5:03 p.m.
Hello,
I've looked through the LSPP spec for audit requirements and the list
below is what I've found. Some of the requirements around devices may
be optional depending on what is in a security target. If anyone has
more info on that, please share.
If anyone else wants to take a look at the spec and see if I've missed
something, I'd appreciate it.
I think the next steps should be:
* Determine each audit record field in our current set of possible
records that requires a sensitivity label (marked TODO below).
* List where requirements necessitate changes to kernel, audit
tools, or applications.
Additionally, user attributes will now include the SELinux user
identity and SELinux role. Is there ever a need to include that
information in audit records generated by the audit subsystem? Or
will all events requiring that information be logged by SELinux?
Here is the list. I've included the relevant section of the LSPP spec
in parentheses.
Audit LSPP Requirements
-----------------------
1. Each audit record must have sensitivity labels of subjects,
objects, or the information involved. (5.1.1.2)
<< TODO: determine each audit record field that requires a
sensitivity label. >>
2. An administrator must be able to search or sort the audit log data
based on subject and object sensitivity labels. (5.1.5)
3. An administrator must be able to include or exclude events from the
set of audited events, based on subject and object sensitivity
labels. (5.1.6)
4. If a device is used to export both labeled and unlabeled data, the
change in device state must be auditable. (5.2.3, 5.2.4)
5. If a device is used to export labeled data, any change in the
security attribute settings of the device must be audited. (5.2.4)
6. Any overriding of printed labels must be audited. (5.2.4)
7. If a device is used to import both labeled and unlabeled data, the
change in device state must be auditable. (5.2.7, 5.2.8)
8. If a device is used to import labeled or unlabeled data, any change
in the security attribute settings of the device must be audited.
(5.2.8)
Your comments welcome!
Amy
12:23 a.m.
* Amy Griffis (amy.griffis(a)hp.com) wrote:
I think the next steps should be:
* Determine each audit record field in our current set of possible
records that requires a sensitivity label (marked TODO below).
I'd expect this simply expanding the notion of process (currenlty auid, uid,
gid, etc.) to include label. Hmm, I'd imagine this should include
capabilities as well. Similarly for inode, socket, ipc...
* List where requirements necessitate changes to kernel, audit
tools, or applications.
Additionally, user attributes will now include the SELinux user
identity and SELinux role. Is there ever a need to include that
information in audit records generated by the audit subsystem? Or
will all events requiring that information be logged by SELinux?
All current audit records (i.e. CAPP style) which require logging
subject/object, now simply have expanded notion of subject/object
(i.e. relevant labels). Certainly, this includes those generated from the
audit subsystem, which simply needs to query security module to get label.
I suppose one question is what format? Standard security_getprocattr
type hook to just get text is simplest.
thanks,
-chris
9:57 a.m.
--- Chris Wright <chrisw(a)osdl.org> wrote:
* Amy Griffis (amy.griffis(a)hp.com) wrote:
... Hmm, I'd imagine this
should include
capabilities as well. Similarly for inode, socket,
ipc...
The rule of thumb that seems to make evaluators
happy is that you should include sufficent
information that the reasons for a failure or
a success can be determined from the record.
Thus, if the operation succeeded only because
you had a capability the capabilities need to
be included. If you failed an operation due to
mod bits, you need the process' uid, group set,
and capabilities, and the file's mode and acl.
Ideally you should include a list of the
capabilities that you checked for, but didn't
have, in the case here CAP_DAC_READ.
> Additionally, user attributes will now include the
SELinux user
> identity and SELinux role. Is there ever a need
to include that
> information in audit records generated by the
audit subsystem? Or
> will all events requiring that information be
logged by SELinux?
All current audit records (i.e. CAPP style) which
require logging
subject/object, now simply have expanded notion of
subject/object
(i.e. relevant labels). Certainly, this includes
those generated from the
audit subsystem, which simply needs to query
security module to get label.
I suppose one question is what format? Standard
security_getprocattr
type hook to just get text is simplest.
thanks,
-chris
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
Casey Schaufler
casey(a)schaufler-ca.com
____________________________________________________
Start your day with Yahoo! - make it your home page
http://www.yahoo.com/r/hs
7085
days inactive
7086
days old
linux-audit@lists.linux-audit.osci.io
2 comments
3 participants
participants (3)
-
Amy Griffis -
Casey Schaufler -
Chris Wright