[redhat-lspp] LSPP/RBACPP requirements v.006
George C. Wilson
ltcgcw at us.ibm.com
Wed Jan 25 01:34:10 UTC 2006
Please find the latest tasks list attached. It contains updates prior to the
last meeting. It has been a while since I last produced one of these. If you
see gaps, inaccuracies, etc., please send me a note and I will make the changes.
I am also planning to post this list to Russell's wiki.
--
George Wilson <ltcgcw at us.ibm.com>
IBM Linux Technology Center
-------------- next part --------------
01 Audit record augmentation
Description: Augment audit records with additional LSPP & RBACPP
attributes: subj and obj labels; roles, host identity,
event type, and access types where available.
Implementation: Add additional SELinux fields to audit records.
Status: Several patches posted to audit list by IBM. Record should be
fairly complete at this point.
Upstream: Red Hat, lkml
Owner: Kirkland, Dustin
Org: IBM
02 Audit of additional events
Description: Add additional instrumentation to kernel and userspace,
particularly for user data import/export; catchall for
issues not covered elsewhere. May include new audit record
types for: rlimit violations, sub, obj, anomalies,
responses.
Implementation: Additional events have been added where necessary.
Status: Need to identify remaining gaps.
Upstream: Red Hat, lkml
Owner: Grubb, Steve
Org: Red Hat
03 Audit of network events
Description: Add hooks to IPsec implicit packet labeling. Needs to
include audit by network address.
Implementation: Should mostly be covered by existing AVC audit records. May
need to document that network configuration changes
require reboot (per @sec). DHCP should be disallowed.
Status: Need to identify remaining gaps.
Upstream: netdev, lkml
Owner: Kirkland, Dustin
Org: IBM
04 Audit of print events
Description: Instrument CUPS.
Implementation: HP posted a patch and discussed extensively on this list.
Status: Patch needs to go upstream to CUPS list; depends on print
patch.
Upstream: CUPS mailing list
Owner: Anderson, Matt
Org: HP
05 Audit of other import/export events
Description: Device allocation; forced labeling of devices.
Implementation: Add audit hooks for device allocator and other relevant
device-related events.
Status: Device allocator has a home; it needs to be analyzed for
audit; remaining gaps need to be identified.
Upstream: Device allocator project; Individual dev mailing lists
Owner: Grubb, Steve
Org: Red Hat
06 Audit of user and role modifications
Description: Must audit tools that modify users and roles in flat file
implementation. Includes passwd. Utilities upon which
this depends covered in separate task.
Implementation: Red Hat will be writing the user and role tools. Ensure that
audit records are generated.
Status: Tools have been written; analyze for audit coverage.
Upstream: mlsutils package
Owner: Walsh, Dan
Org: Red Hat
07 Audit instrumentation of trusted programs, including
SELinux tools
Description: Add hooks to trusted programs. At the moment, looks like only
init and newrole need to be instrumented--others are
audited by kernel. CUPS client may also be a candidate.
Implementation: Instrument newrole for audit, make it suid, and drop
capabilities other than audit append.
Status: Newrole has been made a trusted program; identify any
remaining gaps.
Upstream: SELinux list, kernel community
Owner: Grubb, Steve
Org: Red Hat
08 Audit-fs completion
Description: Completion of auditfs patch.
Implementation: Implementation in progress by HP and IBM.
Status: Patch posted by HP.
Upstream: fsdevel, lkml
Owner: Griffis, Amy
Org: HP
09 Audit filtering in kernel or daemon with additional LSPP &
RBACPP attributes--Selective Audit
Description: Add kernel or daemon audit filtering to CAPP audit. Solution
must filter/suppress records based on all available LSPP &
RBACPP attributes: obj and subj labels, object identity,
role, hostname, event type, and access type.
Implementation: Red Hat, IBM, and HP have posted patches that allow filtering
on various criteria.
Status: Audit by role is main outstanding piece, which depends on
kernel string i/o from auditfs. IBM working.
Upstream: lkml
Owner: Grubb, Steve
Org: Red Hat
10 Audit browse, sort, search (augrep) with additional LSPP &
RBACPP attributes--Audit Selection
Description: Create command line browse utility. Must include all
available LSPP & RBACPP attributes: obj and subj labels,
object identity, role, hostname, event type, and access
type. Note there is no X-window System in certified
configuration.
Implementation: An ASCII version exists. Needs API and binary record format
support.
