[redhat-lspp] auditable events requirements

Daniel H. Jones hotrats at us.ibm.com
Mon May 23 15:22:13 UTC 2005


Right now I'm just trying to identify all events that require auditing. 
Exporting/importing data to/from removable media requires auditing (or 
at least the ability to audit that event). Restrictions are beside the 
point. That's a functional question for the security target.

Doc Shankar wrote:
> Removable media cannot be multi level. Even if it is confined to single 
> level, there will be restrictions (Read only?, Mount conditions?,....)
> 
> Thanks, Doc
> 
> hotrats at us.ltcfwd.linux.ibm.com
> Sent by: redhat-lspp-bounces at redhat.com
> 05/20/2005 03:33 PM
> 
> To: redhat-lspp at redhat.com
> Subject: [redhat-lspp] auditable events requirements
> 
> Purpose: Identify what LSPP specific audit events are already covered so
> we can safely ignore those and focus only on the remaining work.
> 
> Among the additional auditable events for LSPP are:
> - All attempts to export information
> - All attempts to import user data, including any security attributes
> - Overriding of human-readable output marking
> - All decisions on requests for information flow
> 
> First thing to consider is all the ways to import/export information.
> export: network, print, mail, removable media, others?
> import: network, mail, removable media, others?
> 
> I believe auditing export/import via the network is handled by SELinux
> with Trent Jaeger's LSM-IPSec Networking Hooks patch (posted to
> linux-netdev). The patch handles labeled and unlabeled data. That leaves
> print, mail, and removable media to consider. Are there other channels
> I'm committing?
> 
> The requirement to audit "All decisions on requests for information
> flow" applies to the FDP_IFF.2 component, which is basically the
> requirement for mandatory access control. This too, I believe, is already
> addressed by SELinux through the avc_audit call in avc_has_perm. No?
> 
> What is left to consider is auditing of non-network import/export, and
> overriding of human-readable output marking. Is that about right?
> 
> 
> -- 
> Thanks,
> Dan Jones
> IBM Linux Technology Center, Security
> 512-838-1794 (T/L 678-1794)
> hotrats at us.ibm.com
> 
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
> 
> 


-- 
Thanks,
Dan Jones
IBM Linux Technology Center, Security
512-838-1794 (T/L 678-1794)
hotrats at us.ibm.com



