SECURITY TARGET MCAFEE® HERCULES
Contents
1. 2.1 EVALUATED CONFIGURATIONS; 2.2 TOE BOUNDARY; 2.2.1 Physical Boundary; 3 TOE SECURITY ENVIRONMENT; 3.1 ASSUMPTIONS; 3.2 THREATS; 3.3 ORGANIZATIONAL SECURITY POLICIES; 4 SECURITY OBJECTIVES; 4.1 SECURITY OBJECTIVES FOR THE TOE; 4.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT; 5 IT SECURITY REQUIREMENTS; 5.1 INTRODUCTION; 5.2 TOE SECURITY FUNCTIONAL REQUIREMENTS; 5.3 SECURITY FUNCTIONAL REQUIREMENTS FOR THE IT ENVIRONMENT; 5.4 INFORMATION FLOW CONTROL SECURITY FUNCTIONAL POLICIES; 5.4.1 McAfee Hercules Server to Client Information Flow Con
2. 8.5 TOE SUMMARY SPECIFICATION RATIONALE; 8.6 ASSURANCE MEASURES. LIST OF FIGURES: Figure 1 McAfee Hercules Standalone Network Architecture; Figure 2 McAfee Hercules Distributed Network Architecture; Figure 3 TOE Boundary. LIST OF TABLES: Table 1 Summary of CC Part 2 Security Functional Requirements; Table 2 Summary of Security Requirements for the Environment; Table 3 EAL 3 Assurance Requirements; Table 4 Mapping of Security Objectives to Threats and Assumptions; Table 5 Mapping of Security Functional Requirements to Security Objectives; Table 6 Security Functional Requirement Dependencies; Table 7 Security Assurance Requirement Dependencies; Table 8 Mapping of Security Functions to Security Functional Requirements; Table 9 Mapping of Assurance Measures to Assurance Requirements. Doc No 1566 001 D001 Version 1 3 Date 9 Apr 20
3. Table 8 Mapping of Security Functions to Security Functional Requirements. FAU_GEN 1 Audit data generation (F AUDIT): The audit function of the TOE collects and stores audit data for actions which are specific to the TOE (scanner data import, remediation data import, client remediations). In addition, the operating system audit trail retains audit records related to the identification and authorization of users, the start up and shut down of the TOE, and the start up and shut down of the OS audit mechanism. FAU_GEN 2 User Identity Association (F AUDIT): The audit function of the TOE collects and stores the identity of the user who caused an auditable event. FAU_SAR 1 Audit review (F REPREMSTATUS, F AUDIT): The TOE includes a comprehensive HMI (McAfee Hercules Administrator Console) with extensive display and reporting features which permit all authorized users with the ability to review, scan, analyze and interpret the audit trail recorded by the TOE. FAU_SAR 2 Restricted audit review: The TOE HMI (McAfee Hercules Administrator Console) provides authorized users with the
4. FDP_ITC 1 Hierarchical to FDP_ITC 1 1 FDP_ITC 1 2 FDP_ITC 1 3 Dependencies FDP_ROL 1 Hierarchical to FDP_ROL 1 1 FDP_ROL 1 2 Dependencies FIA_ATD 1 Hierarchical to FMT_MSA 3 Static attribute initialisation Import of user data without security attributes No other components The TSF shall enforce the assignment MPORT EXCHANGE when importing user data controlled under the SFP from outside of the TSC The TSF shall ignore any security attributes associated with the user data when imported from outside the TSC The TSF shall enforce the following rules when importing user data controlled under the SFP from outside the TSC assignment no additional importation control rules FDP 1 Subset access control or FDP IFC 1 Subset information flow control FMT MSA 3 Static attribute initialisation Basic rollback No other components The TSF shall enforce assignment SERVER SFP to permit the rollback of the assignment automatic vulnerability remediations on the assignment Windows client machines The TSF shall permit operations to be rolled back within the assignment time period between the completion of the remediation that is to be rolled back and the start of the next remediation FDP ACC 1 Sub
5. 5.4.1 McAfee Hercules Server to Client Information Flow Control Security Functional Policy (SERVER_SFP): The operating environment for the TOE consists of a McAfee Hercules Administrator Console and one or more McAfee Hercules Servers connected in a network with a number of client machines. It is expected that the client machines will contain vulnerabilities which will be automatically remediated by the McAfee Hercules Server on a scheduled basis. In an environment where the client machines are assumed to contain vulnerabilities, the possibility always exists that one or more of the client machines have been compromised and may act maliciously towards the TOE. For this reason, the only information that a McAfee Hercules Server will accept from any client machine is: a) the identification of the client machine for authentication purposes when requesting a scheduled remediation; and b) remediation status information during the course of a remediation session. All other information flow between the McAfee Hercules Server and a McAfee Hercules Client will consist of remediation profiles or rollback instructions (Windows client machines only) sent from the Server to the client. 5.4.2 Vulnerability Scanner Import Information Flow Control Security Functional Policy (IMPORT_SFP): The TOE relies upon data generated by one or more third party vulnerability scanner products in order to identify the vulnerabilities which exist on client ma
6. Flat File Import, User Definable IP address range, ePO asset information. F MANAGEDATA, F MANAGEPROF, F MANAGEROLES, F PUSHREM, F PUSHPOLICY. Manage Scanner and Remediation Data: The TOE provides the user with an interface from which it is possible to manage the vulnerability scanner information and the vulnerability remediation information. A user may view a remediation profile for a device in order to determine which vulnerabilities and associated remedies will be applied to a device when it is remediated. Manage Profiles: The TOE provides the capability for a suitably authorized user to manage remediation profiles. Machines may be added to or removed from the group to which the profile applies. Specific vulnerabilities may be added to or removed from the remediation profile. Manage Roles: The TOE provides the capability for a suitably authorized user to create and manage custom roles for the TOE. Once created, individual users and groups of users may be assigned to the role. Privileges to use specific functions of the TOE, such as creating custom remediation remedies, user defined vulnerabilities and selectable pre-defined McAfee Hercules tasks, may also be assigned to the role. The McAfee Hercules Server comes with predefined roles that restrict access to va
7. OE BACKUP, OE DOMAIN. FAU_GEN 2 ensures that attacks of this type will be detected. The TOE must ensure that its remediation data is obtained from trusted sources and must provide a mechanism to ensure the integrity of this data. After initial installation, the TOE obtains its remediation data updates either from manual entry by an authorized user or by remote download from the McAfee Hercules VFlash server. Since all McAfee Hercules users are subject to the I&A mechanisms of the product (FIA_UAU 2, FIA_UID 2), it follows that only authorized and identified users may manually create remediation data. The product also enforces the IMPORT_SFP information flow security functional policy (FDP_IFC 1 1, FDP_IFF 1 1, FDP_ITC 1) when importing remediation data from the V Flash server. This ensures that the remediation data is obtained from a trusted source. The TOE maintains an audit record of import sessions (FAU_GEN 1, FAU_GEN 2) so that it is possible to confirm that the product has current, accurate and valid remediation data. The TOE must ensure that its scanner data is obtained from trusted sources and must provide a mechanism to ensure the confidentiality and integrity of this data. The TOE enforces the IMPORT_SFP information flow control security functional policy (FDP_ITC 1) to ensure that only trusted scanner data is imported by the TOE. Once under the control of the TOE, the scanner data may only be accessed by au
8. Protection Profile Conformance. Security Target, McAfee Hercules Policy Auditor and McAfee Hercules Remediation Manager, McAfee Hercules Version 4.5, 09 April 2008. McAfee Hercules Policy Auditor and McAfee Hercules Remediation Manager. 383 4 88. The TOE is CC Part 2 conformant and CC Part 3 conformant. The TOE is EAL 3 conformant. The TOE does not claim conformance with any Protection Profile (PP). Doc No 1566 001 D001 Version 1 3 Date 09 April 2008. Common Criteria Identification: Common Criteria for Information Technology Security Evaluation, Version 2.3, August 2005, with all current approved interpretations. International Standard ISO/IEC 15408:2005. Authors: This document has been written by EWA Canada on behalf of McAfee Inc. 1.3 PRODUCT OVERVIEW: The McAfee Hercules is a vulnerability remediation and risk and compliance tool. The purpose of the product is to demonstrate compliance with a security policy and enforce compliance with automated remediation of noncompliant or vulnerable systems. These functions can be performed on a heterogeneous network consisting of Microsoft Windows, Solaris, Red Hat Linux, HP-UX, AIX, Tru64 and Mac OS X clients. The McAfee Hercules server requires Microsoft Windows Server 2003 SP1. McAfee Hercules provides network security administrator
9. Figure 1 McAfee Hercules Standalone Network Architecture (Hercules Clients on AIX, HP-UX, Mac OSX, Solaris, Windows and Red Hat devices). The McAfee Hercules Version 4.5 product consists of: a) The McAfee Hercules Administrator Console executing on an Intel Pentium compatible based PC running Windows 2000 Server with Service Pack 4, Windows 2000 Advanced Server with Service Pack 4, Windows 2000 Professional with Service Pack 4, Windows XP Professional with Service Pack 2, Windows Server 2003 Standard Edition with Service Pack 1, Windows Server 2003 Enterprise Edition with Service Pack 1, Windows Vista Business or Windows Vista Enterprise as the operating system. Internet Explorer 5.5 or above, Microsoft .NET Framework v1.1 SP2 and Adobe Acrobat Reader 7.0 or higher are also required. If the McAfee Hercules Administrator Console is running on Windows 2000, the Windows 2000 High Encryption Pack is required. The minimum hardware requirements for the McAfee Hercules Administrator Console are specified in the McAfee Hercules Installation Guide. The required setup of McAfee Hercules Administrator Console is described in the McAfee Hercules Secu
10. The TOE maintains an audit trail of the remediation activities performed by each McAfee Hercules server. The McAfee Hercules server components and client systems create events in the logs which include stop, start, successful actions and failed actions. These events are created on the McAfee Hercules server and the target machine that is being remediated. The identity of the user who caused the event is also created on the McAfee Hercules server. For Windows clients, the McAfee Hercules server is capable of generating audit events in the Windows Event Viewer application's security and system categories. Display Network Client Systems: The TOE has the capability of displaying, via a graphical user interface, a list of devices connected to a McAfee Hercules Server. Display Network Client Status: The TOE has the capability of displaying, via a graphical user interface, the operational status of each client machine. Display Profiles: The TOE has the capability of displaying, via a graphical user interface, the list of vulnerabilities that will be remediated by the McAfee Hercules Server for a client machine or a group of client machines. Display Remediation Status: The TOE has the capability of displaying, via a graphical user interface, the remediation status of each client machine of each McAfee Hercules Server. Display Remediation Signatures: The TOE has the capability of displaying via a graphical
11. d) McAfee Hercules Device Group User (DGU); e) McAfee Hercules Remedy Writer (Rem W); f) McAfee Hercules Remediator (Rem); g) McAfee Hercules Policy Auditor (CChk); h) McAfee Hercules Importer (Imp); and i) McAfee Hercules Reporter (Rep). The McAfee Hercules system also enables the McAfee Hercules System Administrator to define new roles, starting with no tasks assigned or starting from an existing role. Each of the McAfee Hercules administrative tasks is associated with one or more roles. An authorized user must be assigned to a role that is associated with a task before the user can perform the task. A user may be assigned to more than one role, in which case the user is able to perform any task associated with any of the roles to which the user is assigned. A user that is not assigned to a role cannot perform any tasks. 5.4.5 Network Access Information Flow Control Security Functional Policy (CONNECT_SFP): The TOE allows authorized TOE users to restrict the ability of external devices equipped with McAfee Hercules Clients to communicate over networks until they have been remediated. This connection restriction is controlled by the authorized user, who acts through the McAfee Hercules Administrator Console to direct the McAfee Hercules Client to limit the ability of the remote device to communicate over the network. The following device access features are provided: a) McAfee Hercules ConnectGu
12. selection value(s). e) The iteration operation is used to apply a security functional requirement to more than one aspect of the TOE. Iterations are denoted by assigning a number at the functional component level, e.g. FDP_ACC 1 Subset access control 1 and FDP_ACC 1 Subset access control 2. 1.4.2 Terms: This section describes the terms that are used throughout this ST. When possible, terms are defined as they exist in the CC. Assets, Attack, Audit, Audit Trail, Authentication, Availability, Compromise, Confidentiality, Evaluation, Information Technology IT System, Integrity, IT Product. Assets: Information or resources to be protected by the countermeasures of a TOE. Attack: An attempt to bypass security controls on an IT System. The attack may alter, release or deny data. Whether an attack will succeed depends on the vulnerability of the IT System and the effectiveness of existing countermeasures. Audit: The independent examination of records and activities to ensure compliance with established controls, policy and operational procedures, and to recommend indicated changes in controls, policy or procedures. Audit Trail: In an IT System, a chronological record of system resource usage; this includes user login, file access or other activities, and whether any actual or attempted se
13. The O SCANDATA objective ensures that the scanner data used by the TOE is accurate and secure. 8.2 SECURITY REQUIREMENTS RATIONALE: Table 5 provides a bi-directional mapping of Security Functional Requirements to Security Objectives and is followed by a discussion of how each Security Objective is addressed by the corresponding Security Functional Requirements. (Table 5 Mapping of Security Functional Requirements to Security Objectives: O ADMIN, O USERAUTH, O NETATK, O REMDATA, O SCANDATA, O USERDATA, O CLIENTREM, O CLIENTPROT)
