[redhat-lspp] labeled ipsec auditing
Klaus Weidner
klaus at atsec.com
Mon Oct 9 19:09:49 UTC 2006
On Thu, Oct 05, 2006 at 06:15:44PM -0400, Paul Moore wrote:
> Hmm, good question. I'm looking at 5.2.4.4 of the LSPP doc and I see this
> paragraph at the end (in part "d"):
>
> "An LSPP-conformant TOE must only use protocols to export data with security
> attributes that provide unambiguous pairings of security attributes and the
> information being exported. Further, the ST author must make it clear that the
> mechanisms, or devices, used to export data with security attributes cannot be
> used to export data without security attributes unless this change in state can
> only be done manually and is audited. In addition, the security attributes must
> be exported to the same mechanism or device as the information. Also, any change
> in the security attributes settings of a device must be audited."
>
> The sentence that concerns me the most is the following: "Also, any change in
> the security attributes settings of a device must be audited". I guess it boils
> down if we consider a SA a "device" ...
I don't think that there a need to treat all SAs as devices. The
requirement is to have audit capability for all changes of device state
that affect MLS import/export, for example establishing or deleting an SA
with an associated MLS label, or modifying the MLS label of an SA (if
that's supported). Any operations on SAs that do not involve an MLS label
are out of scope for the "Export of Labeled User Data (FDP_ETC.2)" SFR
whose application note you are quoting.
-Klaus
More information about the Linux-audit
mailing list