Hello,
I've looked through the LSPP spec for audit requirements and the list
below is what I've found. Some of the requirements around devices may
be optional depending on what is in a security target. If anyone has
more info on that, please share.
If anyone else wants to take a look at the spec and see if I've missed
something, I'd appreciate it.
I think the next steps should be:
* Determine each audit record field in our current set of possible
records that requires a sensitivity label (marked TODO below).
* List where requirements necessitate changes to kernel, audit
tools, or applications.
Additionally, user attributes will now include the SELinux user
identity and SELinux role. Is there ever a need to include that
information in audit records generated by the audit subsystem? Or
will all events requiring that information be logged by SELinux?
Here is the list. I've included the relevant section of the LSPP spec
in parentheses.
Audit LSPP Requirements
-----------------------
1. Each audit record must have sensitivity labels of subjects,
objects, or the information involved. (5.1.1.2)
<< TODO: determine each audit record field that requires a
sensitivity label. >>
2. An administrator must be able to search or sort the audit log data
based on subject and object sensitivity labels. (5.1.5)
3. An administrator must be able to include or exclude events from the
set of audited events, based on subject and object sensitivity
labels. (5.1.6)
4. If a device is used to export both labeled and unlabeled data, the
change in device state must be auditable. (5.2.3, 5.2.4)
5. If a device is used to export labeled data, any change in the
security attribute settings of the device must be audited. (5.2.4)
6. Any overriding of printed labels must be audited. (5.2.4)
7. If a device is used to import both labeled and unlabeled data, the
change in device state must be auditable. (5.2.7, 5.2.8)
8. If a device is used to import labeled or unlabeled data, any change
in the security attribute settings of the device must be audited.
(5.2.8)
Your comments welcome!
Amy
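As an added example (not part of Amy's message), the following Python shows what requirements 2 and 3, searching, sorting and filtering audit records by subject and object sensitivity label, look like over a few constructed audit lines. It assumes the Linux audit framework's convention of carrying SELinux contexts in subj= and obj= fields, with the MLS sensitivity as the fourth colon-separated component; the log lines and the function names are constructed for illustration.

```python
import re

# Constructed sample audit lines (not real log data), in the style of the
# Linux audit framework: subj=/obj= carry user:role:type:sensitivity[:categories].
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1300000001.001:101): syscall=2 success=yes subj=staff_u:staff_r:staff_t:s2:c3 exe="/bin/cat"
type=PATH msg=audit(1300000001.001:101): name="/srv/data/report" obj=system_u:object_r:var_t:s1
type=SYSCALL msg=audit(1300000002.002:102): syscall=2 success=no subj=user_u:user_r:user_t:s0 exe="/bin/cat"
type=PATH msg=audit(1300000002.002:102): name="/srv/secret" obj=system_u:object_r:var_t:s3:c1,c2
type=SYSCALL msg=audit(1300000003.003:103): syscall=2 success=yes subj=sysadm_u:sysadm_r:sysadm_t:s3-s15:c0.c1023 exe="/bin/ls"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into a dict of key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def sensitivity(context):
    """Return (level, categories) for the low end of an SELinux MLS context.

    Returns None when the context has no MLS component, i.e. it is unlabeled.
    Category lists may use commas (c1,c2) or a dotted range (c0.c5)."""
    parts = context.split(":", 3)
    if len(parts) < 4:
        return None
    low = parts[3].split("-")[0]              # low end of a range such as s3-s15
    level, _, cats = low.partition(":")
    categories = set()
    for c in (cats.split(",") if cats else []):
        if "." in c:                          # dotted category range, e.g. c0.c5
            a, b = c.split(".")
            categories.update(range(int(a[1:]), int(b[1:]) + 1))
        else:
            categories.add(int(c[1:]))
    return int(level[1:]), frozenset(categories)


def records_at_or_above(log, field, min_level):
    """Select records whose subj/obj sensitivity is at least min_level (req. 2/3)."""
    out = []
    for rec in (parse_record(l) for l in log.splitlines()):
        label = sensitivity(rec[field]) if field in rec else None
        if label is not None and label[0] >= min_level:
            out.append(rec)
    return out


def sorted_by_label(log, field):
    """Order labeled records by the sensitivity of the given field (req. 2)."""
    recs = [r for r in map(parse_record, log.splitlines()) if field in r]
    return sorted(recs, key=lambda r: sensitivity(r[field])[0])
```

Records whose context lacks an MLS component are treated as unlabeled and never match a label-based search, which is the behaviour an administrator auditing requirement 1 would want to notice rather than silently accept.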