Commit 5114b0ff authored by Aeva Black, committed by Aeva Black

Reformat section 1.2 Products in Scope to improve readability

parent 383cfc51
+13 −12
@@ -155,21 +155,22 @@ Many products contain multiple operating systems which can affect the security f

Some of the operating systems may not always be readily available as separate products and are included as components of another product. Where there may be other specifications that target that product category, it may be more relevant to review the operating system as part of that larger system rather than independently via this standard.

### 1.2.2 Elements of operating systems that are in scope
### 1.2.2 Components of operating systems that are in scope

The scope is limited to the security-relevant parts of the operating system. This includes any element capable of modifying elements that control the security of the system, as well as elements that provide security functionality.
The scope is of this document is limited to the security-relevant parts of the operating system, including components that provide or are capable of modifying or controlling essential security functions of the operating system.

Security-relevant parts of the operating system include but are not limited to:
The following non-exhaustive list of types of components are common to many operating systems and, when present, are considered security-relevant:

* the operating system's kernel
* device drivers, if supplied with the operating system
* libraries used to provide security-relevant services
* core authentication services required for operating system functionality
* operating system processes running with elevated privileges
* software installation and update system, if supplied with the operating system
* logging and monitoring, if performed by the operating system
* configuration of security-relevant operating system functions
* provisioning of a secure default configuration for the operating system, based on its configured use
- **Kernel:** The central component responsible for managing hardware resources and enforcing access controls.
- **Device Drivers:** Software components supplied with the operating system that interact directly with hardware devices.
- **Security Libraries:** Libraries used to provide critical security services, such as encryption, authentication, and authorization.
- **Authentication Services:** Core authentication mechanisms required for operating system functionality.
- **Privileged Processes:** Operating system processes running with elevated privileges or access to sensitive resources.
- **Software Update Mechanisms:** Systems responsible for installing and updating software components supplied with the operating system.
- **Logging and Monitoring:** Functions performed by the operating system that record security-relevant events or monitor system behavior.
- **Configuration Management:** Management of the configuration of security-relevant  operating system settings, including provisioning of secure-by-default configuration as appropriate to the product context.

Other components of operating systems often contribute to the essential security of a product and should be given equal consideration, as appropriate for each product's context.

## 1.3 Products not in scope
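
Review bot: In the rewritten 1.2.2 list, several bullets change what is in scope rather than only reformatting it, which the commit title does not signal. "Privileged Processes" adds "or access to sensitive resources", "Security Libraries" adds named examples (encryption, authentication, and authorization), and the closing paragraph ("Other components of operating systems ... should be given equal consideration") is a new normative statement with no counterpart in the old text. Consider moving these into a separate commit, or describing them in the commit message, so the scope change can be reviewed on its own. Two smaller points in the same hunk: the new introductory sentence has a stray "is" ("The scope is of this document is limited"), and the Configuration Management bullet has a double space in "security-relevant  operating".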