Status: ASCII ausearch w/sub and obj labels implemented; API
proposed on list; binary record format being discussed.
Upstream: Red Hat
Owner: Grubb, Steve
Org: Red Hat
11 DAC policy and function
Description: Existing DAC mechanisms should cover; ensure all objects
are covered and ensure owner, perm bits, ACLs are
appropriate.
Implementation: Should already be covered.
Status: Needs to be analyzed to ensure complete coverage.
Upstream: What, if anything, is specific to the certification RPM?
Owner: Wilson, George
Org: IBM
12 MLS policy and function
Description: SELinux MLS function and base MLS policy provide
foundation; ensure the MLS policy correctly deals with
trusted processes, overrides, restrictions on
import/export, VFS polyinstantiation; requires
extensive testing.
Implementation: NSA, TCS, Tresys, Red Hat, and others have posted patches.
Status: Red Hat has incorporated MLS policy into Rawhide and ported
it to reference policy. There are still kinks to work out.
Upstream: SELinux mailing list, Red Hat MLS policy RPM
Owner: Walsh, Dan
Org: Red Hat
13 IPsec labeled packets: Base patch
Description: Indirect packet labeling based on mapping IPsec SAs to
SELinux security contexts; AH-only with physical network
security reduces/eliminates FIPS crypto cert
requirements.
Implementation: Trent Jaeger / IBM posted patch to netdev. They plan to
continue working this item.
Status: Base patch accepted into kernel; presently has a security
issue; requires additional testing.
Upstream: netdev, lkml
Owner: Jaeger, Trent
Org: PSU
14 Labeled print
Description: MLS labels required on banner pages, headers, and footers.
Implementation: There have been a couple of iterations on this. Current
thinking is to use untrusted CUPS server to feed a trusted
CUPS server as scaled image.
Status: Patch being reworked.
Upstream: CUPS mailing list
Owner: Anderson, Matt
Org: HP
15 VFS polyinstantiation
Description: Namespaces unshare() syscall patch and PAM exploitation of
it.
Implementation: NSA posted polyinstantiation patch. Red Hat has been working on
namespaces extensively. IBM has posted unshare syscall
patch and PAM integration patches.
Status: Patches incorporated into -mm tree; Red Hat provided
comments on PAM modules; PAM module should be usable once
unshare() is incorporated.
Upstream: lkml, pam-list
Owner: Desai, Janak
Org: IBM
16 Device allocation
Description: Device allocation patch posted by TCS + enhancements,
and/or forced relabeling upon device insertion; requires
testing. Functions: authorization, synchronization,
device node context assignment, eject/close.
Implementation: TCS posted framework patch. HP posted policy for it.
Status: Current version on SF; needs test and enhancement.
Upstream: Device allocator SF project.
Owner: Hanson, Chad
Org: TCS
17 Test and possibly restrict file archivers
Description: star already maintains xattrs; zip/unzip patched to
support xattrs. Need to restrict to the admin. Enhancements
to other archivers exceed LSPP reqs.
Implementation: IBM has added xattr support to zip/unzip. IBM also producing
star and zip tests. Policy implications need to be examined.
Status: zip/unzip posted to covert list and being discussed
w/maintainers. Tests have been written for zip/unzip. IBM
writing star tests. Ensure archivers are correctly
restricted via policy.
Upstream: archiver maintainers for modifications; selinux list for
policy
Owner: Velarde, Debora
Org: IBM
18 Disable udev & hotplug after boot (was Device labeling via
udev)
Description: Current thinking is to disable udev & hotplug after boot.
(L/FDP_ETC, FDP_ITC) See also item 37--Disable DBUS after
boot.
Implementation: Disable hotplug after boot for the evaluated config. This
involves investigation and modifications to init scripts
for evaluated configuration.
Status: Debora volunteered to try this. Need to document the
results, and modify init scripts for certification RPM.
Upstream: Red Hat Certification RPM
Owner: Velarde, Debora
Org: IBM
19 Label translation
Description: Translation of sensitivity labels into human-readable
form.
Implementation: libsetrans incorporated into SELinux.
Status: libsetrans is upstream; requires test.
Upstream: SELinux list
Owner: Walsh, Dan
Org: Red Hat
20 Mail
Description: User mail required for admin mail only, probably only cron.
Possible solutions: multi-level MTA, admin-only MTA,
direct procmail invocation; direct delivery by cron into
poly'd directories. Complete solution may be interesting
but is not a requirement.
