Hello,
I've been doing an analysis of what all we need to do to get the audit system
up to par for LSPP. The actual work list for all of LSPP is bigger, I am
extracting just the ones that are aimed primarily at the audit system. This
These are the essential requirements:
1. Basic
1.1 Objects shall include: files, named pipes (fifo), sockets, devices, shared
memory, message queue, semaphores. New object: kernel keys
2 Audit User Space
2.1 Events shall contain unique session identifier and/or terminal
2.2 The ability to search on subject and object labels
2.3 The ability to search based on type of access and role that enabled access
2.4 The ability to search based on subject and object role
2.5 There shall be a method to audit based on keys
2.6 There shall be a way to audit based on network address
3 Kernel - Audit related
3.1 Create new audit record types for: rlimit violations, lspp subject, lspp
object, crypto, anomalies, and response to anomalies.
3.2 All Subjects and Objects shall be labeled - Network and kernel keys needed
3.3 Subject & Object information must be labeled in events
3.4 Role must be identified in events
3.5 For access control actions, the role that made access possible has to be
recorded.
3.6 Audit events shall contain unique session identifier and/or terminal
3.7 Audit events can be filtered by Object or Subject labels
3.8 Audit events can be filtered by host identity, event type, users belonging
to certain role, and access types.
3.9 There shall be a method to audit based on keys
3.10 There shall be a way to audit based on network address
3.11 Loading MAC policy is an auditable event
3.12 Changing policy booleans is an auditable event
3.13 Service discontinuity is an auditable event.
5 Kernel Export/Import of Data
5.1.6 Hard Copy
5.1.6.2 admin shall be able to specify label associated with the data.
Overrides are an auditable event.
5.2.3 devices used to import data without labels cannot do so if previously
allocated to importing data with labels without a manual state change that is
auditable
7 User Space SE Linux
7.6 newrole made into a suid program so that it can send audit messages
9 Self Test
9.1 RBAC requires that a suite of tests be available that demonstrates that
the machine is correctly operating.
9.2 Authorized users shall also be able to verify the integrity of data and
executables called out in security target.
9.3 Tests shall produce audit records indicating that it was run and any
failures.
10.0 Postfix
10.1 Add loginuid code to set it when delivering local mail
11.0 Procmail
11.1 Add loginuid code to set it when delivering local mail
If I've missed anything, please let me know. Let's discuss...
-Steve
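Items 10.1 and 11.1 both ask a local mail delivery agent to set the audit login uid before acting on a user's behalf. The following is an added example of that interface and is not Steve's code nor code from Postfix or Procmail: it writes the uid in decimal to /proc/self/loginuid, the kernel's per-task login uid file, and reads it back. The helper names (format_loginuid, set_loginuid, get_loginuid) are assumptions made here. Setting the value requires CAP_AUDIT_CONTROL, and on kernels that treat the login uid as immutable a second set will fail with EPERM; the return codes make both failures visible to the caller rather than silently delivering mail with an unattributed session.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Render the uid as the decimal string the kernel expects in
 * /proc/self/loginuid. Returns the string length, or -1 if buf is
 * too small. Kept separate so it can be checked without root. */
int format_loginuid(char *buf, size_t len, uid_t uid)
{
    int n = snprintf(buf, len, "%u", (unsigned)uid);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* Set the audit login uid of the calling task (hypothetical helper name).
 * Returns 0 on success or a negative errno: -EACCES/-EPERM when the caller
 * lacks CAP_AUDIT_CONTROL or the value is already fixed, -ENOENT when the
 * kernel has no audit support. */
int set_loginuid(uid_t uid)
{
    char buf[16];
    int n = format_loginuid(buf, sizeof buf, uid);
    if (n < 0)
        return -EINVAL;

    int fd = open("/proc/self/loginuid", O_WRONLY);
    if (fd < 0)
        return -errno;

    ssize_t w = write(fd, buf, (size_t)n);
    int err = 0;
    if (w < 0)
        err = -errno;
    else if (w != n)
        err = -EIO;          /* short write: kernel did not take the value */
    close(fd);
    return err;
}

/* Read back the current login uid (hypothetical helper name).
 * 4294967295 (-1 as unsigned) means "unset" on Linux. Returns 0 or -errno. */
int get_loginuid(uid_t *uid)
{
    char buf[32];
    int fd = open("/proc/self/loginuid", O_RDONLY);
    if (fd < 0)
        return -errno;

    ssize_t r = read(fd, buf, sizeof buf - 1);
    int err = (r < 0) ? -errno : 0;
    close(fd);
    if (err)
        return err;

    buf[r] = '\0';
    *uid = (uid_t)strtoul(buf, NULL, 10);
    return 0;
}

/* Stand-alone usage: attempt to tag this task with the uid given on the
 * command line (default 1000, a constructed sample value), then report. */
int main(int argc, char **argv)
{
    uid_t want = (argc > 1) ? (uid_t)strtoul(argv[1], NULL, 10) : 1000;
    int rc = set_loginuid(want);
    if (rc)
        fprintf(stderr, "set_loginuid(%u) failed: %s\n",
                (unsigned)want, strerror(-rc));

    uid_t have;
    if (get_loginuid(&have) == 0)
        printf("loginuid now %u\n", (unsigned)have);
    return rc ? 1 : 0;
}
```

A delivery agent would call set_loginuid once, right after it has authenticated which mailbox owner it is acting for and before it opens that user's files, so every subsequent syscall audit record carries the auid field the LSPP session-identification items (2.1, 3.6) require.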