Hi!

My problem with the draft:

The labels are not "DAC" labels and "MAC" labels, but sensitivity and
integrity labels. Sensitivity labels could be mapped to priorities. Not
nice because the priority of a message is orthogonal to its security level,
so I am against it. Their only common attribute is that they can be described
as elements of an ordered set.
Integrity labels cannot be mapped to facility tags, because an integrity label 
is itself a set.

And I forgot again if the contents of the log messages are within
the scope of the draft? 

Bazsi wrote:
> 
> Though I'd like syslog-ng to support TLS, it's not yet implemented.
> Otherwise the draft looks ok to me at first sight. As I see you are using
> TCSEC requirements for event logging. Wouldn't it be better to use the terms
> defined and used in Common Criteria? CC is an international standard for
> evaluating computer security products, somewhat derived from TCSEC and
> ITSEC.


I have compiled a list of functional requirements which might have to be
addressed in the RFC. My great problem is that CC is "more lousy" in terms
of requirements; there is no requirement really defined in CC but in a 
protection profile. 

I guess we need to address the problem of information labeling. It can be
done from two standpoints: the more conservative one is to directly reference
the LSPP as the basis of functional requirements (this more or less
corresponds to TCSEC class B), or we can insert some purple smoke like
this: "There is a need to transfer the security attributes of the objects
and subjects referenced in the log, as well as to define the security
attributes of the log entry itself. The attributes in most access control 
models have a part which can be described as an element of an ordered set,
and a part which can be described with a subset of a set. So we have to transfer
it with the log messages as their label." 

Which leads to the same decision: we need some mechanism to transfer labels
which may look like this:
<S,I> where S is an element of an ordered set (integer), and I is a set. 
If I is also an integer, and we interpret it as a bitmap, we might be as
compatible as possible if one wants them in the priority/facility thingie.
But I am still against it.


-- 
GNU GPL: only from a clean source
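
The <S,I> label from the message above, with I kept as a bitmap, as an added example that is not part of the original message or of the draft. The category names, the comparison rule, the join and the textual encoding are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed category names; the message does not define any.
CATEGORIES = ("audit", "crypto", "payroll", "kernel")
BIT = {name: 1 << i for i, name in enumerate(CATEGORIES)}


@dataclass(frozen=True)
class Label:
    s: int  # S: element of an ordered set, as an integer
    i: int  # I: a set, stored as a bitmap over CATEGORIES

    @classmethod
    def make(cls, s, names=()):
        bitmap = 0
        for name in names:
            bitmap |= BIT[name]  # KeyError on an unknown category
        return cls(s, bitmap)

    def categories(self):
        return {n for n, b in BIT.items() if self.i & b}

    def dominates(self, other):
        # Assumed comparison rule: higher-or-equal S and superset I.
        return self.s >= other.s and (self.i & other.i) == other.i

    def join(self, other):
        # Assumed least upper bound, e.g. for an entry covering both labels.
        return Label(max(self.s, other.s), self.i | other.i)

    def encode(self):
        # Hypothetical wire form, not taken from the draft.
        return f"<{self.s},{self.i:#x}>"

    @classmethod
    def decode(cls, text):
        if not (text.startswith("<") and text.endswith(">")):
            raise ValueError("label must look like <S,I>")
        s_text, sep, i_text = text[1:-1].partition(",")
        if not sep:
            raise ValueError("label needs both S and I")
        s, i = int(s_text, 10), int(i_text, 16)
        if s < 0 or i < 0 or i >> len(CATEGORIES):
            raise ValueError("S or I out of range")
        return cls(s, i)
```

Two labels can be incomparable under this rule (neither dominates the other), which a single ordered priority value cannot express.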
