2. TOE description

2.1 Product description

The filltable utility is a python script that allows relatively untrusted (junior) GNU/Linux system administrators to modify specific parts of the linux netfilter configuration with the help of a trusted (senior) system administrator, thus allowing separation of roles regarding the management of the netfilter configuration (which is a trusted security function of the underlying operating system). The TOE is designed to run on GNU/Linux and is written in python. The TOE itself is distribution independent, though its delivery method and packaging utilise the standards, tools and wisdom of the Debian GNU/Linux distribution.

The filltable script is a Trusted Procedure in the sense of the Clark-Wilson access control model. Its input domain is the domain where the junior system administrator edits the filltable configuration file, i.e. the part of the netfilter configuration designated to her; its output domain is the syntax space of the iptables dump as made by iptables-save. Its execution domain is a domain controlled by the senior system administrator. This Security Target does not say anything about the nature or separation of these domains: they can be standard chrooted environments, domains and types in the sense of SELinux or the RSBAC RC implementation, domains controlled by different uids, or any mix thereof. The only assumption is that the execution domain of the TOE is able to read the object domain of its input file and to use its standard output to emit the iptables dump.

2.2 Security Services

The TOE provides the following security services:
Separation of management roles

The TOE has the notion of a junior system administrator, who is responsible for a subset of the netfilter configuration and describes it by means of the TOE's input file, and a senior system administrator, who is responsible for the system overall. The junior system administrator is the user of the TOE in the sense of the AGD_USR part 3 requirement, and the senior system administrator is the system administrator in the sense of the AGD_ADM part 3 requirement. The TOE is actually run by the senior system administrator, either directly or as a mechanism of the operating system itself.

Integrity

The TOE acts as a Trusted Procedure in the Clark-Wilson sense: it verifies that the input conforms to the syntax of its input domain, and outputs data which conforms to the syntax rules of the output domain. In this way the script defends the integrity of its output domain (and of itself and its execution domain). The syntax of the input is defined in the user's guide, and the syntax of the output is defined by the iptables-save utility.

Audit trail generation

The TOE uses the standard syslog mechanism, through the syslog python library, to generate audit trails. The audit trail generation conforms to the requirements of the FAU_GEN CC part 2 requirement class. The TOE makes audit trails of its start and stop (which correspond to the start and stop of its audit subsystem), of all violations of the input syntax, and detailed audit trails of all information crossing domain boundaries.

Management of trusted security functions of the underlying operating system

The TOE outputs an iptables dump, which is expected to be given as input to the iptables-restore utility, which in turn manages the netfilter configuration. Netfilter is regarded as a trusted security function of the GNU/Linux operating system. The TOE actually gives the junior system administrator an interface to do that.
2.3 Operational Environment

The TOE is designed to run on an LSPP conformant GNU/Linux operating system, in a python interpreter. It assumes that the operating system "works as expected": it can read its input file and emit an iptables dump on its standard output. It also assumes that the python interpreter and the syslog, sys, os, traceback and re python libraries work as expected. The output of the TOE is expected to be given to the iptables-restore utility, which modifies the iptables configuration of the underlying (or another) operating system. The TOE assumes that the underlying operating system and the system administration practices are adequate to achieve the needed level of separation of domains, and the integrity of the TOE itself and of the mechanisms it depends on. The TOE does not assume anything about the nature of the domain separation method used on the system beyond the assumptions stated above. The TOE does assume that the senior system administrator calls it with the correct parameters: that they specifically do not contain "unsafe" characters, that they correspond to the tables and chains actually assigned to the control of the junior system administrator who controls the files which will be interpreted, and that those chains can only see packets which are assigned to the control of the same junior system administrator.
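The Trusted Procedure pattern of sections 2.1 and 2.2 (validate the input domain's syntax, emit only iptables-save syntax, audit start, stop, every syntax violation and every datum crossing the boundary) together with the 2.3 assumption that the senior administrator's table and chain parameters carry no "unsafe" characters, shown as an added example written here; it is not filltable's own code, and the one-rule-per-line input syntax, the name regex and the audit message texts are assumptions for illustration, since the real input syntax lives in the user's guide:

```python
import ipaddress
import re
try:
    import syslog                  # the TOE's audit channel; absent on non-Unix
except ImportError:
    syslog = None
# Assumed illustrative input syntax, one rule per line, '#' starts a comment:
#   <tcp|udp> <source-cidr> <dport> <ACCEPT|DROP>
RULE_RE = re.compile(r"^(tcp|udp)\s+(\S+)\s+(\d{1,5})\s+(ACCEPT|DROP)$")
SAFE_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,27}$")  # senior admin's parameters: no metacharacters

class SyntaxViolation(ValueError):
    """Input does not conform to the input-domain syntax."""

def audit(trail, msg):
    """Record an audit event in memory and forward it to syslog when available."""
    trail.append(msg)
    if syslog is not None:
        syslog.syslog(syslog.LOG_AUTH | syslog.LOG_NOTICE, msg)

def filltable(lines, table, chain):
    """Validate the junior admin's rules; return (iptables-save dump, audit trail)."""
    trail = []
    audit(trail, "filltable start table=%s chain=%s" % (table, chain))
    if not (SAFE_NAME_RE.match(table) and SAFE_NAME_RE.match(chain)):
        audit(trail, "filltable stop: unsafe table or chain parameter")
        raise SyntaxViolation("unsafe table or chain name")
    out = ["*%s" % table, ":%s - [0:0]" % chain]
    for n, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()
        if not line: continue
        m = RULE_RE.match(line)
        try:                       # no match, bad CIDR or bad port all land here
            src = ipaddress.ip_network(m.group(2), strict=False)
            port = int(m.group(3))
            if not 1 <= port <= 65535:
                raise ValueError(port)
        except (AttributeError, ValueError):
            audit(trail, "filltable stop: syntax violation at line %d: %r" % (n, raw))
            raise SyntaxViolation("line %d: %r" % (n, raw))
        rule = "-A %s -s %s -p %s -m %s --dport %d -j %s" % (
            chain, src, m.group(1), m.group(1), port, m.group(4))
        out.append(rule)
        audit(trail, "filltable line %d -> %s" % (n, rule))  # boundary crossing
    out.append("COMMIT")
    audit(trail, "filltable stop: %d rules emitted" % (len(out) - 3))
    return "\n".join(out) + "\n", trail
# Constructed sample standing in for the junior administrator's input file.
SAMPLE_INPUT = ["# web team", "tcp 10.1.0.0/16 443 ACCEPT", "udp 10.1.2.3 514 DROP"]
```

The returned dump is what would be piped to iptables-restore; a rejected line stops the run before anything reaches the output domain, and the stop event is still audited.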