[Bug 624] Simple enhancement for Common Criteria conformity

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Aug 12 18:37:40 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=624





------- Additional Comments From mag at lme.linux.hu  2003-08-12 18:37 -------
Logging read(2) and write(2) is the responsibility of the kernel.
The kernel enhancements concerned with security (RSBAC, TrustedBSD et al)
do that.

I define Target of Evaluation (TOE) something like "the hardware,
firmware, and software of a host, including some well-defined
I/O devices: hard disk, chipcard reader, CD reader. The boundaries
of TOE consist of its externel I/O interfaces such as network
interface, printer port, chipcard reader, keyboard, display, mouse,
USB interface to devices not defined as the part of the TOE,
CD reader, etc.

The proposed feature would log the exports/imports on the boundaries
of the system, in our case export/imports on the network interface.
Low (packet) level logging is also the responsibility of the kernel
(packet filter code does that),
so what remains is the import and export of files, with the file
name, security attributes of the file (unix permissions) identity of the
user, claimed identity of the user of the remote system if exists,
and time (syslog takes care of the latter).

An extra feature would be defining a generic interface returning the
text representation of the security attributes of a file, and using that
(if exists) to log the security attributes. (I mention it only for the sake
of the record, first there should be some agreement on such an interface
between the various security module developers.)

int get_file_security_attributes_as_text(const char *fname, char *buffer, int
buflen);




------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.




More information about the openssh-bugs mailing list