
GB/T 20273-2019 PDF in English


GB/T 20273-2019 (GB/T20273-2019, GBT 20273-2019, GBT20273-2019)
Standard ID      | Contents [version] | USD | Delivery                                       | Name of Chinese Standard                                                                            | Status
GB/T 20273-2019  | English            | 610 | [PDF] delivered in 0-9 seconds. Auto-delivery. | Information security technology -- Security technical requirements for database management system | Valid
GB/T 20273-2006  | English            | 150 | [PDF] delivered in 0-9 seconds. Auto-delivery. | Information security technology -- Security techniques requirement for database management system | Obsolete

Standards related to (historical): GB/T 20273-2019
PDF Preview

GB/T 20273-2019: PDF in English (GBT 20273-2019)

GB/T 20273-2019
NATIONAL STANDARD OF THE PEOPLE’S REPUBLIC OF CHINA
ICS 35.040
L 80
Replacing GB/T 20273-2006

Information Security Technology - Security Technical Requirements for Database Management System

ISSUED ON: AUGUST 30, 2019
IMPLEMENTED ON: MARCH 1, 2020
Issued by: State Administration for Market Regulation; Standardization Administration of the People’s Republic of China.

Table of Contents
Foreword ... 3
1 Scope ... 5
2 Normative References ... 5
3 Terms, Definitions and Abbreviations ... 6
3.1 Terms and Definitions ... 6
3.2 Abbreviations ... 6
4 Description of Evaluation Target ... 7
4.1 An Overview of Evaluation Target ... 7
4.2 Security Features of Evaluation Target ... 8
4.3 Evaluation Target Deployment Mode ... 9
5 Definition of Security Issues ... 10
5.1 Data Assets ... 10
5.2 Threats ... 10
5.3 Organization Security Policy ... 13
5.4 Hypotheses ... 15
6 Security Objectives ... 18
6.1 TOE Security Objectives ... 18
6.2 Environment Security Objectives ... 22
7 Security Requirements ... 25
7.1 Extension Component Definition ... 25
7.2 Requirements of Security Function ... 27
7.3 Requirements of Security Assurance ... 46
8 Fundamental Principle ... 69
8.1 Fundamental Principle of Security Objectives ... 69
8.2 Fundamental Principle of Security Requirements ... 83
8.3 Component Dependency ... 93
Appendix A (informative) Instruction of Standard Amendment and Application ... 96
Bibliography ... 101

Information Security Technology - Security Technical Requirements for Database Management System

1 Scope
This Standard stipulates the description of the database management system evaluation target; the definition of security issues, the security objectives and the security requirements of database management systems at different evaluation assurance levels; and the fundamental principles linking the definition of security issues to the security objectives, and the security objectives to the security requirements.
This Standard is applicable to the test, evaluation and procurement of database management systems. It may also be applied to guide the research and development of database management systems.

NOTE: The Level-EAL2, Level-EAL3 and Level-EAL4 security requirements stipulated in this Standard are applicable not only to the security evaluation of database management systems based on GB/T 18336.1-2015, GB/T 18336.2-2015 and GB/T 18336.3-2015, but also to GB/T 17859-1999-based database security evaluation of second-level database system audit protection, third-level security label protection and fourth-level structural protection. Please refer to A.1 in Appendix A for the relevant correspondences.

2 Normative References
The following documents are indispensable to the application of this document. For dated references, only the dated edition applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 18336.1-2015 Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 1: Introduction and General Model
GB/T 18336.2-2015 Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 2: Security Functional Components
GB/T 18336.3-2015 Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 3: Security Assurance Components
GB/T 25069-2010 Information Security Technology - Glossary
GB/T 28821-2012 Technical Requirements of Relational Database Management System

......

4 Description of Evaluation Target
4.1 An Overview of Evaluation Target
In this Standard, the target of evaluation (TOE) refers to the management software included in the database management system (DBMS) and the database objects that it manages.
The management software included in the DBMS shall provide a database language that defines, operates and manages database objects; provide a database control language and maintain the data integrity of DBMS operation through data model semantic constraints; and provide database backup, restore and recovery mechanisms that guarantee the availability of the database when breakdowns occur in DBMS operation. A relational database management system (RDBMS) shall provide a transaction management mechanism that guarantees the atomicity, consistency, isolation and durability (ACID) of transactions in multi-user concurrent database operations.

