On Thursday 06 October 2005 11:33, Amy Griffis wrote:
> For the things that aren't mentioned in the specs, could you explain
> in more detail why you think they are needed?
To round out the system. If there's questions about anyone in particular,
please ask about it.
> > 1. Basic
> > 1.1 Objects shall include: files, named pipes (fifo), sockets,
> > devices, shared memory, message queue, semaphores. New object:
> > kernel keys
> What is a kernel key?
It's part of the keying infrastructure. Each key is a block of memory that is
presumably stuffed with a key.
> Could you explain why it's needed?
Because it's something that programs perform operations on, therefore it's an
object. In another thread last week, I demonstrated that you can stuff the
whole passwd file into a key. This means that there is a need to control
access to it and possibly audit its use since it could become a covert
channel.
> > 2.5 There shall be a method to audit based on keys
> > 2.6 There shall be a way to audit based on network address
> Which requirement are these derived from?
Based on current audit usage. With keys, we may need to audit based on it.
Not sure yet how that will look or if syscall auditing alone will handle it.
As for networking, we have labeled networking. We may need to track machines
regardless of what dhcp does to them. This has to be investigated and if we
are completely sure it's not needed, we can discard it. I'd rather have it on
the list and cross it off than completely overlook it.
> > 3 Kernel - Audit related
> > 3.1 Create new audit record types for: rlimit violations, lspp
> > subject, lspp object, crypto, anomalies, and response to anomalies.
> Other than lspp subject/object, I'm not sure which requirements these
> items are tied to. Could you explain that?
All audit messages have a record type so that they can be searched for. This
is basically saying that we need to allocate blocks of numbers for these
types of messages.
> (Nit) Creating a new record type is an implementation detail and
> shouldn't be listed as a requirement.
This is something someone has to do. Until it's done, I need to track it.
> > 7 User Space SE Linux
> > 7.6 newrole made into suid program so that it can send audit messages
> Isn't this also an issue for trusted printing?
Looking at my system, cupsd is running as root. It therefore has the
capability needed to send audit messages.
> > 13.0 initscripts
> > 13.1 Shutdown needs hwclock call moved to before killing the audit daemon
> Are these changes necessary for LSPP, or just fixes that need to be
> made to the current functionality?
Both. All changes to system time must be recorded.
-Steve
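On the point above that cupsd, running as root, already holds the capability needed to send audit messages: an added example (not from this thread or the audit project) that reads CapEff from a process's /proc/<pid>/status and reports whether CAP_AUDIT_WRITE is set. The bit numbers are from linux/capability.h; the status excerpts are constructed samples, and live_audit_writers is a hypothetical helper for scanning a running system.

```python
import os
import re

# Capability bit numbers from linux/capability.h. CAP_AUDIT_WRITE is what a
# process needs to send its own records to the audit subsystem over netlink.
CAP_AUDIT_WRITE = 29
CAP_AUDIT_CONTROL = 30

# Constructed /proc/<pid>/status excerpts (not captured from a real system).
ROOT_CUPSD_STATUS = "Name:\tcupsd\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
UNPRIV_STATUS = "Name:\tnewrole\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"
AUDIT_ONLY_STATUS = "Name:\tlogger\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000020000000\n"


def parse_capeff(status_text):
    """Return the effective capability mask (CapEff line) as an int."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def has_cap(mask, cap_bit):
    """True if capability number cap_bit is set in mask."""
    return bool((mask >> cap_bit) & 1)


def can_send_audit(status_text):
    """True if the process described by status_text holds CAP_AUDIT_WRITE."""
    return has_cap(parse_capeff(status_text), CAP_AUDIT_WRITE)


def live_audit_writers(proc="/proc"):
    """Scan a running system: (pid, name) of every process with CAP_AUDIT_WRITE."""
    found = []
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc, pid, "status")) as f:
                text = f.read()
        except OSError:
            continue  # process exited or status not readable
        if can_send_audit(text):
            name = re.search(r"^Name:\s*(.*)$", text, re.MULTILINE).group(1)
            found.append((int(pid), name))
    return found


if __name__ == "__main__":
    for pid, name in live_audit_writers():
        print(pid, name)
```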