FLAM Issue Tracker - FL5
View Issue Details

ID:               0000880
Project:          FL5
Category:         2.2 Subprogram FLUC (CONV)
View Status:      public
Date Submitted:   2017-06-12 08:27
Last Update:      2019-06-17 16:00
Reporter:         Falk Reichbott
Assigned To:      Falk Reichbott
Priority:         normal
Severity:         feature
Reproducibility:  N/A
Status:           resolved
Resolution:       fixed
Platform:         General
OS:               General
OS Version:       General
Product Version:  5.1.15
Target Version:   5.1.21
Fixed in Version: 5.1.21
Summary:          0000880: Support encryption and key management policies
Description:
To get better control over the preferred and allowed algorithms, mechanisms and so on used for cryptographic protection, a set of policies would be fine.

E.g. in a PGP certificate the preferred algorithms, key length and so on are defined, but from an enterprise point of view you must be sure that no weak stuff can be used at all. In such a case policies must forbid some of this, so that you can be sure that only secure algorithms, mechanisms and key lengths are in use.
Tags:             No tags attached.
Relationships:    related to 0000879 (resolved, Falk Reichbott): Support SAF request in SW implementations for key access and other resources
Issue History
Date Modified      Username         Field                 Change
2017-06-12 08:27   Falk Reichbott   New Issue
2017-06-12 08:27   Falk Reichbott   Status                new => assigned
2017-06-12 08:27   Falk Reichbott   Assigned To           => Mykhailo Moldavskyy
2017-06-12 08:27   Falk Reichbott   Relationship added    related to 0000879
2017-06-12 09:31   Falk Reichbott   Note Added            0001107
2018-03-05 07:55   Falk Reichbott   Target Version        5.1.17 => 5.1.19
2018-09-03 09:53   Falk Reichbott   Target Version        5.1.19 => 5.1.20
2018-11-02 12:50   Falk Reichbott   Assigned To           Mykhailo Moldavskyy => Falk Reichbott
2019-02-28 17:33   Falk Reichbott   Target Version        5.1.20 => 5.1.21
2019-06-17 16:00   Falk Reichbott   Note Added            0001267
2019-06-17 16:00   Falk Reichbott   Status                assigned => resolved
2019-06-17 16:00   Falk Reichbott   Fixed in Version      => 5.1.21
2019-06-17 16:00   Falk Reichbott   Resolution            open => fixed
2019-06-17 16:01   Falk Reichbott   Note View State       0001267: public

Notes

(0001107) Falk Reichbott, 2017-06-12 09:31
Include enforcement of KeyID entry at import.

(0001267) Falk Reichbott, 2019-06-17 16:00
A first set of additional SAF checks is implemented.

SAF configuration
~~~~~~~~~~~~~~~~~

Since version 5.1.21 FLAM supports additional SAF checks for the classes
and entities below. Each FLAM class starts with '$FL'. To be backward
compatible with previous releases, an undefined resource (return code 4)
is accepted by default. This also means that the prefix cannot be
changed. Only a return code greater than or equal to 8 results in an
authorization or license error. With the first class the 6-byte feature
code can be controlled.

CLASS: '$FLFEATR' - Feature de/activation
    Entities: Equal to the FLAM feature names (shown in your license)
        Attribute: 'READ' deactivates the feature
        Attribute: 'ALTER' activates the feature

A failed check in this class results in a license error. The class is
global and is only available if a new license module is requested. All
checks below are part of the FL5 components, are controlled via a global
master class and result in an authorization error when they fail.

CLASS: '$FLGLOBL' - Global master class to activate the various SAF checks
    Entity: 'MUSTDEF' - Do not accept return code 4; every resource must be defined
        Attribute: 'READ' activates strict SAF checking (return code must be 0, otherwise fail)
        Attribute: 'ALTER' only simple SAF checking is active (return code must be >= 8 to fail)
    Entity: 'POLICIES' - General policies ($FLPOLCY)
    Entity: 'CLP.CONTROL' - Parameter string ($FLCLPAR)
    Entity: 'AVE.CONTROL' - Anti-virus exit ($FLAV*)
    Entity: 'CPE.CONTROL' - Column processing exit ($FLCP*)
    Entity: 'KME.CONTROL' - Key management exit ($FLKM*)
    Entity: 'SSH.CONNECT' - SSH connections ($FLSSH*)
    Entity: 'PGP.KEYMNGM' - PGP key management ($FLPGP*)
    Entity: 'SMF.LOGGING' - Enforce SMF logging
    Entity: 'PGP.USERID' - Access to user IDs ($FLPGUID)
    Entity: 'PGP.KEYID' - Access to key IDs ($FLPGKID)
        Attribute: 'READ' activates the SAF checking
        Attribute: 'ALTER' allows the operation without SAF checking

The classes below are controlled by the global master class above:

CLASS: '$FLPOLCY' - Various policies
    Entity: 'SSH.PCAP.NOT.ALLOWED' - Packet capturing is not allowed
    Entity: 'SSH.WAEK.HOST.KEY.CHECK.NOT.ALLOWED' - WARN and ACCEPT are not allowed as host key check modes
    Entity: 'SSH.CUSTOM.HOST.KEY.NOT.ALLOWED' - A custom host key is not allowed
    Entity: 'SSH.CUSTOM.KNOWN.HOST.FILE.NOT.ALLOWED' - A custom known-hosts file is not allowed
    Entity: 'KEY.GENERATE.PGP.EXPIRD.REQIRED' - Expiration date required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN1024' - Minimum 1024 bits required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN2048' - Minimum 2048 bits required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN3072' - Minimum 3072 bits required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN4096' - Minimum 4096 bits required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.NOT.ALLOWED' - DSA algorithm is not allowed
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN1024' - Minimum 1024 bits required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN2048' - Minimum 2048 bits required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN3072' - Minimum 3072 bits required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN4096' - Minimum 4096 bits required
    Entity: 'KEY.IMPORT.PGP.KIDVER.REQ04' - At least a 4-byte fingerprint (key ID) is required at import
    Entity: 'KEY.IMPORT.PGP.KIDVER.REQ08' - At least an 8-byte fingerprint (key ID) is required at import
    Entity: 'PGP.READ.PWD' - Read with passwords is not allowed (enforces PKA)
    Entity: 'PGP.WRITE.PWD' - Write with passwords is not allowed (enforces PKA)
    Entity: 'PGP.REENC.PWD' - Re-encryption with passwords is not allowed (enforces PKA)
    Entity: 'PGP.READ.ENFORCE.ENCRYPTION' - Enforce encryption at read of PGP files
    Entity: 'PGP.READ.ENFORCE.INTEGRITY' - Enforce integrity protection at read of PGP files
    Entity: 'PGP.READ.ENFORCE.SIGNING' - Enforce signing at read of PGP files
    Entity: 'PGP.WRITE.ENFORCE.ENCRYPTION' - Enforce encryption at write of PGP files
    Entity: 'PGP.WRITE.ENFORCE.INTEGRITY' - Enforce integrity protection at write of PGP files
    Entity: 'PGP.WRITE.ENFORCE.SIGNING' - Enforce signing at write of PGP files
        Attribute: 'READ' enforces the policy
        Attribute: 'ALTER' allows the operation the policy forbids

CLASS: '$FLCLPAR' - Command line parser
    Entities: Path to this parameter
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be used

CLASS: '$FLSSHUS' - SSH user
    Entities: SSH user id
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLSSHHO' - SSH host
    Entities: IP address or DNS name of the SSH daemon
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLSSHPO' - SSH port
    Entities: Port of SSH daemon (decimal number)
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVLIB' - FAVE library
    Entities: Library name
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVFUC' - FAVE Function
    Entities: Function name used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVPAR' - FAVE Parameter
    Entities: Parameter string used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVIPH' - FAVE IP host
    Entities: IP address of AV daemon
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVIPS' - FAVE IP service/port
    Entities: IP service of AV daemon
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLCPLIB' - FCPE library
    Entities: Library name
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLCPFUC' - FCPE Function
    Entities: Function name used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLCPPAR' - FCPE Parameter
    Entities: Parameter string used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLKMLIB' - FKME library
    Entities: Library name
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLKMFUC' - FKME Function
    Entities: Function name used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLKMPAR' - FKME Parameter
    Entities: Parameter string used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLPGPGN' - PGP generate
    Entities: User ID to be generated
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGPEX' - PGP export
    Entities: User ID to be exported
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGPIM' - PGP import
    Entities: User ID to be imported
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGPDL' - PGP delete
    Entities: User ID to be deleted
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGUID' - Operational PGP user
    Entities: User ID mainly at write
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGKID' - Operational PGP key ID
    Entities: Key ID at read and write
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done
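The class list above says what FLAM probes, not how the profiles behind it look. The job below is an added example written for this page; it is not code from FLAM or from the project. It assumes RACF as the SAF manager with class CDT already active and RACLISTed, free POSIT values 200 to 202, a key-administrator group FLAMADM, an application group FLAMAPP, and a constructed PGP key ID 0A1B2C3D4E5F6071; the CDTINFO keywords are quoted from memory of the RACF command reference and should be checked against your release. The access levels follow the note: READ on a '$FLGLOBL' entity activates a check group and ALTER bypasses it; READ on a '$FLPOLCY' entity enforces the policy and ALTER exempts the user; on a '$FLPGKID' key ID, ALTER means 'can be done'.

```jcl
//FLAMSAF  JOB (ACCT),'FLAM SAF POLICY',CLASS=A,MSGCLASS=X
//* Added example, not part of FLAM: define three FLAM SAF classes
//* in the dynamic RACF CDT, switch them on in the $FLGLOBL master
//* class and load a first policy set.
//* Hypothetical assumptions: RACF is the SAF manager, class CDT is
//* active and RACLISTed, POSIT 200-202 are free, group FLAMADM holds
//* the key administrators, group FLAMAPP the application users, and
//* the key ID 0A1B2C3D4E5F6071 is a constructed sample value.
//RACF     EXEC PGM=IKJEFT01
//SYSTSPRT DD SYSOUT=*
//SYSTSIN  DD *
 /* 1. Installation classes. Entity names contain '.', hence       */
 /*    OTHER includes SPECIAL. DEFAULTRC(4) keeps the documented   */
 /*    FLAM default: an undefined resource is accepted (fail-open).*/
 /*    Separate POSIT values let each class be activated alone.    */
 RDEFINE CDT $FLGLOBL UACC(NONE) +
    CDTINFO(DEFAULTUACC(NONE) DEFAULTRC(4) +
            FIRST(ALPHA) OTHER(ALPHA NUMERIC NATIONAL SPECIAL) +
            MAXLENGTH(246) POSIT(200) RACLIST(REQUIRED) +
            GENERIC(ALLOWED))
 RDEFINE CDT $FLPOLCY UACC(NONE) +
    CDTINFO(DEFAULTUACC(NONE) DEFAULTRC(4) +
            FIRST(ALPHA) OTHER(ALPHA NUMERIC NATIONAL SPECIAL) +
            MAXLENGTH(246) POSIT(201) RACLIST(REQUIRED) +
            GENERIC(ALLOWED))
 /*    PGP key IDs are hex strings and may start with a digit.    */
 RDEFINE CDT $FLPGKID UACC(NONE) +
    CDTINFO(DEFAULTUACC(NONE) DEFAULTRC(4) +
            FIRST(ALPHA NUMERIC) OTHER(ALPHA NUMERIC) +
            MAXLENGTH(246) POSIT(202) RACLIST(REQUIRED) +
            GENERIC(ALLOWED))
 SETROPTS RACLIST(CDT) REFRESH
 SETROPTS CLASSACT($FLGLOBL $FLPOLCY $FLPGKID) +
          RACLIST($FLGLOBL $FLPOLCY $FLPGKID) +
          GENERIC($FLGLOBL $FLPOLCY $FLPGKID)
 /* 2. Master class: READ on an entity activates that check group  */
 /*    for the user, ALTER lets the user bypass it. UACC(READ)     */
 /*    means everybody is checked; only FLAMADM may bypass.        */
 RDEFINE $FLGLOBL POLICIES  UACC(READ)
 RDEFINE $FLGLOBL PGP.KEYID UACC(READ)
 PERMIT  POLICIES  CLASS($FLGLOBL) ID(FLAMADM) ACCESS(ALTER)
 PERMIT  PGP.KEYID CLASS($FLGLOBL) ID(FLAMADM) ACCESS(ALTER)
 /* 3. Policies: READ enforces the policy, ALTER exempts the user. */
 /*    RSA >= 2048, no DSA, expiry date required, no password-    */
 /*    based writes, integrity protection on write.               */
 RDEFINE $FLPOLCY KEY.GENERATE.PGP.ALGO.RSA.LEN2048     UACC(READ)
 RDEFINE $FLPOLCY KEY.GENERATE.PGP.ALGO.DSA.NOT.ALLOWED UACC(READ)
 RDEFINE $FLPOLCY KEY.GENERATE.PGP.EXPIRD.REQIRED       UACC(READ)
 RDEFINE $FLPOLCY PGP.WRITE.PWD                         UACC(READ)
 RDEFINE $FLPOLCY PGP.WRITE.ENFORCE.INTEGRITY           UACC(READ)
 /* 4. Key ID allow-list: '**' with no access makes every unlisted */
 /*    key ID fail with return code 8 (authorization error); the   */
 /*    listed key ID gets ALTER, i.e. 'can be done'.               */
 RDEFINE $FLPGKID ** UACC(NONE)
 RDEFINE $FLPGKID 0A1B2C3D4E5F6071 UACC(NONE)
 PERMIT  0A1B2C3D4E5F6071 CLASS($FLPGKID) ID(FLAMADM FLAMAPP) +
         ACCESS(ALTER)
 SETROPTS RACLIST($FLGLOBL $FLPOLCY $FLPGKID) REFRESH
/*
```

Two points to settle before running this against a production RACF database. First, the documented default of accepting return code 4 is fail-open: any class FLAM probes that has no profile covering the resource lets the operation through. To close that, either define 'MUSTDEF' in '$FLGLOBL' with READ, and then cover every class FLAM probes with '**' profiles because any return code other than 0 fails, or define the classes with DEFAULTRC(8) so that undefined resources fail per class. Second, in RACF, ALTER access to a discrete general-resource profile also lets the user change that profile, while ALTER on a generic profile does not; so grant the ALTER 'bypass' level only to groups that may administer the profiles anyway, or place the bypass on generic profiles.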