14. also maintains an audit trail of remediation requests which may help to identify an attack from a client machine (FAU_GEN 1, FAU_GEN 2). The TOE also enforces CONNECT_SFP information flow control security functional policy to restrict the ability of external devices acting as Client Systems from communicating over networks until they have been remediated (FDP_IFC 1 3, FDP_IFF 1 3). O CLIENTREM, O HMI, O KNOWN, O NETATK. The TOE must provide effective remediation of known and reported vulnerabilities for client systems. The TOE obtains its vulnerability and remediation data from trusted external sources using the IMPORT_SFP information flow control security function policy to govern the data import process (FDP_IFC 1 1, FDP_IFF 1 1). The TOE protects its data from unauthorized modifications or corruption internally (FMT_MSA 1 1 2, FMT_MSA 3, FPT_RVM 1 1). The TOE enforces the SERVER_SFP information flow control security functional policy when providing specific remediation data to authorized client systems (FDP_IFC 1e, FDP_IFF 1e). The TOE permits authorized users to configure the list of client systems and vulnerabilities which will be remediated (FMT_SMF 1). Under specific circumstances the TOE is capable of rolling back remediations FDP ROL 1 Fi
15. no additional SFP capabilities. The TSF shall explicitly authorise an information flow based on the following rules: assignment none. The TSF shall explicitly deny an information flow based on the following rules: assignment none. FDP_IFC 1 Subset information flow control, FMT_MSA 3 Static attribute initialisation. Simple security attributes 3. No other components. The TSF shall enforce the assignment CONNECT_SFP based on the following types of subject and information security attributes: assignment 1) The identification of the external device, 2) the remediation status of the external device, and 3) the defined Network Access Policy for network connection for the external device. The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: assignment For network access connection of remote devices, the remediation status of the external device satisfies the defined Network Access Policy for that device. The TSF shall enforce the assignment no additional information flow control SFP rules. The TSF shall provide the following: assignment no additional SFP capabilities. The TSF shall explicitly authorise an information flow based on the following rules: assignment none. The TSF shall explicitly deny an information flow based on the following rules: assignment none. FDP_IFC 1 Subset information flow control
16. query assignment none the security attributes assignment identification and authentication of client machine to assignment McAfee Hercules Users authorized by the ADMIN ACCESS SFP FDP ACC 1 Subset access control or FDP_IFC 1 Subset information flow control FMT SMR 1 Security roles FMT_SMF 1 Specification of management functions FMT_MSA 1 Hierarchical to FMT_MSA 1 1 2 Dependencies FMT_MSA 1 Hierarchical to FMT_MSA 1 1 3 Dependencies FMT_MSA 3 Hierarchical to FMT_MSA 3 1 Management of security attributes 2 No other components The TSF shall enforce the assignment IMPORT_SFP to restrict the ability to selection query assignment none the security attributes assignment identification and authentication of client machine to assignment McAfee Hercules Users authorized by the ADMIN_ACCESS SFP FDP_ACC 1 Subset access control or FDP_IFC 1 Subset information flow control FMT_SMR 1 Security roles FMT_SMF 1 Specification of management functions Management of security attributes 3 No other components The TSF shall enforce the assignment ADMIN_ACCESS SFP to restrict the ability to selection create modify delete assignment the security attributes assignment user identification assig
17. FAU_SAR 1 2 Dependencies FAU_SAR 2 Hierarchical to 2 1 Dependencies FDP_ACC 2 Hierarchical to No other components The TSF shall provide assignment all TOE users who are assigned to the Reporting Role with the capability to read assignment all McAfee Hercules logs from the audit records The TSF shall provide the audit records in a manner suitable for the user to interpret the information FAU_GEN 1 Audit data generation Restricted audit review No other components The TSF shall prohibit all users read access to the audit records except those users that have been granted explicit read access FAU_SAR 1 Audit review Complete access control FDP_ACC 1 Subset access control FDP_ACC 2 1 FDP_ACC 2 2 Dependencies FDP_ACF 1 Hierarchical to FDP_ACF 1 1 FDP_ACF 1 2 FDP_ACF 1 3 FDP_ACF 1 4 Dependencies The TSF shall enforce the assignment ADMIN_ACCESS SFP on assignment subjects McAfee Hercules Administrator Console operating in response to authorized users objects McAfee Hercules Servers McAfee Hercules Clients and all operations among subjects and objects covered by the SFP The TSF shall ensure that all operations between any subject in the TSC and any object within the TSC are cove
18. FDP ACC 1 Subset access control or FDP_IFC 1 Subset information flow control. Basic internal TSF data transfer protection. Hierarchical to: No other components. FPT_ITT 1 1: The Environment shall protect TSF data from selection disclosure modification when it is transmitted between separate parts of the TOE. Dependencies: No dependencies. FPT_RVM 1e Non bypassability of the TSP. Hierarchical to: No other components. FPT_RVM 1 1: The Environment shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed. Dependencies: No dependencies. FPT_SEP 1e TSF domain separation. Hierarchical to: No other components. FPT_SEP 1 1: The Environment shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects. FPT_SEP 1 2: The Environment shall enforce separation between the security domains of subjects in the TSC. Dependencies: No dependencies. FPT_STM 1e Reliable time stamps. Hierarchical to: No other components. FPT STM 1 1: The Environment shall be able to provide reliable time stamps to the TOE and for its own use. Dependencies: No dependencies. 5.4 INFORMATION FLOW CONTROL SECURITY FUNCTIONAL POLICIES
19. In enterprise reporting mode, these reports may be aggregated to report data across multiple servers. • Consistent Remediation: McAfee Hercules provides a consistent method of remediation across an entire network; it does not depend on the skill level of individual technicians when resolving vulnerabilities. • Device Grouping: Administrators can place devices into logical groups and schedule remediation by groups. • Device Discovery: Discovery of network devices from a Windows Active Directory or NT Domain structure, as well as importing from a flat file or user defined IP address range. • Device Inventory: With AssetGuard, users are able to perform inventory data collection on specific devices. • Device Query: This search mechanism can use inventoried device data properties in their query when locating devices that match a specific criteria. • ActionPacks: Administrators can associate groups of vulnerabilities with Device Queries, allowing for an accurate application of security policy enforcement. • Enhanced Security: Inclusion of pre-defined roles for role based authentication and device group access control. Pre-defined tasks for use with roles that correspond to major functions that can be performed by the McAfee Hercules Administrator Roll back
20. Download Server may be installed separately from the McAfee Hercules Server. The McAfee Hercules Channel Server and the McAfee Hercules Download Server have the same operating system support requirements as the McAfee Hercules Server. Figure 2 McAfee Hercules Distributed Network Architecture (labels: Vulnerability Scans and Device Discovery Data from 3rd Party; McAfee Hercules Administrator; File & Patch Locations, e.g. Sun, Microsoft; Server Zone; Download File Request; HTTP, FTP; Client Zone 1 to Client Zone n; Download File; McAfee Hercules Clients on Windows, HP-UX, Solaris, Red Hat, Tru64, Mac OSX and AIX). 2.2 TOE BOUNDARY. 2.2.1 Physical Boundary: The TOE Boundary for the McAfee Hercules product is shown in Figure 3. The TOE consists of: a) the Administrator Conso
21. TOE. O CLIENTPROT: The TOE must protect itself against attacks initiated by client systems. O CLIENTREM: The TOE must provide effective remediation of known and reported vulnerabilities for client systems. O HMI: The TOE must provide a controlled interface to its functionality such that only authorized TOE users are able to access the interface. O KNOWN: The TOE must ensure that legitimate users of the system are identified before rights of access can be granted. O NETATK: The TOE must protect itself against network attackers. O REMDATA: The TOE must ensure that its remediation data is obtained from trusted sources and must provide a mechanism to ensure the integrity of this data. O SCANDATA: The TOE must ensure that its scanner data is obtained from trusted sources and must provide a mechanism to ensure the confidentiality and integrity of this data. O USERDATA: The TOE must ensure that exported user data is secure. 4.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT: The list below details the security objectives for the environment in which the TOE resides. These objectives are to be met through the application of procedural and/or administrative measures. They do not impose any additional security requirements upon the TOE. OE AUTHUSER: Only authorized personnel are permitted physical access to the TOE. OE BACKUP: Good backup and recovery procedures for the TOE must be in place. OE DOMAIN: The host operating system will provide domain separation
22. TOE includes design documentation which, at a minimum, consists of an informal functional specification, an informal high level design, and an informal correspondence demonstration between the TOE Summary Specification, the Functional Specification and the High Level Design. M DEVELOP: The TOE includes documentation which describes the development security measures. M DOCS: The TOE includes user and administrator guidance documentation in the form of a User's Guide and an Installation Guide, as well as an online help file accessible from the TOE HMI. M ID: The TOE incorporates a unique version identifier that can be displayed to the user. M SETUP: The TOE includes an automated installation and set up program compatible with the TOE operating system. The installation process includes sufficient instructions to clearly document the installation process. The default installation results in the secure installation and start up of the TOE. M TEST: A suitably configured TOE has been evaluated in a controlled networked environment to confirm that TOE functionality operates as specified and that the product can remediate a representative set of well known vulnerabilities from each of the vulnerability classes claimed by the developer. TOE functionality has also been evaluated in a real world environment using a representative set of network systems configured with known vulnerabilities. The TOE includes developer test documentation which consists of
23. Table 4 Mapping of Security Objectives to Threats and Assumptions (rows include T EXPLOIT, T NETEXPLOIT, T OS, T REMSERVER, T SNIFF, T SNIFFSCAN, T SPOOF, T SPOOFCLIENT, T SPOOFSCAN). A BACKUP, A CMS, A CONFIG, A GOODOS, A KNOWLEDGE, A NOEVIL. The organization operating the TOE has good backup and recovery procedures which are followed, allowing the TOE to be recovered to a secure configuration after a hardware failure. The OE BACKUP objective details the need for good backup and recovery procedures. In an environment where the McAfee Hercules client software is installed by remote means on a client machine using the McAfee Hercules Client Management Services (CMS), the server and clients are assumed to reside on a protected network. The OE SECURECOM objective ensures that communications between the McAfee Hercules Server and client machines using CMS are protected. The servers running the Remediation Manager and the Administrator Console have been configured securely as described in the Guidance documents and are maintained in that secure configuration. In particu
24. a basic configuration, the McAfee Hercules Server component encompasses the Channel Server and File Download Server on one platform. At a high level, McAfee Hercules is designed to: • Aggregate vulnerability and remediation information from leading sources including SecurityFocus BugTraq, CERTs and other internet sources. • Import scan information from vulnerability scanners and combine this information to perform remediation from a single source. • Create profiles and remediation signatures that match scanner independent vulnerability information and client machines with their corresponding remediations. • Allow an administrator to target network machines for automated remediation. • Support CVE compliance by displaying CVE identifiers and supporting searching using these identifiers. Fundamentally, the McAfee Hercules product provides enterprise administrators with the ability to manage a large scale vulnerability remediation process in a manner that is both systematic and comprehensive. Today, many organizations employ an incomplete hybrid of manual and partially automated techniques that are often implemented in an ad hoc manner. McAfee Hercules is a tool that is intended to bring a defined and systematic maturity into these security critical processes. In a Windows environment, McAfee Hercules is a product that provides and includes all of the functionality typically associated with the vulnerability remediation capabili
25. and ensure that the TOE cannot be tampered with. OE GOODOS: Those portions of the client operating system required for the correct operation of the TOE must function correctly. OE GOODUSER: Knowledgeable non-malicious users with system administrator privileges must be assigned to install, configure, administer, operate and maintain the TOE. OE GUIDANCE: The administrator(s) responsible for the TOE must ensure that the TOE is installed, configured, administered and operated in accordance with the guidance documents. OE PROTCOM: The operating system and environment in which the TOE is to be installed must support the use of digital certificates for identification and authentication, as well as SSL/SSH protocols to support the protection of communications between components. OE SECURECOM: The network on which the TOE resides must protect the confidentiality and integrity of information exchanged between the distributed elements of the TOE when client machines are initially installed remotely using the McAfee Hercules Client Management Service (CMS). 5 IT SECURITY REQUIREMENTS. 5.1 INTRODUCTION: Section 5 provides security fu
26. identifiers. Importing third-party vulnerability scanner data is also supported. Remediation data, remediation profiles and roles can be managed through this component. Remediation profiles can be approved, and then the profile data along with remediation data can be pushed out to client systems. The Server receives remediation status back from the client. Remediation activities can be scheduled to be performed on a single client or a group of clients.

