Commit a4a614c9 authored by Valerie Aurora (Bow Shock)

Convert assumptions to risk factors, add some risk factors

parent e72c89e2
+33 −33
@@ -690,9 +690,40 @@ Note: "account" refers to a user in the operating systems sense: a unique system
* CONF-1: foreseeable use allows operating system configuration changes only by skilled or trusted users, such as corporate IT support staff.
* CONF-2: foreseeable use of the operating system includes configuration changes by end-users.

#### 4.5.1.13 Administration

FIXME distinguish between user and admin

#### 4.5.1.14 Sophistication of purchaser

If the purchaser is an OEM or integrator then they are super sophisticated and you can tell them how to use the OS.

FIXME right risk factor?

#### 4.5.1.15 Trustworthiness of platform

* PLAT-0: The entire platform is assumed to be trustworthy.
* PLAT-1: The platform provides methods to check for corruption or malfunction in itself.
* PLAT-2: The platform provides methods to use a trusted part of the platform to authenticate and verify other parts of the platform and the software running on it.
* PLAT-3: The platform only trusts a subset of the platform and all other parts are considered actively hostile at all times.

#### 4.5.1.16 Trustworthiness of administrator

* ADMN-0: No administration is possible.
* ADMN-1: The administrator is assumed to be trustworthy and competent.
* ADMN-2: The administrator is assumed the trustworthy but not competent and the OS must protect against accidental misconfiguration.
* ADMN-3: The administrator is assumed to be actively hostile and the OS must protect against intentional misconfiguration.

#### 4.5.1.16 Trustworthiness of unprivileged user

 * [A-PU-L-0]: No users.
 * [A-PU-L-1]: The user is assumed to be trustworthy and competent
 * [A-PU-L-2]: The user is assumed to be trustworthy but not competent and the OS must protect against accidental misconfiguration.
 * [A-PU-L-3]: The user is assumed to be actively hostile and the OS must protect against intentional misconfiguration.

### 4.5.2 Mapping of Use Cases to Risk Factors

**NOTE:** The "TOTAL" field informs the Risk Tolerance assignments table in Section 6.3
**NOTE:** The "TOTAL" field is referenced by but does not define the Risk Tolerance assignments table in Section 6.3. It is primarily a consistency check to see if the risk factors sufficiently distinguish the differences in risk tolerance between use cases.

|Risk Factor | NUSR | CUSR | DATA | SENS | PHYS | LOSS | HWMD | SWMD | DVCS | TNET | FNET | CONF | _TOTAL_ |
|------------|------|------|------|------|------|------|------|------|------|------|------|------|---------|
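Review bot: the new PLAT-, ADMN- and unprivileged-user factors introduced in 4.5.1.15 and 4.5.1.16 have no columns in the 4.5.2 mapping table (its header still ends at CONF | _TOTAL_), so the TOTAL consistency check described in the NOTE cannot account for them; add a column per new factor or state that they are deliberately left out. Three smaller points in the same hunk: heading number 4.5.1.16 is used twice (Trustworthiness of administrator and Trustworthiness of unprivileged user), so the second should become 4.5.1.17; the unprivileged-user list still uses the old assumption-style identifiers `[A-PU-L-0]`..`[A-PU-L-3]` with a leading space before each bullet, while the sibling lists were converted to `PLAT-n` / `ADMN-n`, so a matching `USER-n` style and the same bullet indentation would keep the section consistent (and `[A-PU-L-1]` is missing its full stop); and ADMN-2 reads "assumed the trustworthy" where "assumed to be trustworthy" is meant. The two **NOTE:** lines about the TOTAL field also sit back to back; if the second is the replacement for the first, the first should go.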
@@ -724,7 +755,6 @@ Note: "account" refers to a user in the operating systems sense: a unique system

Potential additional risk factors:

* Professional or amateur administration
* Is audit/logging being watched?
* Web browsing or not
* Sensitivy of data collected or transferred
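Review bot: "Sensitivy of data collected or transferred" has a typo (Sensitivity). Also, "Professional or amateur administration" in this list of potential additional factors now overlaps with the ADMN- factor added in 4.5.1.16 and with the "FIXME distinguish between user and admin" under 4.5.1.13; either drop it here or note that it is already covered so the list only holds genuinely open items.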
@@ -1944,37 +1974,7 @@ Anything can run with elevated privileges if root runs it... is there a mitigati

> List assumptions that are relevant to the risk analysis for these threats. Everything is hackable if you try hard enough. What kinds of threats are in and out of scope? What are you assuming is the sophistication of attack? Relate to use cases.

* Proper platform

  * **Rationale:** An operating system requires a trustworthy platform to perform its functions.
  * [A-PP-L-1]: The platform is assumed to be trustworthy.
  * [A-PP-L-2]: The platform provides methods to check for corruption or malfunction in itself.
  * [A-PP-L-3]: The platform provides methods to use a trusted part of the platform to authenticate and verify other parts of the platform and the software running on it.

* Proper administrator

  * **Rationale:** An operating system requires effective administration to perform its functions.
  * [A-PA-L-1]: The administrator is assumed to be trustworthy.
  * [A-PA-L-2]: The administrator is limited to protect against accidental misconfiguration.
  * [A-PA-L-3]: The administrator is severely limited to protect against intentional misconfiguration.

* Proper user

> FIXME where does trusted/untrusted hardware devices go? External/internal interfaces, what can the operating system protect against, what can be accessed with a limited time access by attacker?

- Not being attacked by a state actor
- Not using sophisticated or expensive hardware snooping techniques
- No secret hardware backdoors

From NIAP PP for OS:

A.PLATFORM: The OS relies upon a trustworthy computing platform for its execution. This underlying platform is out of scope of this PP.

A.PROPER USER: The user of the OS is not willfully negligent or hostile, and uses the software in compliance with the applied enterprise security policy. At the same time, malicious software could act as the user, so requirements which confine malicious subjects are still in scope.

A.PROPER ADMIN: The administrator of the OS is not careless, willfully negligent or hostile, and administers the OS within compliance of the applied enterprise security policy.

> FIXME list more assumptions
FIXME Do we have any assumptions that result in no difference in risk between different use cases? Or are they all just risk factors that vary by use case?

## C.4 Risk assessments of threats
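Review bot: the "Proper platform" and "Proper administrator" assumption lists here (`[A-PP-L-n]`, `[A-PA-L-n]`) carry the same content as the new PLAT-/ADMN- risk factors in 4.5.1.15 and 4.5.1.16 but with different identifiers and shifted level numbers (PLAT-0 "entire platform is assumed to be trustworthy" corresponds to `[A-PP-L-1]`), so whichever copy is kept should be reduced to a cross-reference to the other, otherwise the two level scales will drift apart. "Proper user" has no rationale and no sub-items while its siblings have both. The FIXME asking whether any assumptions do not vary by use case has a candidate answer in this same hunk: "Not being attacked by a state actor", "Not using sophisticated or expensive hardware snooping techniques" and "No secret hardware backdoors" apply across all use cases, which is exactly the distinction between an assumption and a risk factor that the FIXME draws; those three use `-` bullets where the surrounding lists use `*`. The NIAP names render as "A.PROPER USER" and "A.PROPER ADMIN"; the PP writes them with underscores (A.PROPER_USER, A.PROPER_ADMIN), so if markdown is swallowing the underscores, wrap the names in backticks.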