Re: PD 0131: Create Object Audit Event and CAPP Compliance

I agree with Jim Arnold. The TCSEC deliberately talks about the "introduction of objects into a user's address space (e.g. file open, program initiation)" as the events that are required to be audited. I think the use of this terminology was deliberate. Look also into section 5.3.2 of the Orange Book, which states for accountability:
The third requirement is for dependable audit capabilities. That
is, a trusted computer system must provide authorized personnel
with the ability to audit any action that can potentially cause
access to, generation of, or effect the release of classified or
sensitive information.
Auditing here is clearly restricted to actions that may provide unauthorized access to information. Whenever the creation of an object also implies that it is introduced into the user's address space and made accessible, I agree that this event needs to be auditable at the C2 level. However, in systems where those are different events, I think the Orange Book at C2 only required the event of "introducing the object into the user's address space" to be audited, since this would allow information to be placed into the object and therefore needs to be controlled by the access control policy. There are systems where the two events are clearly separated and also subject to different policies. In some of those systems, object creation is not restricted at all (i.e. it is not an operation covered by the DAC policy as defined in the FDP_ACC.1 requirement in CAPP), but access to the object is, which may result in the situation where a newly created object is not accessible by the user that created it. In those systems - when looking at the C2 requirements - there is no potential access to, generation of, or release of sensitive information associated with the generation of the object, and the object is also not introduced into the creator's address space. My interpretation of the C2 requirements of the Orange Book is that in those systems the creation of objects does not need to be audited.




Arnold, James L. Jr. wrote:

>> RESOLUTION
>>
>> The CAPP was created as the CC version of the C2
>> requirements expressed in the Orange Book (as the LSPP
>> recasts B1), which requires object creation as an auditable event.
>
> I don't think the TCSEC actually identifies object creation as an
> auditable event.
>
>> The CAPP covers "all operations" of controlled objects where
>> there need to be access rights. Object Creation is an
>> operation that requires an access right (because not everyone
>> can create everywhere). Therefore, Creation is in the set of
>> "all operations" and should be audited.
>
> I don't think it is necessarily the case that object creation requires
> an access right or that object creation is limited to specific users. I
> can imagine many cases where objects can be freely created by subjects
> and access decisions are made only for subsequent attempts to open the
> existing object. While there are certainly examples where object
> creation is a controlled operation, I don't think it is necessarily
> always the case as suggested here.
>
>> RATIONALE
>>
>> In general, the creation of an object alters TSF data (values
>> or attributes) and allocates resources, each action requiring
>> an appropriate access right.
>> The CAPP, in attempting to audit "all operations", must then
>> include with these other audited operations the actual
>> instantiation of new objects.
>
> I'm not sure about the altering TSF data statement. I suppose TSF data
> somewhere would almost certainly be affected, but as indicated above, it
> seems there could be cases where no security restrictions are imposed
> for object creation.
>
> It is not necessarily clear what the whole point is. The CAPP indicates
> that users should be accountable for their actions. Presumably that is
> limited to security related actions, perhaps meaning actions that are
> otherwise restricted. Unfortunately I think audit is mistreated in
> general since auditing subject actions may be distinct from auditing
> user actions and, indeed, it may be hard to discern users' actions from
> even a long list of subject actions. I'm thinking that there may be
> certain non-persistent objects where their creation isn't particularly
> interesting from a security perspective and the simple creation thereof
> really is not indicative of any security relevant user behavior.

-- 
Helmut Kurth, atsec information security
www.atsec.com