The McAfee Hercules Windows Clients are services that perform remediation activities on client machines. The clients establish HTTPS/SSL-based communication to the McAfee Hercules Server. This component also generates audit events in the log, including start, stop, successful actions and failed actions. These audit events can be generated in the Windows Event Viewer application's security and system categories. This component receives remediation and policy data that was pushed from the McAfee Hercules Server and then uses that data to remediate client systems and enforce the policy on the client. The remediation status is then reported back to the McAfee Hercules Server. Windows Clients also support rollback of a remediation.

• The McAfee Hercules Unix Clients provide functionality which is equivalent to
27. network attacker may monitor communications between the Remediation Manager and a vulnerability scanner to learn vulnerabilities of client systems.

T SPOOF: A network attacker may attempt to imitate the Remediation Manager and provide erroneous remediation information to a client system in order to compromise the client.

T SPOOFCLIENT: A network attacker may attempt to imitate a client system in order to gain information about the vulnerabilities of the client system.

T SPOOFSCAN: A network attacker may attempt to provide the Remediation Manager with erroneous vulnerability assessment information in an attempt to prevent the remediation of vulnerable network systems.

3.3 ORGANIZATIONAL SECURITY POLICIES

There is no requirement for the TOE to comply with any organizational security policy statements or rules.

4 SECURITY OBJECTIVES

4.1 SECURITY OBJECTIVES FOR THE TOE

O ADMIN: The TOE must provide to authorized administrators a set of administrative functions that allow the effective management of TOE operations and security functions.

O USERAUTH: The TOE must provide a mechanism for the identification and authentication of users to the
28. require complete and successful authentication before allowing any action to be performed.

FIA_UAU.6 Re-authenticating
Authorized McAfee Hercules users will be re-authenticated when changing McAfee Hercules Server (F IAUSER).

FIA_UID.2 User identification before any action
The user identification and authentication mechanisms used by the TOE (F IAUSER) require successful identification, either of the individual user or the requesting system, before allowing any action to be performed.

FIA_USB.1 User-subject binding
The McAfee Hercules Administrator Console executes user identification with every request (F IAUSER).

FMT_MOF.1 Management of security functions behaviour
Authorized users are subject to the ADIMN ACCESS SFP access control security functional policy for the management of role-based access control (F ACCESS). The TOE provides the capability to create custom roles to which individual users and groups of users may be assigned.

FMT_MSA.1 Management of Security Attributes 1
Only authorized McAfee Hercules users have access to the functions of the TOE (F IAUSER). These users are subject to the SERVER information flow control security functional policy for the import of vulnerability scan data (F IMPDATA), vulnerability rem
29. specified as a security functional requirement and FDP ACC 2 is hierarchical to FDP ACC FAU_GEN 1 FIA_UID 1 FAU_SAR 1 FAU_GEN 1 FAU SAR 2 FAU SAR 1 FDP_IFC 1 2 and FDP IFC 1 3 Satisfied by FDP IFF 1 1 FDP ETC 1 FDP_ACC 1 FDP_ACC 2 is specified as a security FDP IFC 1 functional requirement and FDP ACC is hierarchical to FDP ACC 1 FDP IFC 1 1 FDP IFF 1 FDP IFC 1 2 FDP IFF 1 Satisfied by FDP IFF 1 2 FDP_IFC 1 3 FDP IFF 1 Satisfied by FDP IFF 1 3 Satisfied by FDP_IFC 1 1
Dependencies Dependency Satisfied rss We mes rss NN RN mmo e NN RN FDP IIC 1 FDP IFC 1 Yes Satisfied by FDP IFC 1 1 FDP IFC 1 2 and FDP IFC 1 3 FDP 1 FDP_IFC 1 Satisfied by FDP IFC 1 1 E and FDP_IFC 1 3 FIAATDI ATD 1 Noe a _UAU 2 CE _UID 1 NNNM Is specified as a security functional requirement and FIA_UID 2 is hierarchical to FIA_UID 1 Em C WR js WA HAUS CHA PI We Nn 00 ATO ya uum rna e wanu uum mama TYA TO iye TT Bur e 00 TT
Depen
30. user interface the steps required to remediate a specific vulnerability on a client machine.

Display Scanner Data: The TOE has the capability of displaying imported scanner information.

F DISPVULN F EXPORTDATA F IAUSER F IMPREMDATA F IMPDATA

Display Vulnerabilities: The TOE has the capability of displaying graphically the vulnerabilities on each machine on a network. It shall be possible to list all of the vulnerabilities reported for each and all machines on the network, or to display a list of machines which are susceptible to a specific vulnerability.

Export Data: Each McAfee Hercules Server has the capability to export user data for backup purposes or as an efficient means for transferring to another McAfee Hercules server.

Identify and Authenticate Users: The McAfee Hercules Administrator Console has the capability to identify and authenticate users of the console, both on initial start-up and when changing servers. The McAfee Hercules Administrator Console executes using a Windows administrator account which is recognized by the machine hosting the McAfee Hercules server. Identification and authentication is achieved through the use of a username and password pair. This method of identification and authentication is also performed for the
31. 1 INTRODUCTION

1.1 GENERAL

This introductory section presents security target (ST) identification information, an overview of the product and an overview of the ST structure. A brief discussion of the ST development methodology is also provided.

An ST document provides the basis for the evaluation of an information technology (IT) product or system under the Common Criteria for Information Technology Security Evaluation (CC). Within the ST, the product or system which is being evaluated is referred to as the Target of Evaluation (TOE).

An ST principally defines:
• A set of assumptions about the security aspects of the environment, a list of threats which the product is intended to counter, and any known rules with which the product must comply (see Section 3, Security Environment).
• A set of security objectives and a set of security requirements are presented in Sections 4 and 5, Security Objectives and IT Security Requirements, respectively.
• The IT security functions provided by the TOE which meet that set of requirements (see Section 6, TOE Summary Specification).

The structure and contents of this ST comply with the requirements specified in the CC Part 1, Annex B, and Part 3, Chapter 8.

1.2 IDENTIFICATION

Title Publication Date TOE Registration Common Criteria Conformance Claim Evaluation Assurance Level EAL
32. Capabilities: Administrators have the ability to roll back system changes and patch installations when necessary.
• V Flash: Administrators can stay current on the latest vulnerability remediation signatures through the McAfee Hercules V Flash update service.
• Remediation Policies: Users can define remediation policies for a single device or group of devices.
• Compliance Only capability: Users assigned the policy auditor role can evaluate compliance of their network devices to policies without the ability to automate the remediation of vulnerabilities on non-compliant devices.
• Policy Enforcement: When you enforce a policy, remedies are applied regardless of detected vulnerabilities. With ConnectGuard, disconnected machines are prevented from gaining access to the network until remedies have been applied that comply with the organization's security policy.
• Best Practices: McAfee Hercules offers complete support for the best practices of vulnerability remediation.
• Optional Distributed Architecture: Remote deployment of the McAfee Hercules Channel Server and File Download Server components allows for an improved flow of data to areas that are geographically distant or across wide enterprise networks, thus optimizing network bandwidth and server capacity.

In
33. EMA Delivering the Right Assurance

SECURITY TARGET
MCAFEE HERCULES POLICY AUDITOR AND MCAFEE HERCULES REMEDIATION MANAGER
MCAFEE HERCULES VERSION 4.5

Document No 1566 001 D001
Version 1.3
9 April 2008

Prepared for: McAfee Inc, 3965 Freedom Circle, Santa Clara, California 95054

Prepared by: Electronic Warfare Associates Canada Ltd, 55 Metcalfe St, Suite 1600, Ottawa, Ontario K1P 6L5

<Original>

Approved by (signature and date):
Project Engineer: Ben Cuthbert, 09 April 2008
Project Manager: Grant Gibbs, 09 April 2008
Program Director: Erin Connor, 09 April 2008

TABLE OF CONTENTS

1 INTRODUCTION
1.1 GENERAL
1.2 IDENTIFICATION
1.3 PRODUCT OVERVIEW
1.4 CONVENTIONS, TERMINOLOGY AND ACRONYMS
1.4.1 Conventions
1.4.2 Terminology
1.4.3 Acronyms
2 TARGET OF EVALUATION DESCRIPTION
34. Management Service, Patch Download Service or V Flash Service events, in addition to the audit capabilities of the underlying operating system.

FAU_GEN.1.2 The Environment shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the ST, [assignment: no other audit relevant information].

Dependencies: FPT_STM.1 Reliable time stamps

FAU_SAR.1e Audit review

This component will provide authorised users the capability to obtain and interpret the information. In case of human users, this information needs to be in a human understandable presentation. In case of external IT entities, the information needs to be unambiguously represented in an electronic fashion.

Hierarchical to FAU_SAR.1.1 FAU_SAR.1.2 Dependencies FAU_SEL.1e Hierarchical to FAU_SEL.1.1 Dependencies FDP_IFC.1e Hierarchical to FDP_IFC.1.1 Dependencies

No other components

The Environment shall provide [assignment: authorised users] with the capability to read [assignment: log data retained by the Environment] from the audit records.

The Envir
35. McAfee Hercules Channel Server and the McAfee Hercules Download Server.

Import Remediation Data: The TOE has the capability to import specific remediation information for reported vulnerabilities.

Import Scanner Data: The TOE has the capability of importing vulnerability scanner information from the following third-party vulnerability scanners:
1. eEye Digital Security Retina Network Security Scanner
2. eEye Digital Security REM Security Management Console
3. Foundstone Inc FoundScan Engine
4. Harris STAT Scanner
5. Harris STAT Scanner 6.2.1 and above Guardian
6. Internet Security Systems Internet Scanner
7. Internet Security Systems SiteProtector
8. Internet Security Systems System Scanner
9. Microsoft Baseline Security Analyzer (MBSA)
10. nCircle IP360 Vulnerability Management System
11. NexantiS SecureScout SP
12. Qualys Inc QualysGuard Scanner
13. Saint Corporation SAINT Scanning Engine
14. Tenable Network Security Nessus Scanner
15. Tenable Network Security NeWT Scanner
16. The MITRE Corporation OVAL Definition Interpreter

F IMPDEV Import Device Identifiers: The TOE can import device identifiers from the following:
1. Windows NT Domain
2. Windows Active Directory Domain
36. TEST ensures that the TOE test documentation is sufficient to determine that the developer has functionally tested all TOE security functions. This measure satisfies the requirements of ATE_FUN.1.

ATE_IND.2 Independent Testing - Sample
Assurance Measure M TEST ensures that the TOE test documentation is sufficient for the evaluator to repeat a sample of the developer's functional testing in order to confirm the test results, as well as develop independent tests of the TOE security functions. This measure satisfies the requirements of ATE_IND.2.

AVA_MSU.1 Examination of Guidance
Assurance Measure M DOCS ensures that the TOE documentation includes guidance documentation. This documentation may be examined for misleading, unreasonable and conflicting guidance. This measure satisfies the requirements for AVA_MSU.1.

AVA_SOF.1 Strength of TOE Security Function Evaluation
Assurance Measure M VULNER ensures that the TOE vulnerability analysis documentation includes a strength of TOE security function analysis for each mechanism identified in the ST as having a strength of TOE security function claim. This measure satisfies the requirements of AVA_SOF.1.

AVA_VLA.1 Developer Vulnerability Analysis
Assurance Measure M VULNER ensures that the TOE vulnerability analysis documentation includes an
37. The TOE provides the capability to create custom roles to which individual users and groups of users may be assigned (F MANAGEROLES). The ability to use specific features of the TOE, such as the creation of user-defined vulnerabilities, may be assigned to custom roles.

