From: Paul Moore <paul.moore@hp.com>
To: Joy Latten <latten@austin.ibm.com>
Cc: redhat-lspp@redhat.com, linux-audit@redhat.com
Subject: Re: [redhat-lspp] labeled ipsec auditing
Date: Thu, 05 Oct 2006 18:15:44 -0400 [thread overview]
Message-ID: <45258410.60302@hp.com> (raw)
In-Reply-To: <200610052123.k95LN0S9017784@faith.austin.ibm.com>
Joy Latten wrote:
> I am auditing when an ipsec policy is added and removed from the
> Security Policy Database. Should I also add audit when an SA is
> added and removed? SAs can quickly fill up log since there can be many of them
> and they also have a lifetime associated with them that can result in
> continuous renewal. I looked at how Paul implemented netlabel auditing,
> but was wondering is there any specific info I should audit for
> labeled ipsec?
Hmm, good question. I'm looking at 5.2.4.4 of the LSPP doc and I see this
paragraph at the end (in part "d"):
"An LSPP-conformant TOE must only use protocols to export data with security
attributes that provide unambiguous pairings of security attributes and the
information being exported. Further, the ST author must make it clear that the
mechanisms, or devices, used to export data with security attributes cannot be
used to export data without security attributes unless this change in state can
only be done manually and is audited. In addition, the security attributes must
be exported to the same mechanism or device as the information. Also, any change
in the security attributes settings of a device must be audited."
The sentence that concerns me the most is the following: "Also, any change in
the security attributes settings of a device must be audited". I guess it boils
down if we consider a SA a "device" ...
--
paul moore
linux security @ hp
next prev parent reply other threads:[~2006-10-05 22:15 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-05 21:23 labeled ipsec auditing Joy Latten
2006-10-05 22:04 ` Steve Grubb
2006-10-05 22:15 ` Paul Moore [this message]
2006-10-09 19:09 ` [redhat-lspp] " Klaus Weidner
2006-10-09 19:15 ` Paul Moore
2006-10-09 19:30 ` Klaus Weidner
2006-10-10 23:25 ` Joy Latten
2006-10-11 0:00 ` Klaus Weidner
2006-10-11 13:38 ` Serge E. Hallyn
2006-10-11 18:07 ` [redhat-lspp] " Joy Latten
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45258410.60302@hp.com \
--to=paul.moore@hp.com \
--cc=latten@austin.ibm.com \
--cc=linux-audit@redhat.com \
--cc=redhat-lspp@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox