PD 0131: Create Object Audit Event and CAPP Compliance
- Subject: PD 0131: Create Object Audit Event and CAPP Compliance
- From: "Observation Decisions Review Board" <faigin@aero.org>
- Date: Thu, 22 Feb 2007 10:28:09 -0800
At its February 2007 meeting, the ODRB issued the following PD:
PD 0131
TITLE
Create Object Audit Event and CAPP Compliance
ISSUE
Does CAPP Compliance require that object creation be an auditable event? The
CAPP is based on the TCSEC C2 requirements, and the C2 requirements
specified object creation as an auditable event.
Note that the CAPP requires auditing of the following (excerpted from the
table in the CAPP):
* FDP_ACF.1. All requests to perform an operation on an object covered by the
SFP.
* FMT_MSA.1. All modifications of the values of security attributes.
* FMT_MTD.1. All modifications to the values of TSF data.
An argument against requiring this audit is that the CAPP does not list
"Create Object" as an auditable event, or as an example of an auditable
event. There is also no "object" until after the object is created and an
operation is performed on the object; thus there is no reason to audit object
creation as the operation is not being performed on an object (it does not yet
exist). It is also worth noting that the C2 requirements required the auditing
of the introduction of an object into a process's address space. It was also
noted that open, read, write, delete, close, etc. (in other words any other
operation) will be audited, so there is not a major security issue except when
covert channel related requirements are involved. There also appears to be
some past precedent where auditing the creation of an object was not required
for CAPP compliance.
The argument in favor of this audit relates to the words of the CAPP. An
object being created is something covered by the Discretionary Access Control
SFP, and creation is an operation on that object. Even if one takes the
position that the formal object does not yet exist, the act of creating the
object makes changes in security attributes and values of TSF data, in
particular the TSF data contained in the directory that contains the newly
created object (which itself is the subject of an open and close).
RESOLUTION
The CAPP was created as the CC version of the C2 requirements expressed in
the Orange Book (as the LSPP recasts B1), which requires object creation as
an auditable event.
The CAPP covers "all operations" of controlled objects where there need to be
access rights. Object Creation is an operation that requires an access right
(because not everyone can create everywhere). Therefore, Creation is in the
set of "all operations" and should be audited.
RATIONALE
In general, the creation of an object alters TSF data (values or attributes)
and allocates resources, each action requiring an appropriate access right.
The CAPP, in attempting to audit "all operations", must then include, with these
other audited operations, the actual instantiation of new objects.