Implementation: Modify cron to accept new mailer; use modified mailer to
deliver cron output.
Status: Cron has been modified to pass in a mailer; cannot use mailx as
is; need to determine delivery mechanism (wrappered mailx
or procmail).
Upstream: No central cron maintainer; Red Hat will carry cron patch;
need cron configuration for certification RPM.
Owner: Desai, Janak
Org: IBM
21 Multilevel xinetd
Description: Patch xinetd to obtain label from inbound connections and
spawn child daemons with correct context. Will have to be
documented as trusted program.
Implementation: TCS has posted a patch. Trent also has a student working on an
implementation.
Status: Simple patch exists; have not seen student implementation;
some debate over range bracketing.
Upstream: Steve Grubb, xinetd list
Owner: Hanson, Chad
Org: TCS
22 Multilevel sshd
Description: Patch sshd to spawn child processes with correct context.
Implementation: This may be possible by simply patching PAM module.
Status: Looks like we will not need this with xinetd approach;
composition with xinetd requires test.
Upstream: openssh-unix-dev
Owner: Zhang, Catherine
Org: IBM
23 Multilevel cron
Description: TCS posted polyinstantiation-aware Vixie cron; TCS
approach useful, but useful only for MLS labels and
dependent on TCS polyinstantiation mechanism. Comments on
redhat-lspp suggest extending cron/crontab protocol to
support security context.
Implementation: TCS posted the patch; IBM is working to integrate with
namespaces-based polyinstantiation.
Status: Janak has posted an updated patch that changes the cron
protocol per his writeup; needs test.
Upstream: No central cron maintainer; Red Hat will carry patch for
evaluated configuration.
Owner: Desai, Janak
Org: IBM
24 Multilevel at
Description: Base at work on multilevel cron.
Implementation: Open; IBM and TCS are likely interested in this as they have
been working on cron.
Status: Red Hat has stated that at and anacron will both be folded into
cron. So, we may get this with little or no work. Requires
investigation.
Upstream: Red Hat will carry patch for evaluated configuration.
Owner: Desai, Janak
Org: IBM
25 Multilevel tmpwatch
Description: Patch tmpwatch to handle polyinstantiation.
Implementation: Open
Status: Requires investigation to determine if needed.
Upstream: Likely that Red Hat will carry patch for evaluated
configuration.
Owner: Desai, Janak
Org: IBM
26 Multilevel slocate
Description: Slocate needs to be removed from evaluated configuration.
Implementation: Ensure removal from evaluated configuration package list.
Status: Consensus at last discussion is to remove from package list.
Upstream: Remove in Red Hat Certification RPM.
Owner: Grubb, Steve
Org: Red Hat
27 Revocation of user and object attributes
Description: Killall with user and context matching and wrapper script to
lock account and kill all user processes. Similar approach
can be taken with fuser.
Implementation: IBM has psmisc patch to be posted. Needs to use loginuid and
document regex caveats as well.
Status: IBM has loginuid killall and revocation script which needs
to be posted on selinux list and redhat-lspp.
Upstream: psmisc sf project, Red Hat certification RPM
Owner: Wilson, George
Org: IBM
28 Useful role definitions
Description: Define a useful set of roles in the MLS policy. The admin roles
should be separated, and a super admin role composed from
them. Overrides also need to be tied to roles. Consider
including a crypto admin role.
Implementation: Red Hat added role separation to MLS policy with input from
TCS. However, because the policy must be static in the
evaluated config, the user admin tool will be used to assign
roles to users.
Status: Role separation already done in the existing MLS policy.
Need to provide role assignment tool and document
procedure.
Upstream: selinux list
Owner: Wilson, George
Org: IBM
29 Management of users and roles in flat file
Description: Create command line tools to manage and audit users and roles
in flat file separated from base MLS policy. Actions need to
be audited, which is covered in a separate task.
Implementation: Red Hat has been working on flat file user and roles
implementation.
Status: Red Hat posted user and roles in flat files documentation.
Tools need to be created and instrumented with audit hooks.
Upstream: Red Hat mlsutils package
Owner: Walsh, Dan
Org: Red Hat
30 Self tests
Description: Define a subset of LTP tests that can be run periodically by an
administrator or cron job that demonstrates correct
operation of DAC and MAC policies, and verifies integrity of
configuration files, including SELinux policy. Tests
shall produce audit records.
Implementation: Modified Tripwire may be easiest to implement. Also
consider permission and label checks via script, binary
integrity validation via rpm -V, and LTP subset.
