[redhat-lspp] LSPP/RBACPP requirements v.005
George Wilson
ltcgcw at us.ibm.com
Tue Nov 1 19:52:04 UTC 2005
Please find this week's update to the tasks list attached. Tasks with
0% complete should be considered unowned. If you have updates, please
send me a note and I'll make them.
--
George Wilson
IBM Linux Technology Center
<ltcgcw at us.ibm.com>
-------------- next part --------------
01 Audit record augmentation
Description: Augment audit records with additional LSPP & RBACPP
attributes: subj and obj labels; roles, host identity,
event type, and access types where available.
Implementation: IBM posted a patch on linux-audit.
Status: Patch posted to audit list by IBM; issues being addressed.
Upstream: Red Hat, lkml
Owner: Kirkland, Dustin
Org: IBM
02 Audit of additional events
Description: Add additional instrumentation to kernel and userspace,
particularly for user data import/export; catchall for
issues not covered elsewhere. May include new audit record
types for: rlimit violations, sub, obj, anomalies,
responses.
Implementation: Red Hat and IBM have expressed interest on mailing lists.
Status: Ongoing
Upstream: Red Hat, lkml
Owner: Grubb, Steve
Org: Red Hat
03 Audit of network events
Description: Add hooks to IPsec implicit packet labeling. Needs to
include audit by network address.
Implementation: Should mostly be covered by existing AVC audit records. IBM
likely to be interested in this in conjunction with labeled
network packets. May need to document that network
configuration changes require reboot (per @sec). DHCP
should be disallowed.
Status: Trent Jaeger has base IPsec packet labeling posted on
netdev. 2 patches pending. Need getsockopt() of packet
labels.
Upstream: netdev, lkml
Owner: Zhang, Catherine
Org: IBM
04 Audit of print events
Description: Instrument CUPS.
Implementation: HP posted a patch and discussed extensively on this list.
Status: Patch needs to go upstream to CUPS list.
Upstream: CUPS mailing list
Owner: Anderson, Matt
Org: HP
05 Audit of other import/export events
Description: Device allocation; force labeling of devices.
Implementation: Open
Status: Open
Upstream: Individual dev mailing lists
Owner: Grubb, Steve
Org: Red Hat
06 Audit of user and role modifications
Description: Instrument tools that modify users and roles in flat file
implementation. Includes passwd. Utilities upon which
this depends covered in separate task.
Implementation: Red Hat will be writing the user and role tools. Presumably
audit will be covered either via kernel or instrumentation.
Status: Dan Walsh posted flat file documentation.
Upstream: mlsutils package
Owner: Walsh, Dan
Org: Red Hat
07 Audit instrumentation of trusted programs, including
SELinux tools
Description: Add hooks to trusted programs. At the moment, looks like only
newrole needs to be instrumented--others are audited by
kernel. CUPS client may also be a candidate.
Implementation: Instrument newrole for audit, make it suid, and drop
capabilities other than audit append.
Status: Determine if newrole is only utility that requires
instrumentation.
Upstream: SELinux list, kernel community
Owner: Grubb, Steve
Org: Red Hat
08 Audit-fs completion
Description: Completion of auditfs patch.
Implementation: Implementation in progress by HP and IBM.
Status: HP completing work.
Upstream: fsdevel, lkml
Owner: Griffis, Amy
Org: HP
09 Audit filtering in kernel or daemon with additional LSPP &
RBACPP attributes--Selective Audit
Description: Add kernel or daemon audit filtering to CAPP audit. Solution
must filter/suppress records based on all available LSPP &
RBACPP attributes: obj and subj labels, object identity,
role, hostname, event type, and access type.
Implementation: Red Hat has expressed interest on linux-audit.
Status: IBM posted operators patch. Red Hat, HP, and IBM discussing
design.
Upstream: lkml
Owner: Grubb, Steve
Org: Red Hat
10 Audit browse, sort, search (augrep) with additional LSPP &
RBACPP attributes--Audit Selection
Description: Create command line browse utility. Must include all
available LSPP & RBACPP attributes: obj and subj labels,
object identity, role, hostname, event type, and access
type. Note there is no X-window System in certified
configuration.
