LSPP Requirement Specifically for Auditing

Steve Grubb sgrubb at redhat.com
Mon Oct 3 13:17:15 UTC 2005


Hello,

I've been doing an analysis of what all we need to do to get the audit system
up to par for LSPP. The actual work list for all of LSPP is bigger; I am
extracting just the ones that are aimed primarily at the audit system. These
are the essential requirements:

1. Basic
1.1 Objects shall include: files, named pipes (fifo), sockets, devices, shared
memory, message queues, semaphores. New object: kernel keys

2 Audit User Space
2.1 Events shall contain unique session identifier and/or terminal
2.2 The ability to search on subject and object labels
2.3 The ability to search based on type of access and role that enabled access
2.4 The ability to search based on subject and object role
2.5 There shall be a method to audit based on keys
2.6 There shall be a way to audit based on network address

3 Kernel - Audit related
3.1 Create new audit record types for: rlimit violations, lspp subject, lspp
object, crypto, anomalies, and response to anomalies.
3.2 All Subjects and Objects shall be labeled - Network and kernel keys needed
3.3 Subject & Object information must be labeled in events
3.4 Role must be identified in events
3.5 For access control actions, the role that made access possible has to be
recorded.
3.6 Audit events shall contain unique session identifier and/or terminal
3.7 Audit events can be filtered by Object or Subject labels
3.8 Audit events can be filtered by host identity, event type, users belonging
to certain roles, and access types.
3.9 There shall be a method to audit based on keys
3.10 There shall be a way to audit based on network address
3.11 Loading MAC policy is an auditable event
3.12 Changing policy booleans is an auditable event
3.13 Service discontinuity is an auditable event.

5 Kernel Export/Import of Data
5.1.6 Hard Copy
5.1.6.2 admin shall be able to specify label associated with the data.
Overrides are an auditable event.
5.2.3 devices used to import data without labels cannot do so if previously
allocated to importing data with labels without a manual state change that is
auditable

7 User Space SE Linux
7.6 newrole made into suid program so that it can send audit messages

9 Self Test
9.1 RBAC requires that a suite of tests be available that demonstrates that
the machine is correctly operating.
9.2 Authorized users shall also be able to verify the integrity of data and
executables called out in the security target.
9.3 Tests shall produce audit records indicating that they were run and any
failures.

10.0 Postfix
10.1 Add loginuid code to set it when delivering local mail

11.0 Procmail
11.1 Add loginuid code to set it when delivering local mail


If I've missed anything, please let me know. Let's discuss...

-Steve
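Added example (not part of the original post, nor code from the audit project): a small Python filter over audit records in the kernel's key=value log format, showing the kinds of searches items 2.1 through 2.6 ask for: by session, subject and object label, role, rule key, and network address. The field names (ses=, subj=, obj=, key=, addr=, auid=) follow the audit log format; the sample records themselves are constructed for the example.

```python
import re

# Constructed sample records (not real log data). Records sharing one
# msg=audit(time:serial) stamp belong to the same event; the PATH record
# carries the object label, the SYSCALL record the subject label and key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1128345000.101:1): arch=c000003e syscall=2 success=yes auid=500 ses=3 subj=staff_u:staff_r:staff_t:s0 key="secret-files"
type=PATH msg=audit(1128345000.101:1): item=0 name="/srv/secret/a.txt" obj=system_u:object_r:secret_t:s2
type=SYSCALL msg=audit(1128345000.102:2): arch=c000003e syscall=42 success=no auid=501 ses=4 subj=user_u:user_r:user_t:s0 key="net-connect"
type=USER_LOGIN msg=audit(1128345010.000:3): pid=812 uid=0 auid=502 ses=5 subj=system_u:system_r:sshd_t:s0 msg='op=login acct="carol" addr=10.0.0.7 terminal=ssh res=success'
"""

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value or key="quoted value"
EVENT_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')  # audit(timestamp:serial)


def parse_events(text):
    """Merge all records of each event (same serial) into one dict of fields."""
    events = {}
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        serial = int(m.group(2))
        ev = events.setdefault(serial, {"serial": serial, "time": m.group(1)})
        for key, val in FIELD_RE.findall(line):
            val = val.strip("\"'")
            if key == "type":
                ev.setdefault("types", []).append(val)
            elif key != "msg":          # skip the audit(...) stamp and nested msg='...'
                ev[key] = val
                if key == "subj" and val.count(":") >= 2:
                    # SELinux context is user:role:type[:range]; expose the role
                    # separately so searches by role (2.3, 2.4) are direct.
                    ev["subj_role"] = val.split(":")[1]
    return [events[s] for s in sorted(events)]


def search(events, **criteria):
    """Return events where every named field is present and matches its regex,
    e.g. search(evs, obj=r":s2$") for objects at sensitivity s2."""
    return [ev for ev in events
            if all(f in ev and re.search(pat, ev[f]) for f, pat in criteria.items())]
```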

More information about the Linux-audit mailing list