LSPP Requirements -- first pass

Amy Griffis amy.griffis at hp.com
Thu Jul 28 22:03:02 UTC 2005


Hello,

I've looked through the LSPP spec for audit requirements and the list
below is what I've found.  Some of the requirements around devices may
be optional depending on what is in a security target.  If anyone has
more info on that, please share.

If anyone else wants to take a look at the spec and see if I've missed
something, I'd appreciate it.

I think the next steps should be:

    * Determine each audit record field in our current set of possible
      records that requires a sensitivity label (marked TODO below).

    * List where requirements necessitate changes to kernel, audit
      tools, or applications.

Additionally, user attributes will now include the SELinux user
identity and SELinux role.  Is there ever a need to include that
information in audit records generated by the audit subsystem?  Or
will all events requiring that information be logged by SELinux?

Here is the list.  I've included the relevant section of the LSPP spec
in parentheses.

Audit LSPP Requirements
-----------------------
1. Each audit record must have sensitivity labels of subjects,
   objects, or the information involved. (5.1.1.2)

   << TODO: determine each audit record field that requires a
   sensitivity label. >>

2. An administrator must be able to search or sort the audit log data
   based on subject and object sensitivity labels. (5.1.5)

3. An administrator must be able to include or exclude events from the
   set of audited events, based on subject and object sensitivity
   labels. (5.1.6)

4. If a device is used to export both labeled and unlabeled data, the
   change in device state must be auditable. (5.2.3, 5.2.4)

5. If a device is used to export labeled data, any change in the
   security attribute settings of the device must be audited. (5.2.4)

6. Any overriding of printed labels must be audited. (5.2.4)

7. If a device is used to import both labeled and unlabeled data, the
   change in device state must be auditable. (5.2.7, 5.2.8)

8. If a device is used to import labeled or unlabeled data, any change
   in the security attribute settings of the device must be audited.
   (5.2.8)
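As an added illustration of requirements 2 and 3 (not code from the original post or from the audit tools), here is a small Python filter and sort over constructed audit records: it pulls the sensitivity label out of the subj= and obj= SELinux contexts, drops events whose object is below a given level, and orders the rest by label. The record layout and the MLS context layout follow what the Linux audit subsystem and an SELinux MLS policy emit; the sample lines themselves are constructed.

```python
import re

# Constructed sample audit records (not from the original post) in the text
# format the Linux audit subsystem emits.  Under an MLS policy the SELinux
# context in subj= / obj= ends in a sensitivity label, e.g. "s2:c0.c3" or
# the range "s0-s3:c0.c7".
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1122588182.101:10): syscall=2 success=yes auid=500 subj=staff_u:staff_r:staff_t:s0 key="lspp"
type=PATH msg=audit(1122588182.101:10): item=0 name="/srv/report" obj=system_u:object_r:var_t:s2:c0.c3
type=SYSCALL msg=audit(1122588183.204:11): syscall=2 success=no auid=501 subj=user_u:user_r:user_t:s1:c1 key="lspp"
type=PATH msg=audit(1122588183.204:11): item=0 name="/srv/plan" obj=system_u:object_r:var_t:s3:c0.c7
type=SYSCALL msg=audit(1122588184.310:12): syscall=2 success=yes auid=502 subj=sysadm_u:sysadm_r:sysadm_t:s0-s3:c0.c7 key="lspp"
type=PATH msg=audit(1122588184.310:12): item=0 name="/srv/notes" obj=system_u:object_r:var_t:s0
"""

EVENT_RE = re.compile(r"msg=audit\(\d+\.\d+:(\d+)\)")   # event serial number
FIELD_RE = re.compile(r"\b(subj|obj)=(\S+)")           # SELinux contexts

def sensitivity(context):
    """Low sensitivity level of an MLS context as an int; None if the
    context has no MLS component.  "u:r:t:s0-s3:c0.c7" -> 0."""
    parts = context.split(":", 3)
    if len(parts) < 4:
        return None
    low = parts[3].split("-", 1)[0].split(":", 1)[0]    # "s2" from "s2:c0.c3"
    return int(low[1:]) if low[:1] == "s" and low[1:].isdigit() else None

def parse_events(text):
    """Group records by event serial, collecting subject and object labels."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        ev = events.setdefault(int(m.group(1)), {"serial": int(m.group(1))})
        for field, ctx in FIELD_RE.findall(line):
            ev[field] = ctx
            ev[field + "_level"] = sensitivity(ctx)
    return list(events.values())

def _level(event, field):
    value = event.get(field + "_level")   # events lacking a label sort below s0
    return -1 if value is None else value

def select_by_object_level(events, min_level):
    """Keep only events whose object label is at least min_level (req. 3)."""
    return [e for e in events if _level(e, "obj") >= min_level]

def sort_by_labels(events):
    """Order events by object, then subject, sensitivity (req. 2)."""
    return sorted(events, key=lambda e: (_level(e, "obj"), _level(e, "subj")))
```

The same selection applied at record-generation time, rather than over a stored log, is what requirement 3 asks of the audit filter configuration.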

Your comments welcome!

Amy
