  • SC-03 Security Function Isolation --> Any documentation or pointers

    We have to provide documentation per an audit on how Red Hat or GNU/Linux implements the following:

    SC-03 Security Function Isolation
    Control: The information system isolates security functions from nonsecurity functions.

    Supplemental Guidance: The information system isolates security functions from nonsecurity functions by means of partitions, domains, etc., including control of access to and integrity of, the hardware, software, and firmware that perform those security functions. The information system maintains a separate execution domain (e.g., address space) for each executing process.
    
    Control Enhancements:
    
    (1) The information system employs underlying hardware separation mechanisms to facilitate security function isolation.
    
    (2) The information system isolates critical security functions (i.e., functions enforcing access and information flow control) from both nonsecurity functions and from other security functions.
    
    (3) The information system minimizes the number of nonsecurity functions included within the isolation boundary containing security functions.
    
    (4) The information system security functions are implemented as largely independent modules that avoid unnecessary interactions between modules.
    
    (5) The information system security functions are implemented as a layered structure minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality or correctness of higher layers.
    

    It obviously sounds a lot like kernel memory control groups, or SELinux, or *nix use of users/groups ... but I was wondering if anyone has had to answer-the-mail so to speak on a security audit for this particular NIST 800-53 requirement?
