GB/T 20273-2019 PDF in English
GB/T 20273-2019 (GB/T20273-2019, GBT 20273-2019, GBT20273-2019)
Standard ID | Contents [version] | USD | STEP2 | [PDF] delivered in | Name of Chinese Standard | Status |
GB/T 20273-2019 | English | 610 |
Add to Cart
|
0-9 seconds. Auto-delivery.
|
Information security technology -- Security technical requirements for database management system
| Valid |
GB/T 20273-2006 | English | 150 |
Add to Cart
|
0-9 seconds. Auto-delivery.
|
Information security technology -- Security techniques requirement for database management system
| Obsolete |
Standards related to (historical): GB/T 20273-2019
PDF Preview
GB/T 20273-2019: PDF in English (GBT 20273-2019) GB/T 20273-2019
NATIONAL STANDARD OF THE
PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20273-2006
Information Security Technology - Security Technical
Requirements for Database Management System
ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 1, 2020
Issued by: State Administration for Market Regulation;
Standardization Administration of the People’s Republic of
China.
Table of Contents
Foreword ... 3
1 Scope ... 5
2 Normative References ... 5
3 Terms, Definitions and Abbreviations ... 6
3.1 Terms and Definitions ... 6
3.2 Abbreviations ... 6
4 Description of Evaluation Target ... 7
4.1 An Overview of Evaluation Target ... 7
4.2 Security Features of Evaluation Target ... 8
4.3 Evaluation Target Deployment Mode ... 9
5 Definition of Security Issues ... 10
5.1 Data Assets ... 10
5.2 Threats ... 10
5.3 Organization Security Policy ... 13
5.4 Hypotheses ... 15
6 Security Objectives ... 18
6.1 TOE Security Objectives ... 18
6.2 Environment Security Objectives ... 22
7 Security Requirements ... 25
7.1 Extension Component Definition ... 25
7.2 Requirements of Security Function ... 27
7.3 Requirements of Security Assurance ... 46
8 Fundamental Principle ... 69
8.1 Fundamental Principle of Security Objectives ... 69
8.2 Fundamental Principle of Security Requirements ... 83
8.3 Component Dependency ... 93
Appendix A (informative) Instruction of Standard Amendment and Application
... 96
Bibliography ... 101
Information Security Technology - Security Technical
Requirements for Database Management System
1 Scope
This Standard stipulates the description of database management system evaluation
target; the definition, security objectives and requirements of security issues of different
evaluation assurance levels of database management system; the fundamental
principles between the definition of security issues and security objectives, and
between security objectives and security requirements.
This Standard is applicable to the test, evaluation and procurement of database
management system. It may also be applied to the guidance of the research and
development of database management system.
NOTE: Level-EAL2, Level-EAL3 and Level-EAL4 security requirements stipulated in this
Standard are applicable to not only the security evaluation of database
management system based on GB/T 18336.1-2015, GB/T 18336.2-2015 and
GB/T 18336.3-2015, but also GB/T 17859-1999-based database security
evaluation of second-level database system audit protection, third-level security
label protection, fourth-level structural protection. Please refer to A.1 in Appendix
A for relevant correspondences.
2 Normative References
The following documents are indispensable to the application of this document. In
terms of references with a specified date, only versions with a specified date are
applicable to this document. In terms of references without a specified date, the latest
version (including all the modifications) is applicable to this document.
GB/T 18336.1-2015 Information Technology - Security Techniques - Evaluation Criteria
for IT Security - Part 1: Introduction and General Model
GB/T 18336.2-2015 Information Technology - Security Techniques - Evaluation Criteria
for IT Security - Part 2: Security Functional Components
GB/T 18336.3-2015 Information Technology - Security Techniques - Evaluation Criteria
for IT Security - Part 3: Security Assurance Components
GB/T 25069-2010 Information Security Technology - Glossary
GB/T 28821-2012 Technical Requirements of Relational Database Management
System
4 Description of Evaluation Target
4.1 An Overview of Evaluation Target
In this Standard, target of evaluation (TOE) refers to management software and
database object that it manages included in the database management system
(DBMS).
Management software included in DBMS shall provide database language, which
defines, operates and manages database object; provide database control language
and maintain data integrity of DBMS operation through data model semantic
constraints; provide database backup, restore and recovery mechanism, guarantee
the availability of database when there are breakdowns in DBMS operation. Relational
database management system (RDBMS) shall provide transaction management
mechanism, guarantee the atomicity, consistency, isolation and durability (ACID) of
transactions in multi-user database concurrent operations.