FPT_RVM.1 Non-bypassability of the TSP
The TOE and supporting host operating system ensure that the TSP enforcement functions are invoked and successful before any function within the TSC is activated (F RVM).

8.6 TOE ASSURANCE MEASURES RATIONALE

The McAfee Hercules product is designed to protect the TOE and its data from network attacks, to limit the system's use of network interfaces to those specified by the user, and to be simple enough for a knowledgeable system administrator to use. An assurance level of EAL 3 (Methodically Tested and Checked) was selected, as the threat to security is considered to be unsophisticated network attackers and the data to be protected consists primarily of user private data and system resources. An evaluation at this level provides a moderate level of independently assured security via a thorough investigation of the TOE and its development.

Table 9 provides a bi-directional mapping of Assurance Measures to Assurance Requirements and is followed by a short discussion of how the Assurance R
38. UTH ensures the user has authenticated to the console, and O ADMIN ensures effective management of the TOE security functions provided to that user. O USERDATA ensures exported user data is provided only to authorised users of the administration console.

A network attacker may attempt to exploit vulnerabilities on a Client system protected by the TOE in order to gain unauthorized access to the resources of the client system. The O CLIENTREM objective ensures that the TOE provides effective remediation to client systems in order to remove or mitigate identified vulnerabilities.

T NETEXPLOIT T OS T REMSERVER T SNIFF T SNIFFSCAN T SPOOF T SPOOFCLIENT T SPOOFSCAN

A network attacker may attempt to exploit vulnerabilities on a Client system protected by the TOE in an attempt to compromise other network resources. The O CLIENTREM objective ensures that the TOE provides effective remediation to client systems in order to remove or mitigate identified vulnerabilities.

An unauthorized user may attempt to gain access over the operating system by bypassing a security mechanism and use this access to elevate his/her privileges over TOE functions and/or data. The OE DOMAIN environment objective ensures that the host operating system on which the TOE resides provides domain s
39. processing

1.4.3 Acronyms

CC      Common Criteria for Information Technology Security Evaluation
CERT    Computer Emergency Response Team
CM      Configuration Management
CVE     Common Vulnerabilities and Exposures
EAL     Evaluation Assurance Level
ePO     McAfee ePolicy Orchestrator
HMI     Human Machine Interface
IT      Information Technology
O/S     Operating System
SSH     Secure Shell
SSL     Secure Sockets Layer
ST      Security Target
TCP/IP  Transmission Control Protocol/Internet Protocol
TOE     Target of Evaluation
TSC     TOE Scope of Control
TSF     TOE Security Functions
TSP     TOE Security Policy

2 TARGET OF EVALUATION DESCRIPTION

2.1 EVALUATED CONFIGURATIONS

2.1.1 Overview

The McAfee Hercules product is designed to facilitate the automatic vulnerability remediation of devices on a network. The product imports vulnerability information from a number of third-party commercial vulnerability scanner products and consolidates this information into a single view of the vulnerabilities of each device in the network. The product provides a sequence of automatically executable remediation steps which will correct each recognized vulnerability. Users of the product may downloa
40. Windows client capabilities. Unix clients require a root account to install, configure and execute Unix daemons, use of Unix file system access control, and the use of ssh for installation. This component also generates audit events in the log, including start, stop, successful actions and failed actions. This component receives remediation and policy data that was pushed from the McAfee Hercules Server and then uses that data to remediate client systems and enforce the policy on the client. The remediation status is then reported back to the McAfee Hercules Server.

• The McAfee Hercules Mac Clients provide functionality which is equivalent to Windows client capabilities. Mac clients require a root account to install, configure and execute Mac daemons, use of pseudo access control, and the use of ssh for installation. This component also generates audit events in the log, including start, stop, successful actions and failed actions. This component receives remediation and policy data that was pushed from the McAfee Hercules Server and then uses that data to remediate client systems and enforce the policy on the client. The remediation status is then reported back to the McAfee Hercules Server.

3 TOE SECURITY ENVIRONMENT

3.1 ASSUMPTIONS

The following conditions are assumed to exist i
41. ability to view audit information (F AUDIT).

FDP_ACC.2 Complete access control
The TOE incorporates access control (ACCESS). Authorized users are subject to the ADIMN ACCESS SFP access control security functional policy for the management of role-based access control. Users are assigned to roles that allow specific administrative functionality on the McAfee Hercules Server (MANAGEROLES).

FDP_ACF.1 Security attribute based access control
The TOE incorporates role-based access control (F ACCESS). Authorized users are subject to the ADIMN ACCESS SFP access control security functional policy for the management of role-based access control. Users are assigned to roles that allow specific administrative functionality on the McAfee Hercules Server (MANAGEROLES).

FDP_ETC.1 Export of user data without security attributes
The TOE exports (F EXPORTDATA) user data for backup or transfer to another McAfee Hercules Server.

FDP_IFC.1 Subset information flow control 1
Each McAfee Hercules Server also enforces the IMPORT information flow control security functional policy when importing both vulnerability scan data (F IMPDATA), vulnerability remediation data (F IMPREMDATA) and device identifier data (F IMPDEV).

FDP_IFC.1 Subset information flow control 2
Each McAfe
42. administrative privileges on the machine running the console as well as the McAfee Hercules Server and all client machines. The McAfee Hercules Administrator Console provides the HMI for the product and includes the display and input devices through which the user interacts with the McAfee Hercules application. Information that can be gathered from this HMI includes connected client systems, client status, the list of vulnerabilities that will be remediated on a particular client or group of clients, remediation status, remediation signatures, scanner data, and vulnerabilities found on clients.

The McAfee Hercules Server, using a basic configuration comprising the McAfee Hercules Server, McAfee Hercules Download Server and McAfee Hercules Channel Server Windows service(s) that communicates with the McAfee Hercules Client to distribute remediation profiles and gather remediation progress data. Multiple McAfee Hercules Servers may be deployed within a network and administered from a single McAfee Hercules Administrator Console. The McAfee Hercules Server is designed to be installed and used on a trusted and appropriately configured and controlled Windows server. This component also generates audit events in the log, including start, stop, successful actions and failed actions. The McAfee Hercules Server supports the export of user data for backup and transfer purposes, as well as the import of remediation data, scanner data and device
43. al The strength of function claim is therefore SOF BASIC. This claim applies to the security function F IAUSER.

6.1 TOE SECURITY FUNCTIONS

A description of each of the TOE security functions follows.

F ACCESS Access Control: Access to the TOE is restricted to authorized administrators through the use of user identification and authentication. The TOE has the capability of incorporating role-based access control. Each of the McAfee Hercules administrative tasks can be associated with one or more roles. An authorized user must be assigned to a role that is associated with a task before the user can perform the task.

F AGGVADATA Aggregate Scanner Data: The TOE has the capability of merging vulnerability scanner information from the third-party vulnerability scanners for a client machine into a single consistent vulnerability assessment for that machine.

F APPPROF Approve Profile: The TOE provides the capability for a suitably authorized user to approve a remediation profile. Once approved, the remediation profile shall be automatically invoked by each client machine in the group to which the profile applies at the next scheduled remediation interval.

F AUDIT F DISPCLIENT F DISPCLIENTSTATUS F DISPPROF F DISPREMSTATUS F DISPSIG F DISPVADATA

Audit Remediation Activity
44. an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [assignment: For the transfer of a remediation signature from the McAfee Hercules Server to a client machine:
a) the requesting client machine has been identified as authorised by the server using either certificates or, in the absence of certificates, the IP Address, Domain Name or NETBIOS name; and
b) the format of the client machine remediation status information is recognized].

The Environment shall enforce the [assignment: no additional information flow control SFP rules].

The Environment shall provide the following [assignment: no additional SFP capabilities].

The Environment shall explicitly authorise an information flow based on the following rules: [assignment: none].

The Environment shall explicitly deny an information flow based on the following rules: [assignment: none].

FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialisation

Basic internal transfer protection

No other components

The Environment shall enforce the [assignment: SERVER_SFP] to prevent the [selection: disclosure, modification] of user data when it is transmitted between physically separated parts of the TOE.

Dependencies 1
45. analysis of obvious ways in which a user can violate the TOE security policies, along with the disposition of these obvious vulnerabilities. This measure satisfies the requirements of AVA_VLA.1.
46. ard blocks network traffic from remote and local client devices reconnecting to the network, checks devices for compliance with their assigned Network Access Policies (NAP), and applies the appropriate NAPs along with their remedy actions to noncompliant machines.

b) Cisco Systems Network Admission Control provides network access only to client devices that fully comply with the established NAP and ensures that noncompliant devices are denied access, placed into quarantine for remediation, or given restricted access to resources.

• McAfee Hercules Network Access Policy is a corporate security policy that can be configured to ensure that an active antivirus is installed and running on client devices, or to ensure protection from a specified set of vulnerabilities. The McAfee Hercules system provides a mechanism to apply the NAP and all remediations associated with the policy to client devices to ensure that the devices are in compliance before they are allowed full access to the network.

5.5 ASSURANCE REQUIREMENTS

The security assurance requirements for the TOE comprise the requirements corresponding to the EAL 3 level of assurance, as defined in the CC Part 3. The assurance components are summarized in the following table.

Assurance Components Assurance Class Conf
47. chines. These scanner products fall outside the boundary of the TOE. The data generated by the scanners is also initially outside the TOE boundary. However, authorised TOE users may import data from one of the recognised scanner products across the TOE boundary. If the vulnerability data is selected by an authorised TOE user and conforms to the expected format of data from one of the supported third-party scanner products, then the TOE accepts that data as valid vulnerability information.

During the operation of the TOE, the update of vulnerability remediation data must be performed on a regular basis. These updates are obtained from the trusted McAfee Hercules V Flash server, which falls outside the TOE boundary. The TOE uses SSL to ensure the fidelity of the data downloaded from the V Flash server.

5.4.3 Data Exchange Information Flow Control Security Functional Policy (EXCHANGE SFP)

The TOE allows authorised TOE users to export user data from a McAfee Hercules Server and import the exported data files to the same McAfee Hercules Server or to another McAfee Hercules Server. The export and subsequent import are controlled by the authorized user, who acts through the McAfee Hercules Administrator Console, which then controls the McAfee Hercules Server. This capability provides the abi
48. curity practices.

TOE Users are non-hostile and follow all guidance documents.

The Server and Administrator elements of the TOE are physically secure, and only authorized personnel have physical access to these elements of the TOE.

Access to the TOE is restricted to authorized users. Authorized users are assigned to roles that in turn provide access to the administrative functions associated with that role. A TOE user is capable of performing only the administrative tasks inherited by their assigned roles. For the remainder of this document, the phrase TOE User shall be employed to represent any authorized user with administrative privileges.

3.2 THREATS

The threats discussed below are addressed by a compliant TOE. The threat agents are either human users or external IT entities not authorized to use the TOE. Additionally, threat agents may be users with administrative privileges that introduce vulnerabilities by inadvertently misconfiguring network systems from a security perspective. Threat agents are assumed to have a low level of sophistication, but may have knowledge of vulnerabilities and access to attack methods which are in the public domain. The TOE is not designed to withstand attack by sophisticated, highly motivated or well-funded threat agents. The assets that are subj
49. curity violations occurred legitimate and unauthorised

To establish the validity of a claimed user or object.

Assuring information and communications services will be ready for use when expected.

An intrusion into an IT System where unauthorised disclosure, modification or destruction of sensitive information may have occurred.

Assuring information will be kept secret, with access limited to appropriate persons.

Assessment of a PP, a ST or a TOE against defined criteria.

May range from a computer system to a computer network.

Assuring information will not be accidentally or maliciously altered or destroyed.

A package of IT software, firmware and/or hardware providing functionality designed for use or incorporation within a multiplicity of systems.

Network; Protection Profile (PP); Security; Security Policy; Security Target (ST); Target of Evaluation (TOE); Threat; TOE Security Functions (TSF); TOE Security Policy (TSP); TSF Data; TSF Scope of Control; User; Vulnerability

Two or more machines interconnected for communications.

An implementation-independent set of security requirements for a category of TOE that meet specific consumer needs.

A condition that results from the establishment and maintenance of protective measures that ensure a state o
50. cy Satisfied ADV HLD is specified as a security assurance requirement and ADV 2 is hierarchical to ADV HLD 1 ADV HLD is specified as a security assurance requirement and ADV 2 is hierarchical to

Table 7 Security Assurance Requirement Dependencies

8.5 SUMMARY SPECIFICATION RATIONALE

Table 8 provides a bi-directional mapping of Security Functions to Security Functional Requirements and is followed by a discussion of how each Security Functional Requirement is addressed by the corresponding Security Function.

