SUSE Linux Enterprise Server 9
CAPP EAL4+

Configuration Management

Version 1.2

IBM is a registered trademark of International Business Machines Corporation in the United States, other countries, or both.
SUSE and its logo are registered trademarks of SUSE AG.
Linux is a trademark of Linus Torvalds.
Other company, product, and service names may be trademarks or service marks of others.
Copyright ©2004 by IBM Corporation or its wholly owned subsidiaries.

Table of Contents

  1 Document Control
  2 Overview
  3 Version Control System
  4 Access Control
  5 Data Protection
  6 Documentation
  7 Testing

1 Document Control

Version | Date | Authors | Reviewers | Summary of Changes
1.0 | 2004/05/02 | Dustin Kirkland | Daniel Jones | Initial draft
1.1 | 2004/05/14 | Dustin Kirkland, Kimberly Simon | Daniel Jones | Test results section added. Modified Version Control System and Results sections to include the locations of the security target, high level design, low level design, functional specification, and testcase results.
1.2 | 2004/08/30 | Kimberly Simon | Daniel Jones | Reformatted document to a more general structure instead of a test-specific structure:
  1. Changed Test Configuration Management title to Configuration Management.
  2. Moved Change Log section to Document Control.
  3. Modified headings of all document sections.
  4. Created Overview section. Added Document Organization section.
  5. Changed references of SuSE to SUSE.
  6. Created Documentation section.
  7. Created Testing section. Moved all test-related information to this section.


2 Overview


2.1 Purpose

The purpose of this document is to identify and describe the overall methods for Configuration Management (CM) to be used for CAPP EAL4+ certification of SUSE Linux Enterprise Server (SLES) 9 at IBM's Linux Technology Center (LTC).  This document is stored and maintained in IBM Internal Open Source Bazaar (IIOSB) under the exltp project (/exltp/documents/EAL4).

2.2 Document Organization

In addition to this chapter and the Document Control chapter above, this document has been organized as follows:

2.3 Document Conventions

The following notation conventions are used in this document:
 
Constant Width: Shows the contents of code files or output from commands; also indicates source-code keywords that appear in code.
Italic: Used for file and directory names, program and command names, command-line options, and for emphasizing new terms.

2.4 Terminology

The following technical terms, abbreviations, and acronyms are used in this document:

CVS: Concurrent Versions System
IIOSB: IBM Internal Open Source Bazaar
LTC: Linux Technology Center
SLES: SUSE Linux Enterprise Server
SSL: Secure Socket Layer


3 Version Control System

The Concurrent Versions System (CVS) is the system used as the central repository for the tests and related documents. CVS provides file version control and keeps logs of the changes that occur to the files. CVS lets multiple persons collaborate on the development of the same file or group of files (i.e. projects). The who, when and why are automatically tracked by the system. CVS manages the releases and controls the simultaneous editing of the files.

For more information about CVS, please refer to the man pages and info pages of Linux. On the command line type: man cvs or info cvs. www.cvshome.org and www.tortoisecvs.org are good websites for further details about CVS.

The IBM Internal Open Source Bazaar (IIOSB) is a free service that promotes open source development inside IBM. IIOSB offers easy access to CVS, as well as mailing lists, bug tracking, message forums, task management, site hosting, permanent file archival, full backups, and total web-based administration. This service is provided by the IBM LTC, based on the SourceForge Enterprise Edition from VA Software. IIOSB is available within the IBM intranet at w3.opensource.ibm.com. Data protection, access control, secure data communication and backup are provided by CVS and/or IIOSB as described below.


4 Access Control

4.1 IDs and Roles

Anonymous read-only access is available to anyone within the IBM intranet to any data stored in IIOSB, in the spirit of open source software development. Access beyond read-only must be authenticated.

To use the IBM Internal Open Source Bazaar beyond read-only access, a user has to register an account. The IBM intranet ID and password are used for the registration. The functions that a user can perform on a particular project depend on the role assigned to him/her by the project administrator. Modification of data in CVS is limited to developers, as defined and maintained by the project administrator. Developers can only be added to the IIOSB project by the project administrator(s).

4.2 Web Access

Web access to IIOSB functionality occurs over a secure encrypted connection (via SSL) and sessions are password authenticated. Site logins to the IIOSB are via SSL, and site passwords are never stored nor communicated in plaintext to ensure security.

