[Security_sig] CGL....

Mary Edie Meredith maryedie at osdl.org
Thu Oct 13 15:37:13 PDT 2005

OK, I've taken a look at the CGL security document at
Per our discussion today, as possible DCL capabilities, I've listed the
CGL list below.

However, there is nothing yet in the CGL doc that states 
what maturity we currently face with these, so I assume
many do not represent gaps (e.g. SEC1.1 looks like 
LSM to me).  If you want a more detailed description, 
please see the above URL, Section "5 Security
Requirements" beginning on page 6.

Please flag anything here that represents a concern and a 
gap for DCL based on the DCL concerns I outlined in 
September in this note:

SEC.1  Access Control (those beyond mechanisms commonly supported
on POSIX/SUSv2/SUSv3 compliant systems.

SEC.1.1 Dynamic Kernel Security Module Mechanism.

SEC 1.2 Process Containment using File System Restrictions

SEC 1.3 Process containment Using MAC-based mechanism

SEC 1.3.1  MAC-based Policy Administration Tools

SEC 1.4 Buffer Overflow Protection

SEC 1.5 Access Control List Support for File Systems

SEC 2  Authentication

SEC 2.1 Generic Authentication Modules

SEC 2.2 Password Integrity Checking

SEC 3  Auditing

SEC 3.1  Log integrity and Origin Authentication

SEC 3.2. Secure Transport of Log Information

SEC 3.3  Periodic Automated Log Analysis

SEC 3.4  Real-Time Automated Log Analysis

SEC 4  Network Confidentiality and Integrity

SEC 4.1 IPsec for IPv4 and IPv6

SEC 4.2 Support for IKE for IPv4 and IPv6

SEC 4.3 PF_Key Support

SEC 5.0 File Integrity checking

SEC 6  PKI and SSL/TLS Support

SEC 6.1 PKI Support for Applications

SEC 6.2 SSL/TLS Support for Applications

SEC 6.3 PKI Certificate Authority(CA)

SEC 7  Resource Management

SEC 7.1  Memory Limits

SEC 7.2  File System Quotas

SEC 7.3  Process Quotas

SEC 7.4  Execution Quotas

SEC 8  Trusted Platform Module (TPM) support.

Mary Edie Meredith
Initiative Manager
Open Source Development Labs
maryedie at osdl.org

More information about the security_sig mailing list