The DBMS mainly includes the following constituent parts:
a) Database: constituted of physical files, such as: data files that store user data and TOE security functionality (TSF) data; log files that store the database transaction processing history; control files that maintain the integrity of DBMS operations, etc. The database objects being stored include: model objects, non-model objects, database dictionary objects, etc.
b) Database instance: includes components like the query engine, transaction manager, data storage manager, etc., which implement the basic functions: the definition, management, query, update and control of database objects.
c) Database language and its access interface: provides the database language and database development interface specifications, such as: structured query language (SQL), open database connectivity (ODBC), Java database connectivity (JDBC), etc.; allows authorized users to define the database structure through the database development interface, access and modify database object data, display the relevant configuration parameters of DBMS operation, and execute various maintenance operations on user data and on the data relevant to DBMS operation.
d) DBMS operation and maintenance auxiliary means: provides DBMS operation and maintenance auxiliary means or interfaces, such as: startup and shutdown of the database instance; bringing a database or data file online or offline and opening or closing it; database checkpoint control; database log archiving; external data import, etc.; and functions for the user/authorized administrator such as parallel sessions.

NOTE: The security of the DBMS software and of the data assets it manages is not isolated. In the production environment, the IT environment in which the DBMS operates (operating system, network system and hardware, etc.), together with the DBMS, establishes the security system of the TOE. In the description of the TOE, the security target (ST) author clearly indicates and identifies the correlation between the architecture of the DBMS under evaluation and the various components of the IT environment.

......

4.3 Evaluation Target Deployment Mode
If any internal or external entity of the DBMS needs to obtain data assets managed by the TOE, it shall first satisfy the corresponding security policies of the TOE and of the operating environment. The TOE operating environment may include multiple security control components, which involve multiple security policies, such as: physical security of equipment, physical security of the environment, physical security of the system and personnel security management, etc. These operating environment security policies protect the DBMS software and the database that it manages from security threats in the DBMS operating environment.
This Standard may be adopted to evaluate DBMS security in multiple deployment structures, which include, but are not limited to, the following architectures:
a) Centralized architecture: the DBMS software and the database application program are installed and operated on one host; the user can only send database access requests or administrative commands through the application terminal, and they are transmitted to the host through communication lines; after the database instance on the host responds and processes them, the processing result is returned to the user terminal through the communication lines.
b) Client/server architecture: the client-side database application and the server-side database instance communicate through network connections; the client side sends database access requests or administrative commands and displays the data returned by the database instance; the server side securely executes the user’s database access requests and administrative commands. The front-end application may be implemented on the basis of a browser; it connects to the database server through a remote Web server or application server, and the remote server takes charge of the interaction with the database server.
c) Distributed database architecture: database nodes are stored on multiple site database servers, which are physically mutually independent. The database servers at these sites, which are connected through the network, collaboratively provide the distributed database data access service. User may execute certain database access requests or administrative operation data, which leads to failure of TSF security control mechanism.

......