Implementation: Red Hat has expressed interest on mailing lists. Needs API
and binary record format support.
Status: ASCII ausearch w/sub and obj labels implemented; API
proposed on list; binary record format being discussed.
Upstream: Red Hat
Owner: Grubb, Steve
Org: Red Hat
11 DAC policy and function
Description: Existing DAC mechanisms should cover; ensure all objects
are covered and ensure owner, perm bits, ACLs are
appropriate.
Implementation: Should already be covered.
Status: Needs to be analyzed to ensure complete coverage.
Upstream: What, if anything, is specific to the certification RPM?
Owner: Wilson, George
Org: IBM
12 MLS policy and function
Description: SELinux MLS function and base MLS policy provide
foundation; require a real MLS policy that correctly deals
with trusted processes, overrides, restrictions on
import/export, VFS polyinstantiation; plus extensive
testing.
Implementation: NSA, TCS, Tresys, Red Hat, and others have posted patches.
Status: Red Hat has incorporated "real" MLS policy into Rawhide.
Attempting move to reference policy.
Upstream: SELinux mailing list, Red Hat MLS policy RPM
Owner: Walsh, Dan
Org: Red Hat
13 IPsec labeled packets: Base patch
Description: Indirect packet labeling based on mapping IPsec SAs to
SELinux security contexts; AH-only with physical network
security reduces/eliminates FIPS crypto cert
requirements.
Implementation: Trent Jaeger / IBM posted patch to netdev. They plan to
continue working this item.
Status: Base patch on netdev; ipsec-tools and getsockopt() for
label need to be posted to maintainer lists once base patch is
accepted into kernel; also requires testing.
Upstream: netdev, lkml
Owner: Jaeger, Trent
Org: PSU
14 Labeled print
Description: TCS patch posted to redhat-lspp + mods by HP and others; also
need print tests.
Implementation: TCS posted patch. It has generated extensive comments. HP
posted an audit instrumentation patch for it.
Status: Patch looks good; requires testing. Waiting on CUPS release
to post to CUPS list.
Upstream: CUPS mailing list
Owner: Anderson, Matt
Org: HP
15 VFS polyinstantiation
Description: Namespaces unshare syscall patch and PAM exploitation of
it.
Implementation: NSA posted polyinstantiation patch. Red Hat has been working on
namespaces extensively. IBM has posted unshare syscall
patch and PAM integration patches.
Status: Janak incorporated Chris Wright's comments. Worked
w/Chris to prove clone() won't suffice. Have PAM module
exploiter. Patches need to be accepted on lkml.
Upstream: lkml, pam-list
Owner: Desai, Janak
Org: IBM
16 Device allocation
Description: Device allocation patch posted by TCS + enhancements,
and/or forced relabeling upon device insertion; requires
testing. Functions: authorization, synchronization,
device node context assignment, eject/close.
Implementation: TCS posted framework patch. HP posted policy for it.
Status: License and update posted by TCS. HP enhancements also
posted
Upstream: TCS will create device allocator SF project.
Owner: Hanson, Chad
Org: TCS
17 Test and possibly restrict file archivers
Description: star already maintains xattrs; zip/unzip patched to
support xattrs. Need to restrict to the admin. Enhancements
to other archivers exceed LSPP reqs.
Implementation: IBM has added xattr support to zip/unzip. Policy
implications need to be examined.
Status: star needs comprehensive testing. IBM writing star and
zip/unzip tests. Need to investigate restrictions via
policy.
Upstream: archiver maintainers for modifications; selinux list for
policy
Owner: Velarde, Debora
Org: IBM
18 Device labeling via udev
Description: udev patch would force relabeling upon hotplug/mount. No
hotplug events shall label devices. It can only make sure
they are unlabeled. (L/FDP_ETC, FDP_ITC)
Implementation: Nolan @ Red Hat seemed to think this was a big deal.
Fundamentally breaks way folks designing udev intended
udev to be used. Need udev maintainer buy-in.
Status: Requires more analysis.
Upstream: udev maintainer? Unclear this can be upstreamed.
Owner: Grubb, Steve
Org: Red Hat
19 Label translation
Description: Translation of sensitivity labels into human-readable
form.
Implementation: libsetrans incorporated into SELinux.
Status: libsetrans is upstream; requires test.
Upstream: SELinux list
Owner: Walsh, Dan
Org: Red Hat
20 Mail
Description: User mail required for admin mail only, probably only cron.
Possible solutions: multi-level MTA, admin-only MTA,
direct procmail invocation; direct delivery by cron into
poly'd directories. Complete solution may be interesting
but is not a requirement.
Implementation: IBM is looking at this approach. Russell Coker recently
became interested in adding labels to messages.
Status: Requires analysis to determine which approach is
satisfactory.
Upstream: Certification RPM only?
Owner: Coker, Russell
Org: Red Hat
21 Multilevel xinetd
Description: Patch xinetd to obtain label from inbound connections and
spawn child daemons with correct context. Will have to be
documented as trusted program.
Implementation: TCS has posted a patch. Requires IPsec labeled network
packets context getsockopt().
Status: Simple patch exists; some debate over range bracketing.
Upstream: Steve Grubb, xinetd list
Owner: Hanson, Chad
Org: TCS
22 Multilevel sshd
Description: Patch sshd to spawn child processes with correct context.
Implementation: This may be possible by simply patching PAM module.
Status: Requires more analysis; would we favor this approach in lieu
of multilevel xinetd?
Upstream: openssh-unix-dev
Owner: Zhang, Catherine
Org: IBM
23 Multilevel cron
Description: TCS posted polyinstantiation-aware Vixie cron; TCS
approach useful, but useful only for MLS labels and
dependent on TCS polyinstantiation mechanism. Comments on
redhat-lspp suggest extending cron/crontab protocol to
support security context.
Implementation: TCS posted the patch; IBM is working to integrate with
namespaces-based polyinstantiation.
Status: High-level approach on extending cron/crontab protocol
being worked on by IBM.
Upstream: Vixie cron; unclear this will be upstreamable.
Owner: Desai, Janak
Org: IBM
24 Multilevel at
Description: Base at work on multilevel cron.
Implementation: Open; IBM and TCS are likely interested in this as they have
been working on cron.
Status: Requires investigation.
Upstream: at maintainer
Owner: Desai, Janak
Org: IBM
25 Multilevel tmpwatch
Description: Patch tmpwatch to handle polyinstantiation.
Implementation: Open
Status: Requires investigation.
Upstream: tmpwatch maintainer
Owner: Desai, Janak
Org: IBM
26 Multilevel slocate
Description: Slocate needs to be removed from evaluated configuration.
Implementation: Ensure removal from evaluated configuration package list.
Status: Consensus at last discussion is to remove from package list.
Upstream: Red Hat Certification RPM
Owner: Grubb, Steve
Org: Red Hat
27 Revocation of user and object attributes
Description: Killall with user and context matching and wrapper script to
lock account and kill all user processes. Similar approach
can be taken with fuser.
Implementation: IBM has psmisc patch to be posted. Needs to use loginuid and
document regex caveats as well.
Status: IBM has patch to killall and revocation script; to be posted
on selinux list and redhat-lspp.
Upstream: psmisc sf project
Owner: Wilson, George
Org: IBM
28 Useful role definitions
Description: Define a useful set of roles in the MLS policy. The admin roles
should be separated, and a super admin role composed from
them. Overrides also need to be tied to roles. Consider
including a crypto admin role.
Implementation: Red Hat added role separation to MLS policy with input from
TCS.
Status: Role separation already done in the existing MLS policy.
Expound on this work and document.
Upstream: selinux list
Owner: Wilson, George
Org: IBM
29 Management of users and roles in flat file
Description: Create command line tools to manage and audit users and roles
in flat file separated from base MLS policy. Actions need to
be audited, which is covered in a separate task.
Implementation: Red Hat has been working on flat file user and roles
implementation.
Status: Red Hat posted user and roles in flat files documentation.
Tools need to be created and instrumented with audit hooks.
