FLAM® Issue Tracker

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0000880FL52.2 Subprogram FLUC (CONV)public2017-06-12 08:272019-06-17 16:00
ReporterFalk Reichbott 
Assigned ToFalk Reichbott 
PrioritynormalSeverityfeatureReproducibilityN/A
StatusresolvedResolutionfixed 
PlatformGeneralOSGeneralOS VersionGeneral
Product Version5.1.15 
Target Version5.1.21Fixed in Version5.1.21 
Summary0000880: Support encryption and key management policies
DescriptionTo get better control about preffered and allowed algos, mechanism uso for cryptographic protection a set of policies would be fine.

E.g. in a PGP certificate preffered algos, key length aso. are defined, but in a enterprise point of view you must be shure that no week stuff can be used at all. In such case a policies must forbit some of this, so that you can be sure that only secure agos, mechanisms and key length are in use.
TagsNo tags attached.
Attached Files

- Relationships
related to 0000879resolvedFalk Reichbott Support SAF request in SW implementations for key access and other resources 

-  Notes
(0001107)
Falk Reichbott (administrator)
2017-06-12 09:31

Include enforcment of KeyID entry at import
(0001267)
Falk Reichbott (administrator)
2019-06-17 16:00

A first set of additional SAF checks are implemented

SAF configuration
~~~~~~~~~~~~~~~~~

Since version 5.1.21 FLAM supports additional SAF checks for the classes
and entities below. Each FLAM class starts with '$FL'. To be backward
compatible with previous releases, an undefined resource (return code 4)
will be accepted by default. This also forces that the prefix cannot be
changed. Only a return code greater or equal 8 will result in an authorization
or license error. With the first class the 6 byte long feature code can be
controlled.

CLASS: '$FLFEATR' - Feature de/activation
    Entities: Are equal to FLAM feature names (show in your license)
        Attribute: 'READ' deactivates the feature
        Attribute: 'ALTER' activates the feature

This support will fail with a license error. The class is global and is
only available if a new license module requested. All checks below are
part of the FL5 components, can be controlled over a global master class
and will result in an authorization error.

CLASS: '$FLGLOBL' - Global master class to activate several SAF checks
    Entity: 'MUSTDEF' - Don't accept return code 4 anything must be defined
        Attribute: 'READ' activate the strong SAF checking (return code must be 0 else fail)
        Attribute: 'ALTER' only simple SAF checking active (return code must >=8 to fail)
    Entity: 'POLICIES' - General policies ($FLPOLCY)
    Entity: 'CLP.CONTROL' - Parameter string ($FLCLPAR)
    Entity: 'AVE.CONTROL' - Anti virus exit ($FLAV*)
    Entity: 'CPE.CONTROL' - Column processing exit ($FLCP*)
    Entity: 'KME.CONTROL' - Key management exit ($FLKM*)
    Entity: 'SSH.CONNECT' - SSH connections ($FLSSH*)
    Entity: 'PGP.KEYMNGM' - PGP key management ($FLPGP*)
    Entity: 'SMF.LOGGING' - Enforce SMF-Logging
    Entity: 'PGP.USERID' - Access to user ids ($FLPGUID)
    Entity: 'PGP.KEYID' - Access to key ids ($FLPGKID)
        Attribute: 'READ' activate the SAF checking
        Attribute: 'ALTER' allow to do this without SAF

The classes below are control by the global master above:

CLASS: '$FLPOLCY' - Several policies
    Entity: 'SSH.PCAP.NOT.ALLOWED' - Packet capturing is not allowed
    Entity: 'SSH.WAEK.HOST.KEY.CHECK.NOT.ALLOWED' - WARN and ACCEPT is not allowed
    Entity: 'SSH.CUSTOM.HOST.KEY.NOT.ALLOWED' - A custom host key is not allowed
    Entity: 'SSH.CUSTOM.KNOWN.HOST.FILE.NOT.ALLOWED' - A custom known host key file is not allowed
    Entity: 'KEY.GENERATE.PGP.EXPIRD.REQIRED' - Expiration date required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN1024' - Minimum 1024 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN2048' - Minimum 2048 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN3072' - Minimum 3072 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.RSA.LEN4096' - Minimum 4096 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.NOT.ALLOWED' - DSA algorithm is not allowed
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN1024' - Minimum 1024 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN2048' - Minimum 2048 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN3072' - Minimum 3072 bit required
    Entity: 'KEY.GENERATE.PGP.ALGO.DSA.LEN4096' - Minimum 4096 bit required