5.2.3 Audit mechanism failure (T.AUDIT_FAILURE)
A malicious user or process might modify the security audit strategy, which would lead to the database audit function being disabled or invalidated, audit records being lost, or audit records being tampered with.
Alternatively, by invalidating the audit data storage, the storage of subsequent audit records would be prevented, which would wipe out the record of the user’s database operations.
5.2.4 Cryptographic attack (T.CRYPTO_COMPROMISE)
A malicious user or process might improperly browse, modify or delete the keys, data or ciphertext service components related to the database storage and communication encryption functions, or the executable code of those functions, which would undermine the database encryption mechanism and leak the data protected by it.
5.2.5 Data transmission eavesdropping (T.EAVESDROP)
A malicious user or process might observe or modify user data or TSF data transmitted among physically separated TOE components (including user requests and responses between the client side and the server, data transmission among different nodes of a distributed database, etc.).
5.2.6 Flawed design (T.FLAWED_DESIGN)
Unintentional logic errors in the TOE requirement specifications or design might lead to design weaknesses or flaws. A malicious user might take advantage of these flaws to attack the TOE.
5.2.7 Flawed implementation (T.FLAWED_IMPLEMENTATION)
Unintentional errors during the development of the TOE might lead to weaknesses or flaws in the TOE implementation. A malicious user might take advantage of these unknown loopholes to attack the TOE.
5.2.8 Label data out of control (T.LBAC)
A malicious user or process might illegally browse, modify or delete the label policy data, the classification label data of controlled subjects and the bond label data of controlled objects of the TOE; or an authorized administrator might illegally access the label-managed data assets of a controlled subject.
5.2.9 Masqueraded authorized user (T.MASQUERADE)
A malicious user or process might masquerade as an authorized administrator or authorized user to access the database dictionary, the system security configuration parameters or the data assets protected by the DBMS.
It is assumed that there will be one or more authorized administrators with appointed role permissions in the TOE, and that their roles are divided in accordance with security principles such as least privilege, separation of duties and defense in depth (the ST author needs to explain the specific meaning of “security role” in accordance with the system permissions supported by the DBMS and the specific application solutions that the DBMS targets).
5.4.5 Multi-tier application accountability (A.MIDTIER)
In a multi-tier application environment, in order to guarantee the security accountability of the TOE, the TOE operating environment component service of any middle tier shall send the original authorized user identification to the TSF (the ST author shall explain the specific meaning of “multi-tier application accountability” in accordance with the specific application solutions that the DBMS targets).
5.4.6 Administrator hypothesis (A.NO_HARM)
The authorized users and authorized administrators that use the database have fundamental database security protection knowledge and good habits of database use. They are well trained; they comply with the TOE administrator guidance and use the database in secure modes.
5.4.7 Exclusive for server (A.NO_GENERAL_PURPOSE)
On the host where the DBMS operates, other programs or services that provide general-purpose computation or storage capability (for example, compilers, editors or application programs) are not installed.
5.4.8 Physical security (A.PHYSICAL)
The DBMS operating environment shall provide physical security that is consistent with the value of the data under its management; for example, TOE-related data that is stored outside the database (such as: configuration parameters and archived logs, etc.) is stored and managed in a secure mode.
5.4.9 Communication security (A.SECURE_COMMS)
It is assumed that the communication channels among the different nodes of a distributed database and between the data server and the application terminal are safe and reliable (for example, confidentiality and integrity are satisfied). This may be implemented through a shared key, a public/private key pair, or the generation of a session key from other stored keys.

......

management of DBMS products. The TOE shall provide authorized users with user operation manual documents related to the establishment and application of database objects (the ST author shall explain, based on the TOE security mechanism, the pre-configured database administrator roles, so as to implement authorized management with separation of duties).
6.1.5 Administrator role separation (O.ADMIN_ROLE)
The TOE shall provide authorized administrator roles that correspond to the different database management operations, so as to provide role management functions such as: separation of duties and role constraints, etc. In addition, these management functions may implement security management in local or remote mode (the ST author shall explain, based on the TOE security mechanism, the pre-configured database administrator roles, so as to implement authorized management with separation of duties).
6.1.6 Audit data generation (O.AUDIT_GENERATION)
The TOE shall provide the capability of detecting and generating records of user-related security events, such as: database audit policy definition, audit function start/stop management, database management operations and user database object operations, etc. (the ST author shall explain, based on the composition and storage mechanism of TOE audit records, the mode of audit data storage (inside or outside the database) and the audit data security management mechanism).
6.1.7 Audit data protection (O.AUDIT_PROTECTION)
The TOE shall have the capability of securely storing audit data and protecting the stored audit events.
6.1.8 Available database service (O.AVAIL)
The TOE shall provide data recovery mechanisms for transaction, database instance and storage medium failures; provide the capability of self-maintenance of the database storage structure during DBMS updates; and guarantee the recoverability of the data assets managed by the TOE. The TOE shall provide primary/secondary server TSF control transfer and database instance failover mechanisms, so as to support the distributed component deployment of a distributed database service in accordance with the availability management demand.
6.1.9 Configuration identification (O.CONFIG)
The TOE shall identify the product component configuration and the evaluation configuration items of its documents, so as to provide methods for correcting and tracing them when the DBMS is re-distributed and when errors are corrected.
NOTE: generally speaking, configuration identification refers to the issuance baseline that is

......