[Table 8: Mapping of Security Functions to Security Functional Requirements; legible security function rows: IMPREMDATA, IMPDATA, IMPDEV, MANAGEDATA, MANAGEPROF, MANAGEROLES, PUSHREM, PUSHPOLICY, REMCLIENT, REMPOLICY]
51. d new signatures from the V Flash server operated by McAfee. The McAfee Hercules product provides an interface which allows users to view the listed vulnerabilities of devices on the network. Logical groupings of devices may be defined. An automatic remediation schedule may be defined for a group. In addition, a specific list of vulnerabilities to be remediated may be defined for the group. The McAfee Hercules product is to be evaluated in two configurations:
• Standalone and
• Distributed
The two configurations are described in separate sections below. They contain the same components and differ only in packaging. The TOE is software only and is identified as build 4 5 2 1 2 Standalone The Standalone configuration of the McAfee Hercules product is shown in Figure 1.
[Figure 1 McAfee Hercules Standalone Network Architecture]
52. dencies Dependency Satisfied
FMT MSA 3 FMT MSA 1 Yes Satisfied by FMT MSA 1 1, MSA 1 2 and FMT MSA 1 3
FMT_ s 1 FIA_UID 1 FIA_UID 2 is specified as a security functional requirement and FIA_UID 2 is hierarchical to FIA_UID 1
FPT_RVM FPT_RVM 1 None
Table 6 Security Functional Requirement Dependencies
8 4 SECURITY ASSURANCE REQUIREMENT DEPENDENCIES
Dependencies Dependency Satisfied
[Table 7 rows garbled in extraction. Legible note: ADV HLD 32 is specified as a security assurance requirement and ADV_HLD 2 is hierarchical to ADV_HLD 1]
Dependen
53. e FDP_IFF 1 Simple security attributes
FDP_IFF 1 Hierarchical to FDP_IFF 1 1 1 FDP_IFF 1 2 1 FDP_IFF 1 3 1 FDP_IFF 1 4 1 FDP_IFF 1 5 1 FDP_IFF 1 6 1 Dependencies FDP_IFF 1 Hierarchical to FDP_IFF 1 1 2 FDP_IFF 1 2 2
Simple security attributes 1
No other components.
The TSF shall enforce the assignment IMPORT SFP based on the following types of subject and information security attributes: assignment 1) The identification of an authorized TOE user; and 2) the format of the source data.
The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: assignment 1) For the import of Vulnerability Scan data to the server: a) the file to be imported has been specified by the authorized TOE User; and 2) The file meets the format expected by the TOE for the file purpose.
The TSF shall enforce the assignment no additional information flow control SFP rules.
The TSF shall provide the following: assignment no additional SFP capabilities.
The TSF shall explicitly authorise an information flow based on the following rules: assignment none.
The TSF shall explicitly deny an information flow based on the following rules: assignm
54. e Hercules Server enforces the EXCHANGE SFP information flow control security functional policy when exporting data files to the same or different McAfee Hercules Server (F EXPORTDATA) and subsequent import of remediation data (F IMPREMDATA), vulnerability scan data (F IMPDATA) and device identifier data (F IMPDEV).
FDP IFC 1 Subset information flow control 3
Each McAfee Hercules Server enforces the CONNECT information flow control security functional policy, which restricts the ability of client machines to communicate over the network until remediation data has been pushed to the device (F PUSHPOLICY).
FDP IFF 1 Simple security attributes 1
The TOE uses the IMPORT information flow control security functional policy to govern the import of vulnerability scan information (F IMPDATA), vulnerability remediation data (F IMPREMDATA) and device identifier data (F IMPDEV) from trusted external sources by an authorized TOE user (F IAUSER).
FDP IFF 1 Simple security attributes 2
The TOE uses the EXCHANGE information flow control security functional policy to govern the exchange of data between McAfee Hercules Servers. This policy states that the server must identify and authenticate the user before allowing them to export data files (F EXPORTDATA) and the subs
55. e be trusted to function correctly for those OS functions required by the TOE component that is installed on the client machine (A GOODOS). In addition, the environment supports and monitors the correct functioning of the TOE by providing supplemental audit data generation (FAU_GEN 1e), a means of reviewing the supplemental audit data (FAU_SAR 1e), selective audit (FAU_SEL 1e) and reliable time stamps (FPT_STM 1e).
Knowledgeable, non-malicious users with system administrator privileges must be assigned to install, configure, administer, operate and maintain the TOE. The environment is assumed to provide knowledgeable (A KNOWLEDGE), non-hostile users who follow all guidance documents (A NOEVIL) and who have all necessary access to the device (A TOEUSER).
The administrator(s) responsible for the TOE must ensure that the TOE is installed, configured, administered and operated in accordance with the guidance documents. The environment is assumed to be securely configured and to remain in that configuration (A CONFIG).
The operating system and environment in which the TOE is to be installed must support the use of digital certificates for identification and authentication, as well as SSL/SSH protocols to support the protection of communications between components. The McAfee Hercules server can leverage the environment to protect data transferred to a client system using SSL for Windows clients and OpenSSH for Unix clients. Digital ce
56. ect to attack are the components of the TOE itself and/or the resources of the client systems protected by the TOE.
T BADDATA: A network attacker may attempt to provide the Remediation Manager with erroneous remediation information in an attempt to compromise the Client systems.
T CLIENT: An unauthorized person may have administrator/root control of one of the client systems and may use that control to attempt to compromise the Remediation Manager.
T CONSOLE: A network attacker may attempt to gain control of the TOE through the McAfee Hercules Administration Console.
T EXPLOIT: A network attacker may attempt to exploit vulnerabilities on a client system protected by the TOE in order to gain unauthorized access to the resources of the client system.
T NETEXPLOIT: A network attacker may attempt to exploit vulnerabilities on a client system protected by the TOE in an attempt to compromise other network resources.
T OS: An unauthorized user may attempt to gain access over the operating system by bypassing a security mechanism and use this access to elevate his/her privileges over TOE functions and/or data.
T REMSERVER: A network attacker may attempt to gain control of the McAfee Hercules Remediation Manager.
T SNIFF: A network attacker may intercept and monitor communications between the Remediation Manager and the Client systems and use the information gained to compromise the Remediation Manager and/or a Client system.
T SNIFFSCAN: A
57. ediation data (F IMPREMDATA) and device identifier data (F IMPDEV). Authorized users may also display the imported vulnerability data (F DISPVADATA) and aggregate vulnerability information from multiple scans into a unified vulnerability picture for client systems (F AGGVADATA). Authorized TOE users have the ability to manipulate all of the vulnerability and remediation data held by TOE (MANAGEDATA).
FMT MSA 1 Management of Security Attributes 2
Only authorized McAfee Hercules users have access to the functions of the TOE (F IAUSER). These users are subject to the IMPORT SFP information flow control security functional policy for the import of vulnerability scan data (F IMPDATA), vulnerability remediation data (F IMPREMDATA) and device identifier data (F IMPDEV). Authorized users may also display the imported vulnerability data (F DISPVADATA) and aggregate vulnerability information from multiple scans into a unified vulnerability picture for client systems (F AGGVADATA). Authorized TOE users have the ability to manipulate all of the vulnerability and remediation data held by the TOE (F MANAGEDATA).
FMT MSA 1 Management of Security Attributes 3
Only authorized McAfee Hercules users have access to the functions of TOE (F IAUSER). These users are subject to the ADMIN ACCESS SFP information flow control security functional policy, which incorporates a role based access control capability (F ACCESS). The TOE provides the capabilit
58. ent none
FDP IFC 1 Subset information flow control
FMT MSA 3 Static attribute initialisation
Simple security attributes 2
No other components.
The TSF shall enforce the assignment EXCHANGE based on the following types of subject and information security attributes: assignment 1) The identification and authentication of the TOE user; and 2) the format of the source data.
The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: assignment For the export of exchange data via XML files from the server, the data to be exported has been specified by the authorized TOE User. 2) For the import of exchange data via XML files to the server: a) the file to be imported has been specified by the authorized TOE User; and b) the file meets the format expected by the TOE for the file purpose.
FDP_IFF 1 3 2 FDP_IFF 1 4 2 FDP_IFF 1 5 2 FDP_IFF 1 6 2 Dependencies FDP_IFF 1 Hierarchical to FDP_IFF 1 1 3 FDP_IFF 1 2 3 FDP_IFF 1 3 3 FDP_IFF 1 4 3 FDP_IFF 1 5 3 FDP_IFF 1 6 3 Dependencies
The TSF shall enforce the assignment no additional information flow control SFP rules.
The TSF shall provide the following assignment
59. eparation
A network attacker may attempt to gain control of the McAfee Hercules Remediation Manager. The O NETATK objective ensures that the Remediation Manager is secure.
A network attacker may monitor communications between the Remediation Manager and the Client systems and use the information gained to compromise the Remediation Manager and/or a Client system. The OE PROTCOM objective ensures that the information passing between the distributed parts of the TOE is secure.
A network attacker may monitor communications between the Remediation Manager and a vulnerability scanner to learn vulnerabilities of client systems. The O SCANDATA objective ensures that the scanner data used by the TOE is accurate and secure.
A network attacker may attempt to imitate the Remediation Manager and provide erroneous remediation information to a client system in order to compromise the client. The OE PROTCOM environment objective ensures that it is not possible to imitate the Remediation Manager.
A network attacker may attempt to imitate a client system in order to gain information about the vulnerabilities of the client system. The OE PROTCOM environment objective ensures that it is not possible for an attacker to imitate a client system.
A network attacker may attempt to provide the Remediation Manager with erroneous vulnerability assessment information in an attempt to prevent the remediation of vulnerable network systems.
60. ependencies FDP_IFC 1 Hierarchical to FDP_IFC 1 1 2 Dependencies FDP_IFC 1 Hierarchical to FDP_IFC 1 1 3 Dependencies
Export of user data without security attributes
No other components.
The TSF shall enforce the assignment EXCHANGE_SFP when exporting user data controlled under the SFP(s) outside of the TSC.
The TSF shall export the user data without the user data's associated security attributes.
FDP_ACC 1 Subset access control or FDP_IFC 1 Subset information flow control
Subset information flow control 1
No other components.
The TSF shall enforce the assignment IMPORT_SFP on assignment McAfee Hercules Servers when importing vulnerability scan data and vulnerability remediation data from outside the TOE boundary.
FDP_IFF 1 Simple security attributes
Subset information flow control 2
No other components.
The TSF shall enforce the assignment EXCHANGE SFP on assignment McAfee Hercules Servers when exporting or importing vulnerability data, ActionPacks, custom policies, custom device queries, custom device query collections and remedies via XML files across the TOE boundary.
FDP_IFF 1 Simple security attributes
Subset information flow control 3
No other components.
The TSF shall enforce the assignment CONNECT on assignment McAfee Hercules Clients when determining the network traffic that is permitted to flow to and from the devices on which they resid
61. equent import of remediation data (F IMPREMDATA), vulnerability scan data (F IMPDATA) and device identifier data (F IMPDEV) from trusted external sources by an authorized TOE user (F IAUSER).
FDP IFF 1 Simple security attributes 3
The TOE uses the CONNECT SFP information flow control security functional policy to govern the exchange of data between a McAfee Hercules Server and one of its client systems. This policy states that the server must identify and authenticate the client before allowing the client machines to communicate over the network until remediation data has been pushed to the device (F PUSHPOLICY).
FDP ITC 1 Import of user data without security attributes
When importing vulnerability scan data (F IMPDATA) or vulnerability remediation data (F IMPREMDATA) or device identifier data (F IMPDEV) from trusted external sources, the TOE ignores any security attributes associated with the external data and instead applies the properties specified by the authorized TOE user to the imported data.
FDP ROL 1 Basic Rollback
The TOE allows the rollback (F ROLLBACK) of specific automatic vulnerability remediations under specified circumstances.
FIA ATD 1 User attribute definition
The TOE restricts access through the use of user identification and authentication (F ACCESS).
FIA UAU 2 User authentication before any action
The user identification and authentication mechanisms used by the TOE (F IAUSER)
62. equirements are addressed by the corresponding Assurance Measures.
ACM_CAP 3 ADO_DEL 1 ADV_HLD 2 ADV_RCR 1 AGC_ADM 1 AGD_USR 1 ALC_DVS 1 ATE_COV 2 ATE_DPT 1 ATE_FUN 1 ATE IND 2 AVA_MSU 1 AVA_VLA 1 ACM_SCP 1 ADO_IGS 1 ADV_FSP 1 AVA_SOF 1
Table 9 Mapping of Assurance Measures to Assurance Requirements
ACM CAP 3 Authorisation Controls
Assurance Measure M ID ensures that the TOE is uniquely identified and labelled with its identity. Assurance Measure M CONFIG ensures that the TOE includes a configuration item list. Assurance Measure M AUTH ensures that only authorised changes are permitted to the TOE. These measures combine to satisfy the requirements of ACM_CAP 3.