DBMS mainly includes the following constituent parts:
a) Database: constituted of physical files, such as: data file that stores user data
and TOE security functionality (TSF) data; log file that stores database
transaction processing process; control file that maintains the integrity of
DBMS operations, etc. The database object being stored includes: model
object, non-model object, database dictionary object, etc.
b) Database instance: include components like query engine, transaction
manager, data storage manager, etc. Implement basic functions: the definition,
management, query, update and control of database object.
c) Database language and its access interface: provide database language and
database development interface specifications, such as: structured query
language (SQL), open database connectivity (ODBC), JAVA database
connectivity (JDBC), etc.; allow authorized users to define database structure
through database development interface, access and modify database object
data, demonstrate relevant configuration parameters of DBMS operation, and
execute various maintenance operations on user data and relevant data of
DBMS operation.
d) DBMS operation maintenance auxiliary means: provide DBMS operation
maintenance auxiliary means or interfaces, such as: initiation and shutdown
of database instance; online, offline, opening and closing of database or data
file; database checkpoint control; database log archiving; external data import,
etc.
user/authorized administrator’s functions like parallel sessions.
NOTE: DBMS software and the security of its management data assets are not
isolated. Under the production environment, the IT environment of DBMS
operation (operating system, network system and hardware, etc.), together
with DBMS, establish a security system of TOE. In the description of TOE,
security target (ST) author clearly indicates and identifies the correlation
between the architecture of DBMS evaluation, and the various components
of IT environment.
4.3 Evaluation Target Deployment Mode
If any internal and external entity of DBMS needs to obtain data assets of TOE
management, firstly, it shall satisfy corresponding security policies of TOE and the
operating environment. TOE operating environment target might include multiple
security control components, which involve multiple security policies, such as:
equipment’s physical security, environmental physical security, system’s physical
security and personnel security management, etc. These operating environment
security policies prevent DBMS software and the database that it manages from
security threats in the operating environment of DBMS.
This Standard may be adopted to evaluate DBMS security of multiple deployment
structures, which include, but are not limited to the following architectures:
a) Centralized architecture: DBMS software and database application program
are installed and operated on a host; user can only send out database access
requests or administrative commands through the application terminal, which
is transmitted to the host through communication lines; after database’s
instance response and processing on the host, the processing result is
returned to the user terminal through the communication lines.
b) Client/server system structure: client-side database application and server-
side database instance implement communication through network
connections; client-side sends database access requests or administrative
commands, demonstrates the returned data by database instance; server-
side securely executes user’s database access requests and administrative
commands. Front-end application may be implemented on the basis of
browser; through remote Web server or application server, implement
connections with database server; the remote server takes charge of the
interaction with the database server.
c) Distributed database architecture: database nodes are respectively stored on
multiple site database servers, which are physically mutually independent.
The database servers among these sites, which are connected through the
network, collaboratively provide distributed database data access service.
User may execute certain database access requests or administrative
operation data, which leads to failure of TSF security control mechanism.
5.2.3 Audit mechanism’s failure (T.AUDIT_FAILURE)
Malicious user or process might modify security audit strategy, which would lead to
disabled or invalidated database audit function, audit record loss or tampered audit
record. Or, through the invalidated audit data storage, the storage of the subsequent
audit record would be prevented, which would wipe out user’s database operation.
5.2.4 Cryptographic attack (T.CRYPTO_COMPROMISE)
Malicious user or process might lead to improper browse, modification or deletion of
executable codes of database storage and communication encryption function-related
key, data or ciphertext service components, which would undermine the database
encryption mechanism and leak the data protected by the encryption mechanism.
5.2.5 Data transmission eavesdropping (T.EAVESDROP)
Malicious user or process might observe or modify user data or TSF data transmitted
among TOE physically isolated components (including user requests and responses
between the client-side and the server, data transmission among different nodes of
distributed database, etc.).
5.2.6 Flawed design (T.FLAWED_DESIGN)
Unintentional logic errors in TOE demand specifications or design might lead to design
weaknesses or flaws. Malicious user might take advantage of these flaws to initiate
security attack against TOE.
5.2.7 Flawed implementation (T.FLAWED_IMPLEMENTATION)
Unintentional errors during the development of TOE might lead to weaknesses or flaws
in TOE implementation. Malicious user might take advantage of these unknown
loopholes to attack TOE.
