AUDIT_NETFILTER_PKT message format

Steve Grubb sgrubb at redhat.com
Wed Feb 8 16:30:04 UTC 2017


On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote:
> On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs <rgb at redhat.com> wrote:
> > So while I'm not advocating this is what should be done and I'm trying
> > to establish bounds to the scope of this feature, but would it be
> > reasonable to simply not log packets that were transiting this machine
> > without a local endpoint?
> 
> I'm still waiting on more detailed requirements information from
> Steve, but based on what we've heard so far, it seems that ignoring
> forwarded traffic is a reasonable thing to do.

OK, I have done the analysis to see where things stand on this. A long time 
ago, there were no security requirements around virtualization except OSPP v2.0 
from BSI which had a virtualization extended module. In it, it had the 
following requirements:

FDP_IFF.1.2 The TSF shall permit an information flow between a controlled 
subject and controlled information via a controlled operation if the following 
rules hold: [assignment: for each operation, the security attribute-based
relationship that must hold between subject and information security
attributes, which must allow to define the security attribute-based
relationship between two subjects such that information flow
between the compartments is not permitted].
FDP_IFF.1.3 The TSF shall enforce the [assignment: additional information flow 
control SFP rules].
FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the
following rules: [assignment: rules, based on security attributes, that
explicitly authorise information flows].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the 
following rules: [assignment: rules, based on security attributes, that 
explicitly deny information flows].

So, whenever there was an allow or deny, then that needed to be auditable. The 
audit target was added and it can be configured to closely mirror the rules. 
When auditing, sufficient information needs to be recorded to make sense of why 
the flow was allowed or denied. Ultimately you really want this connected to a 
process and user if applicable.

However, in reviewing server virtualization protection profile v1.1 and 
operating system protection profile v4.1, there is no FDP_IFF.1 requirement 
which means that there are no more requirements to audit network packets. I 
did not review the network device protection profile which may or may not levy 
requirements for network auditing.

At this point, I would say there is no purpose for xt_AUDIT.c based on Common 
Criteria. It looks like it's built in response to the 
CONFIG_NETFILTER_XT_TARGET_AUDIT config option. So, it can be cleanly 
deprecated.

-Steve