ACM_SCP 1 TOE CM Coverage
Assurance Measure M CONFIG ensures that the TOE includes a configuration item list. The contents of this list ensure that the requirements of SCP 1 are met.
ADO DEL 1 Delivery Procedures
Assurance Measure M DELIVER ensures t
63. f inviolability from hostile acts or influences. The set of laws, rules and practices that regulate how an organisation manages, protects and distributes sensitive information. A set of security requirements and specification to be used as the basis for evaluation of an identified TOE. An IT product or system and its associated administrator and user guidance documentation that is the subject of an evaluation. The means through which the ability or intent of a threat agent to adversely affect an automated system, facility or operation can be manifest. A potential violation of security. A set of all hardware, software and firmware of the TOE that must be relied upon for the correct enforcement of the TSP. A set of rules that regulate how assets are managed, protected and distributed within a TOE. Data created by and for the TOE that might affect the operation of the TOE. The set of interactions that can occur with or within a TOE and are subject to the rules of the TSP. An entity (human user or external IT entity) outside of the TOE that interacts with the TOE. Hardware, firmware or software flaw that leaves an IT System open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls and so forth that could be exploited by a threat to gain unauthorised access to information, unauthorised privileges or disrupt critical
64. hat the TOE includes documentation describing the delivery procedures for the TOE. This measure satisfies the requirements of DEL 1.
ADO IGS 1 Installation, Generation and Start-up Procedures
Assurance Measure M SETUP ensures that the TOE includes documentation describing its secure installation, generation and start-up. This measure satisfies the requirements of ADO IGS 1.
ADV FSP 1 Informal Functional Specification
Assurance Measure M DESIGN ensures that the TOE design documentation includes an informal function specification. This measure satisfies the requirements of ADV FSP 1.
ADV HLD 2 Security Enforcing High Level Design
Assurance Measure M DESIGN ensures that the TOE design documentation includes an informal high level design, which includes a description of the TSF in terms of subsystems, a description of the purpose and method of use of all interfaces to the subsystems, and a description of the separation of the TOE into TSP enforcing and other subsystems. These features satisfy the requirements of ADV HLD 2.
ADV Informal Correspondence Demonstration
Assurance Measure M DESIGN ensures that the TOE design documentation includes an informal correspondence demonstration between the TOE Summary Specification, the Functional Specification and the High Level Design. This measure satisfies the requirements of ADV_RCR 1.
ADM 1 Administrator Guidance
Assurance Measure M DOCS ensures that the TOE documentation i
65. ication
Non-bypassability of the TSP
No other components.
The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed.
No dependencies.
5 3 SECURITY FUNCTIONAL REQUIREMENTS FOR THE IT ENVIRONMENT
The McAfee Hercules product relies upon the IT environment, which comprises the underlying operating system and third party software, to provide some of the security features of the product. The security functional requirements for the IT environment consist of the following components from Part 2 of the CC, summarized in Table 2.
1 Basic internal TSF data transfer protection
FPT_RVM 1e Non-bypassability of the TSP
FPT_SEP 1e TSF Domain Separation
FPT_STM 1e Reliable time stamps
Table 2 Summary of Security Requirements for the Environment
Denotes the environment iteration for this component
FAU_GEN 1e Audit data generation
Hierarchical to: No other components.
FAU_GEN 1 1 The Environment shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the selection not specified level of audit; and c) assignment use of the McAfee Hercules Client McAfee Hercules Client
66. ification of management functions
Revocation
No other components.
The TSF shall restrict the ability to revoke security attributes associated with the selection users, subjects, objects, assignment none within the TSC to assignment the roles authorized by the ADMIN ACCESS SFP.
The TSF shall enforce the rules assignment none.
FMT SMR 1 Security roles
Specification of Management Functions
No other components.
The TSF shall be capable of performing the following security management functions: assignment d specifying a list of client systems which are to be subject to automatic vulnerability remediation, specifying which vulnerabilities are to be remediated, scheduling automatic vulnerability remediations, rolling back previously completed remediations, performing collection inventory, managing compliance, configuring network access and defining control policies.
Dependencies FMT_SMR 1 Hierarchical to FMT_SMR 1 1 FMT_SMR 1 2 Dependencies FPT_RVM 1 Hierarchical to FPT_RVM 1 1 Dependencies
No dependencies.
Security roles
No other components.
The TSF shall maintain the roles assignment as defined by the ADMIN_ACCESS SFP.
The TSF shall be able to associate users with roles.
FIA_UID 1 Timing of identif
67. iguration Management: ACM_CAP 3; ACM_SCP 1 TOE CM coverage
Delivery and Operation: ADO_DEL 1 Delivery procedures; ADO_IGS 1 Installation, generation and start-up procedures
Development: ADV_FSP 1 Informal functional specification; ADV HLD 2 Security enforcing high level design
Vulnerability Assessment: AVA_MSU 1; AVA_SOF 1 Strength of TOE security function evaluation; Developer vulnerability analysis
Table 3 EAL 3 Assurance Requirements
6 TOE SUMMARY SPECIFICATION
This section provides a description of the security functions and assurance measures of the TOE that meet the TOE security requirements. A typical attacker in the intended environment for the TOE is assumed to have a low level of sophistication, but may have knowledge of vulnerabilities and access to attack methods that are in the public domain. The purpose of the attacks could be 1) to gain access to the resources of the TOE, 2) to gain access to the resources of the client systems protected by the TOE, and/or 3) to prevent the successful remediation of client systems and thus leave these systems in a vulnerable state. Therefore the attack potential which is applicable for AVA_SOF 1 calculations is LOW. Any residual vulnerabilities may only be exploited by an attacker of moderate or high attack potenti
68. ilities which will not be remediated.
1 4 CONVENTIONS, TERMINOLOGY AND ACRONYMS
This section identifies the formatting conventions used to convey additional information and terminology having specific meaning. It also defines the meanings of abbreviations and acronyms used throughout the remainder of this document.
1 4 1 Conventions
This section describes the conventions used to denote CC operations on security requirements and to distinguish text with special meaning. The notation, formatting and conventions used in this ST are largely consistent with those used in the CC. Selection presentation choices are discussed here to aid the ST reader. The CC allows several operations to be performed on functional and assurance components: assignment, iteration, refinement and selection are defined in section 6 4 1 3 2 of the CC Part 1 v2 3.
• The assignment operation is used to assign a specific value to an unspecified parameter, such as the length of a password. An assignment is indicated by showing the value in italicised text within square brackets: assignment values.
• The refinement operation is used to add detail to a requirement, and thus further restricts a requirement. Refinement of security requirements is denoted by bold text. There are no refinements within this ST.
• The selection operation is used to select one or more options provided by the CC in stating a requirement. Selections are denoted by italicised text within square brackets
69. l have physical access to these elements of the TOE. The OE AUTHUSER objective notes that only authorized personnel are permitted physical access to the TOE.
Access to the TOE is restricted to authorized users. Authorized users are assigned to roles that in turn provide access to the administrative functions associated with that role. A TOE user is capable of performing only the administrative tasks inherited by their assigned roles. For the remainder of this document, the phrase TOE User shall be employed to represent any authorized user with administrative privileges. The OE GOODUSER objective describes the characteristics of the TOE Users and notes that these users must be authorized system administrators.
A network attacker may attempt to provide the Remediation Manager with erroneous remediation information in an attempt to compromise the Client systems. The O REMDATA objective ensures that the remediation data used by the TOE is accurate and secure.
An unauthorized person may have administrator/root control of one of the client systems and may use that control to attempt to compromise the Remediation Manager. The O CLIENTPROT objective ensures that the TOE is protected against attacks by the client systems.
A network attacker may attempt to gain control of the TOE through the McAfee Hercules Administration Console. The O HMI, O NETATK and O KNOWN objectives ensure that the Administration Console is secure. O USERA
70. lar: a) They are configured with the minimal operating system features installed and/or enabled to permit operation of the TOE. b) They are configured with minimal system privileges. c) They are configured with user accounts for authorized system administrators only and do not provide any end user accounts. The OE GUIDANCE objective ensures that the TOE will be configured securely.
The Operating System of the client machines has been configured in accordance with the McAfee Hercules Security Configuration Guide and therefore may be trusted to function correctly for those OS functions required by the TOE component that is installed on the client machine. The OE GOODOS objective ensures that those functions of the operating system required by the TOE function correctly.
TOE Users have knowledge of the operating systems on which the TOE resides, networking technology and general IT security practices. The OE GOODUSER objective notes that TOE Users must be knowledgeable.
TOE Users are non-hostile and follow all guidance documents. The OE GOODUSER objective notes that TOE Users must be non-malicious.
A PHYSICAL A TOEUSER T BADDATA T CLIENT T CONSOLE T EXPLOIT
The Server and Administrator elements of the TOE are physically secure and only authorized personne
71. le software; b) the McAfee Hercules Server software; c) the Channel Server software; d) the Download Server software; e) the UNIX Client software; f) the Windows Client software; and g) the Mac Client software.
The TOE operates in an environment that consists of: a) the operating systems supporting the TOE software; b) the hardware platforms on which the TOE software runs; and c) third party software supporting the TOE software.
All interaction between the parts of the TOE takes place through the intermediary of the environment, and the externals interact with the TOE through the intermediary of the environment.
[Figure 3 TOE Boundary Diagram. Labels: TOE BOUNDARY; ENVIRONMENT; Administrator Console; Vulnerability Scan Data; McAfee Hercules Server(s); Network Manager(s); Download Server(s); Windows Client(s); Device Applications]
The third party software supporting the TOE consists of: a) Adobe Acrobat; b) Microsoft SQL Server; c) Microsoft Reporting Services; d) InstallShield installer; e) WodSSH library for SSH communications; and f) Infragistics Windows Control Library.
These software products are
72. lity to backup custom user data and an efficient means of transferring this data to a different McAfee Hercules Server. The following data items may be transferred individually: a) Vulnerabilities; b) ActionPacks; c) Custom Policies; d) Custom Device Queries; e) Custom Device Query Collections; and f) Remedies.
The data is exported as XML files from the McAfee Hercules Server within the TOE Boundary to the Environment. The XML files in the TOE Environment are available for transfer to removable media or for transfer via the network. Authorized TOE users may import the XML data files from the Environment to the McAfee Hercules Server across the TOE Boundary. If the XML file is selected by an authorised TOE user and conforms to the expected format of data, then the TOE accepts that data as valid information.
5 4 4 Administrator Access Control Security Functional Policy (ADMIN ACCESS SFP)
The McAfee Hercules system incorporates a role based access control capability that defines the tasks that authorized users are allowed to perform. The McAfee Hercules system includes the following pre-defined roles: a) McAfee Hercules System Administrator (SysA); b) McAfee Hercules Server Administrator (SrvA); c) McAfee Hercules Device Group Administrator
73. n the operational environment.
A BACKUP A CMS A CONFIG A GOODOS A KNOWLEDGE A NOEVIL A PHYSICAL A TOEUSER
The organization operating the TOE has good backup and recovery procedures which are followed, allowing the TOE to be recovered to a secure configuration after a hardware failure.
In an environment where the McAfee Hercules client software is installed by remote means on a client machine using the McAfee Hercules Client Management Services (CMS), the server and clients are assumed to reside on a protected network.
The servers running the Remediation Manager and the Administrator Console have been configured securely as described in the Guidance documents and are maintained in that secure configuration. In particular: a) They are configured with the minimal operating system features installed and/or enabled to permit operation of the TOE. b) They are configured with minimal system privileges. c) They are configured with user accounts for authorized system administrators only and do not provide any end user accounts.