4.3 Client Access

CVS access occurs through the CVS client application over an SSH secure encrypted connection. Each session is authenticated with a username and a password.

5 Data Protection

5.1 Secure Communication

IIOSB is continuously monitored for bugs and security holes. Encryption is available and enforced on various parts of the IIOSB. Site logins are via SSL and site passwords are never stored nor communicated in plaintext.

5.2 Disaster Recovery

IIOSB performs a full backup of all site and project data once a week, then incremental backups daily to a tape library.  To learn more about the disaster recovery process, please visit https://w3.opensource.ibm.com/projects/sourceforge/document/IIOSB_Site_FAQ/#whyhost-backup and https://ltc.linux/plan/iiosb_overview.htm.


6 Documentation

The following documents are relevant to the SLES 9 EAL4 certification and are related to this document. The location and description of each document are also provided below. Each document is stored and maintained under an IIOSB project.
 
 
Document Name | CVS Location/Branch | Description
SLES 9 EAL4 Security Target | ealdoc project (EAL Documentation Project) under /ealdoc/EAL4SecurityTarget | Defines security characteristics for the EAL4 evaluation of SLES 9 and the certification-sles-eal4.rpm package.
SLES 9 High Level Design (HLD) | ealdoc project under /ealdoc/SlesEAL4HighLevelDesign | Summarizes the high-level design and Target of Evaluation functions of SLES 9 and is used within the EAL4 evaluation of SLES 9.
SLES 9 Low Level Design (LLD) | ealdoc project under /ealdoc/SlesEAL4LowLevelDesign | Summarizes the low-level design and Target of Evaluation functions of SLES 9 and is used within the EAL4 evaluation of SLES 9.
SLES 9 Function Specification (FSP) | ealdoc project under /ealdoc/SlesEAL4-FunctionalSpecification | Provides functional descriptions of the Target of Evaluation for the SLES 9 EAL4 evaluation.
SLES 9 EAL4 Test Plan | exltp project (Extending LTP Project) under /exltp/documents/EAL4 | Describes how System Verification Test is conducted to demonstrate the correct operation of the security functions identified by the SLES 9 Security Target for the EAL4 evaluation.


7 Testing

7.1 Certification Testcases

For each Target of Evaluation, the certification test cases for SLES 9 EAL4 are maintained by the IIOSB as a separate CVS project called exltp. Each testcase satisfies a specific security requirement for the SLES 9 EAL4 evaluation and will be mapped to the corresponding security requirement in the SLES 9 FSP (see section 6, Documentation). The testcases are stored as indicated below. See the SLES 9 EAL4 Test Plan for more information about the testcases (see section 6, Documentation).
 
Testcase Name | CVS Location/Branch
LAuS Tests | exltp project under /exltp/laus_test
LTP Tests | exltp project under /exltp/LTP
Miscellaneous Tests | exltp project under /exltp/misc_test

7.2 Testcase Results


The test results for SLES 9 EAL4 are stored in the exltp IIOSB project under the .  Should the individual conducting the tests wish to communicate the results of the tests, that person may do so in one of the following ways:

7.2.1 Emailing Results to a Mailing List

The IIOSB also provides an interface for creating, operating, and maintaining mailing lists. Another part of the exltp project is the mailing list exltp-test-runs@opensource.ibm.com. Test developers or other curious parties may join the mailing list, where test results can be published, distributed, and discussed. The mailing lists are stored and archived on the IIOSB internal IBM servers at https://w3.opensource.ibm.com/mail/mail.php?list_id=236.

7.2.2 Committing Results to CVS

Some results, such as those required for certification, are stored in CVS under the IIOSB exltp project. This maintains a persistent, tagged, and versioned copy of these results in a convenient location.

The build process that compiles the test suites also contains support for several additional targets: "make run" and "make report". In addition to compiling the test suites, these targets also run the tests in a consistent manner (as described by the Test Plan document) and create consistent and portable result logs.

The "make report" target will bundle the results into a single compressed archive file containing the following components:

Testers should use the build target to generate results in this manner so that they can be compared to other runs and other platforms at any time. Results checked into CVS should be in this format.