[redhat-lspp] auditable events requirements
Daniel H. Jones
hotrats at us.ibm.com
Mon May 23 15:22:13 UTC 2005
Right now I'm just trying to identify all events that require auditing.
Exporting/importing data to/from removable media requires auditing (or
at least the ability to audit that event). Restrictions are beside the
point. That's a functional question for the security target.
Doc Shankar wrote:
> Removable media cannot be multi level. Even if it is confined to single
> level, there will be restrictions (Read only?, Mount conditions?,....)
>
> Thanks, Doc
>
>
>
> *hotrats at us.ltcfwd.linux.ibm.com*
> Sent by: redhat-lspp-bounces at redhat.com
>
> 05/20/2005 03:33 PM
>
>
>
> To
>
> redhat-lspp at redhat.com
>
> cc
>
>
> Subject
>
> [redhat-lspp] auditable events requirements
>
>
>
>
> Purpose: Identify what LSPP specific audit events are already covered so
> we can safely ignore those and focus only on the remaining work.
>
> Among the additional auditable events for LSPP are:
> - All attempts to export information
> - All attempts to import user data, including any security attributes
> - Overriding of human-readable output marking
> - All decisions on requests for information flow
>
> First thing to consider is all the ways to import/export information.
> export: network, print, mail, removable media, others?
> import: network, mail, removable media, others?
>
> I believe auditing export/import via the network is handled by SELinux
> with Trent Jaeger's LSM-IPSec Networking Hooks patch (posted to
> linux-netdev). The patch handles labeled and unlabeled data. That leaves
> print, mail, and removable media to consider. Are there other channels
> I'm omitting?
>
> The requirement to audit "All decisions on requests for information
> flow" applies to the FDP_IFF.2 component, which is basically the
> requirement for mandatory access control. This too, I believe, is already
> addressed by SELinux through the avc_audit call in avc_has_perm. No?
>
> What is left to consider is auditing of non-network import/export, and
> overriding of human-readable output marking. Is that about right?
>
>
> --
> Thanks,
> Dan Jones
> IBM Linux Technology Center, Security
> 512-838-1794 (T/L 678-1794)
> hotrats at us.ibm.com
>
> --
> redhat-lspp mailing list
> redhat-lspp at redhat.com
> https://www.redhat.com/mailman/listinfo/redhat-lspp
--
Thanks,
Dan Jones
IBM Linux Technology Center, Security
512-838-1794 (T/L 678-1794)
hotrats at us.ibm.com
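The thread asks which of the LSPP auditable-event categories (export, import, information-flow decisions) are already covered by SELinux's avc_audit and which, such as removable media, still need work. One way to check coverage is to run the audit trail through a classifier that maps each record to those categories and see which categories come back empty. The script below is an added example for this page, not code from the thread or from the redhat-lspp project. It assumes the Linux audit daemon's `type=... msg=audit(ts:serial): ...` record layout and SELinux's `user:role:type:level` context format; the `removable_t` object type used to recognise removable media, and the sample records themselves, are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample audit records (not from the original thread). The field
# layout follows the Linux audit daemon's "type=<T> msg=audit(<ts>:<serial>): ..."
# format; contexts use SELinux's user:role:type:level layout.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1116863000.101:201): avc:  denied  { write } for  pid=2201 comm="cp" name="report.txt" dev=sda1 ino=4112 scontext=user_u:user_r:user_t:s2 tcontext=system_u:object_r:removable_t:s0 tclass=file
type=AVC msg=audit(1116863001.202:202): avc:  granted  { read } for  pid=2202 comm="cat" name="notes.txt" dev=sda1 ino=4113 scontext=user_u:user_r:user_t:s2 tcontext=system_u:object_r:removable_t:s0 tclass=file
type=SYSCALL msg=audit(1116863002.303:203): arch=c000003e syscall=165 success=yes exit=0 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0
type=USER_LOGIN msg=audit(1116863003.404:204): pid=2204 uid=0 msg='op=login acct="dan" exe="/usr/sbin/sshd" res=success'
"""

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
AVC_RE = re.compile(r"avc:\s+(?P<decision>granted|denied)\s+\{ (?P<perms>[^}]+) \}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumed object type standing for removable media in this example; a real
# policy would use whatever types it assigns to removable devices.
REMOVABLE_TYPES = {"removable_t"}
# mount(2) is syscall 165 on x86_64; syscall numbers are architecture specific.
MOUNT_SYSCALL_X86_64 = "165"
ARCH_X86_64 = "c000003e"


def parse_record(line):
    """Split one audit record into its header fields plus key=value pairs.
    Returns None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"])}
    body = m["body"]
    rec.update({k: v.strip('"') for k, v in KV_RE.findall(body)})
    avc = AVC_RE.search(body)
    if avc:
        rec["decision"] = avc["decision"]
        rec["perms"] = set(avc["perms"].split())
    return rec


def context_type(ctx):
    """user:role:type:level -> type. The level may itself contain ':'
    (e.g. s0-s15:c0.c1023), so split at most three times."""
    parts = ctx.split(":", 3)
    return parts[2] if len(parts) >= 3 else ""


def classify(rec):
    """Map a parsed record onto the LSPP audit-event categories from the thread."""
    cats = set()
    if rec["type"] == "AVC":
        # Every MAC decision, granted or denied, is an information-flow decision (FDP_IFF.2).
        cats.add("information_flow_decision")
        if context_type(rec.get("tcontext", "")) in REMOVABLE_TYPES:
            if rec["perms"] & {"write", "append", "create"}:
                cats.add("export_removable_media")
            if "read" in rec["perms"]:
                cats.add("import_removable_media")
    elif (rec["type"] == "SYSCALL"
          and rec.get("arch") == ARCH_X86_64
          and rec.get("syscall") == MOUNT_SYSCALL_X86_64):
        # Mounting media is the precondition for removable-media import/export.
        cats.add("media_mount")
    if not cats:
        cats.add("other")
    return cats


def summarize(log_text):
    """Count records per category; an empty category is a coverage gap to investigate."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        for cat in classify(rec):
            counts[cat] += 1
    return counts


if __name__ == "__main__":
    for cat, n in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print(f"{cat:30} {n}")
```

On the constructed sample the AVC records account for both information-flow decisions and the removable-media import/export events, the mount syscall shows up as the media-mount precondition, and the login record falls through to "other"; on a real trail, a category that never appears is the signal that the corresponding LSPP event is not yet being audited.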