[redhat-lspp] auditable events requirements
Daniel H. Jones
hotrats at us.ibm.com
Fri May 20 20:33:39 UTC 2005
Purpose: Identify what LSPP-specific audit events are already covered so
we can safely ignore those and focus only on the remaining work.

Among the additional auditable events for LSPP are:
- All attempts to export information
- All attempts to import user data, including any security attributes
- Overriding of human-readable output marking
- All decisions on requests for information flow

First thing to consider is all the ways to import/export information.
export: network, print, mail, removable media, others?
import: network, mail, removable media, others?

I believe auditing export/import via the network is handled by SELinux
with Trent Jaeger's LSM-IPSec Networking Hooks patch (posted to
linux-netdev). The patch handles labeled and unlabeled data. That leaves
print, mail, and removable media to consider. Are there other channels
I'm omitting?

The requirement to audit "All decisions on requests for information
flow" applies to the FDP_IFF.2 component, which is basically the
requirement for mandatory access control. This too, I believe, is already
addressed by SELinux through the avc_audit call in avc_has_perm. No?

What is left to consider is auditing of non-network import/export, and
overriding of human-readable output marking. Is that about right?

--
Thanks,
Dan Jones
IBM Linux Technology Center, Security
512-838-1794 (T/L 678-1794)
hotrats at us.ibm.com