From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Steve G <linux_4ever@yahoo.com>
Cc: James Morris <jmorris@namei.org>,
sgrubb@redhat.com, Paul Moore <paul.moore@hp.com>,
selinux@tycho.nsa.gov, zohar@us.ibm.com, safford@watson.ibm.com
Subject: Re: [RFC]integrity: SELinux patch
Date: Tue, 04 Sep 2007 16:46:50 -0400 [thread overview]
Message-ID: <1188938810.5595.5.camel@localhost.localdomain> (raw)
In-Reply-To: <604663.1384.qm@web51501.mail.re2.yahoo.com>
On Wed, 2007-07-18 at 08:05 -0700, Steve G wrote:
>
> >> No, it isn't being audited, but should be. The question is what type of audit
>
> >> message would be appropriate here. It could be the normal denied/granted
> >> message, but that would be confusing as this isn't based on a permission or
> >> capability check, but an integrity error. Any suggestions how to handle this
> >> here and in the other places?
>
> MRPP places some requirements on intergrity checking. Maybe it tells you more
> information about what's required. More info:
>
> http://www.niap-ccevs.org/cc-scheme/pp/pp.cfm?id=PP_OS_ML_MR2.0_V1.91
>
> >If integrity is being enforced, then the final AVC denial should include
> >information that it was because of an integrity failure.
>
> Might ought to be an integrity audit record type rather than avc. This way
> aureport can separate it out for its summary report. In
> /usr/include/linux/audit.h is this note:
>
> * 1800 - 1999 future kernel use (maybe integrity labels and related events)
>
> So, we could assign the 1800 block to kernel integrity checking. I think we'd
> need information access decision, creation, modification, and deletion of
> integrity information/labels. We also probably need the ability to audit by
> integrity, too. For a detailed audit discussion, I'd recommend linux-audit mail
> list or at least cc'ing it
As a first take, the "integrity: API, hooks, placement and dummy provider" patch
posted on Aug. 28th, adds the following auditing integrity support.
Added to audit.h:
#define AUDIT_INTEGRITY 1800 /* Integrity verify success/failure */
#define AUDIT_INTEGRITY_ERR 1801 /* Internal integrity errors */
#define AUDIT_INTEGRITY_PCR 1802 /* PCR invalidation errors */
Added to integrity.h:
void integrity_audit(char *function, const unsigned char *fname, char *cause);
void integrity_audit_pcr(const unsigned char *fname, char *cause);
void integrity_audit_err(char *cause);
These functions are defined in security/integrity_audit.c.
Based on Stephen's request, I've removed the kernel integrity logging in
the selinux integrity patch. I've added audit calls to IMA, which log PCR
violations. The integrity_audit() calls would be made from a LIM provider
that implements integrity_verify_metadata() and integrity_verify_data().
Mimi Zohar
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2007-09-04 20:41 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-07-16 13:57 [RFC]integrity: SELinux patch Mimi Zohar
2007-07-16 18:40 ` Joshua Brindle
2007-07-16 23:13 ` Mimi Zohar
2007-07-16 19:23 ` Paul Moore
2007-07-17 14:30 ` Mimi Zohar
2007-07-17 14:32 ` Paul Moore
2007-07-17 14:54 ` James Morris
2007-07-18 15:05 ` Steve G
2007-09-04 20:46 ` Mimi Zohar [this message]
2007-09-04 21:08 ` Steve Grubb
[not found] ` <1188999967.5563.2.camel@localhost.localdomain>
2007-09-05 15:11 ` Integrity auditing Steve Grubb
2007-09-05 19:26 ` Mimi Zohar
2007-09-06 17:07 ` Steve Grubb
2007-09-10 20:16 ` Mimi Zohar
2007-09-12 13:25 ` Steve Grubb
2007-07-17 0:20 ` [RFC]integrity: SELinux patch James Morris
2007-07-17 13:20 ` Joshua Brindle
2007-07-17 14:44 ` James Morris
2007-07-18 21:33 ` Mimi Zohar
2007-07-17 14:52 ` Stephen Smalley
2007-07-18 21:43 ` Mimi Zohar
2007-07-19 13:08 ` Stephen Smalley
2007-07-20 18:57 ` Mimi Zohar
-- strict thread matches above, loose matches on Subject: below --
2007-08-28 22:35 Mimi Zohar
2007-08-29 4:16 ` Joshua Brindle
2007-08-29 10:14 ` Mimi Zohar
2007-09-19 19:41 ` Mimi Zohar
2007-09-19 21:04 ` Stephen Smalley
2007-09-20 1:34 ` Mimi Zohar
2007-09-20 13:12 ` Stephen Smalley
2007-09-20 21:16 ` James Morris
2007-09-21 14:13 ` Mimi Zohar
2007-09-21 14:02 ` Mimi Zohar
2007-08-30 20:58 ` Serge E. Hallyn
2007-08-30 21:12 ` Serge E. Hallyn
2007-08-31 13:15 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1188938810.5595.5.camel@localhost.localdomain \
--to=zohar@linux.vnet.ibm.com \
--cc=jmorris@namei.org \
--cc=linux_4ever@yahoo.com \
--cc=paul.moore@hp.com \
--cc=safford@watson.ibm.com \
--cc=selinux@tycho.nsa.gov \
--cc=sgrubb@redhat.com \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.