[redhat-lspp] LSPP work items

Steve Grubb sgrubb at redhat.com
Tue Oct 4 21:46:52 UTC 2005


Hello,

I have finished reviewing specs and have pulled together a sheet that has a 
number of work items in it. The list still needs vetting. 

I have labeled the items to show where they come from. I put R for RBAC and L 
for LSPP and then the section it came from. Some things are not in the specs, 
like 3.1, 3.11, or 3.12. But I think these are items that we want coverage 
on to make sure the system is solid. If there are no parentheses, I did not 
find it in the specs. An example of this would be file system 
polyinstantiation.

Please let me know if something is missing or doesn't look right.

-Steve

================

1 Basic
1.1 Objects shall include: files, named pipes (fifo), sockets, devices, shared 
memory, message queue, semaphores. New object: kernel keys
1.2 There shall be at least 16 levels of hierarchical labels and 64 
compartments (L/FDP_IFF.2.7); however, we should have 256 compartments
1.3 RBAC access control is modeled on DAC (need clarification?). Users shall 
have the right to set restrictions on their Objects (R/FMT_SMR.2)

2 Audit User Space
2.1 Events shall contain unique session identifier and/or terminal 
(R/FAU_SAR.1)
2.2 The ability to search on subject and object labels (L/FAU_SEL.1)
2.3 The ability to search based on type of access and role that enabled access
(R/FAU_SAR.3)
2.4 The ability to search based on subject and object role (R/FAU_SAR.1)
2.5 There shall be a method to audit based on keys
2.6 There shall be a way to audit based on network address

3 Kernel - Audit related
3.1 Create new audit record types for: rlimit violations, lspp subject, lspp 
object, crypto, anomalies, and response to anomalies.
3.2 All Subjects and Objects shall be labeled - Network and kernel keys
needed (L/FAU_GEN.1)
3.3 Subject & Object information must be labeled in events (L/FAU_SAR.3)
3.4 Role must be identified in events (R/FAU_GEN.1)
3.5 For access control actions, the role that made access possible has to be
recorded. (R/FAU_GEN.1)
3.6 Audit events shall contain unique session identifier and/or 
terminal (R/FAU_SAR.1)
3.7 Audit events can be filtered by Object or Subject labels (L/FAU_SEL.1)
3.8 Audit events can be filtered by host identity, event type, users belonging 
to certain role, and access types. (R/FAU_SEL.1)
3.9 There shall be a method to audit based on keys
3.10 There shall be a way to audit based on network address
3.11 Loading MAC policy is auditable event
3.12 Changing policy booleans is auditable event
3.13 Service discontinuity is auditable event. (R/FPT_RCV.1)
3.14 When user space message is relayed, add a subject message to same 
event (L/FAU_GEN.1)

4 Kernel - MAC related
4.1 MAC policy shall allow what's specified by LSPP
4.2 All actions performed by MAC policy can be audited - grant or denied
4.3 When role data base is offline, corrupt, or inaccessible, the system shall 
preserve a secure state (R/FPT_FLS.1)
4.4 RBAC stipulates that after a failure or service discontinuity, the machine 
shall enter a maintenance mode whereby the machine can be restored to a 
secure state. Maybe config param for rc.sysinit (R/FPT_RCV.1)

5 Kernel Export/Import of Data
5.1 Export of Data (FDP_ETC)
5.1.1 Export is controlled by MAC policy
5.1.2 unlabeled data stays unlabeled
5.1.3 labeled data stays labeled
5.1.4 unlabeled devices cannot be used to export data unless a change of state 
is performed manually and it is audited
5.1.5 security mechanisms must be provided to the data that are exported by 
devices to media that do not have labels with the actual data
5.1.6 Hard Copy
5.1.6.1 hard copy data must be labeled on every page (FDP_ETC)
5.1.6.2 admin shall be able to specify label associated with the
data. Overrides are an auditable event. (FDP_ETC)
5.1.6.3 each print job will have label on header page representing the "least 
upper bound" of the whole print job
5.1.6.4 each page will have the label representing the "least upper bound" of 
all data exported
5.2 Import of data (FDP_ITC)
5.2.1 Import is controlled by MAC policy
5.2.2 shall ignore security attributes associated with unlabeled user data
5.2.3 devices used to import data without labels cannot do so if previously 
allocated to importing data with labels without a manual state change that is 
auditable
5.2.4 system must provide protection mechanism for data imported from 
unlabeled sources.
5.2.5 attributes from the user data will be retained when labeled

6 File System Poly-instantiation
6.1 We need to have this to make life easier

7 User RBAC utilities
7.1 User shall have the ability to see list of authorized Roles (R/FIA_ATD.1)
7.2 User shall have the ability to see any user attribute related to Roles
(R/FIA_ATD.1)
7.3 User shall have the ability to change to any authorized Roles 
(R/FMT_SMR.2)
7.4 Access granting functions shall fail when policy or role database is 
inaccessible. (R/FPT_RCV.4)

8 User Space SE Linux
8.1 Admin shall be able to customize compartment names
8.2 All utilities that display contexts shall be updated to display
compartments. They shall display the custom name.
8.3 Admin shall be able to assign roles to users (R/FMT_MSA.1)
8.4 Given a file, the Admin shall be able to determine who can access it
8.5 Standard MAC policy needs creating
8.6 newrole made into suid program so that it can send audit messages
8.7 assignment of user to role/se linux user is auditable. (R/FAU_GEN.1)

9 Device Allocator
9.1 Handles authorization of access to the device,
9.2 Handles synchronization of access to the device,
9.3 Determines the context to assign to the device node dynamically based on 
the allocating process,
9.4 Handles related operations like eject/close as part of the 
allocation/unallocation so that the relabeling is synchronized with the 
insertion of particular media.

10 Self Test
10.1 RBAC requires that a suite of tests be available that demonstrates that 
the machine is correctly operating. (R/FPT_TST.1)
10.2 Authorized users shall also be able to verify the integrity of data and 
executables called out in security target. (R/FPT_TST.1)
10.3 Tests shall produce audit records indicating that they were run and any 
failures. (R/FPT_TST.1)

11 Postfix
11.1 Add loginuid code to set it when delivering local mail (L/FIA_USB.1)

12 Procmail
12.1 Add loginuid code to set it when delivering local mail (L/FIA_USB.1)

13 Udev
13.1 No hotplug events shall label devices. It can only make sure they are
unlabeled. (L/FDP_ETC, FDP_ITC)

14 initscripts
14.1 Shutdown needs hwclock call moved to before killing the audit daemon 
(L/FPT_STM.1)

15 cron
15.1 Multi-level cron

16 xinetd
16.1 Multi-level inetd is needed

17 Shadow-utils
17.1 update shadow-utils to insert object information in the
messages (L/FAU_GEN.1)

18 util-linux
18.1 hwclock needs update for contexts (L/FAU_GEN.1)
18.2 login needs contexts update (L/FAU_GEN.1)

19 pam
19.1 various updates for labels

20 passwd
20.1 update to insert object information in the messages (L/FAU_GEN.1)

21 Turing Complete Programs
21.1 Review all Turing complete programs to see if they need augmentation: 
sed, awk, rpm, bash, tcsh, perl, python, postscript, m4, cpp
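The label arithmetic behind items 1.2, 5.1.6.3 and 5.1.6.4 (hierarchical levels plus compartments, dominance, and the "least upper bound" that each printed page and the header page must carry), as an added example that is not part of Steve's message or of any Red Hat or SELinux code. It assumes SELinux-style MLS notation (`s3:c1,c4.c7`, with `.` marking an inclusive compartment range), which the message does not specify, and takes its bounds from item 1.2 (16 levels, 256 compartments). The names `Label`, `can_read`, `can_write`, `print_job_labels` and the sample print job are invented for the example; the read and write rules are the standard MLS no-read-up / no-write-down rules, not something the message states.

```python
"""MLS label arithmetic: dominance and least upper bound (LUB).

Added example, not from the mailing-list message or any project code.
Assumed notation (SELinux MLS style): "s<level>[:c<a>[,c<b>.c<d>...]]",
where "c<b>.c<d>" is an inclusive compartment range.  The bounds below
come from work item 1.2 (16 levels, 256 compartments).
"""
from dataclasses import dataclass

MAX_LEVELS = 16          # hierarchical levels s0..s15 (item 1.2)
MAX_COMPARTMENTS = 256   # compartments c0..c255 (item 1.2, "we should have 256")


def _compartment(tok: str) -> int:
    """Parse "c<n>" into an integer, rejecting anything outside the bound."""
    if not (tok.startswith("c") and tok[1:].isdigit()):
        raise ValueError(f"bad compartment token: {tok!r}")
    n = int(tok[1:])
    if not 0 <= n < MAX_COMPARTMENTS:
        raise ValueError(f"compartment out of range: {n}")
    return n


@dataclass(frozen=True)
class Label:
    level: int
    compartments: frozenset  # set of compartment numbers

    @classmethod
    def parse(cls, text: str) -> "Label":
        """Parse "s3:c1,c4.c7" -> Label(3, {1,4,5,6,7}); "s0" has no compartments."""
        lvl, _, cats = text.strip().partition(":")
        if not (lvl.startswith("s") and lvl[1:].isdigit()):
            raise ValueError(f"bad level token: {lvl!r}")
        level = int(lvl[1:])
        if not 0 <= level < MAX_LEVELS:
            raise ValueError(f"level out of range: {level}")
        comps = set()
        for part in filter(None, cats.split(",")):
            lo, _, hi = part.partition(".")
            lo_n = _compartment(lo)
            hi_n = _compartment(hi) if hi else lo_n
            if hi_n < lo_n:
                raise ValueError(f"descending compartment range: {part!r}")
            comps.update(range(lo_n, hi_n + 1))
        return cls(level, frozenset(comps))

    def dominates(self, other: "Label") -> bool:
        """self >= other: higher-or-equal level AND superset of compartments."""
        return self.level >= other.level and self.compartments >= other.compartments

    def lub(self, other: "Label") -> "Label":
        """Least upper bound: max level, union of compartments."""
        return Label(max(self.level, other.level),
                     self.compartments | other.compartments)

    def __str__(self) -> str:
        """Render back to the notation, collapsing consecutive runs into ranges."""
        cs = sorted(self.compartments)
        parts, i = [], 0
        while i < len(cs):
            j = i
            while j + 1 < len(cs) and cs[j + 1] == cs[j] + 1:
                j += 1
            parts.append(f"c{cs[i]}" if i == j else f"c{cs[i]}.c{cs[j]}")
            i = j + 1
        return f"s{self.level}" + (":" + ",".join(parts) if parts else "")


BOTTOM = Label(0, frozenset())  # identity element for lub()


def can_read(subject: str, obj: str) -> bool:
    """Standard MLS read rule (no read-up): the subject must dominate the object."""
    return Label.parse(subject).dominates(Label.parse(obj))


def can_write(subject: str, obj: str) -> bool:
    """Standard MLS write rule (no write-down): the object must dominate the subject."""
    return Label.parse(obj).dominates(Label.parse(subject))


def print_job_labels(pages):
    """Items 5.1.6.3/5.1.6.4: each page is labeled with the LUB of the data on
    it, and the header page with the LUB of every page in the job.
    `pages` is a list of pages, each a list of data labels (strings)."""
    page_labels = []
    for data in pages:
        lbl = BOTTOM
        for d in data:
            lbl = lbl.lub(Label.parse(d))
        page_labels.append(lbl)
    header = BOTTOM
    for lbl in page_labels:
        header = header.lub(lbl)
    return [str(p) for p in page_labels], str(header)


if __name__ == "__main__":
    # Constructed sample job: two pages mixing data at different labels.
    job = [["s1:c1", "s0"], ["s2:c3.c5", "s1:c1"]]
    pages, header = print_job_labels(job)
    print("pages :", pages)     # ['s1:c1', 's2:c1,c3.c5']
    print("header:", header)    # s2:c1,c3.c5
```

Note that dominance is a partial order: `s2:c1` neither dominates nor is dominated by `s1:c2`, so neither subject can read the other's data, yet their LUB `s2:c1,c2` is well defined and is what a shared header page must be stamped with. Rejecting out-of-range levels and compartments at parse time is deliberate; a label the kernel cannot represent should never reach the export path at all.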