5.2.8 Label data out-of-control (T.LBAC)
Malicious user or process might illegally browse, modify or delete label strategy data,
controlled subject classification label data and controlled object bond label data of TOE.
Authorized administrator’s illegal access to label management-based data assets of
controlled subject.
5.2.9 Masqueraded authorized user (T.MASQUERADE)
Malicious user or process might masquerade as authorized administrator or authorized
user to access database dictionary, system security configuration parameters or data
assets protected by DBMS.
It is assumed that there will be one or multiple authorized administrators with appointed
role permissions in TOE, and their roles are divided in accordance with security
principles like minimum privileges, separation of duties and in-depth defense (ST
author needs to explain the specific meaning of “security role” in accordance with the
system permissions supported by DBMS and the solutions to specific application that
DBMS targets at).
5.4.5 Multi-tier application accountability (A.MIDTIER)
In multi-tier application environment, in order to guarantee the security accountability
of TOE, the TOE operating environment component service of any middle tier shall
send the original authorized user identification to TSF (ST author shall explain the
specific meaning of “multi-tier application accountability” in accordance with the
solutions to specific application that DBMS targets at).
5.4.6 Administrator hypothesis (A.NO_HARM)
Authorized user and authorized administrator that use the database are equipped with
fundamental database security protection knowledge and good habits of using the
database. They are well-trained; they could comply with TOE administrator guidance
and use the database through secure modes.
5.4.7 Exclusive for server (A.NO_GENERAL_PURPOSE)
On the host where DBMS is operated, other programs or services that obtain universal
computation or storage capability (for example, compiler, editor or application program)
are not installed.
5.4.8 Physical security (A.PHYSICAL)
DBMS operating environment shall provide physical security that is consistent with the
data value under its management. For example, store and manage TOE-related data
(such as: configuration parameters and archived logs, etc.) that is stored outside the
database through a secure mode.
5.4.9 Communication security (A.SECURE_COMMS)
It is assumed that communication channels among different nodes in the distributed
database between data server and application terminal are safe and reliable (for
example, satisfied confidentiality and integrity). The implementation mode may be
through shared key, public/private key pair, or, the generation of session key through
other keys being stored.
management of DBMS products. TOE shall provide authorized user with user
operation manual documents related with database object establishment and
application (ST author shall base on TOE security mechanism to explain pre-
configurated database administrator role, so as to implement authorized management
of separated duties).
6.1.5 Administrator role separation (O.ADMIN_ROLE)
TOE shall provide authorized administrator role, which is consistent with different
database management operations, so as to provide role management functions, such
as: the separation of duties and role constraints, etc. In addition, these management
functions may implement security management through local or remote mode (ST
author shall base on TOE security mechanism to explain pre-configurated database
administrator role, so as to implement authorized management of separated duties).
6.1.6 Audit data generation (O.AUDIT_GENERATION)
TOE shall provide the capability of detecting and establishing user-related security
events, such as: database audit policy definition, audit function start-stop management,
database management operations and user database object operations, etc. (ST
author shall base on the composition and storage mechanism of TOE audit record to
explain the mode of audit data storage (inside and outside database), and audit data
security management mechanism).
6.1.7 Audit data protection (O.AUDIT_PROTECTION)
TOE shall have the capability of securely storing audit data and protecting audit events
being stored.
6.1.8 Available database service (O.AVAIL)
TOE shall provide data recovery mechanism for affairs, database instance and storage
medium failures; provide the capability of self-maintenance of database storage
structure in DBMS updates; guarantee the restorability of TOE management data
assets.
TOE shall provide primary and secondary server TSF control transfer and database
instance failover mechanism, so as to support distributed component deployment of
distributed database service for the management demand of availability.
6.1.9 Configuration identification (O.CONFIG)
TOE shall identify product component configuration and evaluation configuration items
of its documents, so as to provide methods of correcting and tracing them when DBMS
is re-distributed and correction errors are corrected.
NOTE: generally speaking, configuration identification refers to issuance baseline that is
TOE operating environment shall be equipped with database administrator group or
role; provide necessary functions and facilities for the management and configuration
of DBMS operation security; prevent these functions and facilities from unauthorized
usage.
6.2.5 Directory access control protection (OE.DIR_CONTROL)
DBMS operating environment that supports directory service (for example, LDAP
server) shall provide mechanisms like user identification, identity authentication and
access control, so as to prevent illegal user from accessing TSF data stored under the
directory service. The access control mechanism of directory service shall provide
security protection measures of TSF control data import/export.
