on security requirements and to distinguish text with special meaning. The notation, formatting and conventions used in this ST are largely consistent with those used in the CC. Selection presentation choices are discussed here to aid the ST reader.

The CC all
75. s available to the non-administrative users of the TOE.
AGD_USR.1.2C The user guidance shall describe the use of user-accessible security functions provided by the TOE.
AGD_USR.1.3C The user guidance shall contain warnings about user-accessible functions and privileges that should be controlled in a secure processing environment.
AGD_USR.1.4C The user guidance shall clearly present all user responsibilities necessary for secure operation of the TOE, including those related to assumptions regarding user behaviour found in the statement of TOE security environment.
AGD_USR.1.5C The user guidance shall be consistent with all other documentation supplied for evaluation.
AGD_USR.1.6C The user guidance shall describe all security requirements for the IT environment that are relevant to the user.
Evaluator action elements:
AGD_USR.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ALC_DVS.1 Identification of security measures
Dependencies: No dependencies.
Developer action elements:
ALC_DVS.1.1D The developer shall produce development security documentation.
Content and presentation of evidence elements:
ALC_DVS.1.1C The development security documentation shall describe all the physical, procedural, personnel, and other security measures that
76. s a comprehensive audit trail of its actions (FAU_GEN.1).

The TOE must provide a controlled interface to its functionality such that only authorized TOE users are able to access the interface.
The TOE HMI is provided by the Hercules® AVR Administrator Console. This component of the TOE is only accessible to authorized administrative users (FIA_AFL.1, FIA_UAU.2, FIA_UID.2, FMT_SMR.1). Authorized users of the Hercules® AVR Administrator may control all of the security functions of the TOE, including setting security attributes and importing vulnerability scan and remediation data (FIA_SOS.1, FMT_MSA.1, FMT_MSA.3, FMT_SMF.1). Actions performed by authorized users are subject to auditing (FAU_GEN.1, FAU_SAR.1, FAU_SEL.1, FPT_STM.1).

The TOE must protect itself against network attackers.
The TOE protects itself against network attackers through its identification and authentication functions (FIA_UAU.2, FIA_UID.2). The TOE also protects its data from disclosure and modification while transmitting this data to the client systems (FPT_ITT.1). The collection of audit data (FAU_GEN.1) ensures that attacks of this type will be detected.

O REMDATA: The TOE must ensure that its remediation data is obtained from trusted sources and must provide a mechanism to ensure the integrity of this data.
After initial installation, the TOE ob
77. s that TOE Users must be knowledgeable.

TOE Users are non-hostile and follow all guidance documents.
The OE GOODUSER objective notes that TOE Users must be non-malicious.

The Server and Administrator elements of the TOE are physically secure and only authorized personnel have physical access to these elements of the TOE.
The OE AUTHUSER objective notes that only authorized personnel are permitted physical access to the TOE.

A TOEUSER: There is only one category of TOE user. All authorized TOE users have full access to all of the TOE's functions and for this reason there is no distinction between TOE users and TOE administrators. For the remainder of this document the phrase "TOE User" shall be employed.
The OE GOODUSER objective describes the characteristics of the TOE Users and notes that these users must be authorized system administrators.

T BADDATA: A network attacker may attempt to provide the Remediation Server with erroneous remediation information in an attempt to compromise the Client systems.
The O REMDATA objective ensures that the remediation data used by the TOE is accurate and secure.

T CLIENT: An unauthorized person may have administrator/root control of one of the client systems and may use that control to attempt to c
T CONSOLE
T EXPLOIT
T NETEXPLOIT
T REMSERVER
T SNIFF
78. spondence demonstration
Dependencies: No dependencies.
Developer action elements:
ADV_RCR.1.1D The developer shall provide an analysis of correspondence between all adjacent pairs of TSF representations that are provided.
Content and presentation of evidence elements:
ADV_RCR.1.1C For each adjacent pair of provided TSF representations, the analysis shall demonstrate that all relevant security functionality of the more abstract TSF representation is correctly and completely refined in the less abstract TSF representation.
Evaluator action elements:
ADV_RCR.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

AGD_ADM.1 Administrator guidance
Dependencies:
ADV_FSP.1 Informal functional specification
Developer action elements:
AGD_ADM.1.1D The developer shall provide administrator guidance addressed to system administrative personnel.
Content and presentation of evidence elements:
AGD_ADM.1.1C The administrator guidance shall describe the administrative functions and interfaces available to the administrator of the TOE.
AGD_ADM.1.2C The administrator guidance shall describe how to administer th
AGD_ADM.1.3C
AGD_ADM.1.4C
AGD_ADM.1.5C
AGD_ADM.1.6C
AGD_ADM.1.7C
AGD_ADM.1.8C
Evaluator action elements:
AGD_ADM.1.1E
79. tains its remediation data updates either from manual entry by an authorized user or by remote download from the Hercules® AVR VFlash server. Since all Hercules® AVR users are subject to the I&A mechanisms of the product (FIA_UAU.2, FIA_UID.2), it follows that only authorized and identified users may manually create remediation data. The product also enforces the IMPORT_SFP information flow security functional policy (FDP_IFC.1, FDP_IFF.1, FDP_ITC.1) when importing remediation data from the V Flash server. This ensures that the remediation data is obtained from a trusted source. The TOE maintains an audit record of import sessions (FAU_GEN.1) so that it is possible to confirm that the product has current, accurate and valid remediation data.

