* NetLabel audit messages
From: Paul Moore @ 2006-09-22 17:38 UTC (permalink / raw)
  To: linux-audit


In order to meet certain certification requirements, the NetLabel kernel
subsystem needs to write a small number of audit messages.  From what I
can tell this is going to require a new message type as well as
agreement on the content and formatting of the messages themselves.  Am
I missing anything?

For the new message type, I would like to propose the following:

 #define AUDIT_NLBL 1480


For the messages themselves, here is what I was thinking:

 "netlabel: <protocol> op=<operation> pid=<pid> tty=<tty> comm=<name>
            exe=<path> uid=<uid> auid=<auid> euid=<euid> suid=<suid>
            fsuid=<fsuid> gid=<gid> egid=<euid> sgid=<suid>
            fsgid=<fsuid> [<cipsov4 extras>|<management extras>]"

 <protocol>         => cipsov4 | unlabeled | management

 <operation>        => (for protocol == cipsov4) add | del
                       (for protocol == unlabeled) accept | deny
                       (for protocol == management) map_add | map_delete

 <cipsov4 extras>   => doi=<DOI #> type=<DOI type>
  <DOI #>    => (CIPSO DOI value, i.e. unsigned 32-bit value)
  <DOI type> => std | pass

 <management extras> => domain=<domain> protocol=<protocol> [doi=<DOI #>]
  <domain>   => "(domain string, i.e. foo_t)" | default

Comments and suggestions are welcome.

-- 
paul moore
linux security @ hp

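The grammar proposed above is precise enough to be machine-checked, which is what a log consumer (or a certification reviewer) would eventually want to do with these records. The following Python parser is an added example, not code from this thread or from the NetLabel subsystem: it validates a line against exactly the proposal, i.e. the per-protocol operation vocabulary, the thirteen process-identity fields, the cipsov4 and management extras, and the unsigned 32-bit bound on the DOI. The sample records, the value-quoting convention (comm, exe and domain in double quotes) and the tool name in them are constructed assumptions. One detail worth noting: a management record carries a second `protocol=` key in its extras, so the leading protocol is treated as positional rather than as a key/value pair to avoid the collision.

```python
import re
from typing import Any, Dict, List, Optional, Tuple

# Process-identity fields every record carries, in the proposed order.
COMMON_FIELDS = ("pid", "tty", "comm", "exe", "uid", "auid", "euid", "suid",
                 "fsuid", "gid", "egid", "sgid", "fsgid")
NUMERIC_FIELDS = {"pid", "uid", "auid", "euid", "suid", "fsuid", "gid",
                  "egid", "sgid", "fsgid"}
# Per-protocol operation vocabulary from the proposal.
VALID_OPS = {
    "cipsov4": {"add", "del"},
    "unlabeled": {"accept", "deny"},
    "management": {"map_add", "map_delete"},
}
UINT32_MAX = 0xFFFFFFFF
# One key=value token; the value is a double-quoted string or a bare run of non-blanks.
_TOKEN_RE = re.compile(r'\s*(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


class NetLabelRecordError(ValueError):
    """Raised when a line does not conform to the proposed record grammar."""


def _tokenize(text: str) -> List[Tuple[str, str]]:
    """Split 'k=v k2="v2"' into ordered pairs, rejecting any stray text."""
    pairs, pos, text = [], 0, text.rstrip()
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise NetLabelRecordError(f"unparseable text at {text[pos:]!r}")
        key, value = m.group(1), m.group(2)
        if value.startswith('"'):
            value = value[1:-1]  # strip the quotes, keep the contents verbatim
        pairs.append((key, value))
        pos = m.end()
    return pairs


def _uint(value: str, name: str, maximum: Optional[int] = None) -> int:
    """Convert a decimal field, enforcing an upper bound where the grammar gives one."""
    if not value.isdigit():
        raise NetLabelRecordError(f"{name}={value!r} is not an unsigned integer")
    n = int(value)
    if maximum is not None and n > maximum:
        raise NetLabelRecordError(f"{name}={n} exceeds {maximum}")
    return n


def _check_extras(protocol: str, extras: Dict[str, Any]) -> None:
    """Validate and type-convert the per-protocol trailing fields in place."""
    keys = set(extras)
    if protocol == "cipsov4":
        if keys != {"doi", "type"}:
            raise NetLabelRecordError("cipsov4 records need exactly doi= and type=")
        extras["doi"] = _uint(extras["doi"], "doi", UINT32_MAX)
        if extras["type"] not in ("std", "pass"):
            raise NetLabelRecordError(f"bad DOI type {extras['type']!r}")
    elif protocol == "unlabeled":
        if keys:
            raise NetLabelRecordError("unlabeled records carry no extras")
    else:  # management
        if not {"domain", "protocol"} <= keys or not keys <= {"domain", "protocol", "doi"}:
            raise NetLabelRecordError("management records need domain=, protocol= [doi=]")
        if extras["protocol"] not in VALID_OPS:
            raise NetLabelRecordError(f"unknown mapped protocol {extras['protocol']!r}")
        if "doi" in extras:
            extras["doi"] = _uint(extras["doi"], "doi", UINT32_MAX)


def parse_netlabel_record(line: str) -> Dict[str, Any]:
    """Parse one 'netlabel: ...' record into protocol, op, process identity and extras."""
    line = line.strip()
    if not line.startswith("netlabel: "):
        raise NetLabelRecordError("not a netlabel record")
    # The protocol is positional, so it cannot collide with the protocol= key
    # that management records carry in their extras.
    protocol, _, rest = line[len("netlabel: "):].partition(" ")
    if protocol not in VALID_OPS:
        raise NetLabelRecordError(f"unknown protocol {protocol!r}")
    pairs = _tokenize(rest)
    if not pairs or pairs[0][0] != "op":
        raise NetLabelRecordError("record must start with op=")
    op = pairs[0][1]
    if op not in VALID_OPS[protocol]:
        raise NetLabelRecordError(f"op={op!r} is not valid for {protocol}")
    process: Dict[str, Any] = {}
    extras: Dict[str, Any] = {}
    for key, value in pairs[1:]:
        target = process if key in COMMON_FIELDS else extras
        if key in target:
            raise NetLabelRecordError(f"duplicate field {key}")
        target[key] = _uint(value, key) if key in NUMERIC_FIELDS else value
    missing = [f for f in COMMON_FIELDS if f not in process]
    if missing:
        raise NetLabelRecordError(f"missing fields: {', '.join(missing)}")
    _check_extras(protocol, extras)
    return {"protocol": protocol, "op": op, "process": process, "extras": extras}


# Constructed sample records (not real kernel output) following the proposal.
_IDENTITY = ('pid=1234 tty=pts0 comm="netlabelctl" exe="/sbin/netlabelctl" '
             'uid=0 auid=500 euid=0 suid=0 fsuid=0 gid=0 egid=0 sgid=0 fsgid=0')
SAMPLE_RECORDS = [
    f"netlabel: cipsov4 op=add {_IDENTITY} doi=1 type=std",
    f'netlabel: management op=map_add {_IDENTITY} domain="foo_t" protocol=cipsov4 doi=1',
    f"netlabel: unlabeled op=deny {_IDENTITY}",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        parsed = parse_netlabel_record(rec)
        print(parsed["protocol"], parsed["op"], parsed["process"]["auid"], parsed["extras"])
```

Feeding the parser a record whose op does not belong to its protocol (for example `cipsov4` with `op=map_add`) or whose DOI exceeds 32 bits raises `NetLabelRecordError`, so the same function doubles as a conformance check for the proposed format.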

* Re: NetLabel audit messages
From: Steve Grubb @ 2006-09-22 18:06 UTC (permalink / raw)
  To: linux-audit

On Friday 22 September 2006 13:38, Paul Moore wrote:
> In order to meet certain certification requirements, the NetLabel kernel
> subsystem needs to write a small number of audit messages. 

What are the requirements you are addressing? (I have a feeling that it's 
similar to what we have to do to file systems.)

> For the messages themselves, here is what I was thinking:
>
>  "netlabel: <protocol> op=<operation> pid=<pid> tty=<tty> comm=<name>
>             exe=<path> uid=<uid> auid=<auid> euid=<euid> suid=<suid>
>             fsuid=<fsuid> gid=<gid> egid=<euid> sgid=<suid>
>             fsgid=<fsuid> [<cipsov4 extras>|<management extras>]"

This looks very much like a syscall record...would it make sense to do this as 
an aux record?

-Steve


* Re: NetLabel audit messages
From: Paul Moore @ 2006-09-22 18:43 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Steve Grubb wrote:
> On Friday 22 September 2006 13:38, Paul Moore wrote:
>>In order to meet certain certification requirements, the NetLabel kernel
>>subsystem needs to write a small number of audit messages. 
> 
> What are the requirements you are addressing? (I have a feeling that its 
> similar to what we have to do to file systems.)

This is for LSPP certification, directly from our evaluator.  If it is
important that you know the exact requirement in CC terms I can dig that
up.  The basic motivation is that we need to generate an audit record
whenever there is a security relevant configuration change.

>>For the messages themselves, here is what I was thinking:
>>
>> "netlabel: <protocol> op=<operation> pid=<pid> tty=<tty> comm=<name>
>>            exe=<path> uid=<uid> auid=<auid> euid=<euid> suid=<suid>
>>            fsuid=<fsuid> gid=<gid> egid=<euid> sgid=<suid>
>>            fsgid=<fsuid> [<cipsov4 extras>|<management extras>]"
> 
> This looks very much like a syscall record...would it make sense to do this as 
> an aux record?

It looks like this is going to be discussed on irc.

-- 
paul moore
linux security @ hp