The Operating System of the client machines has been configured in accordance with the McAfee Hercules Security Configuration Guide and therefore may be trusted to function correctly for those OS functions required by the TOE component that is installed on the client machine.
TOE Users have knowledge of the operating systems on which the TOE resides, networking technology and general IT se
74. nally the TOE maintains a comprehensive audit trail of its actions (FAU_GEN 1, GEN 2).
The TOE must provide a controlled interface to its functionality such that only authorized TOE users are able to access the interface. The TOE HMI is provided by the McAfee Hercules Administrator Console. This component of the TOE is only accessible to authorized administrative users (FIA_UAU 2, FIA_UID 2, FMT SMR 1). Authorized users of the McAfee Hercules Administrator may control all of the security functions of the TOE, including setting security attributes and importing vulnerability scan and remediation data (FMT_MSA 1 1 3, FMT MSA 3, SMF 1). Actions performed by authorized users are subject to auditing (GEN 1, GEN 2, SAR 1, FAU SAR 2).
The TOE must ensure that legitimate users of the system are identified before rights of access can be granted. The TOE identifies user security attributes for individual users (ATD 1, FIA_UID 2, FIA_USB 1, FMT_MSA 1 1 3).
The TOE must protect itself against network attackers. The TOE protects itself against network attackers through its identification and authentication functions (FIA_UAU 2, FIA_UID 2). The collection of audit data GEN 1
O REMDATA O SCANDATA O USERDATA OE AUTHUSER
75. ncludes a user manual and online help system. Since all users of the TOE are also administrators (refer to assumption A.TOEUSER), this documentation acts as both User and Administrator guidance. This measure satisfies the requirements of AGD_ADM.1.
AGD_USR.1 User Guidance: Assurance Measure M.DOCS ensures that the TOE documentation includes a user manual and online help system. This measure satisfies the requirements of AGD_USR.1.
ALC_DVS.1 Identification of Security Measures: Assurance Measure M.DEVELOP ensures that the TOE documentation includes a description of the security measures for the TOE development environment. This measure satisfies the requirements of ALC_DVS.1.
ATE_COV.2 Analysis of Coverage: Assurance Measure M.TEST ensures that the TOE test documentation includes sufficient evidence to confirm that the developer has systematically tested the TOE against its functional specification and high-level design. This measure satisfies the requirements of ATE_COV.2.
ATE_DPT.1 Testing: High Level Design: Assurance Measure M.TEST ensures that the TOE test documentation includes sufficient evidence to demonstrate that the TSF operates in accordance with its high-level design. This measure satisfies the requirements of ATE_DPT.1.
ATE_FUN.1 Functional Testing: Assurance Measure M
76. nctional and assurance requirements that must be satisfied by a compliant TOE operating in a defined environment. The requirements consist of functional components from Part 2 of the CC and an Evaluation Assurance Level (EAL) containing assurance components from Part 3 of the CC.
5.2 TOE SECURITY FUNCTIONAL REQUIREMENTS
The security functional requirements for the TOE consist of the following components from Part 2 of the CC, summarized in Table 1.
CC Part 2 Security Functional Components (rows surviving in this excerpt): FIA_UID.2 User identification before any action; FIA_USB.1 User-subject binding; FPT_RVM.1 Non-bypassability of the TSP
Table 1 Summary of CC Part 2 Security Functional Requirements
FAU_GEN.1 Audit data generation
Hierarchical to: No other components
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the [selection: not specified] level of audit; and c) assignment: management of ActionPacks, management and control of McAfee Hercules Clients and the devices on which they are installed, device data import, device queries, device se
77. nents
The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: user identification].
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [assignment: the TSF shall send the user identification with each request sent by a subject].
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [assignment: none].
Dependencies: FIA_ATD.1 User attribute definition
FMT_MOF.1 Management of security functions behaviour
Hierarchical to: No other components
FMT_MOF.1.1 The TSF shall restrict the ability to [selection: determine the behaviour of, disable, enable, modify the behaviour of] the functions [assignment: administrative functions] to [assignment: the roles authorized by the ADMIN_ACCESS SFP].
Dependencies: FMT_SMR.1 Security roles; FMT_SMF.1 Specification of Management Functions
FMT_MSA.1 Management of security attributes (1)
Hierarchical to: No other components
FMT_MSA.1.1(1) The TSF shall enforce the assignment SERVER to restrict the ability to selection
Dependencies
78. nment of users to roles to [assignment: McAfee Hercules System Administrator].
FDP_ACC.1 Subset access control or FDP_IFC.1 Subset information flow control; FMT_SMR.1 Security roles; FMT_SMF.1 Specification of management functions
Static attribute initialisation
No other components
The TSF shall enforce the assignment _5 to provide [selection: permissive] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [assignment: authorised TOE users] to specify alternative initial values to override the default values when an object or information is created.
Dependencies: FMT_MSA.1 Management of security attributes; FMT_SMR.1 Security roles
FMT_MTD.1 Management of TSF data
Hierarchical to: No other components
FMT_MTD.1.1 The TSF shall restrict the ability to [selection: modify, delete, [assignment: aggregate, display]] the [assignment: vulnerability data, remediation data and client system vulnerability and remediation status] to [assignment: McAfee Hercules users authorized by the ADMIN_ACCESS SFP].
Dependencies: FMT_SMR.1 Security roles; FMT_SMF.1 Spec
FMT_REV.1; Hierarchical to; FMT_REV.1.1; FMT_REV.1.2; Dependencies; FMT_SMF.1; Hierarchical to; FMT_SMF.1.1
79. obtained as compiled libraries and linked to the McAfee code, or as standalone applications that are interfaced to the McAfee product.
2.2.2 Logical Boundary
The McAfee Hercules product is designed for the use of network administrators, and it is assumed that these users are appropriately trained and experienced. Further, it is assumed that the user does not have malicious intent and configures the product and its host platforms in accordance with the guidance documentation. The product will not prevent a user from carelessly configuring or using the McAfee Hercules such that network protection is compromised.
Each major component of the McAfee Hercules product identified in the previous section contributes to the functionality provided by the TOE as a whole. This functionality is summarized by component below:
• The McAfee Hercules Administrator Console provides the HMI for the product. It uses SSL-based communications with the McAfee Hercules Server(s) and has the ability to interact with Windows user accounts, domain privileges and NTFS privileges. It authenticates using Windows integrated authentication to Internet Information Server on the McAfee Hercules server. The McAfee Hercules Administrator Console is designed to be installed and used on a trusted and appropriately configured and controlled Windows machine that is used for network administration. Users of the McAfee Hercules Administrator Console require full
80. onment shall provide the audit records in a manner suitable for the user to interpret the information.
FAU_GEN.1 Audit data generation
Selective audit
No other components
The Environment shall be able to include or exclude auditable events from the set of audited events based on the following attributes: a) [selection: event type]; b) [assignment: client machine identification].
FAU_GEN.1 Audit data generation; FMT_MTD.1 Management of TSF data
Subset information flow control
No other components
The Environment shall enforce the [assignment: SERVER_SFP] on [assignment: McAfee Hercules Servers and client machines when the client machine requests a remediation profile from a McAfee Hercules Server].
FDP_IFF.1 Simple security attributes
FDP_IFF.1e Simple security attributes
Hierarchical to: No other components
FDP_IFF.1.1 The Environment shall enforce the [assignment: SERVER_SFP] based on the following types of subject and information security attributes: [assignment: 1) Identification and authentication of the client machine; and 2) format of client machine remediation status information].
FDP_IFF.1.2 The Environment shall permit
FDP_IFF.1.3; FDP_IFF.1.4; FDP_IFF.1.5; FDP_IFF.1.6; Dependencies; FDP_ITT.1e; Hierarchical to; FDP_ITT.1.1
81. red by an access control SFP.
FDP_ACF.1 Security attribute based access control
Security attribute based access control
No other components
The TSF shall enforce the [assignment: ADMIN_ACCESS SFP] to objects based on the following: [assignment: subjects: McAfee Hercules Administrator Console operating in response to users; objects: McAfee Hercules Servers, McAfee Hercules Clients; security attributes: user identification, user assignment to role, role association with task].
The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: user is assigned to a role that is authorized to perform the controlled operations on the controlled objects].
The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: none].
The TSF shall explicitly deny access of subjects to objects based on the [assignment: user is not assigned to a role that is authorized to command the controlled subject (i.e. the default is to deny permission)].
FDP_ACC.1 Subset access control; FMT_MSA.3 Static attribute initialisation
FDP_ETC.1; Hierarchical to; FDP_ETC.1.1; FDP_ETC.1.2; Dependencies; FDP_IFC.1; Hierarchical to; FDP_IFC 1 1 1 D
82. rious tasks. Users assigned to these roles are not able to perform any other functions outside their role. A user may be a member of multiple roles. Restrictions to devices or device groups can be managed through the assignment of roles or available users to Device Groups.
Push Remediation Data: The McAfee Hercules Server provides remediation data, in the form of a remediation profile, to client machines.
Push Policy Data: A client can be denied network access until remediation data has been pushed to the device that complies with the security of the organization. This can be accomplished through the use of McAfee Hercules ConnectGuard or Cisco Systems Network Admission Control (NAC) using a McAfee Hercules Network Access Policy (NAP).
F.REMCLIENT Remediate Client System: The TOE provides the capability to automatically remediate specific vulnerabilities on client machines.
F.REMPOLICY Enforce Policy on Client Systems: The TOE can enforce a remediation policy by enabling remedies that are part of a Remedy Group for a device or group of devices, regardless of detected vulnerabilities for these device(s).
F.REPREMSTATUS Report Remediation Status: The TOE has the capability of producing reports describing the remediation stat
F.ROLLBACK, F.RVM, F.SCHEDREM
83. rity Configuration Guide.
b) One or more McAfee Hercules Server(s) executing on an Intel Pentium compatible based PC running Windows Server 2003 Standard Edition with Service Pack 1 or Windows Server 2003 Enterprise Edition with Service Pack 1 as the operating system. IIS 6.0 is also required. Internet Explorer 6.0 and Microsoft SQL Server 2005, Microsoft Reporting Services, Microsoft .NET Framework v1.1 SP2, Microsoft ASP.Net are required for all installations. The minimum hardware requirements for a McAfee Hercules Server are specified in the McAfee Hercules Installation Guide. The required setup of a McAfee Hercules Server is described in the McAfee Hercules Security Configuration Guide.
c) One or more network devices with McAfee Hercules Client Version 4.5 installed on a supported Windows operating system. The supported versions of the Windows operating system are: Windows NT 4.0 Workstation with Service Pack 6, Windows NT 4.0 Standard Server with Service Pack 6, Windows NT 4.0 Terminal Server with Service Pack 6, Windows 2000 Professional, Windows 2000 Server, Windows 2000 Advanced Server, Windows XP Professional, Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, Windows Vista Home Basic, Windows Vista Home Premium, Windows Vista Business, Windows Vista Enterprise, and Windows Vista Ultimate. For Windows NT 4.0 platforms, Internet Explorer 5.5 with Service Pack 2 or above is also req
84. rtificates provide a two-way authentication between servers and clients (FDP_IFC.1e, FDP_IFF.1e). The TOE also protects its data from disclosure and modification while transmitting this data to the client systems 1 network which the TOE resides must protect the confidentiality and integrity of information exchanged between the distributed elements of the TOE when client machines are initially installed remotely using the McAfee Hercules Client Management Service (CMS).
The network on which the TOE resides is assumed to be protected (A.CMS). In addition, the environment protects the data transferred between separate parts of the TOE against disclosure and modification (FPT_ITT.1e).
8.3 SECURITY FUNCTIONAL REQUIREMENT DEPENDENCIES
Table 6 identifies the TOE and IT Environment Security Functional Requirements and their associated dependencies. It also indicates whether the TOE explicitly addresses each dependency. Notes are provided for those cases where the dependencies are satisfied by components which are hierarchical to the specified dependency.
Dependency Satisfied FAU GEN STM 1 Satisfied by FPT_STM.1e. FIA_UID.2 is specified as a security functional requirement and FIA_UID.2 is hierarchical to FIA_UID.1. FDP_ACF.1 FDP_ACC.2 is
85. rvice, device group service, policy enforcement, policy service, remediation service, remedy group service, remedy service, role based security, server, V-Flash, vulnerability data import and vulnerability service
