Security Target
HPE StoreOnce Backup System, Version 3.16
Document Version: 0.5
Date: Sep. 20, 2017
Prepared For:
Hewlett-Packard Enterprise
Long Down Avenue
Stoke Gifford
Bristol BS34 8QZ
UK
Prepared By:
1410 Blair Place, 7th floor
Ottawa, ON K1J 9B9, Canada
www.cgi.com/securitylab
Revision History
Ver # | Description of changes | Modified by | Date
0.1 | Initial Draft | Matt Mulligan | 3/8/2017
0.2 | Updates for Lab observations | Matt Mulligan | 3/20/2017
0.3 | Updates made for CB observations. Parts of Sections 6.1.3.3 and 7.8 have been changed | Matt Mulligan | 3/30/2017
0.4 | “Vulnerability scanning” feature has been modified in several sections as suggested by the Security scheme | Matt Mulligan | 5/31/2017
0.5 | TOE version and build information updated. Product manual versions updated. CAVP information updated. | Matt Mulligan | 9/20/2017
Version 0.5 – September 20, 2017
Hewlett Packard Enterprise
Page 2 of 58
TABLE OF CONTENTS
1 Introduction ..... 7
1.1 ST Reference ..... 7
1.2 Target of Evaluation Reference ..... 7
1.3 Conventions ..... 7
1.4 TOE Overview ..... 8
1.5 TOE Description ..... 11
1.5.1 Physical Boundary ..... 12
1.5.2 Logical Boundary ..... 14
1.5.3 Product Physical/Logical Features and Functions not Included in the TOE Evaluation ..... 17
2 Conformance Claims ..... 18
2.1 Common Criteria Conformance Claim ..... 18
2.2 Protection Profile Conformance Claim ..... 18
3 Security Problem Definition ..... 19
3.1 Threats ..... 19
3.2 Assumptions ..... 20
3.3 Organizational Security Policy ..... 20
4 Security Objectives ..... 21
4.1 Security Objectives for the TOE ..... 21
4.2 Security Objectives for the Operational Environment ..... 21
4.3 Security Objectives Rationale ..... 22
5 Extended Security Requirement Components Definition ..... 28
5.1 Extended TOE Security Functional Requirement Components ..... 28
5.1.1 FDP_AVL_EXT ..... 28
5.1.2 FAU_STG_EXT ..... 28
5.2 Extended TOE Security Assurance Requirement Components ..... 29
6 Security Requirements ..... 30
6.1 Security Functional Requirements ..... 30
6.1.1 Security Audit (FAU) ..... 31
6.1.2 Cryptographic Support (FCS) ..... 34
6.1.3 User Data Protection (FDP) ..... 34
6.1.4 Identification and Authentication (FIA) ..... 36
6.1.5 Security Management (FMT) ..... 37
6.1.6 Protection of the TSF (FPT) ..... 40
6.1.7 TOE Access (FTA) ..... 40
6.1.8 Trusted Path/Channels (FTP) ..... 41
6.2 Dependency Rationale ..... 41
6.3 Security Functional Requirements Rationale ..... 43
6.3.1 Security Functional Requirements Mapping ..... 43
6.3.2 Security Functional Requirements Rationale ..... 44
6.4 Security Assurance Requirements ..... 46
6.5 Security Assurance Requirements Rationale ..... 47
7 TOE Summary Specification ..... 48
7.1 Security Audit ..... 48
7.2 Cryptographic Support ..... 49
7.3 User Data Protection ..... 50
7.4 Identification and Authentication ..... 52
7.5 Security Management ..... 54
7.6 Protection of the TSF ..... 55
7.7 TOE Access ..... 55
7.8 Trusted Path/Channels ..... 55
8 Acronyms ..... 57
LIST OF TABLES
Table 1 - Gen8 Model Specifications ..... 8
Table 2 - Gen9 Model Specifications ..... 9
Table 3 - Threats ..... 19
Table 4 - Assumptions ..... 20
Table 5 - TOE Security Objectives ..... 21
Table 6 - Operational Environment Security Objectives ..... 21
Table 7 - Cross Reference of Threats, Assumptions and Policies ..... 22
Table 8 - Detailed Rationale of Threats, Policies and Assumptions ..... 23
Table 9 - TOE Security Functional Requirements ..... 30
Table 10 - Auditable Events ..... 31
Table 11 - Cryptographic Operations ..... 34
Table 12 - Dependency Rationale ..... 41
Table 13 - Mapping of SFRs to Objectives ..... 43
Table 14 - Security Functional Requirements Rationale ..... 44
Table 15 - Security Assurance Requirements ..... 47
Table 16 - Cypher Suites ..... 50
Table 17 - Acronyms ..... 57
LIST OF FIGURES
Figure 1 - HPE StoreOnce TOE Boundary .....................................................................................................................12
1 INTRODUCTION
This section identifies the Security Target (ST), Target of Evaluation (TOE), document conventions, and terminology. It also provides a TOE overview and describes the hardware and software that make up the TOE, as well as the physical and logical boundaries of the TOE.
1.1 ST Reference
ST Title: Security Target - HPE StoreOnce Backup System, Version 3.16
ST Revision: 0.5
ST Publication Date: September 20, 2017
ST Author: CGI Global IT Security Labs – Canada, Matthew Mulligan
1.2 Target of Evaluation Reference
TOE Developer: Hewlett Packard Enterprise
TOE Name: HPE StoreOnce Backup System, Version 3.16.2-1712.1
TOE Models:
Gen 8 models:
• HPE StoreOnce 2700 (Single-node)
• HPE StoreOnce 2900 (Single-node)
• HPE StoreOnce 4500 (Single-node)
• HPE StoreOnce 4700 (Single-node)
• HPE StoreOnce 4900 (Single-node)
• HPE StoreOnce 6500 (Multi-node)
Gen 9 models:
• HPE StoreOnce 3100 (Single-node)
• HPE StoreOnce 3520 (Single-node)
• HPE StoreOnce 3540 (Single-node)
• HPE StoreOnce 5100 (Single-node)
• HPE StoreOnce 5500 (Single-node)
• HPE StoreOnce 6600 (Multi-node)
TOE Type: Data Storage
1.3 Conventions
The Common Criteria allows for assignment, refinement, selection and iteration operations to be performed on security functional requirements. All of these operations are used within this ST. These operations are performed as described in Part 2 of the CC, and selected presentation choices are discussed below to aid the Security Target reader:
• An assignment operation is indicated by [bold text within brackets].
• Selections are denoted by [underlined text within brackets].
• Refinement of security requirements is identified using bold text. Any text removed is indicated with a strikethrough (Example: TSF).
• Iterations are identified by appending a number in parentheses following the component title; for example, FIA_UAU.1 (1) and FIA_UAU.1 (2) refer to two iterations of the FIA_UAU.1 security functional requirement component.
1.4 TOE Overview
The HPE StoreOnce Backup system is a disk-based storage appliance for backing up host network servers or PCs to target devices on the appliance. These devices are configured as Network-Attached Storage (NAS), Virtual Tape Library (VTL) or StoreOnce Catalyst stores for use by backup applications.
The Target of Evaluation (TOE) is an HPE StoreOnce Backup system appliance. The TOE runs on the CentOS6 operating system. The TOE models are the single-node and multi-node systems listed in Section 1.2 running Version 3.16 software. The appliances listed below are the hardware platform for the TOE and allow it to provide varying degrees of fault tolerance.
The following tables describe the evaluated StoreOnce models in more detail.
Gen8 Models
Table 1 - Gen8 Model Specifications

Specification | Model 2700 | Model 2900 | Model 4500
Server platform | DL360p Gen 8 | DL380p Gen 8 | DL380p Gen 8
CPU | Intel Xeon E5-2620 | Intel Xeon E5-2620 | Intel Xeon E5-2660
No. of server nodes | 1 | 1 | 1
Raw capacity | 8 TB | 24 TB - 48 TB | 20 TB - 44 TB
Expansion shelves | 0 | 0 | 1-3
No. of disks available in head server for user data storage | 4 | 6 | 10
Max no. of disks available in head server for user data storage | 4 | 12 | 10
No. of 1GB Ethernet ports | 4 | 4 | 4
No. of 10GB Ethernet ports | 0 | 2 | 2
No. of Fibre Channel ports | 0 | 0 | 2
Max no. of devices (VTLs, NAS shares, StoreOnce Catalyst stores) | 8 | 24 | 32
VTL protocol support | iSCSI / Fibre Channel | iSCSI / Fibre Channel | iSCSI / Fibre Channel
NAS protocol support | CIFS, NFSv3 | CIFS, NFSv3 | CIFS, NFSv3

Specification | Model 4700 | Model 4900 | Model 6500
Server platform | DL380p Gen 8 | DL380p Gen 8 | DL380p Gen 8
CPU | Intel Xeon E5-2690 | Intel Xeon E5-2690 | Intel Xeon E5-2690
No. of server nodes | 1 | 1 | 2-8
Raw capacity | 24 TB - 192 TB | 60 TB - 560 TB | 120 TB - 2240 TB
Expansion shelves | 1-8 | 1-2 | N/A
No. of disks available in head server for user data storage | 0 | 0 | 30 x 4 TB - 560 x 4 TB
Max no. of disks available in head server for user data storage | 0 | 0 | 0
No. of 1GB Ethernet ports | 4 | 4 | 8 per couplet
No. of 10GB Ethernet ports | 2 | 4 | 4 per couplet
No. of Fibre Channel ports | 4 | 4 | 8 per couplet
Max no. of devices (VTLs, NAS shares, StoreOnce Catalyst stores) | 50 | 50 | 96 per couplet
VTL protocol support | iSCSI / Fibre Channel | iSCSI / Fibre Channel | Fibre Channel
NAS protocol support | CIFS, NFSv3 | CIFS, NFSv3 | CIFS, NFSv3

Gen9 Models
Table 2 - Gen9 Model Specifications

Specification | Model 3100 | Model 3520 | Model 3540
Server platform | DL360p Gen 9 | DL380p Gen 9 | DL380p Gen 9
CPU | Intel Xeon E5-2620 v3 | Intel Xeon E5-2620 v3 | Intel Xeon E5-2620 v3
No. of server nodes | 1 | 1 | 1
Raw capacity | 8 TB | 12 - 24 TB | 24 - 48 TB
Expansion shelves | N/A | N/A | N/A
No. of disks available in head server for user data storage | 4 x 2 TB | 12 x 2 TB | 12 x 4 TB
Max no. of disks available in head server for user data storage | 4 x 2 TB | 6 x 2 TB - 12 x 2 TB | 6 x 4 TB - 12 x 4 TB
No. of 1GB Ethernet ports | 4 | 4 | 4
No. of 10GB Ethernet ports | 0 | 0-8 | 0-8
No. of Fibre Channel ports | 0 | 0 | 0
Max no. of devices (VTLs, NAS shares, StoreOnce Catalyst stores) | 8 | 24 | 24
VTL protocol support | iSCSI | iSCSI | iSCSI
NAS protocol support | CIFS, NFSv3 | CIFS, NFSv3 | CIFS, NFSv3

Specification | Model 5100 | Model 5500 | Model 6600
Server platform | DL360p Gen 9 | DL360p Gen 9 | DL360p Gen 9
CPU | Intel Xeon E5-2640 v3 | Intel Xeon E5-2680 v3 | Intel Xeon E5-2680 v3
No. of server nodes | 1 | 1 | 2-8
Raw capacity | 48 TB - 288 TB | 60 TB - 1120 TB | 120 TB - 2240 TB
Expansion shelves | 0-5 | 1-5 | N/A
No. of disks available for user data storage | 12 x 4 TB | 15 x 4 TB - 280 x 4 TB | 30 x 4 TB - 560 x 4 TB
Max no. of disks available in head server for user data storage | 12 x 4 TB - 72 x 4 TB | 0 | 0
No. of 1GB Ethernet ports | 4 | 4 | 4 per node
No. of 10GB Ethernet ports | 0-8 | 0-6 | 0-6 per node
No. of Fibre Channel ports | 2 x 8Gb | 0-6 x 8Gb / 0-6 x 16Gb | 0-6 x 8Gb / 0-6 x 16Gb per node
Max no. of devices (VTLs, NAS shares, StoreOnce Catalyst stores) | 32 | 50 | 50 per node
VTL protocol support | iSCSI, Fibre Channel | iSCSI, Fibre Channel | Fibre Channel
NAS protocol support | CIFS, NFSv3 | CIFS, NFSv3 | CIFS, NFSv3
HPE StoreOnce Single-node appliances operate as standalone devices and do not operate as part of a cluster.
Multi-node appliances operate as a cluster. A cluster is composed of 1 to 4 couplets, each couplet having two nodes. A cluster is the scope of administrative control, with the configuration of the cluster defining the behavior of all nodes within the cluster.
The 6500 and 6600 appliances are multi-node appliances. The number of nodes in models 6500 and
6600 is determined by the customer. The 6500 and 6600 can be ordered as a single couplet (2 nodes), a
2 couplet (4 node) cluster, a 3 couplet (6 node) cluster or a 4 couplet (8 node) cluster. A customer can
buy a cluster of one couplet and then buy additional couplets to expand the cluster up to a maximum of
4 couplets.
The total number of backup targets offered by an HPE StoreOnce Backup system is split between VTL, NAS and StoreOnce Catalyst devices. The number of supported backup targets varies according to model (for single-node appliances) or number of nodes (for clusters). Each node in a cluster on an HPE StoreOnce 6500 or 6600 appliance is capable of supporting 48 target devices. So, as examples, a couplet can support 96 backup targets, while an 8 node (4 couplet) 6500 or 6600 can support 384 (i.e., 48 x 8) backup targets. These devices may be all VTL, all NAS, all StoreOnce Catalyst or any combination of StoreOnce Catalyst, NAS and VTL devices. The HPE StoreOnce Backup system supports both Common Internet File System (CIFS) and Network File System (NFS) protocols for connectivity to TOE-provided NAS. This allows the TOE to provide backup targets for both Windows and UNIX/Linux hosts.
All devices (i.e., VTL, NAS and StoreOnce Catalyst) automatically include the TOE’s data Deduplication
functionality. Data Deduplication is a process in which the TOE compares blocks of data being written to
a backup device with data blocks previously stored on the device. If duplicate data is found, a pointer is
established to the original data, rather than storing the duplicate data. The TOE performs data
deduplication at the block level and not at the file level, which reduces the amount of data actually
stored on physical disks.
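The following Python is an illustration added here, not part of the ST or of the StoreOnce implementation; it models the block-level deduplication just described (compare each incoming block with stored blocks, keep a pointer instead of a duplicate) and reports the logical versus physical footprint. The block size, the SHA-256 digest used for the comparison, the reference counting and the sample backup streams are assumptions.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed illustration: a tiny block size so the sample data below contains duplicates.
# A real appliance chunks data at kilobyte granularity; the logic is the same.
BLOCK_SIZE = 4


@dataclass
class DedupStore:
    """Content-addressed block store: each distinct block is kept once, backups hold pointers."""
    blocks: dict = field(default_factory=dict)     # digest -> block bytes (the physical data)
    refcount: dict = field(default_factory=dict)   # digest -> number of pointers referencing it
    backups: dict = field(default_factory=dict)    # backup name -> ordered list of digests

    def write(self, name: str, data: bytes) -> int:
        """Store a backup stream; returns how many of its blocks were already present."""
        pointers, duplicates = [], 0
        for offset in range(0, len(data), BLOCK_SIZE):
            block = data[offset:offset + BLOCK_SIZE]      # the last block may be shorter
            digest = hashlib.sha256(block).digest()
            stored = self.blocks.get(digest)
            if stored is not None:
                # Digest hit: confirm the stored bytes really match before trusting the pointer,
                # so a digest collision could never silently corrupt a later restore.
                if stored != block:
                    raise RuntimeError("digest collision detected")
                self.refcount[digest] += 1
                duplicates += 1
            else:
                self.blocks[digest] = block
                self.refcount[digest] = 1
            pointers.append(digest)
        self.backups[name] = pointers
        return duplicates

    def read(self, name: str) -> bytes:
        """Reassemble a backup by following its pointers."""
        return b"".join(self.blocks[d] for d in self.backups[name])

    def delete(self, name: str) -> None:
        """Drop a backup; a physical block is freed only when no pointer references it."""
        for digest in self.backups.pop(name):
            self.refcount[digest] -= 1
            if self.refcount[digest] == 0:
                del self.refcount[digest]
                del self.blocks[digest]

    def logical_bytes(self) -> int:
        """Bytes the backup applications believe they have written."""
        return sum(len(self.blocks[d]) for ptrs in self.backups.values() for d in ptrs)

    def physical_bytes(self) -> int:
        """Bytes actually occupying disk."""
        return sum(len(b) for b in self.blocks.values())


def demo() -> dict:
    """Two constructed backup streams that share blocks; returns the resulting figures."""
    store = DedupStore()
    first = b"ABCD" * 3 + b"EFGH"          # 16 bytes, but only two distinct blocks
    second = b"ABCDEFGHWXYZ"               # 12 bytes, two of its three blocks already stored
    dup_first = store.write("backup-1", first)
    dup_second = store.write("backup-2", second)
    assert store.read("backup-1") == first and store.read("backup-2") == second
    return {
        "duplicates": (dup_first, dup_second),
        "unique_blocks": len(store.blocks),
        "logical": store.logical_bytes(),
        "physical": store.physical_bytes(),
    }


if __name__ == "__main__":
    print(demo())   # {'duplicates': (2, 2), 'unique_blocks': 3, 'logical': 28, 'physical': 12}
```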
The HPE StoreOnce Backup system products are hardware appliances that offer network accessible
administration interfaces in the form of an HTTPS based Graphical User Interface or SSH protected
Command Line Interface.
The HPE StoreOnce Backup systems include hardware-based RAID 5 or RAID 6 to reduce the risk of user
data loss due to disk failure within a couplet.
1.5 TOE Description
This section primarily addresses the physical and logical components of the TOE included in the
evaluation.
Figure 1 - HPE StoreOnce TOE Boundary
1.5.1 Physical Boundary
The physical boundary of an HPE StoreOnce Backup system is the physical boundary of the hardware. Interfaces to this hardware include Ethernet/iSCSI and Fibre Channel ports for data connections, Ethernet ports for server administration, and a serial port which provides limited administrative access. The CentOS6 Operating System is installed on the TOE and is included within the TOE boundary.
There are three distinct networks supported by an HPE StoreOnce appliance: a management network, a data network and an internal network. The management network connects the product to any devices associated with managing the product, such as an administration workstation, NTP server or LDAP server. The data network provides client hosts a communication path with the product. Finally, the internal network is used for communication between nodes of a multi-node system.
For the multi-node appliances, 6500 and 6600, the management, data and internal networks are separate. For the single-node appliances, the management and data traffic are combined in a single network; there is no network separation.
Management Interface:
The web interface is a graphical user interface that is secured by SSL/TLS and accessed from a client management workstation or server. An HPE StoreOnce Backup system user would use the web interface to configure Virtual Tape Libraries, CIFS or NFS shares or StoreOnce Catalyst objects, view performance and storage metrics, view event logs and manage user accounts.
The CLI interface can be accessed either locally from a management console or remotely from a client workstation or server using SSH. The functionality provided by the CLI includes system configuration and viewing system status.
An additional interface to the shell is provided to allow vulnerability scanners to scan the system. This interface is available with a read-only login profile; it is password-protected and the connection is protected with the SSH protocol.
The Management Interface also provides the capability to configure communication with external servers such as LDAP (Active Directory), SNMPv3, SMTP, NTP and Syslog servers. The Management Interface includes an SNMPv3 Agent that can be configured to communicate with an external SNMPv3 Trap Receiver through a unique path. The agent responds to GET requests from an SNMPv3 client (NMS), generates notification messages (traps) for critical, warning and informational events and for alert state changes, and sends these traps to the remote SNMPv3 Trap Receiver. The implementation is SNMPv3-compliant as defined in RFC 3414.
StoreOnce Service Set:
A service set is a collection of various services, such as VTL, NAS, Replication and StoreOnce Catalyst.
There is one instance of each service per service set. The auto-configuration process registers and starts
a service set by launching a process on the server for each of the services.
Other Components
The TOE can be configured to rely on and utilize a number of other components in its operational environment. All of the following external functionality is outside the scope of the evaluation.
• AD server – The TOE can be configured to use Active Directory as an external authentication server.
• NTP server – The TOE can be configured to use an NTP server to synchronize the internal clock of each individual node.
• SNMPv3 client and SNMPv3 Trap Receiver – The TOE can be configured to generate notification messages (traps) for critical events (alerts), warning events, informational events and alert state changes, and to send these traps to an SNMPv3 Trap Receiver. The TOE also runs an SNMPv3 agent and processes GET requests sent from an SNMPv3 client.
• SMTP server – The HPE StoreOnce Backup system can be configured to send email alerts to specified recipients. These email alerts are generated when certain events occur on the HPE StoreOnce Backup system, such as a failed login.
• FC and iSCSI client hosts – The TOE attaches to FC or iSCSI hosts, which access available storage resources either directly through available ports or indirectly through a suitable SAN connected to available ports. Note that when connected via a SAN switch, the FC and iSCSI hosts are still individually identified on the TOE ports by their own respective identifiers.
• Management Workstation – An appropriate client (third-party client supporting SSHv2 and/or a modern web browser supporting TLS 1.2) operating on a suitable workstation is required to use the network-accessible administrative interfaces.
• Network Storage Devices – The HPE StoreOnce Backup system is typically connected to a storage controller that manages the actual physical storage.
• External Audit Log Server – Log files may be offloaded to an external server via the syslog protocol.
1.5.1.1 Guidance Documentation
The HPE StoreOnce Backup system offers a series of documents that describe the installation of the product as well as guidance for subsequent use and administration of the applicable security features. These documents include:
• HP StoreOnce 6500 Backup System Installation Planning and Preparation Guide; Part Number: BB897-90951; Published: August 2015; Edition: 4
• HP StoreOnce 4900 Backup System Installation and Configuration Guide; Part Number: BB90390945; Published: August 2015; Edition: 5
• HP StoreOnce 2700, 2900, 4500, and 4700 Backup System Installation and Configuration Guide; Part Number: BB877-90938; Published: August 2015; Edition: 5
• StoreOnce 3100, 3500, 5100 and 5500 System Installation and Configuration Guide; Part Number: BB913-90958; Published: March 2017; Edition: 4
• StoreOnce 6600 System Installation Planning and Preparation Guide; Part Number: BB91890911; Published: September 2016; Edition: 2
• StoreOnce 6500 and 6600 Backup Systems User Guide For StoreOnce software version 3.16.x; Part Number: BB918-90913; Published: March 2017; Edition: 3
• StoreOnce 2xxx – 5xxx Backup Systems User Guide For StoreOnce software version 3.16.x; Part Number: BB913-90960; Published: March 2017; Edition: 4
• StoreOnce CLI Reference Guide (for software version 3.16.2); Part Number: BB913-90963; Published: March 2017
• StoreOnce Systems: Linux and UNIX Configuration Guide; Part Number: BB913-90945; Published: September 2016; Edition: 10
• StoreOnce 2700, 2900, 4500, 4700, and 4900 Service and Maintenance Guide; Part Number: BB877-90942; Published: March 2017; Edition: 8
• StoreOnce 3100, StoreOnce 3500 Series, and StoreOnce 5100 Systems Maintenance and Service Guide; Part Number: BB913-90959; Published: March 2017; Edition: 3
• StoreOnce 5500 Maintenance and Service Guide; Part Number: BB917-90911; Published: March 2017; Edition: 3
1.5.2 Logical Boundary
This section outlines the boundaries of the security functionality of the TOE; the logical boundary of the
TOE includes the security functionality described in the following sections.
1.5.2.1 Security Audit
The HPE StoreOnce Backup system logs management events and user authentication events. Administrators can review the audit data collected by the product. Finally, the product protects audit data, and overwrites the storage space used for audit data once the available storage space becomes full.
The StoreOnce appliance may be configured to offload Linux log files to an external Syslog Server.
1.5.2.2 Cryptographic Support
The HPE StoreOnce Backup system includes cryptographic functions to support SSHv2 and HTTPS (using TLS) protection for communication with remote administrative sessions. The cryptographic package in OpenJDK is used to support cryptographic functions for the HTTPS protocol, and the libcrypto library in OpenSSL is used to support cryptographic functions for the SSH protocol (OpenSSH is used to implement SSH). The cryptographic algorithms are CAVP-certified.
1.5.2.3 User Data Protection
The HPE StoreOnce Backup system is designed to offer reliable disk-based backup storage services. Access to TOE resources – Network-Attached Storage (NAS), StoreOnce Catalyst or Virtual Tape Library (VTL) – is provided through iSCSI, CIFS or NFS over Ethernet, or through Fibre Channel.
• iSCSI VTL – The product permits access based upon assigned hosts, identified by their iSCSI Qualified Name (IQN).
• CIFS-based NAS – The product permits access based upon a list of users with read-write or read-only permissions. Alternately, the product can use AD user accounts and AD-defined access permissions.
• NFS-based NAS – The product permits access based upon a list of hosts defined as permitted for the NFS share.
• Fibre Channel VTL – The product permits Fibre Channel resources to be assigned to specific Fibre Channel ports. Note that the SAN can be zoned to restrict access to specific devices, but that is out of scope of the TOE.
• StoreOnce Catalyst stores – A list of clients is created in the GUI under the StoreOnce Catalyst tab, and only these clients are permitted to create StoreOnce Catalyst stores and access them.
• Client hosts are attached through dedicated storage area networks (SANs) that are generally in close proximity and therefore subject to the same physical protection assumption as the HPE StoreOnce Backup system.
File permissions associated with files under CIFS/NFS shares shall be checked to further control access to files under CIFS/NFS shares.
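The following Python is an illustration added here, not part of the ST or of the StoreOnce implementation; it models the per-device access lists above (IQN, Fibre Channel port, Catalyst client, CIFS user with rw/ro, NFS host) and the file-permission check that follows them for NAS, so that an operation is permitted only when both layers agree. The class names, the local-user CIFS mode (AD mode is not modelled), the POSIX permission bits and all sample identities and values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Requested operations. Constructed model of the rules in this section, not StoreOnce code.
READ, WRITE = "read", "write"


@dataclass
class IscsiVtl:
    assigned_iqns: frozenset      # initiator IQNs assigned to the VTL


@dataclass
class FcVtl:
    assigned_ports: frozenset     # TOE Fibre Channel ports the VTL is presented on


@dataclass
class CatalystStore:
    clients: frozenset            # client list maintained under the StoreOnce Catalyst tab


@dataclass
class CifsShare:
    users: dict                   # user name -> "rw" or "ro" (local user-list mode)


@dataclass
class NfsShare:
    hosts: frozenset              # client hosts permitted for the export


@dataclass
class Subject:
    """The requester: a host identity for device-level rules, a POSIX identity for file rules."""
    host: Optional[str] = None    # IQN, FC port, Catalyst client name or NFS client host
    user: Optional[str] = None    # CIFS user name
    uid: Optional[int] = None
    gids: frozenset = frozenset()


@dataclass
class FileEntry:
    owner_uid: int
    group_gid: int
    mode: int                     # POSIX permission bits, e.g. 0o640


def device_allows(device, subject: Subject, op: str) -> bool:
    """Device-level rule: deny unless the device's own list explicitly names the requester."""
    if isinstance(device, IscsiVtl):
        return subject.host in device.assigned_iqns
    if isinstance(device, FcVtl):
        return subject.host in device.assigned_ports
    if isinstance(device, CatalystStore):
        return subject.host in device.clients
    if isinstance(device, NfsShare):
        return subject.host in device.hosts
    if isinstance(device, CifsShare):
        perm = device.users.get(subject.user)
        return perm is not None and (op == READ or perm == "rw")
    return False                  # unknown device type: default deny


def file_allows(entry: FileEntry, subject: Subject, op: str) -> bool:
    """File-level rule: the owner/group/other permission bits of the file itself."""
    if subject.uid is None:
        return False
    if subject.uid == entry.owner_uid:
        shift = 6
    elif entry.group_gid in subject.gids:
        shift = 3
    else:
        shift = 0
    bit = 0o4 if op == READ else 0o2
    return bool((entry.mode >> shift) & bit)


def nas_allows(share, entry: FileEntry, subject: Subject, op: str) -> bool:
    """Layered decision for CIFS/NFS: the share list and the file permissions must both permit."""
    return device_allows(share, subject, op) and file_allows(entry, subject, op)


if __name__ == "__main__":
    # Constructed sample share, file and identities.
    share = CifsShare(users={"backupsvc": "rw", "auditor": "ro"})
    catalog = FileEntry(owner_uid=1001, group_gid=2000, mode=0o640)
    auditor = Subject(user="auditor", uid=1002, gids=frozenset({2000}))
    print(nas_allows(share, catalog, auditor, READ))    # True: share ro + group read bit
    print(nas_allows(share, catalog, auditor, WRITE))   # False: the share list denies writes
```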
The TOE implements RAID on physical disks. The single-node architecture makes use of RAID 5 or RAID 6 to provide availability of user data stored by a node. Multi-node configurations support only RAID 6; RAID of physical storage occurs inside a couplet, with both nodes accessing the same RAID arrays. There is no RAID or other redundancy between couplets in a cluster.
TSF data stored by a single-node appliance is protected only using the RAID array within the appliance. TSF data is stored by a multi-node appliance (i.e., a couplet) as a mirrored set in a striped set (i.e., RAID 1+0).
Any disk failure causes the TOE to generate an alert via SNMPv3 or SMTP. Failures of one node within a
couplet also generate an alert via SNMPv3 or SMTP.
1.5.2.4 Identification & Authentication
The HPE StoreOnce Backup system requires that administrators log in with username and password prior to being able to access functions associated with their defined role. The HPE StoreOnce Backup system uses only locally defined accounts to define the “Administrator” and “Operator” accounts.
The HPE StoreOnce Backup system can be configured to use an Active Directory (LDAP) server for user identification and authentication associated with CIFS-based NAS access.
CIFS users who are configured with User authentication mode must log in with username and password prior to accessing CIFS shares/files.
SNMPv3 users must log in with username and password prior to viewing MIB objects.
1.5.2.5 Security Management
The HPE StoreOnce Backup system is responsible for enabling the management of available storage resources and access by client hosts. Administrators manage the product with either a graphical user interface or a command line interface. Both interfaces enforce the same administrative constraints, which limit the operations available to the user. Each user is assigned a role, which is currently limited to “administrator” (read and write functionality) or “operator” (read-only functionality).
There is implicitly a third type of user, i.e. NAS users, who access the CIFS shares and files and the NFS shares and files. The TOE provides management of NAS users.
The HPE StoreOnce Backup system can also be configured to generate SNMP traps for network monitoring of a running system. SNMPv3 users can be created through the SSH channel using the CLI interface.
1.5.2.6 Protection of the TSF
The HPE StoreOnce Backup system includes a real-time clock for timestamps when generating audit
records.
1.5.2.7 TOE Access
The HPE StoreOnce Backup system can terminate an inactive remote administrative session after an
administrator-defined period of inactivity. Users may terminate their sessions at any time.
A login banner may be configured to display when users log in, either through the StoreOnce CLI or the
StoreOnce GUI. It may be used to provide legal or other conditions that apply to users of the device.
1.5.2.8 Trusted Paths/Channels
As mentioned above, the HPE StoreOnce Backup system currently provides cryptographic functions that
are used to protect administrator sessions. These cryptographic functions include SSHv2 and HTTPS
(TLS).
1.5.3 Product Physical/Logical Features and Functions not Included in the TOE Evaluation
Features/Functions that are not part of the evaluated configuration of the TOE are:
• StoreOnce Catalyst Clients – Third party applications that have the Catalyst Client plug-in software used to communicate directly with StoreOnce appliances.
• Other StoreOnce Appliances – StoreOnce appliances may communicate with other StoreOnce appliances to copy and/or replicate data. The TOE evaluation will not include the connection between multiple StoreOnce appliances.
• Data at Rest Encryption, Data in Flight Encryption, and Secure Erase – These are not evaluated security functions.
• Local/External Key Management – This is not an evaluated security function.
• Vulnerability Scanning – Operating system level security scans upon a StoreOnce appliance in order to validate that generic security vulnerabilities are possible. This extended functionality will not be tested in this evaluation.
2 CONFORMANCE CLAIMS
2.1 Common Criteria Conformance Claim
The Security Target is conformant to Common Criteria Version 3.1 Revision 4, September 2012, Part 2 extended and Part 3 conformant. The ST claims conformance to Evaluation Assurance Level 2 augmented with ALC_FLR.2.
2.2 Protection Profile Conformance Claim
The Security Target does not make any PP conformance claims.
3 SECURITY PROBLEM DEFINITION
This section defines the security problem which the TOE and its operational environment are intended to address. Specifically, the security problem comprises the following:
• Any known or assumed threats countered by the TOE or its operational environment.
• Any assumptions about the security aspects of the environment and/or of the manner in which the TOE is intended to be used.
This section identifies assumptions as A.assumption and threats as T.threat.
3.1 Threats
This section identifies the threats to the assets against which protection is required by the TOE or by the security environment. The threat agents are divided into two categories:
• Attackers who are not TOE users: They have public knowledge of how the TOE operates and are assumed to possess a low skill level, limited resources to alter TOE configuration settings or parameters and no physical access to the TOE.
• TOE users: They have extensive knowledge of how the TOE operates and are assumed to possess a high skill level, moderate resources to alter TOE configuration settings or parameters and physical access to the TOE. (TOE users are, however, assumed not to be willfully hostile to the TOE.)
The table below lists threats applicable to the TOE and its operational environment:
Table 3 - Threats
T.ADMIN_ERROR – An administrator may unintentionally install or configure the TOE incorrectly, resulting in ineffective security mechanisms that may go undetected.
T.DATA_AVAILABILITY – User data may become unavailable due to isolated storage resource failures, node failures or due to resource exhaustion.
T.DATA_DISCLOSURE – A connected host might obtain access to user data for which they have no authorization.
T.UNAUTHORIZED_ACCESS – A user may gain unauthorized access to the TSF data and TSF executable code. A malicious user, process, or external IT entity may masquerade as an authorized entity in order to gain unauthorized access to TSF data or TSF resources. A malicious user, process, or external IT entity may misrepresent itself as the TSF to obtain identification and authentication data.
T.UNDETECTED_ACTIONS – Malicious remote users or external IT entities may take actions that adversely affect the security of the TOE. These actions may remain undetected and thus their effects cannot be effectively mitigated.
3.2 Assumptions
This section describes the security aspects of the environment in which the TOE is intended to operate.
The following specific conditions are assumed to exist in an environment where the TOE is employed.
Table 4 - Assumptions
A.NO_GENERAL_PURPOSE – It is assumed that there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE.
A.PHYSICAL – Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the environment.
A.TRUSTED_ADMIN – TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner. It is assumed that those assigned as Administrators of CIFS shares are trusted, competent and not careless.
A.HOST_IDENTITY – It is assumed that iSCSI and Fibre Channel host identities properly reflect the adapters and hence the hosts to which they are associated, such that authentication is not necessary.
A.MGMT_NET – It is assumed that a protected “Management Network” exists between nodes of the TOE and hosts providing supporting services (e.g., NTP, SNMP, SMTP, Syslog Server or AD).
A.DATA_NET – It is assumed that the confidentiality, integrity, and authenticity of the connection between the TOE and the host shall be protected by the environment. The NAS clients shall authenticate NAS users (i.e. users who access NFS, and users who access CIFS with AD authentication mode) and manage user accounts properly.
A.INTERNAL_NET – It is assumed that a dedicated and protected “Internal Network” exists that connects nodes of the TOE with network storage devices.
A.ETHERNET – It is assumed that network devices on the Internal Network do not intercept, impersonate or otherwise modify communications on the Internal Network.
3.3 Organizational Security Policy
An organizational security policy is a set of rules, practices, and procedures imposed by an organization
to address its security needs. For the purposes of this Security Target a single policy is described in the
section below.
P.ACCESS_BANNER – The TOE shall display an initial banner describing restrictions of use, legal agreements or any other appropriate information to which users consent by accessing the TOE.
4 SECURITY OBJECTIVES
Security objectives are concise, abstract statements of the intended solution to the problem defined by
the security problem definition. This high-level solution is divided into two parts: the security objectives
for the TOE, and the security objectives for the TOE’s operational environment. This section identifies
the security objectives for the TOE and its supporting environment.
4.1 Security Objectives for the TOE
The IT security objectives for the TOE are as follows:
Table 5 - TOE Security Objectives
O.AVAILABILITY – The TOE will ensure that data can be stored in a manner that is protected from underlying resource failure and exhaustion.
O.LIMIT_ACCESS – The TOE will ensure that connected hosts can access only data resources for which they are authorized.
O.PROTECTED_COMMUNICATIONS – The TOE will provide protected communication channels for administrators.
O.SYSTEM_MONITORING – The TOE will provide the capability to generate audit data and provide the means to store and review those data. Audit data can be stored and viewed locally or can be offloaded to an external syslog server.
O.TOE_ADMINISTRATION – The TOE will provide mechanisms to ensure that only administrators are able to log in and configure the TOE, and restrict logged-in administrators to authorized functions and TSF data.
O.DISPLAY_BANNER – A login banner will be displayed whenever users log in, either to the CLI or through the GUI. Such login banners consist of blocks of text that may provide legal or other conditions that apply to users of the device.
4.2 Security Objectives for the Operational Environment
The security objectives for the operational environment are addressed below:
Table 6 - Operational Environment Security Objectives
OE.NO_GENERAL_PURPOSE – There are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE.
OE.PHYSICAL – Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment.
OE.TRUSTED_ADMIN – TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner. Those assigned as Administrators of CIFS shares are trusted, competent and not careless.
OE.HOST_IDENTITY – iSCSI and Fibre Channel hosts correctly reflect the iSCSI identifier (IQN) or Fibre Channel World Wide Name (WWN).
OE.MGMT_NET – A protected “Management network” provides reliable and secure communication between the TOE and peer hosts providing supporting services such as NTP, SNMP, SMTP, Syslog Server or Active Directory.
OE.DATA_NET – The confidentiality, integrity, and authenticity of the connection between the TOE and the host shall be protected by the environment. The NAS clients shall authenticate NAS users (i.e. users who access NFS, and users who access CIFS with AD authentication mode) and manage user accounts properly.
OE.INTERNAL_NET – A dedicated and protected “Internal Network” exists that connects nodes of the TOE with one another and with network storage devices.
OE.ETHERNET – Hosts on the Internal Network do not intercept communications on the Internal Network, do not modify communications on the Internal Network, and do not impersonate endpoints on the Internal Network.
4.3 Security Objectives Rationale
This section summarizes how every security objective traces back to the threats, assumptions and Organizational Security Policies it addresses. The following table provides a high level mapping of coverage for each threat, assumption, and policy:
Table 7 - Cross Reference of Threats, Assumptions and Policies
Objective – Threats, Assumptions and Policies mapped to it
O.AVAILABILITY – T.DATA_AVAILABILITY
O.LIMIT_ACCESS – T.DATA_DISCLOSURE
O.PROTECTED_COMMUNICATIONS – T.UNAUTHORIZED_ACCESS
O.SYSTEM_MONITORING – T.ADMIN_ERROR, T.UNAUTHORIZED_ACCESS, T.UNDETECTED_ACTIONS
O.TOE_ADMINISTRATION – T.UNAUTHORIZED_ACCESS
O.DISPLAY_BANNER – P.ACCESS_BANNER
OE.NO_GENERAL_PURPOSE – A.NO_GENERAL_PURPOSE
OE.PHYSICAL – A.PHYSICAL
OE.TRUSTED_ADMIN – A.TRUSTED_ADMIN
OE.HOST_IDENTITY – A.HOST_IDENTITY
OE.MGMT_NET – A.MGMT_NET
OE.DATA_NET – A.DATA_NET
OE.INTERNAL_NET – A.INTERNAL_NET
OE.ETHERNET – A.ETHERNET
Table 8 - Detailed Rationale of Threats, Policies and Assumptions
T.ADMIN_ERROR: An administrator may unintentionally install or configure the TOE incorrectly, resulting in ineffective security mechanisms that may go undetected.
Objectives: O.SYSTEM_MONITORING
Rationale: This threat is countered by ensuring that:
• O.SYSTEM_MONITORING: To reduce the potential that an administrative error might go unnoticed or be untraceable, the TOE is expected to log security relevant events and store that information locally or in an external system log server.
T.DATA_DISCLOSURE: A connected host might obtain access to user data for which they have no authorization.
Objectives: O.LIMIT_ACCESS
Rationale: This threat is countered by ensuring that:
• O.LIMIT_ACCESS: To ensure that connected client hosts cannot access data for which they are not authorized, the TOE is expected to enforce an access policy limiting connected hosts to access only authorized resources.
T.DATA_AVAILABILITY: User data may become unavailable due to isolated storage resource failures or due to resource exhaustion.
Objectives: O.AVAILABILITY
Rationale: This threat is countered by ensuring that:
• O.AVAILABILITY: To reduce the threat of lack of data access due to resource failure or exhaustion, the TOE is expected to ensure that data can be stored in a manner alleviating failure situations and also to allow administrators to configure limits so that user accessible resources are limited and warnings are issued when limits are reached.
T.UNAUTHORIZED_ACCESS: A user may gain unauthorized access to the TSF data and TSF executable code. A malicious user, process, or external IT entity may masquerade as an authorized entity in order to gain unauthorized access to TSF data or TSF resources. A malicious user, process, or external IT entity may misrepresent itself as the TSF to obtain identification and authentication data.
Objectives: O.PROTECTED_COMMUNICATIONS, O.SYSTEM_MONITORING, O.TOE_ADMINISTRATION
Rationale: This threat is countered by ensuring that:
• O.PROTECTED_COMMUNICATIONS: To reduce the potential that an attacker might gain unauthorized access to the TOE or its data via data transmitted across a network, the TOE is expected to protect its administrator communication channels from disclosure and modification, and also to ensure the identity of the TSF.
• O.SYSTEM_MONITORING: To reduce the potential of unauthorized access attempts that might go unnoticed, the TOE is expected to log security relevant events locally or in an external system log server.
• O.TOE_ADMINISTRATION: To reduce the potential of unauthorized access to TOE security functions and data, the TOE is expected to be designed to ensure that only presumably authorized administrators can log in and access security management functions. Note that the TOE is expected to restrict access to security functions and TSF data so that only authorized administrators can access it, and in some cases TSF data is not accessible at all.
T.UNDETECTED_ACTIONS: Malicious remote users or external IT entities may take actions that adversely affect the security of the TOE. These actions may remain undetected and thus their effects cannot be effectively mitigated.
Objectives: O.SYSTEM_MONITORING
Rationale: This threat is countered by ensuring that:
• O.SYSTEM_MONITORING: To reduce the potential of security relevant actions occurring without notice, the TOE is expected to log security relevant events and store that information locally or in an external system log server.
A.NO_GENERAL_PURPOSE: It is assumed that there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE.
Objectives: OE.NO_GENERAL_PURPOSE
Rationale: This Assumption is satisfied by ensuring that:
• OE.NO_GENERAL_PURPOSE: There are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE.
A.PHYSICAL: Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the environment.
Objectives: OE.PHYSICAL
Rationale: This Assumption is satisfied by ensuring that:
• OE.PHYSICAL: Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment.
A.TRUSTED_ADMIN: TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner. It is assumed that those assigned as Administrators of CIFS shares are trusted, competent and not careless.
Objectives: OE.TRUSTED_ADMIN
Rationale: This Assumption is satisfied by ensuring that:
• OE.TRUSTED_ADMIN: TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner. Those assigned as Administrators of CIFS shares are trusted, competent and not careless.
A.HOST_IDENTITY: It is assumed that iSCSI and Fibre Channel host identities properly reflect the adapters and hence the hosts to which they are associated, such that authentication is not necessary.
Objectives: OE.HOST_IDENTITY
Rationale: This Assumption is satisfied by ensuring that:
• OE.HOST_IDENTITY: iSCSI and Fibre Channel hosts correctly reflect the iSCSI identifier (IQN) or Fibre Channel World Wide Name (WWN) associated with their Host Bus Adapters (HBAs).
A.MGMT_NET: It is assumed that a dedicated protected “Management Network” exists between nodes of the TOE and hosts providing supporting services (e.g., AD, NTP and Syslog Server).
Objectives: OE.MGMT_NET, OE.PHYSICAL
Rationale: This Assumption is satisfied by ensuring that:
• OE.MGMT_NET: A protected “Management network” provides reliable and secure communication between the TOE and peer hosts providing supporting services such as Active Directory, NTP and Syslog Server.
• OE.PHYSICAL: Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment for the Management network and all connected devices.
A.DATA_NET: It is assumed that the confidentiality, integrity, and authenticity of the connection between the TOE and the host shall be protected by the environment. The NAS clients shall authenticate NAS users (i.e. users who access NFS, and users who access CIFS with AD authentication mode) and manage user accounts properly.
Objectives: OE.DATA_NET
Rationale: This Assumption is satisfied by ensuring that:
• OE.DATA_NET: The confidentiality, integrity, and authenticity of the connection between the TOE and the host shall be protected by the environment. The NAS clients shall authenticate NAS users (i.e. users who access NFS, and users who access CIFS with AD authentication mode) and manage user accounts properly.
A.INTERNAL_NET: It is assumed that a dedicated and protected “Internal Network” exists that connects nodes of the TOE with network storage devices.
Objectives: OE.INTERNAL_NET, OE.PHYSICAL
Rationale: This Assumption is satisfied by ensuring that:
• OE.INTERNAL_NET: The “Internal Network” is dedicated to connecting nodes of the TOE to one another and to network storage devices.
• OE.PHYSICAL: Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment for the Internal network and all connected devices.
A.ETHERNET: It is assumed that network devices on the Internal Network do not intercept, impersonate or otherwise modify communications on the Internal Network.
Objectives: OE.ETHERNET
Rationale: This Assumption is satisfied by ensuring that:
• OE.ETHERNET: Hosts on the Internal Network honour the Ethernet protocol so as not to eavesdrop upon or modify network traffic (communications) that is not addressed to them. Further, the hosts on the Internal Network do not impersonate other endpoints on the Internal network.
P.ACCESS_BANNER
Objectives: O.DISPLAY_BANNER
Rationale: O.DISPLAY_BANNER satisfies this policy by ensuring that the system displays a banner that provides all authorized users legal or other conditions that apply to users of the device.
5 EXTENDED SECURITY REQUIREMENT COMPONENTS DEFINITION
This section defines the extended Security Functional Requirements (SFRs) and extended Security
Assurance Requirements (SARs) met by the TOE.
5.1 Extended TOE Security Functional Requirement Components
This section specifies the extended SFRs for the TOE.
FDP_AVL_EXT.1 – User data availability
FAU_STG_EXT – External Audit Event Storage
5.1.1 FDP_AVL_EXT
Family Behavior:
This family defines availability features provided by a network storage device. These features can be applied to protection of information on disks or across physically separate pieces of the TOE. They are intended to describe functionality specific to the TOE’s intended purpose as a provider of network storage.
Management: FDP_AVL_EXT.1
There are no management activities foreseen.
Audit: FDP_AVL_EXT.1
Basic Level: Status changes for protected resources
Rationale: This SFR has been crafted specifically to address availability properties applicable to SAN type TOEs. There are no SFRs in the CC that address the RAID-type reliability needed to support those objects exported for use on a SAN. FDP_AVL_EXT.1 is defined as follows:
5.1.1.1 FDP_AVL_EXT.1 – User Data Availability
Hierarchical to: No other components.
Dependencies: None
FDP_AVL_EXT.1.1
The TSF shall be able to support a [assignment: availability policy] that provides [assignment: availability metric] on [assignment: physical resource].
5.1.2 FAU_STG_EXT
Family Behavior:
This family defines the requirements for the TSF to be able to transmit audit data between the TOE and an external IT entity.
Management: FAU_STG_EXT.1
The following actions could be considered for the management functions in FMT:
a) The initialization, configuration and deletion of the syslog target.
Audit: FAU_STG_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the
PP/ST:
a) No audit necessary.
Rationale: This SFR has been crafted to define the ability of the TOE to export data to an external syslog server. There are no SFRs in the CC that address the export of audit data to an external Syslog server.
5.1.2.1 FAU_STG_EXT.1 – External Audit Event Storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_STG_EXT.1.1
The TSF shall be able to transmit the generated audit data to an external IT entity.
5.2 Extended TOE Security Assurance Requirement Components
There are no extended TOE Security Assurance Requirement Components.
6 SECURITY REQUIREMENTS
This section defines the Security Functional Requirements (SFRs) and Security Assurance Requirements
(SARs) met by the TOE.
6.1 Security Functional Requirements
The functional security requirements for this Security Target consist of the components from Part 2 of
the CC, and those that were explicitly stated, all of which are summarized in the following table:
Table 9 - TOE Security Functional Requirements
Requirement Class: FAU Security Audit
FAU_GEN.1 – Audit Data Generation
FAU_GEN.2 – User Identity Association
FAU_SAR.1 – Audit Review
FAU_SAR.3 – Selectable Audit Review
FAU_STG.1 – Protected Audit Trail Storage
FAU_STG.4 – Prevention of Audit Data Loss
FAU_STG_EXT.1 – External Audit Event Storage
Requirement Class: FCS Cryptographic Support
FCS_COP.1 – Cryptographic Operation
Requirement Class: FDP User Data Protection
FDP_ACC.2 – Complete Access Control
FDP_ACF.1 – Security Attribute Based Access Control
FDP_AVL_EXT.1(1) – Data Availability (User Data)
FDP_AVL_EXT.1(2) – Data Availability (TSF Data)
Requirement Class: FIA Identification and Authentication
FIA_ATD.1 – User Attribute Definition
FIA_UAU.1 – Timing of Authentication
FIA_UAU.5 – Multiple Authentication Mechanisms
FIA_UAU.7 – Protected Authentication Feedback
FIA_UID.2 – User Identification Before Any Action
Requirement Class: FMT Security Management
FMT_MSA.1(1) – Management of Security Attributes (other than file security properties and file permissions)
FMT_MSA.1(2) – Management of Security Attributes (file security properties and file permissions)
FMT_MSA.3(1) – Static Attribute Initialization (other than file security properties and file permissions)
FMT_MSA.3(2) – Static Attribute Initialization (file security properties and file permissions)
FMT_MTD.1 – Management of TSF Data
FMT_SMF.1 – Specification of Management Functions
FMT_SMR.1 – Security Roles
Requirement Class: FPT Protection of the TSF
FPT_STM.1 – Reliable Time Stamps
Requirement Class: FTA TOE Access
FTA_SSL.3 – TSF-initiated Termination
FTA_SSL.4 – User-initiated Termination
FTA_TAB.1 – Default TOE Access Banners
Requirement Class: FTP Trusted Path/Channels
FTP_TRP.1 – Trusted Path
6.1.1 Security Audit (FAU)
6.1.1.1 FAU_GEN.1 Audit Data Generation
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.1.1
The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [not specified] level of audit;
c) [Specifically defined auditable events listed in Table 10]
FAU_GEN.1.2
The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity (if applicable),
and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the
functional components included in the PP/ST, [the information detailed in
Table 10].
Table 10 - Auditable Events
Component – Auditable Events – Additional Audit Record Contents
FCS_COP.1 – Failure on invoking functionality. – No additional information.
FDP_AVL_EXT.1(1) – Status changes for RAID protected disks. – No additional information.
FDP_AVL_EXT.1(2) – Status changes for RAID protected disks. – No additional information.
FIA_UAU.1 – All use of the authentication mechanisms. – Provided user identity, origin of the attempt (e.g., IP address).
FIA_UAU.5 – All use of the authentication mechanism. – Origin of the attempt (e.g., IP address).
FIA_UID.2 – All use of the user identification mechanism, including the user identity provided. – The user identity provided.
FMT_SMF.1 – Use of the management functions: managing VTLs, managing NAS, managing StoreOnce Catalyst Stores, managing SNMP. – No additional information.
FMT_SMR.1 – Modifications to the group of users that are part of a role. – User identity.
FTA_SSL.3 – The termination of an interactive session. – No additional information.
FTA_SSL.4 – The termination of an interactive session. – No additional information.
FTP_TRP.1 – Initiation of the trusted channel. – Identification of the claimed user identity.
FTP_TRP.1 – Termination of the trusted channel. – Identification of the claimed user identity.
6.1.1.2 FAU_GEN.2 User Identity Association
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FIA_UID.1 Timing of identification
FAU_GEN.2.1
For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.
6.1.1.3 FAU_SAR.1 Audit review
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_SAR.1.1
The TSF shall provide [all Administrative users] with the capability to read [all auditable information] from the audit records.
FAU_SAR.1.2
The TSF shall provide the audit records in a manner suitable for the user to interpret the information.
6.1.1.4 FAU_SAR.3 Selectable audit review
Hierarchical to: No other components.
Dependencies: FAU_SAR.1 Audit review
FAU_SAR.3.1
The TSF shall provide the ability to apply [sorting and filtering] of audit data based on [date/time, and level].
6.1.1.5 FAU_STG.1 Protected Audit Trail Storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_STG.1.1
The TSF shall protect the stored audit records in the audit trail from unauthorized
deletion.
FAU_STG.1.2
The TSF shall be able to [prevent] unauthorized modifications to the stored audit
records in the audit trail.
6.1.1.6 FAU_STG.4 Prevention of audit data loss
Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage
FAU_STG.4.1
The TSF shall [overwrite the oldest stored audit records] and [no other actions] if the
audit trail is full.
6.1.1.7 FAU_STG_EXT.1 – External Audit Event Storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_STG_EXT.1.1
The TSF shall be able to transmit the generated audit data to an external IT entity.
Application Note: For selecting the option of transmission of generated audit data to an external IT
entity the TOE relies on a non-TOE audit server for storage and review of audit records. The storage of
these audit records and the ability to allow the administrator to review these audit records is provided by
the operational environment in that case.
6.1.2 Cryptographic Support (FCS)
6.1.2.1 FCS_COP.1 Cryptographic Operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1
The TSF shall perform [the operations described below] in accordance with a
specified cryptographic algorithm [algorithms in the modes of operation
described below] and cryptographic key sizes [key sizes described below] that
meet the following: [standards described below]:
Table 11 - Cryptographic Operations
Protocol | Operation | Algorithm (Mode) | Key Size (in bits) | Standards | CAVP Certificate
SSH | Encryption and Decryption | AES in CTR and CBC modes | 128, 192, 256 | FIPS 197, NIST SP 800-38A | 4529
SSH | Encryption and Decryption | 3DES in CBC mode | | FIPS 46-3, ANSI X9.52-1998 | 2413
SSH | Keyed-hash message authentication | HMAC-SHA-1 (digest size 160 bits) | 160 | FIPS 198-1, FIPS 180-4 | 3710 (SHA), 2988 (HMAC)
SSL (Java) | Encryption and Decryption | AES in CBC mode | 128, 256 | FIPS 197, NIST SP 800-38A | 4528
SSL (Java) | Hashing | SHA-1, SHA-256 (digest sizes 160 and 256 bits) | | FIPS 180-4 | 3709
SSL (Java) | Digital Signatures | RSA | 2048 | FIPS 186-4 | 2465
6.1.3 User Data Protection (FDP)
6.1.3.1 FDP_ACC.2 Complete access control
Hierarchical to: FDP_ACC.1 Subset access control
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.2.1
The TSF shall enforce the [Access Control policy] on [
• subjects: Fibre Channel hosts, iSCSI hosts, NFS client hosts, StoreOnce Catalyst
clients, CIFS/NFS users
• objects: CIFS-based Network-Attached Storage (NAS), NFS-based NAS, StoreOnce
Catalyst stores, iSCSI Virtual Tape Libraries (VTLs) and Fibre Channel-based VTLs]
and all operations among subjects and objects covered by the SFP.
FDP_ACC.2.2
The TSF shall ensure that all operations between any subject controlled by the TSF and
any object controlled by the TSF are covered by an access control SFP.
6.1.3.2 FDP_ACF.1 Security attribute based access control
Hierarchical to: No other components
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1
The TSF shall enforce the [Access Control policy] to objects based on the following: [
• Subjects:
o NFS client host: identified by NFS client IP address,
o CIFS/NFS user, identified by user identifier,
o Fibre Channel host: identified by given PCI-E slot to which the FC host is
connected,
o iSCSI host: identified by iSCSI Initiator (IQN),
o StoreOnce Catalyst client: identified by Catalyst client ID
• Objects:
o CIFS-based NAS: identified by CIFS share names and file names under CIFS
shares,
o NFS-based NAS: identified by NFS share names and file names under NFS
shares,
o iSCSI-based VTL: identified by VTL name,
o Fibre Channel-based VTL: identified by VTL name,
o StoreOnce Catalyst Store: identified by Catalyst Store name.]
FDP_ACF.1.2
The TSF shall enforce the following rules to determine if an operation among controlled
subjects and controlled objects is allowed: [
• iSCSI-based VTLs can be accessed only if the iSCSI host is configured to permit
access based on its iSCSI Initiator (IQN);
• Fibre Channel-based VTLs can be accessed only if the FC host is connected to the PCI-E slot via which the access is permitted;
• CIFS-based NAS can be accessed only by a user specifically permitted to have read-write or read-only access based on its user identifier;
• NFS-based NAS can be accessed only by an NFS client host that has been
specifically permitted access based on its IP address, and only if the permission
associated with the file being accessed also allows such access;
• StoreOnce Catalyst Store can be accessed only by the StoreOnce Catalyst Client
that has been specifically permitted access based on StoreOnce Client ID].
FDP_ACF.1.3
The TSF shall explicitly authorize access of subjects to objects based on the following
additional rules: [no additional explicit allow rules].
FDP_ACF.1.4
The TSF shall explicitly deny access of subjects to objects based on the following
additional rules: [no additional explicit denial rules].
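The five FDP_ACF.1.2 rules, with the default deny that FDP_ACF.1.3 and FDP_ACF.1.4 imply, as an added executable model (example code written for this page, not HPE StoreOnce code). The configuration structure, the "read"/"write" operation names, the per-file NFS permission model and the sample policy are assumptions made for the example; the IQN shape follows the description in section 7.3 of this ST, with the target name separated by ':' as in the example there (RFC 3720).

```python
"""Executable model of the FDP_ACF.1.2 rules (added example; not HPE StoreOnce code).

Subjects and objects follow FDP_ACF.1.1.  The Policy structure, the "read"/"write"
operation names, the per-file NFS permission model and the SAMPLE policy below are
assumptions made for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# IQN shape as described in section 7.3 of the ST: the literal "iqn", a YYYY-MM date,
# the naming authority's reversed domain name and, after ':' (RFC 3720), the
# authority-defined target name.  Lowercase labels only, as in the ST's example.
_IQN_RE = re.compile(r"^iqn\.(\d{4}-\d{2})\.([a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(.+))?$")


def parse_iqn(iqn: str) -> Optional[Tuple[str, str, str]]:
    """Return (date, host in normal order, target name), or None if malformed."""
    m = _IQN_RE.match(iqn)
    if not m:
        return None
    date, reversed_domain, name = m.groups()
    host = ".".join(reversed(reversed_domain.split(".")))
    return date, host, name or ""


@dataclass(frozen=True)
class Policy:
    iscsi_vtl_iqns: Dict[str, FrozenSet[str]]             # VTL name -> permitted initiator IQNs
    fc_vtl_slots: Dict[str, FrozenSet[int]]                # VTL name -> permitted PCI-E slots
    cifs_share_users: Dict[str, Dict[str, str]]            # share -> user id -> "rw" | "ro"
    nfs_share_hosts: Dict[str, Dict[str, str]]             # share -> client IP -> "rw" | "ro"
    nfs_file_perms: Dict[Tuple[str, str], FrozenSet[str]]  # (share, path) -> ops the file permits
    catalyst_clients: Dict[str, FrozenSet[str]]            # store -> permitted Catalyst client IDs


def _level_allows(level: Optional[str], op: str) -> bool:
    return level == "rw" or (level == "ro" and op == "read")


def decide(p: Policy, subject: Tuple[str, object], obj: Tuple[str, str],
           op: str = "read", path: Optional[str] = None) -> bool:
    """True only if an FDP_ACF.1.2 rule permits the operation; everything else is denied
    (FDP_ACF.1.3/1.4 add no further allow or deny rules)."""
    s_kind, s_id = subject
    o_kind, o_name = obj
    if o_kind == "iscsi_vtl" and s_kind == "iscsi_host":
        # a malformed initiator name can never match a configured IQN
        return parse_iqn(str(s_id)) is not None and s_id in p.iscsi_vtl_iqns.get(o_name, frozenset())
    if o_kind == "fc_vtl" and s_kind == "fc_host":
        return s_id in p.fc_vtl_slots.get(o_name, frozenset())
    if o_kind == "cifs_nas" and s_kind == "cifs_user":
        return _level_allows(p.cifs_share_users.get(o_name, {}).get(s_id), op)
    if o_kind == "nfs_nas" and s_kind == "nfs_host":
        # both the host entry on the share and the file's own permission must allow the op
        host_ok = _level_allows(p.nfs_share_hosts.get(o_name, {}).get(s_id), op)
        file_ok = op in p.nfs_file_perms.get((o_name, path), frozenset())
        return host_ok and file_ok
    if o_kind == "catalyst_store" and s_kind == "catalyst_client":
        return s_id in p.catalyst_clients.get(o_name, frozenset())
    return False


# Constructed sample configuration (not taken from any real StoreOnce system).
SAMPLE = Policy(
    iscsi_vtl_iqns={"vtl-iscsi-1": frozenset({"iqn.2011-09.com.hp.somehost:storage:tape1.sys1.hp.com"})},
    fc_vtl_slots={"vtl-fc-1": frozenset({3})},
    cifs_share_users={"backups-cifs": {"alice": "rw", "bob": "ro"}},
    nfs_share_hosts={"backups-nfs": {"10.0.0.5": "rw", "10.0.0.6": "ro"}},
    nfs_file_perms={("backups-nfs", "/db.bak"): frozenset({"read", "write"}),
                    ("backups-nfs", "/archive.bak"): frozenset({"read"})},
    catalyst_clients={"cat-store-1": frozenset({"client-42"})},
)

if __name__ == "__main__":
    print(parse_iqn("iqn.2011-09.com.hp.somehost:storage:tape1.sys1.hp.com"))
    print(decide(SAMPLE, ("cifs_user", "bob"), ("cifs_nas", "backups-cifs"), op="write"))  # False
```

Two properties of the SFP are visible in the code: a subject kind paired with the wrong object kind (a CIFS user addressing an NFS share) falls through to the default deny, and for NFS a read-write host entry is not enough on its own, since the file permission is checked as well.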
6.1.3.3 FDP_AVL_EXT.1(1) Data Availability (User Data)
Hierarchical to: No other components
Dependencies: FDP_ACC.1 Subset access control
FDP_AVL_EXT.1.1
The TSF shall be able to support a [User-Data Disk Availability Policy] that
provides the following [RAID levels 5 or 6] on [physical disks on a node
containing user data].
6.1.3.4 FDP_AVL_EXT.1(2) Data Availability (TSF Data)
Hierarchical to: No other components
Dependencies: FDP_ACC.1 Subset access control
FDP_AVL_EXT.1.1
The TSF shall be able to support a [TSF-Data Disk Availability Policy] that
provides the following [RAID level 1+0] on [physical disks on a node containing
TSF data].
6.1.4 Identification and Authentication (FIA)
6.1.4.1 FIA_ATD.1 User Attribute Definition
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_ATD.1.1
The TSF shall maintain the following list of security attributes belonging to
individual users: [user identity, password and role]
Application Note: Not all roles are explicitly assumed by the user. The user role of SNMPv3 users, which
are defined for SNMPv3 agent, and the user role of CIFS/NFS users are implicitly assumed.
6.1.4.2 FIA_UAU.1 Timing of Authentication
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification.
FIA_UAU.1.1
The TSF shall allow [client-host access to data in accordance with the Access
Control Policy] on behalf of the user to be performed before the user is
authenticated.
FIA_UAU.1.2
The TSF shall require each user to be successfully authenticated before allowing
any other TSF-mediated actions on behalf of that user.
6.1.4.3 FIA_UAU.5 Multiple authentication mechanisms
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UAU.5.1
The TSF shall provide [local password, LDAP] to support user authentication.
FIA_UAU.5.2
The TSF shall authenticate any user's claimed identity according to the rules:
[password authentication - if the user is defined there, otherwise the LDAP
server will be consulted].
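The FIA_UAU.5.2 rule as an added worked example (code written for this page, not HPE StoreOnce code): a user defined in the local password store is decided locally, and only users absent from it are referred to LDAP. The PBKDF2 record format, the ldap_bind callback signature and the in-memory directory standing in for a real LDAP server are assumptions made for the example. It also handles the one edge case a practitioner would want covered on the LDAP path: a simple bind with a name and an empty password is the unauthenticated bind of RFC 4513, which some directories accept and report as success.

```python
"""Added example of FIA_UAU.5.2: local password if the user is defined locally, otherwise
LDAP.  Not HPE StoreOnce code.  The PBKDF2 record format, the ldap_bind callback and the
DIRECTORY dict used in place of a real LDAP server are assumptions for this example."""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional, Tuple

PBKDF2_ITERATIONS = 200_000
LocalRecord = Tuple[bytes, bytes]  # (salt, PBKDF2-HMAC-SHA256 digest)


def make_local_record(password: str, salt: Optional[bytes] = None) -> LocalRecord:
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def verify_local(record: LocalRecord, password: str) -> bool:
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


class Authenticator:
    def __init__(self, local_users: Dict[str, LocalRecord], ldap_bind: Callable[[str, str], bool]):
        self.local_users = local_users
        self.ldap_bind = ldap_bind

    def authenticate(self, username: str, password: str) -> Tuple[bool, str]:
        """Return (success, mechanism used).

        A user present in the local store is decided locally and never retried against
        LDAP, so a wrong local password cannot be rescued by a directory account of the
        same name.  On the LDAP path an empty password is rejected before the bind: a
        simple bind with an empty password is an unauthenticated bind (RFC 4513) that
        some directories answer with success without verifying anything."""
        if username in self.local_users:
            return verify_local(self.local_users[username], password), "local"
        if not password:
            return False, "ldap"
        return self.ldap_bind(username, password), "ldap"


# --- constructed fixtures; no real directory is contacted ---------------------
DIRECTORY = {"carol": "s3cret", "alice": "directory-pw"}   # stands in for LDAP entries


def fake_ldap_bind(username: str, password: str) -> bool:
    """Emulates a simple-bind client with no guard against the empty-password case."""
    if password == "":
        return True                        # unauthenticated bind reported as success
    return DIRECTORY.get(username) == password


LOCAL_USERS = {"alice": make_local_record("correct horse battery")}
AUTH = Authenticator(LOCAL_USERS, fake_ldap_bind)

if __name__ == "__main__":
    print(AUTH.authenticate("alice", "correct horse battery"))   # (True, 'local')
    print(AUTH.authenticate("alice", "directory-pw"))            # (False, 'local')
    print(AUTH.authenticate("carol", ""))                         # (False, 'ldap')
```

The second call shows the rule's consequence: "alice" exists in both stores, but because she is defined locally the directory password is never consulted.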
6.1.4.4 FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_UAU.7.1
The TSF shall provide only [obscured feedback] to the user while the
authentication is in progress.
6.1.4.5 FIA_UID.2 User identification before any action
Hierarchical to: FIA_UID.1 Timing of identification.
Dependencies: No dependencies.
FIA_UID.2.1
The TSF shall require each user to be successfully identified before allowing any
other TSF-mediated actions on behalf of that user.
6.1.5 Security Management (FMT)
6.1.5.1 FMT_MSA.1(1) Management of security attributes (other than file security properties and
file permissions)
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Access Control Policy] to restrict the ability to [manage] the
security attributes [except for file security properties associated with files in CIFS
shares or file permissions associated with files in NFS shares] to [Admin Role].
6.1.5.2 FMT_MSA.1(2) Management of security attributes (file security properties and file
permissions)
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1 The TSF shall enforce the [Access Control Policy] to restrict the ability to [manage] the
security attributes [of file security properties associated with files in CIFS shares or file
permissions associated with files in NFS shares] to [NAS user].
Application Note: A file or folder within a CIFS share has 'Full Control' permission set for the 'Everyone'
Group regardless of the owner. The Owner of the file or folder cannot change this security setting.
Therefore special consideration should be given to users assigned rights to the shares.
6.1.5.3 FMT_MSA.3(1) Static attribute initialization (other than file security properties and file
permissions)
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1 The TSF shall enforce the [Access Control policy] to provide [restrictive] default values
for security attributes [except for file security properties and file permissions] that are
used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [Admin role] to specify alternative initial values to override the
default values when an object or information is created.
6.1.5.4 FMT_MSA.3(2) Static attribute initialization (file security properties and file permissions)
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1 The TSF shall enforce the [Access Control policy] to provide [restrictive] default values
for security attributes [associated with file security properties for CIFS or file
permissions for NFS] that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [NAS user] to specify alternative initial values to override the
default values when an object or information is created.
6.1.5.5 FMT_MTD.1 Management of TSF Data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 The TSF shall restrict the ability to [manage] the [TSF data] to the [Admin Role].
6.1.5.6 FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: [
• User management:
o Create, modify, delete local users.
o Add, modify, remove external users. (External users are those that are
defined in Active Directory).
o Add, modify, remove external groups.
• Active Directory settings:
o Join active directory domain
o Leave active directory domain
• Audit logging:
o Specify minimum retention period
o Export audit logs
• Event logs
o Export events
o Delete events
• Email alerts
o Enter SMTP server settings
o Configure email alert recipients
• SNMPv3 configuration
o Configure SNMPv3 trapsink addresses
o Configure SNMPv3 users
• Ability to view SNMPv3 MIB objects
• Ability to review audit events and
• Ability to manage VTL, StoreOnce Catalyst and NAS resources].
6.1.5.7 FMT_SMR.1 Security Roles
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 The TSF shall maintain the roles: [admin, user, SNMP user and NAS user]
FMT_SMR.1.2 The TSF shall be able to associate users with roles.
Application Note: The NAS users only access NAS resources via CIFS or NFS. They cannot carry out TOE
administrative tasks via SSH or HTTPS, while users for admin and user roles are administrative users and
they may run TOE administrative tasks via SSH and HTTPS. SNMPv3 users can only view MIB objects.
6.1.6 Protection of the TSF (FPT)
6.1.6.1 FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_STM.1.1
The TSF shall be able to provide reliable time stamps.
6.1.7 TOE Access (FTA)
6.1.7.1 FTA_SSL.3 TSF-initiated termination
Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_SSL.3.1
The TSF shall terminate a remote interactive session after an [administrator-defined interval of session inactivity].
6.1.7.2 FTA_SSL.4 User-initiated termination
Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_SSL.4.1
The TSF shall allow user-initiated termination of the user's own interactive
session.
6.1.7.3 FTA_TAB.1 Default TOE Access Banners
Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_TAB.1.1
Before establishing a user session, the TSF shall display an advisory warning
message regarding unauthorized use of the TOE.
6.1.8 Trusted Path/Channels (FTP)
6.1.8.1 FTP_TRP.1 Trusted Path
Hierarchical to: No other components.
Dependencies: No dependencies.
FTP_TRP.1.1
The TSF shall provide a communication path between itself and [remote]
administrators using HTTPS/TLS or SSH that is logically distinct from other
communication paths and provides assured identification of its end points and
protection of the communicated data from [disclosure and modification].
FTP_TRP.1.2
The TSF shall permit [remote administrators] to initiate communication via the
trusted path.
FTP_TRP.1.3
The TSF shall require the use of the trusted path for [all remote administrative
actions].
6.2 Dependency Rationale
This section of the ST demonstrates that the identified SFRs include the appropriate hierarchy and
dependencies. The following table lists the TOE SFRs and the SFRs each are hierarchical to, dependent
upon and any necessary rationale.
Table 12 – Dependency Rationale
SFR | Dependency | Satisfaction of dependency
FAU_GEN.1 | FPT_STM.1 | Satisfied
FAU_GEN.2 | FAU_GEN.1 and FIA_UID.1 | Satisfied
FAU_SAR.1 | FAU_GEN.1 | Satisfied
FAU_SAR.3 | FAU_SAR.1 | Satisfied
FAU_STG.1 | FAU_GEN.1 | Satisfied
FAU_STG.4 | FAU_STG.1 | Satisfied
FAU_STG_EXT.1 | FAU_GEN.1 | Satisfied
FCS_COP.1 | (FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1), FCS_CKM.4 | Satisfied: although FCS_CKM.1 and FCS_CKM.4 are missing, Canadian Scheme Instruction #4 allows it
FDP_ACC.2 | FDP_ACF.1 | Satisfied
FDP_ACF.1 | FDP_ACC.1 and FMT_MSA.3 | Satisfied
FDP_AVL_EXT.1(1) | None | None
FDP_AVL_EXT.1(2) | None | None
FIA_ATD.1 | None | None
FIA_UAU.1 | FIA_UID.1 | Satisfied
FIA_UAU.5 | None | None
FIA_UAU.7 | FIA_UAU.1 | Satisfied
FIA_UID.2 | None | None
FMT_MSA.1(1) | FMT_SMR.1 and FMT_SMF.1 and (FDP_ACC.1 or FDP_IFC.1) | Satisfied
FMT_MSA.1(2) | FMT_SMR.1 and FMT_SMF.1 and (FDP_ACC.1 or FDP_IFC.1) | Satisfied
FMT_MSA.3(1) | FMT_MSA.1 and FMT_SMR.1 | Satisfied
FMT_MSA.3(2) | FMT_MSA.1 and FMT_SMR.1 | Satisfied
FMT_MTD.1 | FMT_SMR.1 and FMT_SMF.1 | Satisfied
FMT_SMF.1 | None | None
FMT_SMR.1 | FIA_UID.1 | Satisfied
FPT_STM.1 | None | None
FTA_SSL.3 | None | None
FTA_SSL.4 | None | None
FTA_TAB.1 | None | None
FTP_TRP.1 | None | None
6.3 Security Functional Requirements Rationale
This section provides rationale for the Security Functional Requirements demonstrating that the
SFRs are suitable to address the security objectives.
6.3.1 Security Functional Requirements Mapping
The following table provides a high level mapping of coverage for each security objective:
Table 13 – Mapping of SFRs to Objectives
SFR | Objective
FAU_GEN.1 | O.SYSTEM_MONITORING
FAU_GEN.2 | O.SYSTEM_MONITORING
FAU_SAR.1 | O.SYSTEM_MONITORING
FAU_SAR.3 | O.SYSTEM_MONITORING
FAU_STG.1 | O.SYSTEM_MONITORING
FAU_STG.4 | O.SYSTEM_MONITORING
FAU_STG_EXT.1 | O.SYSTEM_MONITORING
FCS_COP.1 | O.PROTECTED_COMMUNICATIONS
FDP_ACC.2 | O.LIMIT_ACCESS
FDP_ACF.1 | O.LIMIT_ACCESS
FDP_AVL_EXT.1(1) | O.AVAILABILITY
FDP_AVL_EXT.1(2) | O.AVAILABILITY
FIA_ATD.1 | O.TOE_ADMINISTRATION
FIA_UAU.1 | O.TOE_ADMINISTRATION
FIA_UAU.5 | O.TOE_ADMINISTRATION
FIA_UAU.7 | O.TOE_ADMINISTRATION
FIA_UID.2 | O.TOE_ADMINISTRATION
FMT_MSA.1 | O.TOE_ADMINISTRATION
FMT_MSA.3 | O.TOE_ADMINISTRATION
FMT_MTD.1 | O.TOE_ADMINISTRATION
FMT_SMF.1 | O.TOE_ADMINISTRATION
FMT_SMR.1 | O.TOE_ADMINISTRATION
FPT_STM.1 | O.SYSTEM_MONITORING
FTA_SSL.3 | O.TOE_ADMINISTRATION
FTA_SSL.4 | O.TOE_ADMINISTRATION
FTA_TAB.1 | O.ACCESS_BANNER
FTP_TRP.1 | O.PROTECTED_COMMUNICATIONS
6.3.2 Security Functional Requirements Rationale
The following table provides detailed evidence of coverage for each security objective:
Table 14 - Security Functional Requirements Rationale

Security Objective: O.AVAILABILITY
SFRs: FDP_AVL_EXT.1(1), FDP_AVL_EXT.1(2)
This TOE Security Objective is satisfied by ensuring that:
• FDP_AVL_EXT.1(1): The TOE provides RAID functionality for physical disk drives used to store
user data, thus allowing the TOE to continue operation following disk failures.
• FDP_AVL_EXT.1(2): The TOE provides RAID functionality for physical disk drives used to store
TSF data, thus allowing the TOE to continue operation following disk failures.

Security Objective: O.LIMIT_ACCESS
SFRs: FDP_ACC.2, FDP_ACF.1
• FDP_ACC.2: The TOE is required to implement an access policy controlling all operations between
attached hosts and virtual storage managed by the TOE.
• FDP_ACF.1: The TOE is required to implement an effective set of rules to enforce the access control
policy between hosts and virtual storage.

Security Objective: O.PROTECTED_COMMUNICATIONS
SFRs: FCS_COP.1, FTP_TRP.1
• FCS_COP.1: The TOE is required to implement FIPS-conformant
o AES in support of cryptographic protocols.
o RSA cryptographic digital signatures.
o SHA-1 and SHA-256 in support of cryptographic protocols.
o HMAC SHA-1 in support of cryptographic protocols.
• FTP_TRP.1: The TOE is required to protect communication between itself and its administrators from
disclosure and modification.

Security Objective: O.SYSTEM_MONITORING
SFRs: FAU_GEN.1, FAU_GEN.2, FAU_SAR.1, FAU_SAR.3, FAU_STG.1, FAU_STG.4, FAU_STG_EXT.1, FPT_STM.1
• FAU_GEN.1: The TOE is required to be able to generate audit events for security relevant
activities on the TOE.
• FAU_GEN.2: The TOE is required to associate audit events to users to ensure proper
accountability.
• FAU_SAR.1: The TOE is required to provide the means for a user to review recorded audit
records.
• FAU_SAR.3: The TOE is required to provide functions to sort audit records to make their
review more effective.
• FAU_STG.1: The TOE is required to protect stored audit records so they cannot be inappropriately
modified.
• FAU_STG.4: The TOE is required to have well-defined behavior when the available audit
storage space becomes exhausted so that appropriate procedures can be in place to
mitigate that possibility.
• FAU_STG_EXT.1: The TOE is required to transmit audit data between the TOE and an external IT
entity.
• FPT_STM.1: The TOE is required to generate reliable time stamps to be used in its audit
records for proper accounting.

Security Objective: O.TOE_ADMINISTRATION
SFRs: FIA_ATD.1, FIA_UAU.1, FIA_UAU.5, FIA_UAU.7, FIA_UID.2, FMT_MSA.1, FMT_MSA.3, FMT_MTD.1,
FMT_SMF.1, FMT_SMR.1, FTA_SSL.3, FTA_SSL.4
• FIA_ATD.1: The TOE is required to facilitate the definition of users with appropriate user
attributes.
• FIA_UAU.1: The TOE is required to ensure that users must be authenticated in order to access
functions, other than those specifically intended to be accessed without authentication (i.e., user
data resources available to client hosts).
• FIA_UAU.5: The TOE is required to implement a local authentication mechanism and can support
additional authentication mechanisms.
• FIA_UAU.7: The TOE is required to not echo passwords when being entered to mitigate the
chance of an accidental password disclosure.
• FIA_UID.2: The TOE is required to ensure that users must be identified in order to access
functions of the TOE.
• FMT_MSA.1: The TOE is required to limit the ability to manage the security attributes except
for file permissions to authorized administrators. The TOE allows the CIFS/NFS users to manage file
permissions.
• FMT_MSA.3: The TOE is required to implement default secure values (other than file
permissions) and limit the management of default values (other than file permissions) to
authorized administrators. The TOE allows the CIFS/NFS users to set restrictive default values
for file permissions.
• FMT_MTD.1: The TOE is required to restrict access to security relevant data to administrators.
• FMT_SMF.1: The TOE is required to provide a minimum set of security functions to ensure the
TOE security features can be properly managed.
• FMT_SMR.1: The TOE is required to implement a minimum of the admin and user roles and can
implement additional roles where necessary. There are implicitly additional types/roles of
users: NAS users which access CIFS/NFS shares and files and SNMP users that can view
networking information. NAS users can be configured by the admin role. SNMP users can be
configured through the CLI by the admin role.
• FTA_SSL.3: The TOE is required to terminate a remote interactive session after an administrator-defined
interval of session inactivity.
• FTA_SSL.4: The TOE is required to allow user-initiated termination of the user's own interactive
session.

Security Objective: O.DISPLAY_BANNER
SFRs: FTA_TAB.1
• FTA_TAB.1: The TOE is required to display an advisory warning message regarding unauthorized use of
the TOE before establishing a user session.
6.4 Security Assurance Requirements
This section defines the Security Assurance Requirements (SARs) for the TOE. The assurance
requirements are taken from EAL 2 components as specified in Part 3 of the CC and are augmented with
ALC_FLR.2 requirements. The assurance components are summarized in the following table:
Table 15 – Security Assurance Requirements
Class | Family | Description
ASE: Security Target | ASE_INT.1 | ST Introduction
ASE: Security Target | ASE_CCL.1 | Conformance Claims
ASE: Security Target | ASE_SPD.1 | Security Problem Definition
ASE: Security Target | ASE_OBJ.2 | Security Objectives
ASE: Security Target | ASE_ECD.1 | Extended Components Definition
ASE: Security Target | ASE_REQ.2 | Derived security requirements
ASE: Security Target | ASE_TSS.1 | TOE Summary Specification
ADV: Development | ADV_ARC.1 | Security Architecture Description
ADV: Development | ADV_FSP.2 | Security-enforcing Functional Specification
ADV: Development | ADV_TDS.1 | Basic Design
AGD: Guidance Documents | AGD_OPE.1 | Operational User Guidance
AGD: Guidance Documents | AGD_PRE.1 | Preparative Procedures
ALC: Lifecycle Support | ALC_CMC.2 | Use of a CM System
ALC: Lifecycle Support | ALC_CMS.2 | Parts of the TOE CM coverage
ALC: Lifecycle Support | ALC_DEL.1 | Delivery Procedures
ALC: Lifecycle Support | ALC_FLR.2 | Flaw Reporting Procedures
ATE: Tests | ATE_COV.1 | Evidence of Coverage
ATE: Tests | ATE_FUN.1 | Functional Testing
ATE: Tests | ATE_IND.2 | Independent Testing - Sample
AVA: Vulnerability Assessment | AVA_VAN.2 | Vulnerability Analysis
6.5 Security Assurance Requirements Rationale
The security assurance requirements for the TOE are the EAL 2 augmented with ALC_FLR.2 components
as specified in Part 3 of the Common Criteria. No operations are applied to the assurance components.
EAL 2 augmented with ALC_FLR.2 was chosen to provide a low to moderate level of assurance that is
consistent with standard commercial practices. The chosen assurance level is appropriate given the
threats defined for the operational environment.
7 TOE SUMMARY SPECIFICATION
This section presents information to detail how the TOE meets the security functional requirements
described in previous sections of this ST. The following security functions will be described:
• Security audit
• Cryptographic support
• User data protection
• Identification and authentication
• Security management
• Protection of the TSF
• TOE Access
• Trusted path/channels
7.1 Security Audit
The TOE includes a logging mechanism that gathers and displays information about events occurring
within the TOE. The TOE generates audit records (i.e., messages) and places them into an Event Log.
Messages written into the Event Log describe activity pertaining to the operation of the user data
handling mechanisms and security features.
The configuration and event log data are stored on the RAID 1+0 partition of each node in the cluster.
The following is a list of the events that cause audit records to be written to these logs:
• System Startup
• System Shutdown or Reboot
• Failed cryptographic operations during generation of random numbers for key generation
• TOE failure to encrypt or decrypt data
• TOE failure to generate a hash
• TOE failure to generate a keyed-hash message authentication code
• Successful SSH session establishment
• SSH session termination
• Successful TLS session establishment
• TLS session termination
• Changes to the RAID status for physical storage resources
• Failures of nodes within a couplet
• Creating and deleting VTLs, StoreOnce Catalyst stores and NAS shares
• Changing configuration data for VTLs, StoreOnce Catalyst stores and NAS shares
• All login activities
The information within an Event Log audit record includes the following:
• Date and time of the event,
• Severity Level,
• Message
The message indicates relevant information about the event such as outcome, subjects (e.g. client host
identifier, user identifier) and physical node/disk/device causing the event.
The TOE stores audit records internally and provides access to that data only to the “Administrator”
account and to the “Operator” account (see section 7.4 for information about these accounts). These
accounts have the ability to view Event Log data through the graphical user interface (GUI). Using the
GUI, these accounts can sort displayed data based on time and severity level. These accounts can also
establish filters for the audit records displayed in the GUI using severity level and event ID.
The TOE does not offer GUI or CLI interfaces which allow for the modification of audit data. The entire
Event Log can be completely cleared, or events from the previous N (i.e., Administrator specified
number) days can be erased, but individual records cannot be changed.
The TOE stores audit records (Event Logs) in a round-robin fashion where the oldest records are
overwritten as necessary. An administrator configures the amount of space that the TOE can allocate for
the Event Log. The logs expand until all of the space has been allocated. Subsequent write operations to
the logs overwrite the oldest records as necessary. Thus, the audit space allocated to each type of log or
file becomes full and remains perpetually full. The amount of space available for audit records is limited
by the amount of space the administrator chooses to dedicate to log records.
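The Event Log behaviour described above, as an added executable model (example code written for this page, not HPE StoreOnce code): records carry a date/time, a severity level and a message; the log occupies a fixed amount of space and overwrites the oldest records once full (FAU_STG.4); review can sort and filter by time, level and event ID (FAU_SAR.3); the whole log can be cleared or records older than N days erased, but no operation edits an individual record (FAU_STG.1). The line format, the event IDs and the sample lines are constructed for the example, and capacity is counted in records rather than in bytes, which is a simplification of the space-based limit the TOE applies.

```python
"""Added model of the Event Log behaviour in section 7.1 (not HPE StoreOnce code).
The line format, event IDs and SAMPLE_LINES are constructed for this example; capacity
is counted in records rather than bytes (a simplification of the TOE's space limit)."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

LEVELS = {"INFO": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}


@dataclass(frozen=True)
class Event:
    ts: datetime
    level: str
    event_id: int
    message: str


def parse_line(line: str) -> Event:
    """Constructed line format: '<ISO-8601 UTC timestamp> <LEVEL> <event-id> <message>'."""
    ts, level, event_id, message = line.split(" ", 3)
    if level not in LEVELS:
        raise ValueError(f"unknown severity level: {level}")
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), level, int(event_id), message)


class EventLog:
    def __init__(self, capacity: int):
        self._buf = deque(maxlen=capacity)   # deque discards the oldest entry when full
        self.overwritten = 0                  # records lost to wrap-around (FAU_STG.4)

    def record(self, event: Event) -> None:
        if len(self._buf) == self._buf.maxlen:
            self.overwritten += 1
        self._buf.append(event)

    def review(self, min_level: Optional[str] = None, event_id: Optional[int] = None,
               since: Optional[datetime] = None, until: Optional[datetime] = None,
               sort_by: str = "ts", descending: bool = False) -> List[Event]:
        """Read-only view with the filters and sort keys the GUI offers (FAU_SAR.3)."""
        rows = list(self._buf)
        if min_level is not None:
            rows = [e for e in rows if LEVELS[e.level] >= LEVELS[min_level]]
        if event_id is not None:
            rows = [e for e in rows if e.event_id == event_id]
        if since is not None:
            rows = [e for e in rows if e.ts >= since]
        if until is not None:
            rows = [e for e in rows if e.ts < until]
        key = (lambda e: e.ts) if sort_by == "ts" else (lambda e: (LEVELS[e.level], e.ts))
        return sorted(rows, key=key, reverse=descending)

    def erase_older_than(self, days: int, now: datetime) -> int:
        """Administrator action: drop records older than N days; returns the count removed.
        Together with clear() this is the only way records leave the log early."""
        cutoff = now - timedelta(days=days)
        kept = [e for e in self._buf if e.ts >= cutoff]
        removed = len(self._buf) - len(kept)
        self._buf.clear()
        self._buf.extend(kept)
        return removed

    def clear(self) -> None:
        self._buf.clear()


# Constructed sample lines; the messages echo event types listed in section 7.1.
SAMPLE_LINES = [
    "2017-09-18T08:00:00Z INFO 1001 System Startup",
    "2017-09-19T08:05:12Z INFO 2001 Successful SSH session establishment user=admin src=10.0.0.9",
    "2017-09-20T08:06:40Z WARNING 3001 RAID status change node=1 disk=4 state=degraded",
    "2017-09-20T08:07:03Z ERROR 4001 TLS session establishment failed src=10.0.0.77",
    "2017-09-20T08:09:30Z CRITICAL 5001 Node failure within couplet node=2",
]


def build_sample(capacity: int = 4) -> EventLog:
    log = EventLog(capacity)
    for line in SAMPLE_LINES:
        log.record(parse_line(line))
    return log


if __name__ == "__main__":
    log = build_sample()
    for e in log.review(min_level="WARNING", sort_by="level", descending=True):
        print(e.ts.isoformat(), e.level, e.event_id, e.message)
```

With a capacity of four records the fifth sample line pushes out "System Startup", which is the point of FAU_STG.4: the log never refuses a new record, so the administrator-chosen size decides how much history survives, and anything that must outlive the wrap-around has to be offloaded to the external syslog server.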
All StoreOnce audit logs and Linux logs can be offloaded to other network entities using the syslog
protocol. Most configuration will be handled through the CLI interface. Overall enablement of the
feature will allow visibility of the appropriate pages on the GUI; otherwise GUI pages related to this
feature will not appear. This feature is meant for a limited set of users as selected by the Administrator
and the feature will have to be explicitly enabled before related commands are usable.
The Security audit function is designed to satisfy the following security functional requirements:
FAU_GEN.1, FAU_GEN.2, FAU_SAR.1, FAU_SAR.3, FAU_STG.1, FAU_STG.4, FAU_STG_EXT.1
7.2 Cryptographic Support
The TOE uses cryptography for protection of the communications surrounding remote administrator
sessions. A remote administrative session can occur using either a GUI or CLI. Administrators use an
SSHv2 session to connect to the TOE to establish a CLI session. Administrators connect to the TOE using
the GUI through a TLS session. All protocols involved in support of the administrative GUI are tunneled
through TLS.
TLS and SSH are used to provide protection of the communications surrounding the remote
administrative sessions from disclosure and from modification.
The TOE provides cryptographic support for communications on the manageability path using
unmodified cryptographic package in OpenJDK for the HTTPS protocol and libcrypto of OpenSSL in
OpenSSH for the SSH protocol. The libraries have been shown to operate in a FIPS approved manner as
used by the TOE when subjected to the Cryptographic Algorithm Verification Program (CAVP).
The TOE implements the AES algorithm as defined by FIPS PUB 197 and consistent with NIST SP 800-38A.
The TOE uses AES for encryption and decryption of data as part of the support for the SSH and TLS
protocols. The TOE can use AES in CBC or CTR modes. The TOE supports the use of 128-bit, 192-bit and
256-bit AES keys.
The TOE also provides cryptographic hashing services using the SHA-1 and SHA-256 algorithms as
defined by FIPS 180-3 ‘Secure Hash Standard’. The TOE supports message digest sizes of 160-bits and
256 bits for this hashing service. These cryptographic hashing services are used by the TOE
implementation of SSHv2 and TLS.
The TOE provides keyed-hash authentication using HMAC-SHA-1 with a key size of 160 bits. The TOE
implementation of HMAC-SHA-1 is built to meet FIPS PUB 198-1 and FIPS PUB 180-3. These keyed-hash
authentication services are used by the TOE implementation of SSHv2 and TLS.
The TOE implements HTTPS as specified by RFC 2818. The TOE does not support HTTP connections for
administration. The TOE implements TLS versions using the following cipher suites:
Table 16 - Cipher Suites
Protocol | Ciphers
TLSv1.1 | TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA
TLSv1.2 | TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256
The Cryptographic support function is designed to satisfy the following security functional requirements:
FCS_COP.1
7.3 User Data Protection
The TOE implements NAS, StoreOnce Catalyst and VTLs as storage locations. The TOE makes storage
locations available to client hosts on Ethernet (i.e. Ethernet hosts), Fibre Channel (i.e. Fibre Channel
hosts) or iSCSI (i.e. iSCSI hosts). These storage locations can be a Virtual Tape Library (VTL), StoreOnce
Catalyst stores or Network Attached Storage (NAS). The VTLs can be accessed either through Ethernet or
Fibre Channel protocols. The NAS can be accessed as either CIFS-based storage devices or NFS-based
storage devices.
Thus, the TOE makes NAS, StoreOnce Catalyst stores and VTL storage accessible via iSCSI, NFS, CIFS, and
Fibre Channel connections and protocols. The TOE provides NAS, StoreOnce Catalyst stores and VTL
storage access only to network devices and users specifically configured to have access. The TOE
implements an access policy whereby client-hosts can access configured NAS, StoreOnce Catalyst stores
and VTL resources.
• Ethernet-based (i.e., iSCSI) VTLs are configured to specify access by specific IQNs.
The TOE enforces the following access requirements upon client host operations on TOE
provided storage. For Ethernet-based client hosts accessing VTLs, the Ethernet host specified in
the IQN must be configured for access. This is done by configuring the VTL to include the host
identifier of the client host (e.g., IP address or Domain Name). An IQN is a text string composed
of the following four (4) fields, each concatenated by periods (“.”):
o The literal “iqn”;
o A date that the naming authority took ownership of the domain (in the form YYYY-MM);
o A reversed domain name for the authority; and
o A string defined by the naming authority specifying the name of the storage target.
An example of an IQN would be iqn.2011-09.com.hp.somehost:storage:tape1.sys1.hp.com. In
this example, the iSCSI host would be “somehost.hp.com” and the storage device would be
“tape1.sys1.hp.com”.
• Fibre Channel-based VTLs are configured to specify access by a specific Fibre Channel port.
  For client hosts on a Fibre Channel network that are accessing VTLs, the VTL must be configured
  to include the Fibre Channel port used by the client host.
• NFS-based NAS are configured to specify access by a specific list of hosts.
  A NAS configured for NFS access can be accessed only by an Ethernet client host. The host
  identifier (i.e., IP Address or DNS name) must be included in the TOE’s configuration of the NFS
  share in order for access to be permitted. Each client host can have “Read/Write Access”,
  “Read-Only Access” or “No Access” to the NFS share.
• CIFS-based NAS are configured to specify access by specific users who are assigned read-write
  or read-only access.
  A NAS configured for CIFS-based access can be accessed by specific users. The following are the
  three (3) types of access configuration for CIFS shares:
  o None: no access control; the share is accessible to anyone.
  o User: Users are created on the TOE. Each user that is created has its own user ID and
    password. Access by a user to each CIFS share can be controlled, the access modes
    being “Access” and “No Access”.
  o Active Directory: The TOE is registered with the AD server as a device within the
    domain, just like another server in the domain. The TOE does not create users in the
    Active Directory nor assign permission (read-write, read only or no access) to access the
    CIFS share. Users and permissions are assigned directly with the AD server, not through
    the TOE.
• StoreOnce Catalyst stores: A list of clients is created in the GUI under the StoreOnce Catalyst
  tab and only these clients can be allowed to create StoreOnce Catalyst stores and access them.
• Access to files under CIFS/NFS shares is further controlled based on file permissions.
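As an added illustration of the IQN layout and the host allow-list described above (example code written for this page, not part of the StoreOnce product): it splits an IQN into the four fields, recovers the naming-authority host and the storage device name as in the example above, and treats a host as permitted only when it has been explicitly configured. It assumes the authority-defined string begins at the first colon after the reversed domain, as in the example IQN.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed example: an iSCSI Qualified Name (IQN) parser following the
# four-field layout described in Section 7.3 (literal "iqn", YYYY-MM date,
# reversed domain of the naming authority, authority-defined name).
# Assumption: the authority-defined name starts at the first ":" after the
# reversed domain, as in the page's own example IQN.

_DATE_RE = re.compile(r"^(\d{4})-(0[1-9]|1[0-2])$")
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


@dataclass(frozen=True)
class Iqn:
    date: str             # YYYY-MM the authority took ownership of its domain
    reversed_domain: str  # e.g. "com.hp.somehost"
    target_name: str      # authority-defined string, e.g. "storage:tape1.sys1.hp.com"

    @property
    def host(self) -> str:
        """Naming-authority host in normal order, e.g. "somehost.hp.com"."""
        return ".".join(reversed(self.reversed_domain.split(".")))

    @property
    def storage_device(self) -> str:
        """Last ":"-separated component of the target name (as in the page's example)."""
        return self.target_name.rsplit(":", 1)[-1]


def parse_iqn(text: str) -> Optional[Iqn]:
    """Return an Iqn for a well-formed name, or None if the name is malformed."""
    s = text.strip().lower()
    prefix, _, rest = s.partition(".")
    if prefix != "iqn" or not rest:
        return None
    date, _, rest = rest.partition(".")
    if not _DATE_RE.match(date) or not rest:
        return None
    reversed_domain, sep, target_name = rest.partition(":")
    labels = reversed_domain.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(lbl) for lbl in labels):
        return None
    if sep and not target_name:  # trailing ":" with nothing after it
        return None
    return Iqn(date, reversed_domain, target_name)


def host_permitted(iqn_text: str, allowed_hosts: Iterable[str]) -> bool:
    """Allow-list check: True only if the IQN's host is explicitly configured."""
    iqn = parse_iqn(iqn_text)
    return iqn is not None and iqn.host in set(allowed_hosts)


if __name__ == "__main__":
    iqn = parse_iqn("iqn.2011-09.com.hp.somehost:storage:tape1.sys1.hp.com")
    print(iqn.host, iqn.storage_device)  # somehost.hp.com tape1.sys1.hp.com
```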
Client hosts are attached through dedicated storage area networks (SANs) that are generally in close
proximity and therefore subject to the same physical protection assumption as the HPE StoreOnce
Backup system. Client hosts should be placed on a restricted network segment. Although difficult, access
to these network segments by untrustworthy entities or hosts could allow spoofing, which could
result in unintended access to backup targets by those untrustworthy entities. It is therefore assumed
that administrators allow only trusted hosts access to these connections and that the hosts themselves
are protected from access by untrustworthy entities.
The TOE implements RAID on physical disks. The TOE supports RAID 5, RAID 6 and RAID 1+0.
• RAID 5: provides data redundancy by distributing data blocks across all disks in a RAID set.
  Redundant information is stored as parity distributed across the disks.
• RAID 6: may be thought of as RAID 5 with dual parity. The dual parity of RAID 6 provides fault
  tolerance from two drive failures in each of two RAID sets. Each array continues to operate with
  up to two failed drives. RAID 6 significantly reduces the risk of data loss if a second hard disk
  drive fails while the RAID array is rebuilding.
• RAID 1+0: provides mirrored sets in a striped set (minimum four drives; even number of drives).
  RAID 1+0 provides fault tolerance and improved performance but increases complexity.
The single-node architecture makes use of RAID 5 or RAID 6 to provide availability of user data stored by
a node. Multi-node configurations also support RAID 5 or RAID 6; however, RAID of physical storage
occurs inside a couplet with both nodes accessing the same RAID arrays. There is no RAID or other
redundancy between couplets in a cluster.
TSF data stored by a single-node appliance is protected only using the RAID array within the appliance.
TSF data is stored by a multi-node appliance (i.e., a couplet) as a mirrored set in a striped set (i.e., RAID
1+0).
The TOE clears resources when they are initially introduced (e.g., a new disk volume). When a VTL
resource is assigned, the resource is treated as a tape and an End-of-Tape mark is written by the TOE to
the beginning of the resource. The TOE does not allow reading past this End-of-Tape mark. Storage is
assigned to a VTL resource only as needed (the entire tape is NOT preallocated). When a NAS resource is
assigned no storage is associated with the resource until a write operation is performed.
The TOE performs data deduplication at the block level on all backup resources. Data deduplication is a
process in which the TOE compares blocks of data being written to a backup device with data blocks
previously stored on the device. If duplicate data is found, a pointer is established to the original data,
rather than storing the duplicate data.
When data is deleted by the TOE (e.g., a VTL cartridge is overwritten or erased), any unique blocks are
marked for removal, and any non-unique blocks are de-referenced and their reference count decremented.
The process of removing blocks of data is not an inline operation because this would significantly impact
performance. This process, termed “housekeeping”, runs on the appliance as a background operation. It
runs on a per VTL cartridge, NAS file or StoreOnce Catalyst object basis and will run as soon as the
VTL cartridge is unloaded and returned to its storage slot, or a NAS file or StoreOnce Catalyst object has
completed writing and has been closed by the appliance.
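A constructed illustration of the block-level deduplication, reference counting and deferred housekeeping described in the two paragraphs above (example code written for this page, not StoreOnce code): the block size, the hashing used to identify blocks and the in-memory data structures are assumptions made for the example, and "cartridges" are simply named objects.

```python
import hashlib
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed example: a toy deduplicating store. Block size and SHA-256 block
# identifiers are assumptions for illustration, not StoreOnce internals.
BLOCK_SIZE = 4  # tiny block size so the sample data below deduplicates visibly


def _blocks(data: bytes):
    for i in range(0, len(data), BLOCK_SIZE):
        yield data[i:i + BLOCK_SIZE]


class DedupStore:
    def __init__(self) -> None:
        self.blocks: Dict[str, bytes] = {}    # block id -> content, stored once
        self.refs: Counter = Counter()        # block id -> reference count
        self.objects: Dict[str, List[str]] = {}  # object -> block ids (pointers)
        self.pending: Set[str] = set()        # unique blocks marked for removal

    def write(self, name: str, data: bytes) -> Tuple[int, int]:
        """Store (or overwrite) an object; return (new blocks, deduplicated blocks)."""
        if name in self.objects:          # overwrite: de-reference the old blocks first
            self.delete(name)
        new = dup = 0
        ids: List[str] = []
        for chunk in _blocks(data):
            bid = hashlib.sha256(chunk).hexdigest()
            if bid in self.blocks:
                dup += 1                  # duplicate: keep only a pointer
            else:
                self.blocks[bid] = chunk
                new += 1
            self.refs[bid] += 1
            self.pending.discard(bid)     # a re-referenced block is live again
            ids.append(bid)
        self.objects[name] = ids
        return new, dup

    def delete(self, name: str) -> int:
        """De-reference an object's blocks; return how many became unique and were marked."""
        marked = 0
        for bid in self.objects.pop(name):
            self.refs[bid] -= 1
            if self.refs[bid] == 0:       # unique now: mark, do not free inline
                self.pending.add(bid)
                marked += 1
        return marked

    def housekeeping(self) -> int:
        """Background pass: free marked blocks that are still unreferenced."""
        freed = 0
        for bid in list(self.pending):
            if self.refs[bid] == 0:
                del self.blocks[bid]
                del self.refs[bid]
                freed += 1
            self.pending.discard(bid)
        return freed

    def read(self, name: str) -> bytes:
        return b"".join(self.blocks[b] for b in self.objects[name])
```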
The User data protection function is designed to satisfy the following security functional requirements:
FDP_ACC.2, FDP_ACF.1, FDP_AVL_EXT.1(1), FDP_AVL_EXT.1(2)
7.4 Identification and Authentication
The TOE supports different user communities: administrative accounts and CIFS users.
For administrative accounts, the TOE recognizes two accounts as being permitted to perform
administrative operations (i.e., the administrative accounts) and a restricted “root” account. The two
administrative accounts are the “Administrator” and the "Operator" accounts. A site (i.e., a customer
installing the product) is expected to assign the two administrative accounts in a manner suitable for the
customer’s needs. Each account has a password associated with it for authentication. The TOE verifies
this authentication information before the TOE allows the user to perform any actions. The TOE also
recognizes a “root” account that can log in only at the local console. This account is not used for normal
administrative activity, but instead is provided only for special maintenance operations (e.g., resetting the
password of the “administrator” account). The "root" account is not shared with end users.
The GUI and local CLI connections require the use of a password as the authentication information. A
remote administrative session using SSH to connect to a CLI session can authenticate either
cryptographically, with a public/private key pair, or with a password. Regardless of the
authentication method, the TOE does not provide any CLI or GUI services until the authentication
information has been verified for the account.
The “Administrator” account is a read-write account that has the ability to handle configuration and has
predominantly full control over the CLI and GUI commands. The TOE also supports the "operator"
account, which is read-only and provides a more limited CLI and GUI functionality. Both the
"Administrator" and "Operator" accounts typically do not have access to any of the user data.
For locally defined administrative accounts, the information that the TOE stores about each user is
maintained in an internal shadow password file. The TOE does not offer general purpose shells to
administrative users, but rather starts the CLI following successful login. The TOE maintains the following
information about each locally defined administrative account.
• UID – A TOE internal user identifier that uniquely designates the user account within the system.
• Username – An identifier allowing a person to identify themselves to the TOE.
• Password – A hashed value known only to the TOE and the user.
Administrators must log in either through the GUI or CLI prior to having the ability to perform any TOE
management operations. The login process occurs slightly differently at the GUI than at the CLI. The
following occurs during a password-based login either at the local console or through an SSH session:
• the TOE prompts the user for a username,
• the user provides a username,
• the TOE prompts for a password,
• the user provides a password, and
• the TOE validates that the username and password provided by the user are a valid pair.
During logon at the GUI, the following occurs:
• the TOE offers a logon window requesting a username and password,
• the user provides both a username and password to the TOE, and
• the TOE validates that the username and password provided by the user are a valid pair.
In these cases, no management operations are provided to a user prior to their providing a valid
username and password pair. Also, when a user is providing a password at a local console, an SSH session or a GUI
session, the TOE does not echo that password to the screen.
During a public-key based authentication using SSH, the user’s private key is used by the SSH client to
cryptographically authenticate to the TOE’s SSH server. If the TOE and SSH client can successfully
negotiate and establish an SSH session using the public/private key of the user, then the user’s identity
is authenticated and the TOE starts a CLI session using the authenticated SSH tunnel.
The TOE supports access controls based upon a user’s identity during client host operations upon
Common Internet File System (CIFS) storage objects. A NAS configured as a CIFS share can be accessed
by users that are defined either locally within the TOE or remotely using an external Active Directory
(AD) server. However, these users do not have access to any TOE management tasks. The AD
authentication can be supported over a remote, secure connection using TLS. The Active Directory
server is provided by the environment.
For authentication of a user accessing a CIFS share, the TOE collects a user ID & Password from the user.
If the share is configured to use local authentication, the TOE verifies the user ID & password. If the
share is configured to use Active Directory authentication, the TOE passes the ID & Password to the AD
server for verification. The TOE then permits or denies permission to the CIFS-share based upon the
permissions configured for that user.
The Management Interface includes an SNMP v3 Agent. SNMPv3 users must successfully authenticate to
the SNMPv3 agent in the TOE prior to viewing MIB objects. The SNMPv3 users can be created through
the SSH channel using the CLI interface.
The TOE offers another read-only interface to the CentOS 6 (Linux) shell so that vulnerability
scanners can perform operating system level security scans upon a StoreOnce appliance. The
Administrator can configure users with a new access level called “scanner”; these users can log into the
appliance after proper authentication using ssh and are given access to a shell prompt within a chroot
environment. The security scan environment can be configured (by an Admin user) to be enabled for a
fixed period of time during which the scan is to take place, after which it is disabled so that the
chroot access is not left open continuously on the appliance. The scanning feature is not evaluated, as
previously noted in Section 1.5.3.
The Identification and authentication function is designed to satisfy the following security functional
requirements: FIA_ATD.1, FIA_UAU.1, FIA_UAU.5, FIA_UAU.7, FIA_UID.2
7.5 Security Management
The TOE restricts the management of storage resources to the administrative accounts: “Administrator”
and “Operator”. The “Operator” account can query, but cannot change any settings. The TOE restricts
modification of storage resources to the “Administrator” account, which has read/write access.
The nodes within a cluster cooperate to provide backup storage services to client hosts. In multi-node
systems, the TOE replicates configuration data across all nodes in the cluster. This keeps configuration
data available to operational nodes despite the failure of one node in each couplet. Single-node
appliances operate as standalone systems and thus do not replicate configuration data.
The HPE StoreOnce Backup system products do not support an explicit notion of default values; rather,
by implicit default, when a new resource becomes available no access is possible until it is specifically
configured (i.e., to be accessible by an iSCSI host), at which time explicit access rights (i.e., read-write,
read-only, or none) to a host are also defined.
The HPE StoreOnce Backup system products offer a full range of management functions. Through the
GUI and CLI the TOE offers the ability to perform the following actions.
• User management:
  o Create, modify, delete local users.
  o Add, modify, remove external users (external users are those that are
    defined in Active Directory).
  o Add, modify, remove external groups.
• Active Directory settings:
  o Join Active Directory domain
  o Leave Active Directory domain
• Audit logging:
  o Specify minimum retention period
  o Export audit logs
• Event logs:
  o Export events
  o Delete events
• Email alerts:
  o Enter SMTP server settings
  o Configure email alert recipients
• SNMPv3 configuration:
  o Configure SNMPv3 users
  o Configure SNMPv3 trapsink addresses
• Ability to view SNMPv3 MIB objects
• Ability to review audit events, and
• Ability to manage VTL, StoreOnce Catalyst and NAS resources
The Security management function is designed to satisfy the following security functional requirements:
FMT_MSA.1, FMT_MSA.3, FMT_MTD.1, FMT_SMF.1, FMT_SMR.1
7.6 Protection of the TSF
The TOE uses an internal hardware clock within each node as the source for timestamps when
generating audit records. Each node of a cluster operates as an NTP client obtaining its time from the
Active Manager which is running an NTP server available only to other nodes. The Active Manager can
be configured to synchronize time (i.e., be an NTP client) to other connected hosts using NTP. The Active
Manager can also obtain time using NTP from an external NTP server on the Management network.
The Protection of the TSF function is designed to satisfy the following security functional requirements:
FPT_STM.1
7.7 TOE Access
The TOE allows only one (1) active session for each account. The TOE monitors for inactivity at the GUI
and CLI interfaces. By default, after a period of 20 minutes of user inactivity the session will time out and
return to the Login screen.
Administrators can log out of their individual sessions, thereby terminating the session.
A login banner may be configured to display when users log in, either to the StoreOnce CLI or through
the StoreOnce GUI. It consists of blocks of text, uploaded to the StoreOnce system as a file by an Admin
user that may be used to provide legal or other conditions that apply to users of the device. The login
banner is configured using the StoreOnce CLI.
The TOE Access function is designed to satisfy the following security functional requirements: FTA_SSL.3,
FTA_SSL.4, FTA_TAB.1
7.8 Trusted Path/Channels
A remote administrative session can occur using either a graphical user interface (GUI) or command-line
interface (CLI). Administrators use an SSHv2 session to connect to the TOE to establish a CLI session. An
administrative GUI is provided through the HTTPS protocol using TLS.
TLS and SSHv2 are used to protect the communications surrounding the remote
administrative sessions from disclosure and from modification. This functionality is provided by default
by the industry standard OpenSSL and OpenSSH packages that are installed on the TOE. Protection from
disclosure and modification is inherent in the TLS and SSH protocols.
Using public-key cryptography with the TLS and SSHv2 protocols, the TOE identifies itself to clients.
Under SSH, the TOE’s public key must be known to the client prior to the communications (this must be
done out-of-band).
The Trusted path/channels function is designed to satisfy the following security functional requirements:
FTP_TRP.1
8 ACRONYMS
Table 17 – Acronyms
Acronym   Definition
AD        Active Directory
CAVP      Cryptographic Algorithm Validation Program
CBC       Cipher Block Chaining
CC        Common Criteria
CEM       Common Evaluation Methodology
CIFS      Common Internet File System
FC        Fibre Channel
FIPS      Federal Information Processing Standard
HTTP      Hypertext Transfer Protocol
HTTPS     Hypertext Transfer Protocol Secure
iSCSI     Internet Small Computer System Interface
IQN       iSCSI Qualified Name
LAN       Local Area Network
LDAP      Lightweight Directory Access Protocol
MIB       Management Interface Base
NAS       Network Attached Storage
NFS       Network File System
NTP       Network Time Protocol
PP        Protection Profile
SAN       Storage Area Network
SAR       Security Assurance Requirement
SFR       Security Functional Requirement
SNMP      Simple Network Management Protocol
SMTP      Simple Mail Transfer Protocol
SSH       Secure Shell
ST        Security Target
TLS       Transport Layer Security
TOE       Target of Evaluation
TSF       TOE Security Functionality
VTL       Virtual Tape Library