Status: Need to investigate Tripwire. NSA SELinux tests
incorporated into LTP. Perhaps select a subset of these,
verify critical DAC permissions, and check integrity of
critical configuration files. NSA considering policy
integrity verification and versioning.
Upstream: Red Hat Certification RPM or self-test RPM
Owner: Grubb, Steve
Org: Red Hat
31 I&A
Description: All these requirements are similar to CAPP. Augment tests to
account for sensitivity labels.
Implementation: IBM plans to test this.
Status: This is test work to verify I&A functionality. IBM plans
to perform this work.
Upstream: LTP?
Owner: Desai, Janak
Org: IBM
32 Test
Description: Create testcases and incorporate into LTP.
Implementation: Respective task owners should create unit and functional
tests.
Status: Ongoing
Upstream: LTP
Owner: Wilson, Kris
Org: IBM
33 Documentation
Description: Create documentation for each task.
Implementation: Respective task owners should create low-level design
documentation, manpages, and structured comments.
Status: Ongoing
Upstream: Respective upstream maintainers
Owner: Wilson, George
Org: IBM
34 Ensure all named objects are covered by DAC & MAC
Description: Objects shall include: files, named pipes (fifo), sockets,
devices, shared memory, message queue, semaphores. New
object: kernel keys - would need man pages, structured
comments, & test cases.
Implementation: IBM should ensure complete coverage.
Status: No development work; ensure coverage in ST.
Upstream: Red Hat Certification RPM
Owner: Wilson, George
Org: IBM
35 Provide minimal number of MAC levels and categories
Description: There shall be at least 16 levels of hierarchical labels and 64
compartments (L/FDP_IFF.2.7). However, we should have 256
compartments per customer requirement.
Implementation: IBM should ensure complete coverage.
Status: No development work; ensure coverage in ST; RH has customer
reqs beyond LSPP.
Upstream: SELinux mailing list
Owner: Wilson, George
Org: IBM
36 Audit record unique session/terminal ID
Description: Events shall contain unique session identifier and/or
terminal.
Implementation: Could be an ID a la loginuid; don't want to add a new one; only
required when available; incomplete coverage; add to audit
records where available.
Status: Determine if coverage of session & terminal ID is complete.
Upstream: lkml, linux-audit
Owner: Grubb, Steve
Org: Red Hat
37 Disable DBUS after boot (was Analyze removing DBUS)
Description: DBUS must be either documented and tested, restricted, or
removed. Ideally it will be removed from the ST. See also item
18--Disable udev & hotplug after boot.
Implementation: Remove dbus and see what breaks; discuss with Russell.
Status: Debora volunteered to try this. Need to document the
results, and modify init scripts for certification RPM.
Upstream: Red Hat Certification RPM
Owner: Velarde, Debora
Org: IBM
39 Restrict kernel keyring access
Description: There needs to be a way to restrict the use of the kernel
keyring to the authorized administrator.
Implementation: The restrictions should be defined in the MLS policy, and
DAC, too, if possible.
Status: MLS policy now available; ensure restriction for
certification.
Upstream: Red Hat Certification RPM
Owner: Walsh, Dan
Org: Red Hat
40 Standard LSPP configuration
Description: Create standard LSPP configuration and rules to be shared
among contributors. This may be incorporated into
Configuration Guide.
Implementation: Write scripts and documentation for LSPP & RBACPP
configuration.
Status: All should update on Russell's wiki. Configuration of MLS
policy now standard; must still pull in audit mods, unshare,
device allocator.
Upstream: Red Hat Certification RPM, README for selinux-list,
Configuration Guide
Owner: Coker, Russell
Org: Red Hat
41 Audit of SELinux booleans
Description: Changing policy booleans is auditable event.
Implementation: SELinux needs to generate audit records when policy
booleans are changed. Unclear to what extent this is already
covered.
Status: Requires analysis
Upstream: SELinux list
Owner: Grubb, Steve
Org: Red Hat
42 Audit of service discontinuity and fs relabeling (was Audit
of service discontinuity)
Description: Service discontinuity and fs relabeling are auditable
events.
Implementation: Ensure service discontinuities and fs relabels are
audited--bootup, shutdown, SELinux enable, SELinux
disable.
Status: Discontinuity should already be covered; need fs relabel
record.
Upstream: SELinux list, linux-audit
Owner: Grubb, Steve
Org: Red Hat
43 Audit record subject labels for userspace records
Description: When user space message is relayed, add a subject message to
same event.