Upstream: Red Hat mlsutils package
Owner: Walsh, Dan
Org: Red Hat
30 Self tests
Description: Define a subset of LTP tests that can be run periodically by an
administrator or cron job that demonstrates correct
operation DAC and MAC policies, and verifies integrity of
configuration files, including SELinux policy. Tests
shall produce audit records.
Implementation: Open; IBM has some ideas for this. Likely permission and
label checks via script, binary integrity validation via
rpm -V, and LTP subset.
Status: NSA SELinux tests are incorporated into LTP. Select a subset
of these, verify critical DAC permissions, and check
integrity of critical configuration files. Also, NSA
adding integrity verification and version tagging of
SELinux policy.
Upstream: Certification RPM only?
Owner: Wilson, George
Org: IBM
31 I&A
Description: All these requirements are similar to CAPP. Augment tests to
account for sensitivity labels.
Implementation: IBM plans to test this.
Status: This is test work to verify I&A functionality. IBM plans
to perform this work.
Upstream: LTP?
Owner: Desai, Janak
Org: IBM
32 Test
Description: Create testcases and incorporate into LTP.
Implementation: Respective task owners should create unit and functional
tests.
Status: Ongoing
Upstream: LTP
Owner: Wilson, Kris
Org: IBM
33 Documentation
Description: Create documentation for each task.
Implementation: Respective task owners should create low-level design
documentation, manpages, and structured comments.
Status: Ongoing
Upstream: Respective upstream maintainers
Owner: Wilson, George
Org: IBM
34 Ensure all named objects are covered by DAC & MAC
Description: Objects shall include: files, named pipes (fifo), sockets,
devices, shared memory, message queue, semaphores. New
object: kernel keys - would need man pages, structured
comments, & test cases.
Implementation: IBM should ensure complete coverage.
Status: No development work; ensure coverage in ST.
Upstream: Red Hat Certification RPM
Owner: Wilson, George
Org: IBM
35 Provide minimal number of MAC levels and categories
Description: There shall be at least 16 levels of hierarchical labels and 64
compartments (L/FDP_IFF.2.7). However, we should have 256
compartments per customer requirement.
Implementation: IBM should ensure complete coverage.
Status: No development work; ensure coverage in ST; RH has customer
reqs beyond LSPP.
Upstream: SELinux mailing list
Owner: Wilson, George
Org: IBM
36 Audit record unique session/terminal ID
Description: Events shall contain unique session identifier and/or
terminal.
Implementation: Could be an ID a la loginuid; don't want to add a new one; only
required when available; incomplete coverage; add to audit
records where available.
Status: Expand coverage of terminal ID.
Upstream: lkml, linux-audit
Owner: Grubb, Steve
Org: Red Hat
37 Analyze removing DBUS
Description: DBUS must be either documented and tested, restricted, or
removed. Ideally it will be removed from the ST.
Implementation: Remove dbus and see what breaks; discuss with Russell.
Status: Open and high priority
Upstream: Red Hat Certification RPM
Owner: Grubb, Steve
Org: Red Hat
39 Restrict kernel keyring access
Description: There needs to be a way to restrict the use of the kernel
keyring to the authorized administrator.
Implementation: The restrictions should be defined in the MAC policy, and
DAC, too, if possible.
Status: Open
Upstream: Red Hat Certification RPM
Owner: Wilson, George
Org: IBM
40 Standard LSPP configuration
Description: Create standard LSPP configuration and rules to be shared
among contributors. This may be incorporated into
Configuration Guide.
Implementation: Write scripts and documentation for LSPP & RBACPP
configuration.
Status: Russell Coker looking at setting up wiki for collaboration
on documentation.
Upstream: Red Hat Certification RPM, README for selinux-list,
Configuration Guide
Owner: Grubb, Steve
Org: Red Hat
41 Audit of SELinux booleans
Description: Changing policy booleans is auditable event.
Implementation: SELinux needs to generate audit records when policy
booleans are changed. Unclear to what extent this is already
covered.
Status: Requires analysis
Upstream: SELinux list
Owner: Grubb, Steve
Org: Red Hat
42 Audit of service discontinuity
Description: Service discontinuity is auditable event.
Implementation: Ensure that all service discontinuities are
audited--bootup, shutdown, SELinux enable, SELinux
disable.
