From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <pmoore@redhat.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
Linux-Audit Mailing List <linux-audit@redhat.com>,
Netfilter Developer Mailing List
<netfilter-devel@vger.kernel.org>,
Thomas Graf <tgraf@infradead.org>
Subject: Re: AUDIT_NETFILTER_PKT message format
Date: Wed, 08 Feb 2017 11:30:04 -0500 [thread overview]
Message-ID: <5128842.c7Bb9yu5kt@x2> (raw)
In-Reply-To: <CAGH-KguuAriVuLEE+mb2HwQLcq6ePeDfVyZ=acoxmomnK5R09w@mail.gmail.com>
On Tuesday, February 7, 2017 10:56:39 PM EST Paul Moore wrote:
> On Tue, Feb 7, 2017 at 3:52 PM, Richard Guy Briggs <rgb@redhat.com> wrote:
> > So while I'm not advocating this is what should be done and I'm trying
> > to establish bounds to the scope of this feature, but would it be
> > reasonable to simply not log packets that were transiting this machine
> > without a local endpoint?
>
> I'm still waiting on more detailed requirements information from
> Steve, but based on what we've heard so far, it seems that ignoring
> forwarded traffic is a reasonable thing to do.
OK, I have done teh analysis to see where things stand on this. A long time
ago, there was no security requirements around virtualization except OSPP v2.0
from BSI which had a virtualization extended module. In it, it had the
following requirements:
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled
subject and controlled information via a controlled operation if the following
rules hold: [assignment: for each operation, the security attribute-based
relationship that must hold between subject and information security
attributes, which must allow to define the security attribute-based
relationship between two subjects such that information flow
between the compartments is not permitted].
FDP_IFF.1.3 The TSF shall enforce the [assignment: additional information flow
control SFP rules].
FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the
following rules: [assignment: rules, based on security attributes, that
explicitly authorise information flows].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the
following rules: [assignment: rules, based on security attributes, that
explicitly deny information flows].
So, whenever there was an allow or deny, then that needed to be auditable. The
audit target was added and it can be configured to closely mirrored the rules.
When auditing sufficient information needs to be recorded to make sense of why
the flow was allowed or denied. Ultimately you really want this connected to a
process and user if applicable.
However, in reviewing server virtualization protection profile v1.1 and
operating system protection profile v4.1, there is no FDP_IFF.1 requirement
which means that there are no more requirements to audit network packets. I
did not review the network device protection profile which may or may not levy
requirements for network auditing.
At this point, I would say there is no purpose for xt_AUDIT.c based on Common
Criteria. It looks like its built in response to the
CONFIG_NETFILTER_XT_TARGET_AUDIT config option. So, it can be cleanly
deprecated.
-Steve
next prev parent reply other threads:[~2017-02-08 16:30 UTC|newest]
Thread overview: 43+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-17 5:25 AUDIT_NETFILTER_PKT message format Richard Guy Briggs
2017-01-17 13:55 ` Steve Grubb
2017-01-17 16:12 ` Richard Guy Briggs
2017-01-17 16:29 ` Richard Guy Briggs
2017-01-17 18:35 ` Steve Grubb
2017-01-17 20:17 ` Paul Moore
2017-01-18 2:34 ` Richard Guy Briggs
2017-01-18 5:39 ` Richard Guy Briggs
2017-01-18 12:32 ` Paul Moore
2017-01-18 14:52 ` Steve Grubb
2017-01-18 15:15 ` Richard Guy Briggs
2017-01-18 23:35 ` Paul Moore
2017-01-20 14:49 ` Steve Grubb
2017-01-20 20:37 ` Paul Moore
2017-01-21 11:27 ` Patrick PIGNOL
2017-01-21 17:37 ` Paul Moore
2017-01-21 19:12 ` Patrick PIGNOL
2017-01-23 4:49 ` Richard Guy Briggs
2017-02-07 20:52 ` Richard Guy Briggs
2017-02-08 3:56 ` Paul Moore
2017-02-08 16:30 ` Steve Grubb [this message]
2017-02-08 23:09 ` Paul Moore
2017-02-09 10:56 ` Pablo Neira Ayuso
2017-02-09 16:31 ` Paul Moore
2017-02-09 23:49 ` Richard Guy Briggs
2017-02-10 0:09 ` Steve Grubb
2017-02-10 1:12 ` Richard Guy Briggs
2017-02-10 22:39 ` Steve Grubb
2017-02-10 22:54 ` Richard Guy Briggs
2017-02-13 17:57 ` Steve Grubb
2017-02-13 20:50 ` Richard Guy Briggs
2017-02-13 23:50 ` Paul Moore
2017-02-14 0:24 ` Richard Guy Briggs
2017-02-14 21:06 ` Paul Moore
2017-02-16 22:41 ` Richard Guy Briggs
2017-02-16 0:32 ` Paul Moore
2017-02-16 22:36 ` Richard Guy Briggs
2017-02-17 1:57 ` Paul Moore
2017-02-17 2:24 ` Richard Guy Briggs
2017-02-17 23:04 ` Paul Moore
2017-02-26 19:09 ` Richard Guy Briggs
2017-02-14 21:31 ` Steve Grubb
2017-02-16 21:24 ` Richard Guy Briggs
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5128842.c7Bb9yu5kt@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pmoore@redhat.com \
--cc=rgb@redhat.com \
--cc=tgraf@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.