The TOE operating environment shall be equipped with a database administrator group or role; provide the necessary functions and facilities for the management and configuration of DBMS operation security; and prevent these functions and facilities from unauthorized usage.
6.2.5 Directory access control protection (OE.DIR_CONTROL)
A DBMS operating environment that supports a directory service (for example, an LDAP server) shall provide mechanisms such as user identification, identity authentication and access control, so as to prevent illegal users from accessing the TSF data stored in the directory service. The access control mechanism of the directory service shall provide security protection measures for TSF control data import/export.
6.2.6 IT domain separation (OE.DOMAIN_SEPARATION)
The TOE operating environment under distributed deployment shall provide the TOE operation nodes with a separable security execution domain. Communication among different DBMS nodes shall be conducted in a secure mode.
6.2.7 Administrator integrity (OE.NO_HARM)
The organization that adopts the TOE shall guarantee that authorized administrators are trustworthy, well trained, and comply with the organization security policy and the relevant database administrator guidance.
6.2.8 Exclusive for database server (OE.NO_GENERAL_PURPOSE)
Apart from the service components necessary for TOE operation, management and support, the database server shall not have computation or storage functional components (for example, compilers, editors or application programs) that are irrelevant to database instance operation.
6.2.9 Consistency of physical security (OE.PHYSICAL)
The TOE operating environment shall provide physical security that is consistent with the DBMS and the value of the data assets it manages.
6.2.10 Communication security environment (OE.SECURE_COMMS)
The TOE operating environment shall provide secure communication lines between the remote user/program and the database server.
6.2.11 IT environment self-protection (OE.SELF_PROTECTION)
The TOE operating environment shall maintain an execution domain that protects the DBMS and its operating environment from external interference, damage or unauthorized leakage.

......

FMT_MSA_EXT.1.2 The TSF shall implement [option: label access control-based security policy, [assignment: information flow control policy with mechanism appointed by the ST author]]; only [option: LBAC authorized user, [assignment: authorized administrator appointed by the ST author]] may implement [[assignment: security attribute] to [assignment: security label]].
NOTE: this requirement is applicable to the EAL-3 evaluation assurance level.
7.1.3.2 Security attribute management [FMT_MSA_EXT.1(2)]
FMT_MSA_EXT.1.1 The TSF shall implement [option: user control policy-based, role control policy-based and user group control policy-based, [assignment: compulsory access control defined by the ST author]]; only [option: authorized administrator, authorized user] may conduct [option: alteration of default value, query, modification, deletion, [assignment: other operations]] on the security attributes [option: database object access permission, security role].
FMT_MSA_EXT.1.2 The TSF shall implement [option: label access control-based security policy, [assignment: information flow control policy with mechanism appointed by the ST author]]; only [option: LBAC authorized user, [assignment: authorized administrator appointed by the ST author]] may implement [[assignment: security attribute] to [assignment: security label]].
NOTE: this requirement is applicable to the EAL-4 evaluation assurance level.
7.1.3.3 Static attribute initialization [FMT_MSA_EXT.3]
FMT_MSA_EXT.3.1 The TSF shall implement [option: user control policy-based, role control policy-based and user group control policy-based, [assignment: self-access control defined by the ST author]], so as to provide default values for the security attributes used to enforce the SFP [option: select one of them: restricted, permitted, [assignment: other properties]].

7.2 Requirements of Security Function
7.2.1 Overview
Table 7 lists the TOE security functional components for the DBMS evaluation assurance levels (EAL) EAL2, EAL3 and EAL4. In the description of the security functional component elements, within square brackets [], bold font signifies already completed operations; bold italics signify assignments and options that still need to be determined by the ST author in the security target.
7.2.2.3 Security audit review (FAU_SAR.1)
FAU_SAR.1.1 The TSF shall provide [assignment: authorized administrator] with the ability to read the audit records and obtain the following audit information:
a) User, user group or role identification;
b) Type of audit event;
c) Database object identification;
d) [option: subject identification, host identification, null];
e) [option: successful auditable security event, failed auditable security event, and [option: [assignment: list of selective audit events based on other selection conditions], without any additional condition]];
f) Database permission [option: system permission, instance permission, database permission, mode object permission, fine-grained data permission].
FAU_SAR.1.2 The TSF shall provide the audit records in a manner that can be understood by authorized users.
7.2.2.4 Restriction of audit review (FAU_SAR.2)
FAU_SAR.2.1 Specific permission to read and access audit data is granted to the authorized administrator. Apart from this, the TSF shall prohibit all other authorized users from reading or accessing the audit records.
7.2.2.5 Optional audit review (FAU_SAR.3)
FAU_SAR.3.1 The TSF shall provide the capability of [searching and ordering] the audit data under review in accordance with [search and classification conditions on the values of audit data fields].
7.2.2.6 Selective audit (FAU_SEL.1)
FAU_SEL.1.1 The TSF shall be able to select the auditable events from the set of auditable events in accordance with the following attributes:
a) User identity [option: object identity, user identity, group identity, subject identity, host identity];
b) Operation type [option: definition statement, query statement, update statement, control statement];
c) Permission level [option: system permission, instance permission, database permission, mode object level audit, fine-grained data