    Entity: 'KEY.IMPORT.PGP.KIDVER.REQ04' - A minimum of 4 byte finger print for import
    Entity: 'KEY.IMPORT.PGP.KIDVER.REQ08' - A minimum of 8 byte finger print for import
    Entity: 'PGP.READ.PWD' - Read with passwords is not allowed (enforce PKA)
    Entity: 'PGP.WRITE.PWD' - Write with passwords is not allowed (enforce PKA)
    Entity: 'PGP.REENC.PWD' - Re encryption with passwords is not allowed (enforce PKA)
    Entity: 'PGP.READ.ENFORCE.ENCRYPTION' - Enforce encryption at read of PGP files
    Entity: 'PGP.READ.ENFORCE.INTEGRITY' - Enforce integrity protection at read of PGP files
    Entity: 'PGP.READ.ENFORCE.SIGNING' - Enforce signing at read of PGP files
    Entity: 'PGP.WRITE.ENFORCE.ENCRYPTION' - Enforce encryption at write of PGP files
    Entity: 'PGP.WRITE.ENFORCE.INTEGRITY' - Enforce integrity protection at write of PGP files
    Entity: 'PGP.WRITE.ENFORCE.SIGNING' - Enforce signing at write of PGP files
        Attribute: 'READ' enforced the policy
        Attribute: 'ALTER' allow to do this

CLASS: '$FLCLPAR' - Command line parser
    Entities: Path to this parameter
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be used

CLASS: '$FLSSHUS' - SSH user
    Entities: SSH user id
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLSSHHO' - SSH host
    Entities: IP oder DSN for SSH daemon
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLSSHPO' - SSH port
    Entities: Port of SSH daemon (decimal number)
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVLIB' - FAVE library
    Entities: Library name name
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVFUC' - FAVE Function
    Entities: Function name used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVPAR' - FAVE Parameter
    Entities: Parameter string used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVIPH' - FAVE IP host
    Entities: IP address of AV daemon
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLAVIPS' - FAVE IP service/port
    Entities: IP service of AV daemon
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLCPLIB' - FCPE library
    Entities: Library name name
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLCPFUC' - FCPE Function
    Entities: Function name used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLCPPAR' - FCPE Parameter
    Entities: Parameter string used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLKMLIB' - FKME library
    Entities: Library name name
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLKMFUC' - FKME Function
    Entities: Function name used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLKMPAR' - FKME Parameter
    Entities: Parameter string used
        Attribute: 'READ' not usable
        Attribute: 'ALTER' can be used

CLASS: '$FLPGPGN' - PGP generate
    Entities: User ID to be generated
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGPEX' - PGP export
    Entities: User ID to be exported
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGPIM' - PGP import
    Entities: User ID to be imported
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGPDL' - PGP delete
    Entities: User ID to be deleted
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGUID' - Operational PGP user
    Entities: User ID mainly at write
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

CLASS: '$FLPGKID' - Operational PGP key ID
    Entities: Key ID at read and write
        Attribute: 'READ' not allowed
        Attribute: 'ALTER' can be done

- Issue History
Date Modified Username Field Change
2017-06-12 08:27 Falk Reichbott New Issue
2017-06-12 08:27 Falk Reichbott Status new => assigned
2017-06-12 08:27 Falk Reichbott Assigned To => Mykhailo Moldavskyy
2017-06-12 08:27 Falk Reichbott Relationship added related to 0000879
2017-06-12 09:31 Falk Reichbott Note Added: 0001107
2018-03-05 07:55 Falk Reichbott Target Version 5.1.17 => 5.1.19
2018-09-03 09:53 Falk Reichbott Target Version 5.1.19 => 5.1.20
2018-11-02 12:50 Falk Reichbott Assigned To Mykhailo Moldavskyy => Falk Reichbott
2019-02-28 17:33 Falk Reichbott Target Version 5.1.20 => 5.1.21
2019-06-17 16:00 Falk Reichbott Note Added: 0001267
2019-06-17 16:00 Falk Reichbott Status assigned => resolved
2019-06-17 16:00 Falk Reichbott Fixed in Version => 5.1.21
2019-06-17 16:00 Falk Reichbott Resolution open => fixed
2019-06-17 16:01 Falk Reichbott Note View State: 0001267: public


Copyright © 2000 - 2019 MantisBT Team
Powered by Mantis Bugtracker