O SCANDATA: The TOE must ensure that its scanner data is obtained from trusted sources and must provide a mechanism to ensure the integrity of this data.
The TOE enforces the IMPORT_SFP information flow control security functional policy (FDP_ITC.1) to ensure that only trusted scanner data is imported by the TOE. Once under the control of the TOE, the scanner data may only be accessed by authorized TOE users (FMT_MTD.1). This ensures the integrity of the data. The audit trail records the details of scanner data import sessions (FAU_GEN.1).

8.3 SECURITY FUNCTIONAL REQUIREMENT DEPENDENCIES
Table 5 identifies the TOE Security Functional Requirements and their associated dependencies. It also indicates wh
80. tion need not be exhaustive.
Dependencies:
ADV_FSP.1 Informal functional specification
ATE_FUN.1 Functional testing
Developer action elements:
ATE_COV.2.1D The developer shall provide an analysis of the test coverage.
Content and presentation of evidence elements:
ATE_COV.2.1C The analysis of the test coverage shall demonstrate the correspondence between the tests identified in the test documentation and the TSF as described in the functional specification.
ATE_COV.2.2C The analysis of the test coverage shall demonstrate that the correspondence between the TSF as described in the functional specification and the tests identified in the test documentation is complete.
Evaluator action elements:
ATE_COV.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ATE_DPT.1 Testing: high-level design
Objectives: The subsystems of a TSF provide a high-level description of the internal workings of the TSF. Testing at the level of the subsystems, in order to demonstrate the presence of any flaws, provides assurance that the TSF subsystems have been correctly realized.
Application notes: The developer is expected to describe the testing of the high-level design of the TSF in terms of "subsystems". The term "subsystem" is used to express the notio
81. tiplicity of systems.
Two or more machines interconnected for communications.

Protection Profile (PP): An implementation-independent set of security requirements for a category of TOE that meet specific consumer needs.
Security: A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.
Security Policy: The set of laws, rules and practices that regulate how an organisation manages, protects and distributes sensitive information.
Security Target (ST): A set of security requirements and specification to be used as the basis for evaluation of an identified TOE.
Target of Evaluation (TOE): An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation.
Threat: The means through which the ability or intent of a threat agent to adversely affect an automated system, facility or operation can be manifest. A potential violation of security.
TOE Security Functions (TSF): A set of all hardware, software and firmware of the TOE that must be relied upon for the correct enforcement of the TSP.
TOE Security Policy (TSP): A set of rules that regulate how assets are managed, protected and distribut
TSF Data
TSF Scope of Control
User
Vulnerability
82. tween the Remediation Server and the Client systems and use the information gained to compromise the Remediation Server and/or a Client system.
T SNIFFSCAN: A network attacker may monitor communications between the Remediation Server and a vulnerability scanner to learn vulnerabilities of client systems.
T SPOOF: A network attacker may attempt to imitate the Remediation Server and provide erroneous remediation information to a client system in order to compromise the client.
T SPOOFCLIENT: A network attacker may attempt to imitate a client system in order to gain information about the vulnerabilities of the client system.
T SPOOFSCAN: A network attacker may attempt to provide the Remediation Server with erroneous vulnerability assessment information in an attempt to prevent the remediation of vulnerable network systems.

3.3 ORGANIZATIONAL SECURITY POLICIES
There is no requirement for the TOE to comply with any organizational security policy statements or rules.

4 SECURITY OBJECTIVES
4.1 SECURITY OBJECTIVES FOR THE TOE
O CLIENTAUTH: The TOE must provide a mechanism for a two-way authentication between client systems and the Remediation Server.
O CLIENTPROT: The TOE must protect itself against attacks initiated by
83. vileges.
c) They are configured with user accounts for authorized system administrators only and do not provide any end user accounts.

The Operating System of the client machines has been configured in accordance with the Hercules® AVR Security Configuration Guide and therefore may be trusted to function correctly for those OS functions required by the TOE component that is installed on the client machine.

TOE Users have knowledge of the Windows® 2000/XP/2003 operating systems, networking technology and general IT security practices.

TOE Users are non-hostile and follow all guidance documents.

The Server and Administrator elements of the TOE are physically secure and only authorized personnel have physical access to these elements of the TOE.

There is only one category of TOE user. All authorized TOE users have full access to all of the TOE's functions and for this reason there is no distinction between TOE users and TOE administrators. For the remainder of this document the phrase "TOE User" shall be employed.

3.2 THREATS
The threats discussed below are addressed by a compliant TOE. The threat agents are either human users or external IT entities not authorized to use the TOE. Additionally, threat agents may be users with administrative privileges that introduce vulnerabilities, either deliberately or inadvert
84. y information and client machines with their corresponding remediations.
• Allow an administrator to target network machines for automated remediation.
• Support CVE compliance by displaying CVE identifiers and supporting searching using these identifiers.

Fundamentally, the Hercules® AVR product provides enterprise administrators with the ability to manage a large-scale vulnerability remediation process in a manner that is both systematic and comprehensive. Today many organizations employ an incomplete hybrid of manual and partially automated techniques that are often implemented in an ad hoc manner. Hercules® AVR is a tool that is intended to bring a defined and systematic maturity into these security-critical processes.

In a Windows® environment, Hercules® AVR is a product that provides and includes all of the functionality typically associated with the vulnerability remediation capabilities of commercial and open source vulnerability scanners. These typically provide registry fixes for Windows® machines. However, this type of vulnerability only represents a small sub-set of the vulnerabilities that require remediation. The Hercules® AVR product expands this set to include the automated remediation of vulnerabilities associated with the following five classes of vulnerabilities:
• Software Defects - Hot fixes, patches, registry settings, etc.
• Unnecessary/Insecure Services - Telnet, Remote Access, FTP, etc.
• Insecure Account
    