LSPP Requirement Specifically for Auditing

Steve Grubb sgrubb at redhat.com
Thu Oct 6 19:19:27 UTC 2005


On Thursday 06 October 2005 11:33, Amy Griffis wrote:
> For the things that aren't mentioned in the specs, could you explain
> in more detail why you think they are needed?

To round out the system. If there's questions about anyone in particular, 
please ask about it.

> > 1. Basic
> > 1.1 Objects shall include: files, named pipes (fifo), sockets,
> > devices, shared memory, message queue, semaphores. New object:
> > kernel keys
>
> What is a kernel key?

It's part of the keying infrastructure. Each key is a block of memory that is 
presumably stuffed with a key.

> Could you explain why it's needed? 

Because it's something that programs perform operations on, therefore it's an 
object. In another thread last week, I demonstrated that you can stuff the 
whole passwd file into a key. This means that there is a need to control 
access to it and possibly audit its use since it could become a covert 
channel.

> > 2.5 There shall be a method to audit based on keys
> > 2.6 There shall be a way to audit based on network address
>
> Which requirement are these derived from?

Based on current audit usage. With keys, we may need to audit based on it. 
Not sure yet how that will look or if syscall auditing alone will handle it. 
As for networking, we have labeled networking. We may need to track machines 
regardless of what dhcp does to them. This has to be investigated and if we 
are completely sure it's not needed, we can discard it. I'd rather have it on 
the list and cross it off than completely overlook it.

> > 3 Kernel - Audit related
> > 3.1 Create new audit record types for: rlimit violations, lspp
> > subject, lspp object, crypto, anomalies, and response to anomalies.
>
> Other than lspp subject/object, I'm not sure which requirements these
> items are tied to.  Could you explain that?

All audit messages have a record type so that they can be searched for. This 
is basically saying that we need to allocate blocks of numbers for these 
types of messages.

> (Nit) Creating a new record type is an implementation detail and
> shouldn't be listed as a requirement.

This is something someone has to do. Until it's done, I need to track it.

> > 7 User Space SE Linux
> > 7.6 newrole made into suid program so that it can send audit messages
>
> Isn't this also an issue for trusted printing?

Looking at my system, cupsd is running as root. It therefore has the 
capability needed to send audit messages.

> > 13.0 initscripts
> > 13.1 Shutdown needs hwclock call moved to before killing the audit daemon
>
> Are these changes necessary for LSPP, or just fixes that need to be
> made to the current functionality?

Both. All changes to system time must be recorded.

-Steve