6.2.6 IT domain separation (OE.DOMAIN_SEPARATION)
TOE operating environment under distributed deployment shall provide TOE operation
nodes with one separable security execution domain. Communication among different
DBMS nodes shall be conducted through a secure mode.
6.2.7 Administrator Integrity (OE.NO_HARM)
Organization that adopts TOE shall guarantee that authorized administrator is
trustworthy, well-trained, and can comply with organization security policy and relevant
database administrator guidance.
6.2.8 Exclusive for database server (OE.NO_GENERAL_PURPOSE)
Apart from providing necessary service components for TOE operation, management
and support, database server shall not have computation or storage functional
components (for example, compiler, editor or application program) that are irrelevant
with database instance operation.
6.2.9 Consistency of physical security (OE.PHYSICAL)
TOE operating environment shall provide physical security that is consistent with
DBMS and the value of its management data assets.
6.2.10 Communication security environment (OE.SECURE_COMMS)
TOE operating environment shall provide secure communication lines between remote
user/program and database server.
6.2.11 IT environment self-protection (OE.SELF_PROTECTION)
TOE operating environment shall maintain one execution domain which prevents
DBMS and its operating environment from external interference, damage or
unauthorized leakage.
FMT_MSA_EXT.1.2 TSF shall implement [option: label access control-based
security policy, [assignment: information flow control policy with appointed
mechanism by ST author]]; merely through [option: LBAC authorized user,
[assignment: authorized administrator appointed by ST author]], implement
[[assignment: security attribute] to [assignment: security label]].
NOTE: this requirement is applicable to EAL-3 evaluation assurance level.
7.1.3.2 Security attribute management [FMT_MSA_EXT.1(2)]
FMT_MSA_EXT.1.1 TSF shall implement [option: user control policy-based, role
control policy-based and user group control policy-based, [assignment:
compulsory access control defined by ST author]]; merely through [option:
authorized administrator, authorized user] to conduct [option: alteration of default
value, query, modification, deletion, [assignment: other operations]] on security
attribute [option: database object access permission, security role].
FMT_MSA_EXT.1.2 TSF shall implement [option: label access control-based
security policy, [assignment: information flow control policy with appointed
mechanism by ST author]]; merely through [option: LBAC authorized user,
[assignment: authorized administrator appointed by ST author]], implement
[[assignment: security attribute] to [assignment: security label]].
NOTE: this requirement is applicable to EAL-4 evaluation assurance level.
7.1.3.3 Static attribute initialization [FMT_MSA_EXT.3]
FMT_MSA_EXT.3.1 TSF shall implement [option: user control policy-based, role
control policy-based and user group control policy-based, [assignment: self-
access control defined by ST author]], so as to provide default value to the execution
of SFP security attribute [option: select one of them: restricted, permitted,
[assignment: other properties]].
7.2 Requirements of Security Function
7.2.1 Overview
Table 7 lists TOE security functional components of evaluation assurance level (EAL)
of DBMS: EAL2, EAL3 and EAL4. In the description of security functional component
elements, in square brackets [], bold font signifies already completed operations; bold
italics signifies assignment and options that still need to be determined by ST author
in the security objectives.
7.2.2.3 Security audit review (FAU_SAR.1)
FAU_SAR.1.1 TSF shall provide [assignment: authorized administrator] with the
authority to read the audit record and acquire the audit information listed below:
a) User, user group or role identification;
b) Type of audit events;
c) Database object identification;
d) [option: subject identification, host identification, null];
e) [option: successful auditable security event, failed auditable security
event, and [option: [assignment: list of selective audit events based on
other selection conditions], without any additional condition]];
f) Database permission [option: system permission, instance permission,
database permission, mode object permission, fine-grained data
permission].
FAU_SAR.1.2 TSF shall provide audit record in a mode that can be understood by
authorized user.
7.2.2.4 Restriction of audit review (FAU_SAR.2)
FAU_SAR.2.1 authorizes specific permission of reading and accessing audit data to
authorized administrator. Apart from this, TSF shall prohibit all the authorized users
from reading or accessing audit record.
7.2.2.5 Optional audit review (FAU_SAR.3)
FAU_SAR.3.1 TSF shall provide the capability of [searching and sequencing]
reviewed audit data in accordance with [searching and classification conditions of
the value in audit data field].
