Issue date: 2019/08/06
Copyright CANON INC. 2019
Canon imageRUNNER ADVANCE C475 III Series 2600 model
Security Target
Version 1.01
2019/08/06
Canon Inc. (キヤノン株式会社)
Significant portions of this document were excerpted from IEEE Std 2600.1-2009 and IEEE Std 2600.2-2009, copyright IEEE 2009, and reproduced with permission from IEEE. All rights reserved. For any use beyond what is permitted, please contact mailto:[email protected].
in order to send electronic documents it has scanned itself by I-fax or e-mail, or to receive I-faxes,
1 In the assumed installation environment, the audit log file server is Windows Server 2012 R2 Standard Edition.
2 In the assumed installation environment, the Syslog server is psyslog v1.04 running on Windows Server 2012 R2 Standard Edition
From the above, this ST imposes restrictions on the TOE that are equivalent to or stricter than those of the PP, and restrictions on the TOE's operational environment that are equivalent to or looser than those of the PP.
Therefore, this ST demonstrably conforms to the PP.
3 Security Problem Definition
3.1 Notational conventions
a) Defined terms in full form are set in title case (for example, “Document Storage and Retrieval”).
b) Defined terms in abbreviated form are set in all caps (for example, “DSR”).
c) In tables that describe Security Objectives rationale, a checkmark (“✓”) placed at the intersection of
a row and column indicates that the threat identified in that row is wholly or partially mitigated by
the objective in that column.
d) In tables that describe completeness of security requirements, a bold typeface letter “P” placed at
the intersection of a row and column indicates that the requirement identified in that row performs
a principal fulfillment of the objective indicated in that column. A letter “S” in such an intersection
indicates that it performs a supporting fulfillment.
e) In tables that describe the sufficiency of security requirements, a bold typeface requirement name
and purpose indicates that the requirement performs a principal fulfillment of the objective in the
same row. Requirement names and purposes set in normal typeface indicate that those
requirements perform supporting fulfillments.
f) In specifications of Security Functional Requirements (SFRs):
1) Bold typeface indicates the portion of an SFR that has been completed or refined in this
Protection Profile, relative to the original SFR definition in Common Criteria Part 2 or an
Extended Component Definition.
2) Italic typeface indicates the portion of an SFR that must be completed by the ST Author in a
conforming Security Target.
3) Bold italic typeface indicates the portion of an SFR that has been partially completed or
refined in this Protection Profile, relative to the original SFR definition in Common Criteria
Part 2 or an Extended Component Definition, but which also must be completed by the ST
Author in a conforming Security Target.
g) The following prefixes in Table 10 are used to indicate different entity types:
Table 10 — Notational prefix conventions
Prefix Type of entity
U. User
D. Data
F. Function
T. Threat
P. Policy
A. Assumption
O. Objective
OE. Environmental objective
+ Security attribute
3.2 Threat agents
This security problem definition addresses threats posed by four categories of threat agents:
a) Persons who are not permitted to use the TOE who may attempt to use the TOE.
b) Persons who are authorized to use the TOE who may attempt to use TOE functions for which they are
not authorized.
c) Persons who are authorized to use the TOE who may attempt to access data in ways for which they are
not authorized.
d) Persons who unintentionally cause a software malfunction that may expose the TOE to unanticipated
threats.
The threats and policies defined in this Protection Profile address the threats posed by these threat agents.
3.3 Threats to TOE Assets
This section describes threats to assets described in clause 1.8.
Table 11 — Threats to User Data for the TOE
Threat Affected asset Description
T.DOC.DIS D.DOC User Document Data may be disclosed to unauthorized persons
T.DOC.ALT D.DOC User Document Data may be altered by unauthorized persons
T.FUNC.ALT D.FUNC User Function Data may be altered by unauthorized persons
Table 12 — Threats to TSF Data for the TOE
Threat Affected asset Description
T.PROT.ALT D.PROT TSF Protected Data may be altered by unauthorized persons
T.CONF.DIS D.CONF TSF Confidential Data may be disclosed to unauthorized persons
T.CONF.ALT D.CONF TSF Confidential Data may be altered by unauthorized persons
3.4 Organizational Security Policies for the TOE
This section describes the Organizational Security Policies (OSPs) that apply to the TOE. OSPs are used to provide
a basis for Security Objectives that are commonly desired by TOE Owners in this operational environment but for
which it is not practical to universally define the assets being protected or the threats to those assets.
Table 13 — Organizational Security Policies for the TOE
Name Definition
P.USER.AUTHORIZATION To preserve operational accountability and security, Users will be
authorized to use the TOE only as permitted by the TOE Owner.
P.SOFTWARE.VERIFICATION To detect corruption of the executable code in the TSF, procedures
will exist to self-verify executable code in the TSF.
P.AUDIT.LOGGING To preserve operational accountability and security, records that
provide an audit trail of TOE use and security-relevant events will
be created, maintained, and protected from unauthorized
disclosure or alteration, and will be reviewed by authorized
personnel.
P.INTERFACE.MANAGEMENT To prevent unauthorized use of the external interfaces of the TOE,
operation of those interfaces will be controlled by the TOE and its
IT environment.
P.STORAGE.CRYPT*) Data recorded on the TOE's HDD must be encrypted.
*) Assumes customers whose policy requires the MFP to have an HDD encryption function.
3.5 Assumptions
The Security Objectives and Security Functional Requirements defined in subsequent sections of this Protection
Profile are based on the condition that all of the assumptions described in this section are satisfied.
Table 14 — Assumptions
Assumption Definition
A.ACCESS.MANAGED The TOE is located in a restricted or monitored environment that provides
protection from unmanaged access to the physical components and data
interfaces of the TOE.
A.USER.TRAINING TOE Users are aware of the security policies and procedures of their
organization, and are trained and competent to follow those policies and
procedures.
A.ADMIN.TRAINING Administrators are aware of the security policies and procedures of their
organization, are trained and competent to follow the manufacturer’s
guidance and documentation, and correctly configure and operate the TOE
in accordance with those policies and procedures.
A.ADMIN.TRUST Administrators do not use their privileged access rights for malicious purposes.
4 Security Objectives
4.1 Security Objectives for the TOE
This section describes the security objectives that the TOE must achieve.
Table 15 — Security Objectives for the TOE
Objective Definition
O.DOC.NO_DIS The TOE shall protect User Document Data from unauthorized
disclosure.
O.DOC.NO_ALT The TOE shall protect User Document Data from unauthorized
alteration.
O.FUNC.NO_ALT The TOE shall protect User Function Data from unauthorized
alteration.
O.PROT.NO_ALT The TOE shall protect TSF Protected Data from unauthorized
alteration.
O.CONF.NO_DIS The TOE shall protect TSF Confidential Data from unauthorized
disclosure.
O.CONF.NO_ALT The TOE shall protect TSF Confidential Data from unauthorized
alteration.
O.USER.AUTHORIZED The TOE shall require identification and authentication of Users,
and shall ensure that Users are authorized in accordance with
security policies before allowing them to use the TOE
O.INTERFACE.MANAGED The TOE shall manage the operation of external interfaces in
accordance with security policies.
O.SOFTWARE.VERIFIED The TOE shall provide procedures to self-verify executable code
in the TSF.
O.AUDIT.LOGGED The TOE shall create and maintain a log of TOE use and
security-relevant events and prevent its unauthorized disclosure
or alteration.
O.STORAGE.CRYPTED The TOE shall encrypt data when writing it to the HDD.
4.2 Security Objectives for the IT environment
This section describes the security objectives for the IT environment.
Table 16 — Security Objectives for the IT environment
Objective Definition
OE.AUDIT_STORAGE.PROTECTED If audit records are exported from the TOE to another trusted IT
product, the TOE Owner shall ensure that those records are
protected from unauthorized access, deletion and modifications.
OE.AUDIT_ACCESS.AUTHORIZED If audit records generated by the TOE are exported
from the TOE to another trusted IT product, the TOE Owner
shall ensure that those records can be accessed in order to detect
potential security violations, and only by authorized persons.
OE.INTERFACE.MANAGED The IT environment shall provide protection from unmanaged
access to TOE external interfaces.
4.3 Security Objectives for the non-IT environment
This section describes the security objectives for the non-IT environment.
Table 17 — Security Objectives for the non-IT environment
Objective Definition
OE.PHYSICAL.MANAGED The TOE shall be placed in a secure or monitored area that
provides protection from unmanaged physical access to the TOE.
OE.USER.AUTHORIZED The TOE Owner shall grant permission to Users to be authorized
to use the TOE according to the security policies and procedures
of their organization.
OE.USER.TRAINED The TOE Owner shall ensure that Users are aware of the security
policies and procedures of their organization and have the
training and competence to follow those policies and procedures.
OE.ADMIN.TRAINED The TOE Owner shall ensure that TOE Administrators are aware
of the security policies and procedures of their organization; have
the training, competence, and time to follow the manufacturer’s
guidance and documentation; and correctly configure and operate
the TOE in accordance with those policies and procedures.
OE.ADMIN.TRUSTED The TOE Owner shall establish trust that TOE Administrators
will not use their privileged access rights for malicious purposes.
OE.AUDIT.REVIEWED The TOE Owner shall ensure that audit logs are reviewed at
appropriate intervals for security violations or unusual patterns of
FIA_AFL.1.1 The TSF shall detect when [selection: [assignment: positive integer number], an administrator configurable positive integer within[assignment: range of acceptable values]] unsuccessful authentication attempts occur related to [assignment: list of authentication events].
[selection: [assignment: positive integer number], an administrator configurable positive integer within[assignment: range of acceptable values]] an administrator configurable positive integer within 1 to 10
[assignment: list of authentication events]
Login attempts via the control panel or the Remote UI
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been
[selection: met, surpassed], the TSF shall [assignment: list of actions].
[selection: met, surpassed] met
[assignment: list of actions]
Lockout
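To make the completed FIA_AFL.1 concrete, here is an added example (written for this page, not Canon firmware) of a login guard that enforces an administrator-configurable threshold of 1 to 10 consecutive failures and locks the account the moment the threshold is met, as the selection "met" requires. The user names, the plaintext credential map and the Unlock administrative action are assumptions for illustration; a real TOE stores hashed secrets and restricts Unlock to U.ADMINISTRATOR.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// Model of FIA_AFL.1 as completed in this ST: the administrator sets a
// failure threshold of 1..10, and when the count of consecutive failed
// login attempts meets it the account is locked out.
// Hypothetical example code, not Canon firmware.

var ErrThresholdOutOfRange = errors.New("threshold must be within 1 to 10")

// Authenticator holds the configured threshold and per-user state.
type Authenticator struct {
	maxFailures int
	secrets     map[string]string // constructed sample credentials; a real TOE stores hashed secrets
	failures    map[string]int
	lockedOut   map[string]bool
}

// NewAuthenticator rejects thresholds outside the ST's range of 1 to 10.
func NewAuthenticator(maxFailures int, secrets map[string]string) (*Authenticator, error) {
	if maxFailures < 1 || maxFailures > 10 {
		return nil, ErrThresholdOutOfRange
	}
	return &Authenticator{
		maxFailures: maxFailures,
		secrets:     secrets,
		failures:    map[string]int{},
		lockedOut:   map[string]bool{},
	}, nil
}

// Login returns true only for a correct password on an unlocked account.
// Locked accounts are refused before the secret is compared, so a correct
// guess after lockout still fails (FIA_AFL.1.2 action: lockout).
func (a *Authenticator) Login(user, password string) bool {
	if a.lockedOut[user] {
		return false
	}
	stored, known := a.secrets[user]
	// Constant-time compare; unknown users are treated like wrong passwords
	// so the response does not reveal which user names exist.
	if known && subtle.ConstantTimeCompare([]byte(stored), []byte(password)) == 1 {
		a.failures[user] = 0 // only consecutive failures count
		return true
	}
	a.failures[user]++
	if a.failures[user] >= a.maxFailures { // "met": lock at exactly the threshold
		a.lockedOut[user] = true
	}
	return false
}

// IsLockedOut reports the current lockout state for a user.
func (a *Authenticator) IsLockedOut(user string) bool { return a.lockedOut[user] }

// Unlock is the assumed administrative action that clears lockout and counter.
func (a *Authenticator) Unlock(user string) {
	a.lockedOut[user] = false
	a.failures[user] = 0
}

func main() {
	auth, err := NewAuthenticator(3, map[string]string{"alice": "correct horse"})
	if err != nil {
		panic(err)
	}
	for i := 1; i <= 3; i++ {
		ok := auth.Login("alice", "wrong")
		fmt.Println("bad attempt", i, "accepted:", ok, "locked:", auth.IsLockedOut("alice"))
	}
	fmt.Println("correct password while locked accepted:", auth.Login("alice", "correct horse"))
	auth.Unlock("alice")
	fmt.Println("correct password after unlock accepted:", auth.Login("alice", "correct horse"))
}
```

Note that the counter is reset only by a successful login or an administrative unlock; a threshold outside 1..10 is rejected at configuration time rather than silently clamped.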
FIA_ATD.1 User attribute definition
Hierarchical to: No other components
Dependencies: No dependencies
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to
individual users: [assignment: list of security attributes].
[assignment: list of security attributes].
User name, role
FIA_UAU.1 Timing of authentication
Hierarchical to: No other components
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.1.1 The TSF shall allow [assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE] on behalf of the user to be performed
before the user is authenticated.
[assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE]
Submission of print jobs, fax jobs, and I-fax jobs
FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing
any other TSF-mediated actions on behalf of that user.
FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_UAU.7.1 The TSF shall provide only [assignment: list of feedback] to the user while the
authentication is in progress.
[assignment: list of feedback] *
FIA_UID.1 Timing of identification
Hierarchical to: No other components
Dependencies: No dependencies
FIA_UID.1.1 The TSF shall allow [assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE] on behalf of the user to be performed
before the user is identified.
[assignment: list of TSF-mediated actions that do not conflict with access-controlled Functions of the TOE]
Submission of print jobs, fax jobs, and I-fax jobs
FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any
other TSF-mediated actions on behalf of that user.
FIA_USB.1 User-subject binding
Hierarchical to: No other components
Dependencies: FIA_ATD.1 User attribute definition
FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting
on the behalf of that user: [assignment: list of user security attributes].
[assignment: list of user security attributes].
User name, role
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security
attributes with the subjects acting on behalf of users: [assignment: rules for the initial association of attributes].
[assignment: rules for the initial association of attributes].
None
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security
attributes with the subjects acting on behalf of users: [assignment: rules for the changing of attributes].
[assignment: rules for the changing of attributes]
None
FTA_SSL.3(lui) TSF-initiated termination
Hierarchical to: No other components
Dependencies: No dependencies
FTA_SSL.3.1(lui) The TSF shall terminate an interactive session after a [assignment: time interval of user inactivity].
[assignment: time interval of user inactivity]
The configured time has elapsed with no operation on the control panel
FTA_SSL.3(rui) TSF-initiated termination
Hierarchical to: No other components
Dependencies: No dependencies
FTA_SSL.3.1(rui) The TSF shall terminate an interactive session after a [assignment: time interval of user inactivity].
[assignment: time interval of user inactivity]
15 minutes have elapsed with no operation on the Remote UI
6.1.2 Job execution access control function
FMT_MSA.1(exec-job) Management of security attributes
Hierarchical to: No other components
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1(exec-job) The TSF shall enforce the TOE Function Access Control SFP,
[assignment: access control SFP(s), information flow control SFP(s)] to restrict the
ability to [selection: change_default, query, modify, delete, [assignment: other operations]] the security attributes [assignment: list of security attributes] to
[assignment: the authorised identified roles].
[assignment: access control SFP(s), information flow control SFP(s)] None
FMT_MSA.3(exec-job) Static attribute initialisation
Hierarchical to: No other components
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1(exec-job) The TSF shall enforce the TOE Function Access Control Policy, [assignment: access control SFP, information flow control SFP] to provide [selection,
choose one of: restrictive, permissive, [assignment: other property]] default
values for security attributes that are used to enforce the SFP.
[assignment: access control SFP, information flow control SFP]
None
[selection, choose one of: restrictive, permissive, [assignment: other property]] Restrictive
[refinement]
TOE Function Access Control Policy → TOE Function Access Control SFP
FMT_MSA.3.2(exec-job) The TSF shall allow the [assignment: the authorized identified roles] to
specify alternative initial values to override the default values when an object or
information is created.
[assignment: the authorized identified roles] Nobody
FDP_ACC.1(exec-job) Subset access control
Hierarchical to: No other components
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1(exec-job) The TSF shall enforce the TOE Function Access Control SFP on users
as subjects, TOE functions as objects, and the right to use the functions as
operations.
FDP_ACF.1(exec-job) Security attribute based access control
Hierarchical to: No other components
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1(exec-job) The TSF shall enforce the TOE Function Access Control SFP to objects
based on the following: users and [assignment: list of TOE functions and the security attribute(s) used to determine the TOE Function Access Control SFP].
[assignment: list of TOE functions and the security attribute(s) used to determine the TOE Function Access Control SFP]
objects controlled under the TOE Function Access Control SFP in Table 20,
and for each, the indicated security attributes in Table 20
FDP_ACF.1.2(exec-job) The TSF shall enforce the following rules to determine if an operation
among controlled subjects and controlled objects is allowed: [selection: the user is explicitly authorized by U.ADMINISTATOR to use a function, a user that is authorized to use the TOE is automatically authorized to use the functions [assignment: list of functions], [assignment: other conditions]].
[selection: the user is explicitly authorized by U.ADMINISTATOR to use a function, a user that is authorized to use the TOE is automatically authorized to use the functions [assignment: list of functions], [assignment: other conditions]] [assignment: other conditions]
[assignment: other conditions] rules specified in the TOE Function Access Control SFP in Table 20 governing access
among controlled users as subjects and controlled objects using controlled operations
on controlled objects.
FDP_ACF.1.3(exec-job) The TSF shall explicitly authorise access of subjects to objects based on
the following additional rules: the user acts in the role U.ADMINISTRATOR,
[assignment: other rules, based on security attributes, that explicitly authorise access of subjects to objects].
[assignment: other rules, based on security attributes, that explicitly authorise access of subjects to objects]
None
FDP_ACF.1.4(exec-job) The TSF shall explicitly deny access of subjects to objects based on the
[assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].
[assignment: rules, based on security attributes, that explicitly deny access of subjects to objects]
None
Table 20 — TOE Function Access Control SFP
Object | Attribute | Operation(s) | Subject | Attribute | Access control rule
"Print" | +PRT | Job execution using the Object's pointer | U.USER | Role | The Subject's role is a role permitted to perform the Operation on an Object with this attribute.
"Copy" | +CPY, +DSR | Job execution using the Object's pointer | U.USER | Role | The Subject's role is a role permitted to perform the Operation on an Object with this attribute.
"Scan" | +SCN, +DSR | Job execution using the Object's pointer | U.USER | Role | The Subject's role is a role permitted to perform the Operation on an Object with this attribute.
"Fax" | +FAXOUT | Job execution using the Object's pointer | U.USER | Role | The Subject's role is a role permitted to perform the Operation on an Object with this attribute.
"Inbox" | +FAXIN | Job execution using the Object's pointer | U.USER | Role | The Subject's role is a role permitted to perform the Operation on an Object with this attribute.
"Use of stored files" | +DSR | Job execution using the Object's pointer | U.USER | Role | The Subject's role is a role permitted to perform the Operation on an Object with this attribute.
"Receive/Stored file use" on the Remote UI | +DSR, +FAXIN | Job execution using the Object's pointer | U.USER | Role | The Operation is permitted if the Subject's role is Administrator.
6.1.3 Submitted job access control function
6.1.3.1 Job deletion function
FMT_MSA.1(delete-job) Management of security attributes
Hierarchical to: No other components
Dependencies: [FDP_ACC.1 Subset access control, or
FDP_IFC.1 Subset information flow control]
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MSA.1.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22, [assignment: access control SFP(s), information flow control SFP(s)] to restrict the
ability to [selection: change_default, query, modify, delete, [assignment: other
operations]] the security attributes [assignment: list of security attributes] to
[assignment: the authorised identified roles].
[assignment: access control SFP(s), information flow control SFP(s)] In The JOB Access Control SFP in Table 23
FMT_MSA.3(delete-job) Static attribute initialisation
Hierarchical to: No other components
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22, [assignment: access control SFP, information flow control SFP] to provide [selection,
choose one of: restrictive, permissive, [assignment: other property]] default values
for security attributes that are used to enforce the SFP.
[assignment: access control SFP, information flow control SFP] Common Access Control SFP in Table 22
In The JOB Access Control SFP in Table 23
[selection, choose one of: restrictive, permissive, [assignment: other property]] restrictive
FMT_MSA.3.2(delete-job) The TSF shall allow the [assignment: the authorized identified roles] to
specify alternative initial values to override the default values when an object or information is
created.
[assignment: the authorized identified roles] Nobody
FDP_ACC.1(delete-job) Subset access control
Hierarchical to: No other components
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22 on
the list of users as subjects, objects, and operations among subjects and objects
covered by the Common Access Control SFP in Table 22.
FDP_ACF.1(delete-job) Security attribute based access control
Hierarchical to: No other components
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1(delete-job) The TSF shall enforce the Common Access Control SFP in Table 22 to
objects based on the following: the list of users as subjects and objects controlled
under the Common Access Control SFP in Table 22, and for each, the indicated
security attributes in Table 22.
FDP_ACF.1.2(delete-job) The TSF shall enforce the following rules to determine if an operation
among controlled subjects and controlled objects is allowed: rules specified in the
Common Access Control SFP in Table 22 governing access among controlled users
as subjects and controlled objects using controlled operations on controlled objects.
FDP_ACF.1.3(delete-job) The TSF shall explicitly authorise access of subjects to objects based on
the following additional rules: [assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects].
[assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects]
FDP_ACF.1.4(delete-job) The TSF shall explicitly deny access of subjects to objects based on the
[assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].
[assignment: rules, based on security attributes, that explicitly deny access of subjects to objects]
None
Table 22 — Common Access Control SFP
Object | Attribute | Operation(s) | Subject | Access control rule
D.DOC | +PRT, +SCN, +CPY, +FAXOUT, +DSR | Delete | U.NORMAL | Denied, except for his/her own documents
D.DOC | +FAXIN | Delete | U.NORMAL | Denied
D.FUNC | +PRT, +SCN, +CPY, +FAXOUT, +DSR | Modify; Delete | U.NORMAL | Denied, except for his/her own function data
D.FUNC | +FAXIN | Modify | U.USER | Denied
D.FUNC | +FAXIN | Delete | U.NORMAL | Denied
6.1.3.2 In-job access control function
FDP_ACC.1(in-job) Subset access control
Hierarchical to: No other components
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1(in-job) The TSF shall enforce the In The JOB Access Control SFP in Table 23
on the list of subjects, objects, and operations among subjects and objects covered
by the In The JOB Access Control SFP in Table 23.
FDP_ACF.1(in-job) Security attribute based access control
Hierarchical to: No other components
Dependencies: FDP_ACC.1 Subset access control
FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1(in-job) The TSF shall enforce the In The JOB Access Control SFP in Table 23
to objects based on the following: the list of subjects and objects controlled under
the In The JOB Access Control SFP in Table 23, and for each, the indicated security
attributes in Table 23.
FDP_ACF.1.2(in-job) The TSF shall enforce the following rules to determine if an operation
among controlled subjects and controlled objects is allowed: rules specified in the
In The JOB Access Control SFP in Table 23 governing access among Users and
controlled objects using controlled operations on controlled objects.
FDP_ACF.1.3(in-job) The TSF shall explicitly authorise access of subjects to objects based on
the following additional rules: [assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects].
[assignment: rules, based on security attributes, that explicitly authorise access of subjects to objects]
U.ADMINISTRATOR may read D.DOC with +FAXIN/+DSR
FDP_ACF.1.4(in-job) The TSF shall explicitly deny access of subjects to objects based on the
[assignment: rules, based on security attributes, that explicitly deny access of subjects to objects].
[assignment: rules, based on security attributes, that explicitly deny access of subjects to objects]
None
Table 23 — In The JOB Access Control SFP
Object Attribute(s) Operation Subject Access control rule
D.DOC +PRT Read U.USER Denied, except for his/her own documents
D.DOC +SCN Read U.USER Denied, except for his/her own documents
D.DOC +CPY Read U.USER Denied
D.DOC +FAXIN Read U.NORMAL Denied
D.DOC +FAXOUT Read U.USER Denied, except for his/her own documents
D.DOC +DSR Read U.NORMAL Denied, except for his/her own documents
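Table 22, Table 23 and the explicit authorisation in FDP_ACF.1.3(in-job) are easiest to check as a single decision function. The following is an added example (written for this page, not the TOE's code) that encodes those rows and answers allow or deny for a subject, an object attribute and an operation. Two points are assumptions of the example rather than statements of the ST: a request that no row and no explicit rule covers is denied, in line with the restrictive defaults chosen in FMT_MSA.3(delete-job); and the FDP_ACF.1.3(delete-job) assignment, which is blank on this page, is treated as adding no further authorisation.

```go
package main

import "fmt"

// Decision logic for the Common Access Control SFP (Table 22), the In The
// JOB Access Control SFP (Table 23) and FDP_ACF.1.3(in-job).
// Example code written for this page, not Canon's implementation.
// Assumption: a request no row covers is denied (restrictive default).

type Role int

const (
	Normal        Role = iota // U.NORMAL
	Administrator             // U.ADMINISTRATOR
)

// Subject is an authenticated user; Name is the owner identity recorded on jobs.
type Subject struct {
	Name string
	Role Role
}

type ObjectType int

const (
	DDOC  ObjectType = iota // D.DOC, User Document Data
	DFUNC                   // D.FUNC, User Function Data
)

// Object carries its security attribute (+PRT, +SCN, ...) and its owner.
type Object struct {
	Type  ObjectType
	Attr  string
	Owner string
}

type Operation string

const (
	Read   Operation = "Read"
	Modify Operation = "Modify"
	Delete Operation = "Delete"
)

type subjectClass int

const (
	anyUser    subjectClass = iota // row says U.USER: every authenticated user
	normalOnly                     // row says U.NORMAL: administrators not covered
)

// rule is one row of Table 22 or Table 23.
type rule struct {
	obj       ObjectType
	attrs     []string
	ops       []Operation
	subjects  subjectClass
	exceptOwn bool // "Denied, except for his/her own ..."
}

var jobAttrs = []string{"+PRT", "+SCN", "+CPY", "+FAXOUT", "+DSR"}

var commonSFP = []rule{ // Table 22
	{DDOC, jobAttrs, []Operation{Delete}, normalOnly, true},
	{DDOC, []string{"+FAXIN"}, []Operation{Delete}, normalOnly, false},
	{DFUNC, jobAttrs, []Operation{Modify, Delete}, normalOnly, true},
	{DFUNC, []string{"+FAXIN"}, []Operation{Modify}, anyUser, false},
	{DFUNC, []string{"+FAXIN"}, []Operation{Delete}, normalOnly, false},
}

var inJobSFP = []rule{ // Table 23
	{DDOC, []string{"+PRT"}, []Operation{Read}, anyUser, true},
	{DDOC, []string{"+SCN"}, []Operation{Read}, anyUser, true},
	{DDOC, []string{"+CPY"}, []Operation{Read}, anyUser, false},
	{DDOC, []string{"+FAXIN"}, []Operation{Read}, normalOnly, false},
	{DDOC, []string{"+FAXOUT"}, []Operation{Read}, anyUser, true},
	{DDOC, []string{"+DSR"}, []Operation{Read}, normalOnly, true},
}

// matches reports whether this row governs the request at all.
func (r rule) matches(s Subject, o Object, op Operation) bool {
	if r.obj != o.Type || (r.subjects == normalOnly && s.Role != Normal) {
		return false
	}
	attrOK, opOK := false, false
	for _, a := range r.attrs {
		attrOK = attrOK || a == o.Attr
	}
	for _, x := range r.ops {
		opOK = opOK || x == op
	}
	return attrOK && opOK
}

// Allowed decides one request. FDP_ACF.1.3(in-job) is an explicit
// authorisation and so wins over the table rows; FDP_ACF.1.4 is "None"
// in both SFPs, so there is no explicit deny to check first.
func Allowed(s Subject, o Object, op Operation) bool {
	if s.Role == Administrator && o.Type == DDOC && op == Read &&
		(o.Attr == "+FAXIN" || o.Attr == "+DSR") {
		return true
	}
	for _, table := range [][]rule{commonSFP, inJobSFP} {
		for _, r := range table {
			if r.matches(s, o, op) {
				return r.exceptOwn && o.Owner == s.Name
			}
		}
	}
	return false // assumption: nothing covered the request, deny
}

func main() {
	alice := Subject{Name: "alice", Role: Normal}
	admin := Subject{Name: "admin", Role: Administrator}
	doc := Object{Type: DDOC, Attr: "+PRT", Owner: "alice"}
	fmt.Println("alice reads her print job:", Allowed(alice, doc, Read))
	fmt.Println("admin reads alice's print job:", Allowed(admin, doc, Read))
	fmt.Println("admin reads an inbox fax:", Allowed(admin, Object{Type: DDOC, Attr: "+FAXIN"}, Read))
	fmt.Println("admin modifies inbox job data:", Allowed(admin, Object{Type: DFUNC, Attr: "+FAXIN"}, Modify))
}
```

The distinction between a U.USER row and a U.NORMAL row matters: the +FAXIN Modify row of Table 22 names U.USER, so even an administrator cannot modify received-fax job data, while an administrator's read of +FAXIN or +DSR documents is allowed only because FDP_ACF.1.3(in-job) says so explicitly.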
6.1.4 Received job forwarding function
FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces
Hierarchical to: No other components
Dependencies: FMT_SMF.1 Specification of Management Functions FMT_SMR.1 Security roles
FPT_FDI_EXP.1.1 The TSF shall provide the capability to restrict data received on any external Interface from being forwarded without further processing by the TSF to
any Shared-medium Interface.
6.1.5 HDD data complete erase function
FDP_RIP.1 Subset residual information protection
Hierarchical to: No other components
Dependencies: No dependencies
FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable
upon the [selection: allocation of the resource to, deallocation of the resource from] the
following objects: D.DOC, [assignment: list of objects].
[selection: allocation of the resource to, deallocation of the resource from] deallocation of the resource from
[assignment: list of objects].
None
6.1.6 HDD encryption function
6.1.6.1 Encryption/decryption function
FCS_COP.1(h) Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes,
or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1(h) The TSF shall perform [assignment: list of cryptographic operations] in
accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that
meet the following: [assignment: list of standards].
[assignment: list of cryptographic operations]
Encryption of data written to the HDD
Decryption of data read from the HDD
[assignment: cryptographic algorithm] AES
[assignment: cryptographic key sizes] 256 bit
[assignment: list of standards] FIPS PUB 197
6.1.7 LAN data protection function
6.1.7.1 IP packet encryption function
FCS_COP.1(n) Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes,
or
FDP_ITC.2 Import of user data with security attributes, or
FCS_CKM.1 Cryptographic key generation]
FCS_CKM.4 Cryptographic key destruction
FCS_COP.1.1(n) The TSF shall perform [assignment: list of cryptographic operations] in
accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that
meet the following: [assignment: list of standards].
[assignment: list of cryptographic operations]
Encryption of IP packets sent to the LAN
Decryption of IP packets received from the LAN
[assignment: cryptographic algorithm]
The "cryptographic algorithm" column of Table 24
[assignment: cryptographic key sizes]
The "cryptographic key sizes" column of Table 24
[assignment: list of standards]
The "list of standards" column of Table 24
Table 24 — IPsec cryptographic algorithms, key sizes and standards
cryptographic algorithm cryptographic key sizes list of standards
AES-CBC 256 bit FIPS PUB 197
AES-GCM 256 bit SP800-38D
FTP_ITC.1 Inter-TSF trusted channel
Hierarchical to: No other components
Dependencies: No dependencies
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted
IT product that is logically distinct from other communication channels and
provides assured identification of its end points and protection of the communicated
data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit the TSF, another trusted IT product to initiate
communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for communication
of D.DOC, D.FUNC, D.PROT, and D.CONF over any Shared-medium Interface.
6.1.8 Self-test function
FPT_TST.1 TSF testing
Hierarchical to: No other components
Dependencies: No dependencies
FPT_TST.1.1 The TSF shall run a suite of self tests [selection: during initial start-up, periodically
during normal operation, at the request of the authorised user, at the conditions [assignment: conditions under which self test should occur]] to demonstrate the
correct operation of [selection: [assignment: parts of TSF], the TSF].
[selection: during initial start-up, periodically during normal operation, at the request of the authorised user, at the conditions [assignment: conditions under which self test should occur]] during initial start-up
[selection: [assignment: parts of TSF], the TSF]
The cryptographic algorithm (AES) used by the LAN data protection function
FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity
of [selection: [assignment: parts of TSF], TSF Data].
[selection: [assignment: parts of TSF], TSF Data] [assignment: parts of TSF]
[assignment: parts of TSF]
Audit log
FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity
of stored TSF executable code.
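Table 24 names AES-CBC (FIPS PUB 197) and AES-GCM (SP 800-38D) for IPsec, and FPT_TST.1.1 requires the AES algorithm of the LAN data protection function to be self-tested at start-up. The following added example (written for this page; it says nothing about how the TOE's own self-test is built) shows what such a start-up known-answer test looks like with Go's standard library: the AES-256 block transform is checked against the FIPS 197 Appendix C.3 vector, AES-256-GCM against the all-zero-key, all-zero-IV, single zero block test case from the GCM specification, and a corrupted tag must be rejected. Vector values are quoted from those specifications; the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"errors"
	"fmt"
)

// Start-up known-answer test (KAT) for the two AES modes in Table 24, in the
// spirit of FPT_TST.1.1. Example code written for this page, not the TOE's.

// mustHex decodes a hex constant; a typo in a vector is a programming error.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// AESBlockKAT checks the AES-256 core against FIPS 197 Appendix C.3, the
// block transform that AES-CBC in Table 24 is built on.
func AESBlockKAT() error {
	key := mustHex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
	pt := mustHex("00112233445566778899aabbccddeeff")
	want := mustHex("8ea2b7ca516745bfeafc49904b496089")

	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	got := make([]byte, aes.BlockSize)
	block.Encrypt(got, pt)
	if !bytes.Equal(got, want) {
		return fmt.Errorf("AES-256 encrypt KAT failed: got %x", got)
	}
	back := make([]byte, aes.BlockSize)
	block.Decrypt(back, got)
	if !bytes.Equal(back, pt) {
		return errors.New("AES-256 decrypt KAT failed")
	}
	return nil
}

// AESGCMKAT checks AES-256-GCM (SP 800-38D) against the all-zero vector
// (key 0^256, IV 0^96, one zero block) from the GCM specification and
// confirms that a corrupted tag is rejected.
func AESGCMKAT() error {
	key := make([]byte, 32)
	iv := make([]byte, 12)
	pt := make([]byte, 16)
	wantCT := mustHex("cea7403d4d606b6e074ec5d3baf39d18")
	wantTag := mustHex("d0d1c8a799996bf0265b98b5d48ab919")

	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	sealed := gcm.Seal(nil, iv, pt, nil) // ciphertext || 16-byte tag
	if !bytes.Equal(sealed[:16], wantCT) || !bytes.Equal(sealed[16:], wantTag) {
		return fmt.Errorf("AES-256-GCM KAT failed: got %x", sealed)
	}
	opened, err := gcm.Open(nil, iv, sealed, nil)
	if err != nil || !bytes.Equal(opened, pt) {
		return errors.New("AES-256-GCM decrypt KAT failed")
	}
	tampered := append([]byte{}, sealed...)
	tampered[len(tampered)-1] ^= 0x01
	if _, err := gcm.Open(nil, iv, tampered, nil); err == nil {
		return errors.New("AES-256-GCM accepted a corrupted tag")
	}
	return nil
}

// StartupSelfTest runs every KAT and returns the first failure; a device
// would refuse to bring up its network interfaces on error.
func StartupSelfTest() error {
	for _, kat := range []func() error{AESBlockKAT, AESGCMKAT} {
		if err := kat(); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	if err := StartupSelfTest(); err != nil {
		fmt.Println("self-test FAILED:", err)
		return
	}
	fmt.Println("self-test passed: AES-256 (FIPS 197) and AES-256-GCM (SP 800-38D)")
}
```

A KAT of this kind only proves the cipher implementation computes the standard function; it does not verify TSF executable code (FPT_TST.1.3), which needs a separate integrity check over the stored binaries.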
6.1.9 Audit log function
FAU_GEN.1 Audit data generation
Hierarchical to: No other components
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [selection, choose one of: minimum, basic, detailed, not
specified] level of audit; and
c) All Auditable Events as each is defined for its Audit Level (if one is specified) for the
Relevant SFR in Table 25; [assignment: other specifically defined auditable events].
Placeholder | Completion
[selection, choose one of: minimum, basic, detailed, not specified] | not specified
[assignment: other specifically defined auditable events] | None
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity (if applicable), and the outcome
(success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional
components included in the PP/ST, for each Relevant SFR listed in Table 25: (1)
information as defined by its Audit Level (if one is specified), and (2) all Additional
Information (if any is required); [assignment: other audit relevant information].
FAU_STG.4 Prevention of audit data loss
Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage
FAU_STG.4.1 The TSF shall [selection, choose one of: “ignore audited events”, “prevent audited
events, except those taken by the authorised user with special rights”, “overwrite the oldest stored
audit records”] and [assignment: other actions to be taken in case of audit storage failure] if the
audit trail is full.
Placeholder | Completion
[selection, choose one of: “ignore audited events”, “prevent audited events, except those taken by the authorised user with special rights”, “overwrite the oldest stored audit records”] | “overwrite the oldest stored audit records”
[assignment: other actions to be taken in case of audit storage failure] | None
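As an added illustration of FAU_GEN.1 and the FAU_STG.4.1 completion above (example code, not Canon's implementation), the Go program below builds audit records carrying the fields FAU_GEN.1.2 a) requires and stores them in a fixed-capacity trail that, once full, overwrites the oldest stored record. The event names, the clock values and the buffer size are constructed for the example; the ST's own list of auditable events is in its Table 25, which is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AuditRecord carries the minimum content that FAU_GEN.1.2 a) requires of every record.
type AuditRecord struct {
	Time    time.Time // taken from the TSF's reliable clock (FPT_STM.1)
	Event   string    // type of event
	Subject string    // subject identity, empty where not applicable
	Outcome string    // "success" or "failure"
}

// AuditTrail is a fixed-capacity ring buffer. Once full, each new record overwrites
// the oldest stored one, which is the FAU_STG.4.1 selection this ST makes.
type AuditTrail struct {
	buf         []AuditRecord
	next        int // slot that the next record is written to
	count       int // records currently stored, at most len(buf)
	overwritten int // records lost to overwriting since start-up
	started     bool
}

func NewAuditTrail(capacity int) *AuditTrail {
	if capacity < 1 {
		capacity = 1
	}
	return &AuditTrail{buf: make([]AuditRecord, capacity)}
}

// store writes one record; when the buffer is full, slot t.next holds the oldest
// record and is simply reused.
func (t *AuditTrail) store(r AuditRecord) {
	if t.count == len(t.buf) {
		t.overwritten++
	} else {
		t.count++
	}
	t.buf[t.next] = r
	t.next = (t.next + 1) % len(t.buf)
}

// Start and Stop record start-up and shutdown of the audit functions (FAU_GEN.1.1 a).
func (t *AuditTrail) Start(now time.Time) {
	t.started = true
	t.store(AuditRecord{Time: now, Event: "audit_startup", Outcome: "success"})
}

func (t *AuditTrail) Stop(now time.Time) {
	t.store(AuditRecord{Time: now, Event: "audit_shutdown", Outcome: "success"})
	t.started = false
}

// Log records any other auditable event. Event names used by callers here are
// constructed for the example.
func (t *AuditTrail) Log(now time.Time, event, subject string, success bool) error {
	if !t.started {
		return errors.New("audit functions are not running")
	}
	outcome := "failure"
	if success {
		outcome = "success"
	}
	t.store(AuditRecord{Time: now, Event: event, Subject: subject, Outcome: outcome})
	return nil
}

// Records returns the stored records oldest first.
func (t *AuditTrail) Records() []AuditRecord {
	out := make([]AuditRecord, 0, t.count)
	start := (t.next - t.count + len(t.buf)) % len(t.buf)
	for i := 0; i < t.count; i++ {
		out = append(out, t.buf[(start+i)%len(t.buf)])
	}
	return out
}

// Overwritten reports how many records were discarded; a reviewer needs this to
// know that the local trail is incomplete.
func (t *AuditTrail) Overwritten() int { return t.overwritten }

func (r AuditRecord) String() string {
	subj := r.Subject
	if subj == "" {
		subj = "-"
	}
	return fmt.Sprintf("%s %-16s subject=%-8s outcome=%s",
		r.Time.UTC().Format(time.RFC3339), r.Event, subj, r.Outcome)
}

func main() {
	clock := time.Date(2019, 8, 6, 9, 0, 0, 0, time.UTC)
	trail := NewAuditTrail(4) // deliberately tiny so that overwriting is visible
	trail.Start(clock)
	events := []struct {
		ev, subj string
		ok       bool
	}{
		{"user_login", "admin01", true},
		{"user_login", "user07", false},
		{"print_job", "user07", true},
		{"password_change", "user07", true},
	}
	for i, e := range events {
		_ = trail.Log(clock.Add(time.Duration(i+1)*time.Minute), e.ev, e.subj, e.ok)
	}
	trail.Stop(clock.Add(10 * time.Minute))
	for _, r := range trail.Records() {
		fmt.Println(r)
	}
	fmt.Println("records overwritten:", trail.Overwritten())
}
```

The practical caveat of the "overwrite the oldest" choice is that a burst of events, whether accidental or provoked, evicts earlier records, so the local trail is only useful alongside export to external audit storage; the overwritten counter is the cheap signal that this has happened.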
6.1.10 Management functions
6.1.10.1 User management function
FIA_SOS.1 Verification of secrets
Hierarchical to: No other components.
Dependencies: No dependencies
FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet [assignment: a defined quality metric].
FMT_MTD.1 (user-mgt) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 (user-mgt) The TSF shall restrict the ability to [selection: change_default, query, modify,
delete, clear, [assignment: other operations]] the [assignment: list of TSF Data associated with a
U.NORMAL or TSF Data associated with documents or jobs owned by a U.NORMAL] to [selection, choose
one of: Nobody, [selection: U.ADMINISTRATOR, the U.NORMAL to whom such TSF Data are associated]].
Placeholder | Completion
[selection: change_default, query, modify, delete, clear, [assignment: other operations]] | the "Operation" column of Table 26
[assignment: list of TSF Data associated with a U.NORMAL or TSF Data associated with documents or jobs owned by a U.NORMAL] | the "TSF data" column of Table 26
[selection, choose one of: Nobody, [selection: U.ADMINISTRATOR, the U.NORMAL to whom such TSF Data are associated]] | the "Role" column of Table 26
Table 26: User information management
TSF data | Role | Operation
User name | U.ADMINISTRATOR | delete, create, query
Role | U.ADMINISTRATOR | modify, delete, create, query
Password | U.ADMINISTRATOR | modify, delete, create
Own password | U.NORMAL | modify
FMT_SMR.1 Security roles
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 The TSF shall maintain the roles U.ADMINISTRATOR, U.NORMAL, [selection:
Nobody, [assignment: the authorised identified roles]].
Placeholder | Completion
[selection: Nobody, [assignment: the authorised identified roles]] | Nobody
FMT_SMR.1.2 The TSF shall be able to associate users with roles, except for the role “Nobody” to which no
user shall be associated.
6.1.10.2 Cryptographic key management function
FCS_CKM.1(h) Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution, or
FCS_COP.1 Cryptographic operation]
FCS_CKM.4 Cryptographic key destruction
FCS_CKM.1.1(h) The TSF shall generate cryptographic keys in accordance with a specified
cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] and specified cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards].
FMT_MTD.1(device-mgt) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1(device-mgt) The TSF shall restrict the ability to [selection: change_default, query, modify,
delete, clear, [assignment: other operations]] the [assignment: list of TSF data] to [selection, choose
one of: Nobody, [selection: U.ADMINISTRATOR, [assignment: the authorized identified roles except
U.NORMAL]]]