On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote:
> On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs
> <rgb(a)redhat.com> wrote:
> > So while I'm not advocating this is what should be done and I'm trying
> > to establish bounds to the scope of this feature, but would it be
> > reasonable to simply not log packets that were transiting this machine
> > without a local endpoint?
> I'm still waiting on more detailed requirements information from
> Steve, but based on what we've heard so far, it seems that ignoring
> forwarded traffic is a reasonable thing to do.
OK, I have done the analysis to see where things stand on this. A long time
ago, there were no security requirements around virtualization except OSPP v2.0
from BSI, which had a virtualization extended module. In it, it had the
following requirements:
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled
subject and controlled information via a controlled operation if the following
rules hold: [assignment: for each operation, the security attribute-based
relationship that must hold between subject and information security
attributes, which must allow to define the security attribute-based
relationship between two subjects such that information flow
between the compartments is not permitted].
FDP_IFF.1.3 The TSF shall enforce the [assignment: additional information flow
control SFP rules].
FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the
following rules: [assignment: rules, based on security attributes, that
explicitly authorise information flows].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the
following rules: [assignment: rules, based on security attributes, that
explicitly deny information flows].
So, whenever there was an allow or deny, then that needed to be auditable. The
audit target was added and it can be configured to closely mirror the rules.
When auditing, sufficient information needs to be recorded to make sense of why
the flow was allowed or denied. Ultimately you really want this connected to a
process and user if applicable.
However, in reviewing server virtualization protection profile v1.1 and
operating system protection profile v4.1, there is no FDP_IFF.1 requirement
which means that there are no more requirements to audit network packets. I
did not review the network device protection profile which may or may not levy
requirements for network auditing.
At this point, I would say there is no purpose for xt_AUDIT.c based on Common
Criteria. It looks like it's built in response to the
CONFIG_NETFILTER_XT_TARGET_AUDIT config option. So, it can be cleanly
deprecated.
-Steve
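As an added illustration of the records the AUDIT target produces and of the forwarded-versus-local distinction raised in the thread (example code, not from this thread or the kernel tree): the parser below assumes the `action=… hook=… len=… inif=… outif=… saddr=… daddr=… proto=… sport=… dport=…` field layout emitted by xt_AUDIT.c of that era, NF_INET_* hook numbering (2 = FORWARD) and the target's accept/drop/reject `--type` values, and runs over constructed sample records.

```python
import re

# Assumed NF_INET_* hook numbering; hook 2 is FORWARD, i.e. no local endpoint.
HOOKS = {0: "PRE_ROUTING", 1: "LOCAL_IN", 2: "FORWARD", 3: "LOCAL_OUT", 4: "POST_ROUTING"}
# Assumed AUDIT target --type values: accept=0, drop=1, reject=2.
ACTIONS = {0: "accept", 1: "drop", 2: "reject"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_netfilter_pkt(line):
    """Parse one NETFILTER_PKT audit record into a dict; None for other record types."""
    if "type=NETFILTER_PKT" not in line:
        return None
    fields = dict(FIELD_RE.findall(line))
    rec = {
        "action": ACTIONS.get(int(fields.get("action", -1)), "unknown"),
        "hook": HOOKS.get(int(fields.get("hook", -1)), "unknown"),
        "saddr": fields.get("saddr"),
        "daddr": fields.get("daddr"),
        "proto": int(fields["proto"]) if "proto" in fields else None,
        "sport": int(fields["sport"]) if "sport" in fields else None,  # absent for ICMP
        "dport": int(fields["dport"]) if "dport" in fields else None,
    }
    # Packets seen at the FORWARD hook only transit this host.
    rec["forwarded"] = rec["hook"] == "FORWARD"
    return rec


def summarize(lines):
    """Count allow/deny decisions, split by whether this host was an endpoint."""
    counts = {"local": {}, "forwarded": {}}
    for line in lines:
        rec = parse_netfilter_pkt(line)
        if rec is None:
            continue
        bucket = counts["forwarded" if rec["forwarded"] else "local"]
        bucket[rec["action"]] = bucket.get(rec["action"], 0) + 1
    return counts


# Constructed sample records (not captured from a real system).
SAMPLE = [
    "type=NETFILTER_PKT msg=audit(1486500000.123:42): action=0 hook=1 len=60 inif=eth0 outif=? saddr=192.0.2.10 daddr=192.0.2.1 ipid=4321 proto=6 sport=51234 dport=22",
    "type=NETFILTER_PKT msg=audit(1486500000.456:43): action=1 hook=2 len=84 inif=eth0 outif=eth1 saddr=198.51.100.7 daddr=203.0.113.9 ipid=17 proto=1",
    "type=NETFILTER_PKT msg=audit(1486500001.001:44): action=0 hook=3 len=52 inif=? outif=eth0 saddr=192.0.2.1 daddr=192.0.2.10 ipid=99 proto=6 sport=22 dport=51234",
    "type=NETFILTER_PKT msg=audit(1486500001.200:45): action=2 hook=2 len=60 inif=eth1 outif=eth0 saddr=203.0.113.9 daddr=198.51.100.7 ipid=100 proto=6 sport=40000 dport=25",
    "type=SYSCALL msg=audit(1486500001.300:46): arch=c000003e syscall=42 success=yes",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The summary separates decisions on locally terminated flows from those on transit traffic, which is the split the thread considers leaving unlogged; the records themselves carry no process or user fields, which is the gap the message points out.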