Status: Should already be covered; need to ensure that is the case.
Upstream: SELinux list, linux-audit
Owner: Grubb, Steve
Org: Red Hat
43 Audit record subject labels for userspace records
Description: When user space message is relayed, add a subject message to
same event.
Implementation: The kernel needs to add the subject label for audit records
generated in userspace because the caller cannot be
trusted.
Status: Steve Grubb already planning to add.
Upstream: SELinux list, linux-audit
Owner: Grubb, Steve
Org: Red Hat
44 Fail to secure state
Description: When role data base is offline, corrupt, or inaccessible,
the system shall preserve a secure state.
Implementation: SELinux denies everything by default. So, if the SS, DB, or
policy is unavailable, the system should come to a stop.
Status: Should already be covered by SELinux; ensure that it is.
Upstream: SELinux list
Owner: Walsh, Dan
Org: Red Hat
45 Maintenance mode for secure recovery
Description: RBAC stipulates that after a failure or service
discontinuity, the machine shall enter a maintenance mode
whereby the machine can be restored to a secure state. Maybe
config param for rc.sysinit.
Implementation: Perhaps need to add a new init state for secure recovery.
Status: Requires analysis; may not require a new init state.
Upstream: Red Hat certification RPM
Owner: Walsh, Dan
Org: Red Hat
47 Utility to list SELinux roles?
Description: User shall have the ability to see list of authorized Roles.
This does not appear to be a strict requirement looking at
RBACPP FIA_ATD.1.
Implementation: This is not required but would be nice to have. Is there already
a way to do this? If not, need a utility for a user to list roles
that he/she can take on.
Status: Nice to have. Determine if this should be removed from
requirements list.
Upstream: SELinux list, Red Hat certification RPM
Owner: Wilson, George
Org: IBM
48 User role modification?
Description: User shall have the ability to change to any authorized
Roles. Unclear that this is required by reading RBACPP
FMT_SMR.2; TSF needs to associate, admins need to control.
Implementation: Mechanism already exists for TSF to associate users and
roles, and for admin roles to control them. Users must be
restricted.
Status: Determine if this should be removed. For Klaus: When a user
changes roles, is that an auditable event? We should amend
this item to include auditability of role change based on
Klaus' feelings. Otherwise strike from list as it's covered
by newrole.
Upstream: Red Hat certification RPM
Owner: Wilson, George
Org: IBM
49 MLS enablement of userspace
Description: All utilities that display contexts shall be updated to
display levels and categories. They shall display the
translated name.
Implementation: Ensure all userspace utilities display levels and
categories correctly. This should already be done. Unclear
that they should always display xlated names.
Status: Determine where xlations should be displayed. Should
already be done. Should be determined by ongoing test and use.
Upstream: SELinux list, Red Hat certification RPM
Owner: Grubb, Steve
Org: Red Hat
50 Utility to compute closure of sub access to objs?
Description: Given a file, the Admin shall be able to determine who can
access it. Request from military customers.
Implementation: Requires analysis of DAC permissions and SELinux policy.
Status: Nice to have. Determine if it should be removed from
requirements list.
Upstream: Red Hat certification RPM
Owner: Grubb, Steve
Org: Red Hat
51 IPsec labeled packets: Userspace ipsec-tools patch
Description: This is the userspace ipsec-tools patch that accompanies
the kernel base patch.
Implementation: Joy Latten and Trent Jaeger modified ipsec-tools to handle
syntax modifications required by kernel base patch.
Status: Joy has forward ported the patch. It will be posted to the
ipsec-tools list when the base patch is upstream.
Upstream: ipsec-tools
Owner: Latten, Joy
Org: IBM
53 IPsec labeled packets: Analyzers
Description: Tcpdump and ethereal need to understand IPsec labels. This
is not an LSPP/RBACPP requirement.
Implementation: Augment tcpdump and ethereal. This would be AH-only, I
presume, unless the sniffers can decrypt ESP.
Status: Open; Likely a nice to have item.
Upstream: Tcpdump and ethereal maintainers
Owner: Grubb, Steve
Org: Red Hat