7.2.2.6 Selective audit (FAU_SEL.1)
FAU_SEL.1.1 TSF shall be able to select auditable events from a set of auditable
events in accordance with the following attributes:
a) User identity [option: object identity, user identity, group identity, subject
identity, host identity];
b) Operation type [option: definition statement, query statement, update
statement, control statement];
c) Permission level [option: system permission, instance permission,
database permission, mode object level audit, fine-grained data
organization in accordance with the specific condition of cryptographic algorithm.
7.2.3.2 Key destruction (FCS_CKM.4)
FCS_CKM.4.1 TSF shall destruct keys in accordance with a specific key destruction
method [assignment: key destruction method] that complies with the following
standard [assignment: cryptographic management-related standards or
specifications requested by the state or the industry].
7.2.3.3 Cryptographic operation (FCS_COP.1)
FCS_COP.1.1 TSF shall execute [assignment: cryptographic operation list] in
accordance with a specific cryptographic algorithm [assignment: cryptographic
algorithm] that complies with the following standard [assignment: cryptographic
management-related standards or specifications requested by the state or the
industry]and key length [assignment: key length].
7.2.4 User data protection (Type-FDP)
7.2.4.1 Subset access control (FDP_ACC.1)
FDP_ACC.1.1 TSF shall execute the following access control policy [option: user
control policy-based, role control policy-based, user group control policy-based,
[assignment: self-access control policy defined by ST author]] defined by subject
(system and user) on authorized database object operation list.
7.2.4.2 Security attribute-based access control (FDP_ACF.1)
FDP_ACF.1.1 TSF shall execute access control on the operation of database object in
accordance with [option: user control policy-based, role control policy-based, user
group control policy-based, [assignment: self-access control defined by ST
author]], which shall include the following:
a) Subject-related authorized user identity and/or role and/or group member
relationship;
b) Executable access operation and/or role/group permission of controlled
database object;
c) Controlled database object identification;
d) Execute [option: user control policy-based, role control policy-based,
user group control policy-based, [assignment: self-access control
policy defined by ST author]] on database object.
FDP_ACF.1.2 TSF shall execute [assignment: between controlled subject and
controlled database object, manage access rules by adopting controlled
operation on controlled database object], so as to determine whether an operation
a) There is an ordered function which can determine whether two valid security
attributes being provided are equivalent, whether one security attribute is
larger than the other, or, whether they are incomparable;
b) A “minimum upper bound” exists in the security attribute set. In terms of two
valid security attributes being provided, there is a valid security attribute that
is larger than, or, equals to the two security attributes;
c) A “maximum lower bound” exists in the security attribute set. In terms of two
valid security attributes being provided, there is a valid security attribute that
is not larger than the two attributes.
7.2.4.5 User data output with security attribute (FDP_ETC.2)
Under SFP control, when FDP_ETC.2.1 outputs user data to beyond TOE, TSF shall
execute [assignment: access control SFP and/or information flow control SFP].
FDP_ETC.2.2 TSF shall output user data and user data-associated security attribute.
FDP_ETC.2.3 TSF shall ensure that when security attribute is output to beyond TOE,
it is exactly associated with the output user data.
FDP_ETC.2.4 when user data is output from TOE, TSF shall execute the following rule
[assignment: additional output control rule].
7.2.4.6 User data input without security attribute (FDP_ITC.1)
Under SFP control, when FDP_ITC.1.1 inputs user data from beyond TOE, TSF shall
execute [assignment: access control SFP and/or information flow control SFP].
When FDP_ITC.1.2 inputs user data from beyond TOE, TSF shall neglect any security
attribute associated with user data.
Under SPF control, when FDP_ITC.1.3 inputs user data from beyond TOE, TSF shall
execute the following rule: [assignment: additional input control rule].
7.2.4.7 Basic internal transmission protection (FDP_ITT.1)
When FDP_ITT.1.1 transmits user data among physically divided parts on TOE, TSF
shall execute [assignment: access control SFP and/or information flow control
SFP] to prevent [option: leakage, tampering, loss of availability] of user data.
7.2.4.8 Subset residual information protection (FDP_RIP.1)
FDP_RIP.1.1 TSF shall ensure that any prior information content of server resources
(such as: database server shared cache and storage space) is no longer available
after the release of the resources, or, after the resources are re-allocated to other
model objects.
d) Server resource restriction;
e) Database object access permission;
f) Database management permission;
g) [assignment: any additional security attribute of authorized
administrator].
7.2.5.3 Verification of secrets (FIA_SOS.1)
FIA_SOS.1.1 TSF shall provide a mechanism to verify that secrets can satisfy
[assignment: an established quality measurement]. For example, the verification of
user commands shall sati......
...... Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.
|