......

organization in accordance with the specific condition of the cryptographic algorithm.
7.2.3.2 Key destruction (FCS_CKM.4)
FCS_CKM.4.1 The TSF shall destroy keys in accordance with a specified key destruction method [assignment: key destruction method] that complies with the following standard [assignment: cryptographic management-related standards or specifications required by the state or the industry].
7.2.3.3 Cryptographic operation (FCS_COP.1)
FCS_COP.1.1 The TSF shall perform [assignment: list of cryptographic operations] in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and key length [assignment: key length] that comply with the following standard [assignment: cryptographic management-related standards or specifications required by the state or the industry].
7.2.4 User data protection (Type FDP)
7.2.4.1 Subset access control (FDP_ACC.1)
FDP_ACC.1.1 The TSF shall enforce the following access control policy [option: user control policy-based, role control policy-based, user group control policy-based, [assignment: self-access control policy defined by the ST author]], defined for subjects (system and user), on the list of authorized database object operations.
7.2.4.2 Security attribute-based access control (FDP_ACF.1)
FDP_ACF.1.1 The TSF shall enforce access control on operations on database objects in accordance with [option: user control policy-based, role control policy-based, user group control policy-based, [assignment: self-access control defined by the ST author]], which shall include the following:
a) The authorized user identity and/or role and/or group membership associated with the subject;
b) The executable access operations and/or role/group permissions of the controlled database object;
c) The controlled database object identification;
d) Enforcement of [option: user control policy-based, role control policy-based, user group control policy-based, [assignment: self-access control policy defined by the ST author]] on the database object.
FDP_ACF.1.2 The TSF shall enforce [assignment: rules governing access between controlled subjects and controlled database objects, using the controlled operations on controlled database objects], so as to determine whether an operation

......

a) There is an ordering function which can determine whether two valid security attributes being provided are equal, whether one security attribute is greater than the other, or whether they are incomparable;
b) A “minimum upper bound” exists in the set of security attributes: for any two valid security attributes provided, there is a valid security attribute that is greater than or equal to both;
c) A “maximum lower bound” exists in the set of security attributes: for any two valid security attributes provided, there is a valid security attribute that is not greater than either of the two.
7.2.4.5 User data output with security attribute (FDP_ETC.2)
FDP_ETC.2.1 When outputting user data under SFP control to outside the TOE, the TSF shall enforce [assignment: access control SFP and/or information flow control SFP].
FDP_ETC.2.2 The TSF shall output the user data together with the security attributes associated with it.
FDP_ETC.2.3 The TSF shall ensure that the security attributes, when output to outside the TOE, are unambiguously associated with the output user data.
FDP_ETC.2.4 When user data is output from the TOE, the TSF shall enforce the following rule: [assignment: additional output control rule].
7.2.4.6 User data input without security attribute (FDP_ITC.1)
FDP_ITC.1.1 When inputting user data under SFP control from outside the TOE, the TSF shall enforce [assignment: access control SFP and/or information flow control SFP].
FDP_ITC.1.2 When inputting user data from outside the TOE, the TSF shall ignore any security attributes associated with the user data.
FDP_ITC.1.3 When inputting user data under SFP control from outside the TOE, the TSF shall enforce the following rule: [assignment: additional input control rule].
7.2.4.7 Basic internal transmission protection (FDP_ITT.1)
FDP_ITT.1.1 When user data is transmitted among physically separated parts of the TOE, the TSF shall enforce [assignment: access control SFP and/or information flow control SFP] to prevent the [option: leakage, tampering, loss of availability] of user data.
7.2.4.8 Subset residual information protection (FDP_RIP.1)
FDP_RIP.1.1 The TSF shall ensure that any previous information content of server resources (such as: database server shared cache and storage space) is made unavailable upon the release of the resources, or when the resources are re-allocated to other model objects.

......

d) Server resource restriction;
e) Database object access permission;
f) Database management permission;
g) [assignment: any additional security attributes of the authorized administrator].
7.2.5.3 Verification of secrets (FIA_SOS.1)
FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet [assignment: a defined quality metric]. For example, the verification of user commands shall sati...... ......
 
Source: Above contents are excerpted from the PDF -- translated/reviewed by: www.chinesestandard.net / Wayne Zheng et al.