On 7/6/12 2:58 PM, Willy Santos wrote:
CCI-001428 requires the display of security attributes in human readable form
on objects output to outpud devices. This mapping is a request for
input/discussion.
Signed-off-by: Willy Santos <[email protected]>
---
rhel6/src/input/auxiliary/srg_support.xml | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/auxiliary/srg_support.xml
b/rhel6/src/input/auxiliary/srg_support.xml
index 4087652..cb28b19 100644
--- a/rhel6/src/input/auxiliary/srg_support.xml
+++ b/rhel6/src/input/auxiliary/srg_support.xml
@@ -38,7 +38,7 @@ The requirement is impractical or out of scope.
<description>
It is unclear how to satisfy this requirement.
</description>
-<ref disa="20,31,218,219,224,1097,1158,1291,1294,1295,1395," />
+<ref disa="20,31,218,219,224,1097,1158,1291,1294,1295,1395,1428" />
</Group> <!-- end requirement_unclear -->
<Group id="new_rule_needed">
SRG-OS-000247 CCI-001428 The operating system must display security
attributes in human-readable form on each object output from the system
to system output devices to identify an organization-identified set of
special dissemination, handling, or distribution instructions using
organization-identified human readable, standard naming conventions.
Security attributes are abstractions representing the basic properties
or characteristics of an entity (e.g., subjects, objects) with respect
to safeguarding information. These attributes are typically associated
with internal data structures (e.g., records, buffers, files, registry
keys) within the information system and are used to enable the
implementation of access control and flow control policies, reflect
special dissemination, handling or distribution instructions, or support
other aspects of the information security policy. The term security
label is often used to associate a set of security attributes with a
specific information object as part of the data structure for that
object (e.g., user access privileges, nationality, affiliation as
contractor). A security label is defined as the means used to associate
a set of security attributes with a specific information object as part
of the data structure for the object. Security attributes need to be
displayed in human readable form in order to determine how the data
should be disseminated, handled, and what distribution instructions
apply to the data. When applications generate or output data, the
associated security attributes need to be displayed.
I'm stuck on this. One one hand I want to say the MAC and DAC attributes
are always accessible to the user (ala "ls -Z" etc) and therefore
met_inherently. The SELinux label, specifically the sensitivity and
categories, could indicate the dissemination, handling, distribution and
such other restrictions. Ultimately everything in Linux is a file, so we
can say this extends to everything on the system assuming proper labeling.
... but then I get stuck on how we don't present this information
whenever its "output to system output devices." If I vim a file then the
OS is supposed to throw a banner about handling restrictions?
impractical_product.
Need someone to be the tiebreaker on this one.
_______________________________________________
scap-security-guide mailing list
[email protected]
https://fedorahosted.org/mailman/listinfo/scap-security-guide
