RE: PD 0131: Create Object Audit Event and CAPP Compliance

> RESOLUTION
> 
> The CAPP was created as the CC version of the C2 
> requirements expressed in the Orange Book (as the LSPP 
> recasts B1), which requires object creation as an auditable event.

I don't think the TCSEC actually identifies object creation as an
auditable event.

> The CAPP covers "all operations" of controlled objects where 
> there need to be access rights. Object Creation is an 
> operation that requires an access right (because not everyone 
> can create everywhere). Therefore, Creation is in the set of 
> "all operations" and should be audited.

I don't think it is necessarily the case that object creation requires
an access right or that object creation is limited to specific users. I
can imagine many cases where objects can be freely created by subjects
and access decisions are made only for subsequent attempts to open the
existing object. While there are certainly examples where object
creation is a controlled operation, I don't think it is necessarily
always the case as suggested here.

> RATIONALE
> 
> In general, the creation of an object alters TSF data (values 
> or attributes) and allocates resources, each action requiring 
> an appropriate access right.
> The CAPP, in attempting to audit "all operations" must then 
> include with these other audited operations, the actual 
> instantiation of new objects.

I'm not sure about the altering TSF data statement. I suppose TSF data
somewhere would almost certainly be affected, but as indicated above, it
seems there could be cases where no security restrictions are imposed
for object creation.

It is not necessarily clear what the whole point is. The CAPP indicates
that users should be accountable for their actions. Presumably that is
limited to security related actions, perhaps meaning actions that are
otherwise restricted. Unfortunately I think audit is mistreated in
general since auditing subject actions may be distinct from auditing
user actions and, indeed, it may be hard to discern users' actions from
even a long list of subject actions. I'm thinking that there may be
certain non-persistent objects where their creation isn't particularly
interesting from a security perspective and the simple creation thereof
really is not indicative of any security relevant user behavior.