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and b) For each audit event type, based on the auditable event definitions of the functional components included in the ST, [assignment: no other audit relevant information].
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.2 User identity association
Hierarchical to: No other components
FAU_GEN.2.1 The TSF shall be able to associate each auditable event with the identity of the user that caused the event.
Dependencies: FAU_GEN.1 Audit data generation; FIA_UID.1 Timing of identification
FAU_SAR.1 Audit review
This component will provide authorised users the capability to obtain and interpret the information. In case of human users this information needs to be in a human understandable presentation. In case of external IT entities the information needs to be unambiguously represented in an electronic fashion.
Hierarchical to; FAU_SAR.1.1
86. s with the ability to prioritize and remediate vulnerabilities using automated fixes that have been developed, tested, verified as being correct and validated as being appropriate by trusted and dedicated IT security professionals. New vulnerabilities are being discovered on a daily basis. It has been estimated that it takes approximately one hour of labour to manually correct one vulnerability on one client machine. For all but the smallest networks, manually correcting vulnerabilities imposes an unacceptable workload and cost for valuable and often scarce network and security administration resources. The McAfee Hercules product overcomes this problem. McAfee Hercules offers the following significant features:
• Interoperability: McAfee Hercules supports many industry-leading vulnerability assessment scanners. For the complete list see F.IMPDATA.
• Multi-tiered Architecture: The McAfee Hercules Administrator Console can be configured to manage multiple McAfee Hercules Servers.
• Administrator Control: Administrators maintain complete control over the selection of which vulnerabilities are to be remediated.
• Multiple O/S Support: McAfee Hercules supports Microsoft Windows, Solaris, Red Hat Linux, HP-UX, AIX, Tru64 and Mac OS X.
• Reporting: Detailed reports organize the vulnerability remediation data and can be used to measure the ongoing success of frequent vulnerability remediation cycles
87. set access control or FDP_IFC.1 Subset information flow control
User attribute definition
No other components
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: user identification, user assignment to role].
Dependencies: No dependencies
FIA_UAU.2 User authentication before any action
Hierarchical to: FIA_UAU.1 Timing of authentication
FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.6 Re-authenticating
Hierarchical to: No other components
FIA_UAU.6.1 The TSF shall re-authenticate the user under the conditions [assignment: the user attempts to manage the McAfee Hercules Channel Server or the McAfee Hercules & Download Server].
Dependencies: No dependencies
FIA_UID.2 User identification before any action
Hierarchical to: FIA_UID.1 Timing of identification
FIA_UID.2.1 The TSF shall require each user to identify itself before allowing any other TSF-mediated actions on behalf of that user.
Dependencies: No dependencies
FIA_USB.1 User-subject binding
Hierarchical to: No other compo
FIA_USB.1.1
88. ss to the F.IAUSER. These users are subject to the ADMIN_ACCESS SFP information flow control security functional policy, which incorporates role based access control capability (F.ACCESS). The TOE provides the capability to restrict access to various tasks by removing those privileges to the use of specific functions (F.MANAGEROLES).
FMT_SMF.1 Specification of Management Functions: The TOE allows authorized users complete control of the vulnerability and remediation data for all client systems. Users may create, edit and approve remediation profiles for client systems or groups of client systems (F.MANAGEPROF, F.APPPROF). Users may also schedule automatic remediation activity for client systems or groups of client systems (F.SCHEDREM, F.PUSHREM and F.REMPOLICY). This allows users to remove specific vulnerabilities from specific client systems (F.REMCLIENT). If desired, it is also possible in specific circumstances to roll back a previously applied remediation (F.ROLLBACK).
FMT_SMR.1 Security Roles: By default, the TOE assigns the McAfee Hercules System Administrator role to the user name that installed the McAfee Hercules Server. Members of this role have access to all of the functionality of the TOE and can perform any of the pre-defined tasks. Additionally, only individuals authorized as administrators by the underlying operating system are recognized as members of the McAfee Hercules user role (F.IAUSER).
89. test plans, test procedure descriptions, expected test results and actual test results. The test documentation is sufficient to determine that the developer has systematically tested the TOE against both the functional specification and the high-level design.
M.VULNER: The TOE includes vulnerability documentation which describes the strength of function analysis along with an analysis of obvious vulnerabilities in the TOE.
7 PROTECTION PROFILE CLAIMS
This ST does not make compliance claims with respect to any Protection Profiles.
8 RATIONALE
8.1 SECURITY OBJECTIVES RATIONALE
Table 4 provides a bi-directional mapping of Security Objectives to Threats and Assumptions. It is followed by a discussion of how each Threat or Assumption is addressed by the corresponding Security Objective(s).
Table 4 headings (cell marks not recoverable). Objectives: O.ADMIN, O.USERAUTH, O.CLIENTPROT, O.CLIENTREM, O.HMI, O.KNOWN, O.NETATK, O.REMDATA, O.SCANDATA, O.USERDATA, OE.DOMAIN, OE.GOODOS, OE.GOODUSER, OE.GUIDANCE, OE.PROTCOM, OE.SECURECOM, OE.BACKUP. Assumptions and threats: A.BACKUP, A.CMS, A.CONFIG, A.GOODOS, A.KNOWLEDGE, A.NOEVIL, A.PHYSICAL, A.TOEUSER, T.BADDATA, IT CLIENT
90. thorized TOE users (FMT_MTD.1). This ensures the confidentiality and integrity of the data. The audit trail records the details of scanner data import sessions (FAU_GEN.1, FAU_GEN.2).
The TOE must ensure that exported user data is secure. The TOE enforces EXCHANGE data exchange information flow control security functional policy (FDP_IFC.1(2), FDP_IFF.1(2), FDP_ETC.1).
Only authorized personnel are permitted physical access to the TOE. The environment is assumed to restrict physical access to the TOE (A.PHYSICAL), which provides physical security and restricts physical access to authorized personnel.
Good backup and recovery procedures for the TOE must be in place. The environment is assumed to provide good backup and recovery procedures (A.BACKUP).
The host operating system will provide domain separation and ensure that the TOE cannot be tampered with. The Environment shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects (FPT_SEP.1e).
OE.GOODOS: Those portions of the client operating system required for the correct operation of the TOE must function correctly. The environment is assumed to be properly configured and may therefor
OE.GOODUSER, OE.GUIDANCE, OE.PROTCOM, OE.SECURECOM
91. ties of commercial and open source vulnerability scanners. These typically provide registry fixes for Windows machines. However, this type of vulnerability only represents a small sub-set of the vulnerabilities that require remediation. The McAfee Hercules product expands this set to include the automated remediation of vulnerabilities associated with the following five classes of vulnerabilities:
• Software Defects: Hot fixes, patches, registry settings, etc.
• Unnecessary/Insecure Services: Telnet, Remote Access, FTP, etc.
• Insecure Accounts: Null Passwords, Admin No Password, etc.
• Back Doors: NetBus, BackOrifice, SubSeven, etc.
• Misconfigurations: NetBIOS, file system privileges, Null Sessions, etc.
The McAfee Hercules product is designed to operate on standard TCP/IP networks and can remediate vulnerabilities on Microsoft Windows, Solaris, Red Hat Linux, HP-UX, AIX, Tru64 and Mac OS X based clients. The McAfee Hercules human machine interface (HMI) provides the user with complete control over the functionality of the product. The HMI allows the user to specify:
• An automated frequency with which client systems will request updated vulnerability remediations
• Manual remediations for selected client machines
• Specific vulnerab
92. trol Security Functional Policy SERVER_SFP
5.4.2 Vulnerability Scanner Import Information Flow Control Security Functional Policy IMPORT_SFP
5.4.3 Data Exchange Information Flow Control Security Functional Policy EXCHANGE_SFP
5.4.4 Administrator Access Control Security Functional Policy ADMIN_ACCESS SFP
5.4.5 Network Access Information Flow Control Security Functional Policy CONNECT
5.5 SECURITY ASSURANCE REQUIREMENTS
6 TOE SUMMARY SPECIFICATION
6.1 TOE SECURITY FUNCTIONS
6.2 ASSURANCE MEASURES
7 PROTECTION PROFILE CLAIMS
8 RATIONALE
8.1 SECURITY OBJECTIVES RATIONALE
8.2 SECURITY REQUIREMENTS RATIONALE
8.3 SECURITY FUNCTIONAL REQUIREMENT DEPENDENCIES
8.4 SECURITY ASSURANCE REQUIREMENT DEPENDENCIES
93. ty Target
Table 5 column headings (cell marks not recoverable): O.NETATK, O.REMDATA, O.SCANDATA, O.USERDATA, OE.PROTCOM, OE.SECURECOM
Table 5 Mapping of Security Functional Requirements to Security Objectives
O.ADMIN: The TOE must provide to authorized administrators a set of administrative functions that allow the effective management of TOE operations and security functions. The TOE enforces ADMIN_ACCESS SFP administrator access control security functional policy (FDP_ACC.2, FDP_ACF.1, FMT_MOF 1 5 1 3, FMT_MTD.1, FMT_REV.1, FMT_SMR.1).
O.USERAUTH: The TOE must provide a mechanism for the identification and authentication of users to the TOE. Identification and authentication functional requirements (FIA_UAU.2, FIA_UAU.6, FIA_UID.2, FIA_ATD.1) ensure that the identification and authentication activities complete successfully before information is transferred.
O.CLIENTPROT: The TOE must protect itself against attacks initiated by client systems. The TOE will only respond to requests for remediations which are received from identified and authorized client machines (FDP_IFC.1e, FDP_IFF.1e, FIA_UAU.2, FIA_UID.2). The TOE also enforces the ADMIN_ACCESS SFP administrator access control security functional policy to define the tasks that authorized users are allowed to perform (FDP_ACC.2, FDP_ACF.1). The TOE
94. uired. The minimum system requirements for Windows Clients are specified in the McAfee Hercules Enterprise Installation Guide.
d) One or more network devices with McAfee Hercules Client Version 4.5 installed on a supported version of the UNIX operating system. The supported versions of the UNIX operating system are: Solaris 2.6, 7, 8, 9, 10; Red Hat Desktop 7.3, 8, 9; Red Hat Enterprise Linux AS/ES/WS 2.1, 3.0, 4.0; AIX 5.1, 5.2, 5.3; HP-UX 11.0, 11iv1; and Tru64 5.1B. OpenSSH v3.5p1 or higher, SSL (HTTPS enabled with OpenSSL 0.96 or higher) and sudo v1.6.7 or later are also required. The minimum system requirements for UNIX Clients are specified in the McAfee Hercules Installation Guide.
e) One or more network devices with McAfee Hercules Client Version 4.5 installed on a supported version of the Mac operating system. The supported versions of the Mac operating system are Mac OS X 10.2, 10.3 and 10.4. OpenSSH v3.5p1 or higher, SSL (HTTPS enabled with OpenSSL 0.96 or higher) and sudo v1.6.7 or later are also required. The minimum system requirements for Mac Clients are specified in the McAfee Hercules Installation Guide.
2.1.3 Distributed
The distributed McAfee Hercules configuration is shown in Figure 2. In this configuration the McAfee Hercules Channel Server and the McAfee Hercules
95. us of each client machine of each McAfee Hercules Server. The user can select reports which show the details and summaries of remediation sessions, import sessions, devices, groups, vulnerabilities, policies and remedies.
Rollback Remediation: The TOE has the capability to systematically rollback the last remediation session performed on a Windows client machine.
Reference Monitor: The TOE provides reference mediation, e.g. when a user process requires access to a resource, it requests a handle token for the resource from the operating system. Reference mediation is supported by the operating system platform used by the TOE.
Schedule Remediation: The TOE provides the capability to schedule remediation activities for a single client machine or groups of client machines.
6.2 ASSURANCE MEASURES
A description of each of the TOE assurance measures follows.
M.AUTH: The TOE includes documentation which describes the authorization controls used by the developer to ensure that only authorized modifications may be made to the TOE.
M.CONFIG: The TOE includes a configuration item list that identifies those items of the TOE that are subject to configuration control by the developer.
M.DELIVER: The TOE includes documentation describing the secure delivery of the TOE.
M.DESIGN: The
96. y to create custom roles to which individual users and groups of users may be assigned (F.MANAGEROLES).
FMT_MSA.3 Static attribute initialization: Only authorized McAfee Hercules users have access to the TOE for the purposes of initializing security attributes (F.IAUSER). The security attributes are used for mutual identification and authentication between the McAfee Hercules Server and the client machines. The McAfee Hercules users are subject to the IMPORT information flow control security function policy for the import of vulnerability scan data (F.IMPDATA), vulnerability remediation data (F.IMPREMDATA) and device identifier data (F.IMPDEV). Authorized TOE users may specify alternative initial values to override default values when data is imported.
FMT_MTD.1 Management of TSF Data: Only authorized McAfee Hercules users have access to the TOE (F.IAUSER). Only these users have the ability to manipulate (display, modify, delete, aggregate) vulnerability data (F.AGGVADATA, F.DISPVADATA, F.DISPSIG), remediation data (F.DISPPROF, F.MANAGEPROF, F.APPPROF) and client system vulnerability and remediation data (F.DISPVULN, F.DISPCLIENT, F.DISPCLIENTSTATUS, F.DISPREMSTATUS, F.SCHEDREM).
FMT_REV.1 Revocation: Only authorized McAfee Hercules users have acce