FLAM® Issue Tracker

ID: 0000880
Project: FL5
Category: 2.2 Subprogram FLUC (CONV)
View Status: public
Date Submitted: 2017-06-12 08:27
Last Update: 2019-06-17 16:00
Reporter: Falk Reichbott
Assigned To: Falk Reichbott
Priority: normal
Severity: feature
Reproducibility: N/A
Status: resolved
Resolution: fixed
Platform: General
OS: General
OS Version: General
Product Version: 5.1.15
Target Version: 5.1.21
Fixed in Version: 5.1.21
Summary: 0000880: Support encryption and key management policies
Description: To get better control over preferred and allowed algorithms, mechanisms and so on for cryptographic protection, a set of policies would be fine.

E.g. in a PGP certificate preferred algorithms, key length and so on are defined, but from an enterprise point of view you must be sure that no weak stuff can be used at all. In such a case a policy must forbid some of these, so that you can be sure that only secure algorithms, mechanisms and key lengths are in use.
Tags: No tags attached.
Attached Files:

- Relationships
related to 0000879 (resolved, Falk Reichbott): Support SAF request in SW implementations for key access and other resources

- Notes
(0001107) Falk Reichbott (administrator), 2017-06-12 09:31

Include enforcement of KeyID entry at import
(0001267) Falk Reichbott (administrator), 2019-06-17 16:00

A first set of additional SAF checks is implemented

SAF configuration
~~~~~~~~~~~~~~~~~

Since version 5.1.21 FLAM supports additional SAF checks for the classes
and entities below. Each FLAM class starts with '$FL'. To be backward
compatible with previous releases, an undefined resource (return code 4)
is accepted by default. This also means that the prefix cannot be
changed. Only a return code greater than or equal to 8 will result in an
authorization or license error. With the first class the 6-byte feature
code can be controlled.

CLASS: '$FLFEATR' - Feature de/activation
    Entities: Are equal to FLAM feature names (shown in your license)
        Attribute: 'READ' deactivates the feature
        Attribute: 'ALTER' activates the feature

This support will fail with a license error. The class is global and is
only available if a new license module is requested. All checks below are
part of the FL5 components, can be controlled through a global master class,
and will result in an authorization error.

CLASS: '$FLGLOBL' - Global master class to activate several SAF checks
    Entity: 'MUSTDEF' - Don't accept return code 4; everything must be defined
        Attribute: 'READ' activates strong SAF checking (return code must be 0, otherwise fail)
        Attribute: 'ALTER' only simple SAF checking is active (return code must be >= 8 to fail)
    Entity: 'POLICIES' - General policies ($FLPOLCY)
    Entity: 'CLP.CONTROL' - Parameter string ($FLCLPAR)
    Entity: 'AVE.CONTROL' - Anti virus exit ($FLAV*)
    Entity: 'CPE.CONTROL' - Column processing exit ($FLCP*)
    Entity: 'KME.CONTROL' - Key management exit ($FLKM*)
    Entity: 'SSH.CONNECT' - SSH connections ($FLSSH*)
    Entity: 'PGP.KEYMNGM' - PGP key management ($FLPGP*)
    Entity: 'SMF.LOGGING' - Enforce SMF-Logging
    Entity: 'PGP.USERID' - Access to user ids ($FLPGUID)
    Entity: 'PGP.KEYID' - Access to key ids ($FLPGKID)
        Attribute: 'READ' activates the SAF checking
        Attribute: 'ALTER' allows doing this without SAF

The classes below are controlled by the global master class above:

CLASS: '$FLPOLCY' - Several policies
    Entity: 'SSH.PCAP.NOT.ALLOWED' - Packet capturing is not allowed
    Entity: 'SSH.WAEK.HOST.KEY.CHECK.NOT.ALLOWED' - WARN and ACCEPT is not allowed
    Entity: 'SSH.CUSTOM.HOST.KEY.NOT.ALLOWED' - A custom host key is not allowed
    Entity: 'SSH.CUSTOM.KNOWN.HOST.FILE.NOT.ALLOWED' - A custom known host key file is not allowed
    Entity: 'KEY.GENERATE.PGP.EXPIRD.REQIRED' - Expiration date required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN1024' - Minimum 1024 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN2048' - Minimum 2048 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN3072' - Minimum 3072 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN4096' - Minimum 4096 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.NOT.ALLOWED' - DSA algorithm is not allowed
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN1024' - Minimum 1024 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN2048' - Minimum 2048 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN3072' - Minimum 3072 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN4096' - Minimum 4096 bit required
    Entity: 'KEY.IMPORT.PGP.KIDVER.REQ04' - A minimum of 4 byte fingerprint for import
    Entity: 'KEY.IMPORT.PGP.KIDVER.REQ08' - A minimum of 8 byte fingerprint for import
    Entity: 'PGP.READ.PWD' - Read with passwords is not allowed (enforce PKA)
    Entity: 'PGP.WRITE.PWD' - Write with passwords is not allowed (enforce PKA)
    Entity: 'PGP.REENC.PWD' - Re-encryption with passwords is not allowed (enforce PKA)
    Entity: 'PGP.READ.ENFORCE.ENCRYPTION' - Enforce encryption at read of PGP files
    Entity: 'PGP.READ.ENFORCE.INTEGRITY' - Enforce integrity protection at read of PGP files
    Entity: 'PGP.READ.ENFORCE.SIGNING' - Enforce signing at read of PGP files
    Entity: 'PGP.WRITE.ENFORCE.ENCRYPTION' - Enforce encryption at write of PGP files
    Entity: 'PGP.WRITE.ENFORCE.INTEGRITY' - Enforce integrity protection at write of PGP files
    Entity: 'PGP.WRITE.ENFORCE.SIGNING' - Enforce signing at write of PGP files
        Attribute: 'READ' enforces the policy
        Attribute: 'ALTER' allows doing this

CLASS: '$FLCLPAR' - Command line parser
    Entities: Path to this parameter
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be used

CLASS: '$FLSSHUS' - SSH user
    Entities: SSH user id
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLSSHHO' - SSH host
    Entities: IP address or DNS name of the SSH daemon
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLSSHPO' - SSH port
    Entities: Port of SSH daemon (decimal number)
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVLIB' - FAVE library
    Entities: Library name
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVFUC' - FAVE Function
    Entities: Function name used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVPAR' - FAVE Parameter
    Entities: Parameter string used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVIPH' - FAVE IP host
    Entities: IP address of AV daemon
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVIPS' - FAVE IP service/port
    Entities: IP service of AV daemon
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLCPLIB' - FCPE library
    Entities: Library name
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLCPFUC' - FCPE Function
    Entities: Function name used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLCPPAR' - FCPE Parameter
    Entities: Parameter string used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLKMLIB' - FKME library
    Entities: Library name
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLKMFUC' - FKME Function
    Entities: Function name used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLKMPAR' - FKME Parameter
    Entities: Parameter string used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLPGPGN' - PGP generate
    Entities: User ID to be generated
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGPEX' - PGP export
    Entities: User ID to be exported
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGPIM' - PGP import
    Entities: User ID to be imported
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGPDL' - PGP delete
    Entities: User ID to be deleted
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGUID' - Operational PGP user
    Entities: User ID mainly at write
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGKID' - Operational PGP key ID
    Entities: Key ID at read and write
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done
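
As an added example (not FLAM code) of how the rules in this note combine, the model below simulates SAF return codes over a constructed profile table and applies the MUSTDEF mode and the KEY.GENERATE.PGP.* policies to a key-generation request. The profile table, the user names, and the reading that a policy is enforced exactly when the ALTER check on its $FLPOLCY entity is not accepted are assumptions.

```python
# Added example, not FLAM code: a model of the SAF return-code rules and the
# KEY.GENERATE.PGP.* policies of the 5.1.21 note. The profile table, the user
# names and the reading "policy enforced = ALTER check on the entity not
# accepted" are constructed assumptions.
ACCESS = {"NONE": 0, "READ": 1, "ALTER": 2}      # RACF-style: ALTER implies READ

# Constructed profiles: (class, entity) -> {user: highest granted access}
PROFILES = {
    ("$FLGLOBL", "MUSTDEF"):  {"batch1": "ALTER", "strict": "READ"},
    ("$FLGLOBL", "POLICIES"): {"batch1": "READ", "admin": "ALTER"},
    ("$FLPOLCY", "KEY.GENERATE.PGP.ALGO.RSA.LEN2048"): {"batch1": "READ"},
    ("$FLPOLCY", "KEY.GENERATE.PGP.ALGO.DSA.NOT.ALLOWED"): {"batch1": "READ"},
    ("$FLPOLCY", "KEY.GENERATE.PGP.EXPIRD.REQIRED"): {"batch1": "READ"},
}

def saf_check(user, cls, entity, attr):
    """Simulated SAF call: 0 = permitted, 4 = resource undefined, 8 = denied."""
    prof = PROFILES.get((cls, entity))
    if prof is None:
        return 4
    return 0 if ACCESS[prof.get(user, "NONE")] >= ACCESS[attr] else 8

def strong_checking(user):
    """$FLGLOBL MUSTDEF: ALTER permitted or undefined -> simple, else strong."""
    return saf_check(user, "$FLGLOBL", "MUSTDEF", "ALTER") == 8

def accepted(rc, strong):
    """Rule from the note: rc 4 passes unless strong checking; rc >= 8 always fails."""
    return rc == 0 if strong else rc < 8

def policy_enforced(user, entity):
    """Enforced when the user may not ALTER the $FLPOLCY entity (READ only,
    denied, or undefined while strong checking is on)."""
    strong = strong_checking(user)
    if accepted(saf_check(user, "$FLGLOBL", "POLICIES", "ALTER"), strong):
        return False                         # policies bypassed "without SAF"
    return not accepted(saf_check(user, "$FLPOLCY", entity, "ALTER"), strong)

def key_generation_allowed(user, algo, bits, has_expiry):
    """Apply the KEY.GENERATE.PGP.* policies to one request; returns (ok, reason)."""
    if not has_expiry and policy_enforced(user, "KEY.GENERATE.PGP.EXPIRD.REQIRED"):
        return False, "expiration date required"
    if algo == "DSA" and policy_enforced(user, "KEY.GENERATE.PGP.ALGO.DSA.NOT.ALLOWED"):
        return False, "DSA algorithm is not allowed"
    minimum = 0                              # the highest enforced LENnnnn wins
    for n in (1024, 2048, 3072, 4096):
        if policy_enforced(user, f"KEY.GENERATE.PGP.ALGO.{algo}.LEN{n}"):
            minimum = n
    if bits < minimum:
        return False, f"minimum {minimum} bit required"
    return True, "ok"
```

With strong checking on, every undefined LENnnnn policy counts as enforced, so the user "strict" is held to 4096 bits although only LEN2048 is defined; that is the "anything must be defined" effect of MUSTDEF.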

- Issue History
Date Modified Username Field Change
2017-06-12 08:27 Falk Reichbott New Issue
2017-06-12 08:27 Falk Reichbott Status new => assigned
2017-06-12 08:27 Falk Reichbott Assigned To => Mykhailo Moldavskyy
2017-06-12 08:27 Falk Reichbott Relationship added related to 0000879
2017-06-12 09:31 Falk Reichbott Note Added: 0001107
2018-03-05 07:55 Falk Reichbott Target Version 5.1.17 => 5.1.19
2018-09-03 09:53 Falk Reichbott Target Version 5.1.19 => 5.1.20
2018-11-02 12:50 Falk Reichbott Assigned To Mykhailo Moldavskyy => Falk Reichbott
2019-02-28 17:33 Falk Reichbott Target Version 5.1.20 => 5.1.21
2019-06-17 16:00 Falk Reichbott Note Added: 0001267
2019-06-17 16:00 Falk Reichbott Status assigned => resolved
2019-06-17 16:00 Falk Reichbott Fixed in Version => 5.1.21
2019-06-17 16:00 Falk Reichbott Resolution open => fixed
2019-06-17 16:01 Falk Reichbott Note View State: 0001267: public