Implementation: The kernel needs to add the subject label for audit records
generated in userspace because the caller cannot be
trusted.
Status: Tim produced patch, which was rejected. Reworking patch.
Upstream: SELinux list, linux-audit
Owner: Chavez, Timothy
Org: IBM
44 Fail to secure state
Description: When role data base is offline, corrupt, or inaccessible,
the system shall preserve a secure state.
Implementation: SELinux denies everything by default. So, if the SS, DB, or
policy is unavailable, the system should come to a stop.
Status: Should already be covered by SELinux; ensure that it is.
Upstream: SELinux list
Owner: Walsh, Dan
Org: Red Hat
45 Maintenance mode for secure recovery
Description: RBAC stipulates that after a failure or service
discontinuity, the machine shall enter a maintenance mode
whereby the machine can be restored to a secure state. Maybe
config param for rc.sysinit.
Implementation: Need to boot into single user mode for maintenance after
SELinux or audit failure.
Status: Init already panics when policy load fails. A configurable
option to drop into single user mode would be nice. Also want
something similar for audit.
Upstream: Red Hat certification RPM
Owner: Walsh, Dan
Org: Red Hat
47 Utility to list SELinux roles?
Description: User shall have the ability to see list of authorized Roles.
This does not appear to be a strict requirement looking at
RBACPP FIA_ATD.1.
Implementation: This is not required but would be nice to have. Is there already
a way to do this? If not, need a utility for a user to list roles
that he/she can take on.
Status: Nice to have. Determine if this should be removed from
requirements list.
Upstream: SELinux list, Red Hat certification RPM
Owner: Walsh, Dan
Org: Red Hat
48 User role modification?
Description: User shall have the ability to change to any authorized
Roles. Unclear that this is required by reading RBACPP
FMT_SMR.2; TSF needs to associate, admins need to control.
Implementation: Mechanism already exists for TSF to associate users and
roles, and for admin roles to control them. Users must be
restricted.
Status: Determine if this should be removed. For Klaus: When a user
changes roles, is that an auditable event? We should amend
this item to include auditability of role change based on
Klaus' feelings. Otherwise strike from list as it's covered
by newrole.
Upstream: Red Hat certification RPM
Owner: Walsh, Dan
Org: Red Hat
49 MLS enablement of userspace
Description: All utilities that display contexts shall be updated to
display levels and categories. They shall display the
translated name.
Implementation: Ensure all userspace utilities display levels and
categories correctly. This should already be done. Unclear
that they should always display xlated names.
Status: Should already be covered.
Upstream: SELinux list, Red Hat certification RPM
Owner: Walsh, Dan
Org: Red Hat
50 Utility to compute closure of sub access to objs?
Description: Given a file, the Admin shall be able to determine who can
access it. Request from military customers.
Implementation: Requires analysis of DAC permissions and SELinux policy.
Status: Nice to have. Determine if should be removed from
requirements list.
Upstream: Red Hat certification RPM
Owner: Grubb, Steve
Org: Red Hat
51 IPsec labeled packets: Userspace ipsec-tools patch
Description: This is the userspace ipsec-tools patch that accompanies
the kernel base patch. Also want Venkat's MLS changes to
racoon.
Implementation: Joy Latten and Trent Jaeger modified ipsec-tools to handle
syntax modifications required by kernel base patch.
Status: Joy has forward ported and posted the patch. Still requires
incorporation of Venkat's MLS enhancements.
Upstream: ipsec-tools
Owner: Latten, Joy
Org: IBM
52 IPsec labeled packets: Packet context getsockopt() patch
Description: Patch that adds a socket-level getsockopt() to obtain
packets' SELinux contexts.
Implementation: Patch exists to get TCP connection peer security context.
This is insufficient for UDP. Patch rework will be required
to add a peek option.
Status: Sec peer patch exists. TCS posted sample peek code.
Catherine posted design proposal.
Upstream: netdev, lkml
Owner: Zhang, Catherine
Org: IBM
53 IPsec labeled packets: Analyzers
Description: Tcpdump and ethereal need to understand IPsec labels. This
is not an LSPP/RBACPP requirement.
Implementation: Augment tcpdump and ethereal. This would be AH-only, I
presume, unless the sniffers can decrypt ESP.
Status: Determine if we really want to do something with this.
Upstream: Tcpdump and ethereal maintainers
Owner: Grubb, Steve
Org: Red Hat