Joy Latten wrote:
> I am auditing when an ipsec policy is added and removed from the
> Security Policy Database. Should I also add audit when an SA is
> added and removed? SAs can quickly fill up the log since there can be
> many of them and they also have a lifetime associated with them that
> can result in continuous renewal. I looked at how Paul implemented
> netlabel auditing, but was wondering whether there is any specific
> info I should audit for labeled ipsec?
Hmm, good question. I'm looking at 5.2.4.4 of the LSPP doc and I see
this paragraph at the end (in part "d"):

  "An LSPP-conformant TOE must only use protocols to export data with
  security attributes that provide unambiguous pairings of security
  attributes and the information being exported. Further, the ST author
  must make it clear that the mechanisms, or devices, used to export
  data with security attributes cannot be used to export data without
  security attributes unless this change in state can only be done
  manually and is audited. In addition, the security attributes must be
  exported to the same mechanism or device as the information. Also,
  any change in the security attributes settings of a device must be
  audited."

The sentence that concerns me the most is the following:

  "Also, any change in the security attributes settings of a device
  must be audited."

I guess it boils down to whether we consider an SA a "device" ...

-- 
paul moore
linux security @ hp

--
redhat-lspp mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/redhat-lspp
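Joy's worry above is that per-SA audit records (one on every add, one on every delete, repeated on every lifetime-driven rekey) swamp the SPD policy records the evaluator actually cares about. An added example, not code from the thread or from the kernel, of how a log consumer can separate the two: it parses a small constructed set of key=value audit lines, counts SPD events against SA churn, reports rekeys per (src,dst) pair, and flags two conditions a reviewer would want surfaced, an SA delete with no matching add and a failed (res=0) add that must not be treated as a live SA. The record types, `op=` values, field names and sample lines are assumptions made for this example and are not a claim about the exact format the kernel emits.

```python
"""Summarise constructed IPsec audit records: SPD policy changes vs SA churn.

Added example for the redhat-lspp thread; the record layout below is an
assumption for this script, not the kernel's actual audit format.
"""
import re
from collections import defaultdict

# Constructed sample records (not captured from a real system).
SAMPLE_AUDIT_LOG = """\
type=MAC_IPSEC_ADDSPD msg=audit(1160000000.001:10): op=SPD-add res=1 src=10.0.0.1 dst=10.0.0.2 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0
type=MAC_IPSEC_ADDSA msg=audit(1160000000.100:11): op=SAD-add res=1 src=10.0.0.1 dst=10.0.0.2 spi=4096(0x1000)
type=MAC_IPSEC_ADDSA msg=audit(1160000000.101:12): op=SAD-add res=1 src=10.0.0.2 dst=10.0.0.1 spi=4097(0x1001)
type=MAC_IPSEC_DELSA msg=audit(1160003600.200:13): op=SAD-delete res=1 src=10.0.0.1 dst=10.0.0.2 spi=4096(0x1000)
type=MAC_IPSEC_ADDSA msg=audit(1160003600.201:14): op=SAD-add res=1 src=10.0.0.1 dst=10.0.0.2 spi=4098(0x1002)
type=MAC_IPSEC_DELSA msg=audit(1160007200.300:15): op=SAD-delete res=1 src=10.0.0.1 dst=10.0.0.2 spi=4098(0x1002)
type=MAC_IPSEC_ADDSA msg=audit(1160007200.301:16): op=SAD-add res=1 src=10.0.0.1 dst=10.0.0.2 spi=4099(0x1003)
type=MAC_IPSEC_DELSA msg=audit(1160007200.302:17): op=SAD-delete res=1 src=10.0.0.1 dst=10.0.0.2 spi=9999(0x270f)
type=MAC_IPSEC_DELSPD msg=audit(1160010800.400:18): op=SPD-delete res=1 src=10.0.0.1 dst=10.0.0.2 sec_alg=1 sec_doi=1 sec_obj=system_u:object_r:ipsec_spd_t:s0
type=MAC_IPSEC_ADDSA msg=audit(1160010800.401:19): op=SAD-add res=0 src=10.0.0.1 dst=10.0.0.3 spi=5000(0x1388)
"""

_KV_RE = re.compile(r"(\w+)=(\S+)")
_TS_RE = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
_SPI_RE = re.compile(r"^(\d+)\(0x[0-9a-fA-F]+\)$")


def parse_record(line):
    """Split one key=value audit line into a dict; ts/serial/spi become numbers."""
    rec = dict(_KV_RE.findall(line))
    m = _TS_RE.search(line)
    if m is None:
        raise ValueError("no audit(ts:serial) stamp in %r" % line)
    rec["ts"] = float(m.group(1))
    rec["serial"] = int(m.group(2))
    if "spi" in rec:
        sm = _SPI_RE.match(rec["spi"])
        if sm is None:
            raise ValueError("unexpected spi field %r" % rec["spi"])
        rec["spi"] = int(sm.group(1))  # keep the decimal form as an int
    return rec


def summarize_ipsec_audit(log_text):
    """Separate SPD policy events from SA add/delete churn.

    Returns counts, rekeys per (src, dst) tunnel (successful adds beyond
    the first), deletes that never had a matching add, SPIs still live at
    the end of the log, and the time span covered by SA events.
    """
    spd_events = sa_adds = sa_deletes = failed = 0
    adds_per_tunnel = defaultdict(int)
    live = {}           # spi -> (src, dst) for SAs added and not yet deleted
    orphan_deletes = []
    sa_ts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec.get("res") != "1":
            failed += 1     # a failed operation changed nothing; don't track it
            continue
        op = rec.get("op", "")
        if op.startswith("SPD-"):
            spd_events += 1
        elif op == "SAD-add":
            sa_adds += 1
            sa_ts.append(rec["ts"])
            adds_per_tunnel[(rec["src"], rec["dst"])] += 1
            live[rec["spi"]] = (rec["src"], rec["dst"])
        elif op == "SAD-delete":
            sa_deletes += 1
            sa_ts.append(rec["ts"])
            if live.pop(rec["spi"], None) is None:
                orphan_deletes.append(rec["spi"])
        else:
            raise ValueError("unknown op %r" % op)
    return {
        "spd_events": spd_events,
        "sa_adds": sa_adds,
        "sa_deletes": sa_deletes,
        "failed": failed,
        "rekeys": {t: n - 1 for t, n in adds_per_tunnel.items()},
        "orphan_deletes": orphan_deletes,
        "live_sas": sorted(live),
        "sa_event_span_s": round(max(sa_ts) - min(sa_ts)) if sa_ts else 0,
    }


if __name__ == "__main__":
    for k, v in summarize_ipsec_audit(SAMPLE_AUDIT_LOG).items():
        print("%-16s %s" % (k, v))
```

On the constructed input, 7 of the 9 successful records are SA churn and only 2 are policy changes, which is the volume problem Joy describes; grouping by (src,dst) collapses the churn into "two rekeys on one tunnel" while still surfacing the delete of an SPI that was never added.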
