integrity: audit - Mimi Zohar

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Linux Audit <linux-audit@redhat.com>
Cc: David Safford <safford@watson.ibm.com>, James Morris <jmorris@namei.org>
Subject: integrity: audit
Date: Mon, 09 Mar 2009 11:06:36 -0400	[thread overview]
Message-ID: <1236611196.2931.10.camel@localhost.localdomain> (raw)

The original patch added support to auditd for integrity messages, which
are issued as a result of the integrity patchset that was applied to the 
security-testing-2.6/#next tree.

This patch adds support for the new AUDIT_INTEGRITY_RULE message.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

Index: audit-1.7.11/src/ausearch-parse.c
===================================================================
--- audit-1.7.11.orig/src/ausearch-parse.c
+++ audit-1.7.11/src/ausearch-parse.c
@@ -49,6 +49,7 @@ static int parse_login(const lnode *n, s
 static int parse_daemon(const lnode *n, search_items *s);
 static int parse_sockaddr(const lnode *n, search_items *s);
 static int parse_avc(const lnode *n, search_items *s);
+static int parse_integrity(const lnode *n, search_items *s);
 static int parse_kernel_anom(const lnode *n, search_items *s);
 static int parse_simple_message(const lnode *n, search_items *s);
 static int parse_tty(const lnode *n, search_items *s);
@@ -123,6 +124,9 @@ int extract_search_items(llist *l)
 			case AUDIT_MAC_POLICY_LOAD...AUDIT_MAC_UNLBL_STCDEL:
 				ret = parse_simple_message(n, s);
 				break;
+			case AUDIT_INTEGRITY_DATA...AUDIT_INTEGRITY_RULE:
+				ret = parse_integrity(n, s);
+				break;
 			case AUDIT_KERNEL:
 			case AUDIT_IPC:
 			case AUDIT_SELINUX_ERR:
@@ -1150,6 +1154,98 @@ static int parse_sockaddr(const lnode *n
 	return 0;
 }
 
+static int parse_integrity(const lnode *n, search_items *s)
+{
+	char *ptr, *str, *term;
+	int rc=0;
+
+	term = n->message;
+	// get pid
+	str = strstr(term, "pid=");
+	if (str) {
+		ptr = str + 4;
+		term = strchr(ptr, ' ');
+		if (term == NULL)
+			return 2;
+		*term = 0;
+		errno = 0;
+		s->pid = strtoul(ptr, NULL, 10);
+		if (errno)
+			return 3;
+		*term = ' ';
+	}
+
+	// get uid
+	str = strstr(term, " uid=");
+	if (str) {
+		ptr = str + 4;
+		term = strchr(ptr, ' ');
+		if (term == NULL)
+			return 4;
+		*term = 0;
+		errno = 0;
+		s->uid = strtoul(ptr, NULL, 10);
+		if (errno)
+			return 5;
+		*term = ' ';
+	}
+
+	// get loginuid
+	str = strstr(n->message, "auid=");
+	if (str) {
+		ptr = str + 5;
+		term = strchr(ptr, ' ');
+		if (term == NULL)
+			return 6;
+		*term = 0;
+		errno = 0;
+		s->loginuid = strtoul(ptr, NULL, 10);
+		if (errno)
+			return 7;
+		*term = ' ';
+	}
+
+	str = strstr(term, "comm=");
+	if (str) {
+		str += 5;
+		if (*str == '"') {
+			str++;
+			term = strchr(str, '"');
+			if (term == NULL)
+				return 8;
+			*term = 0;
+			s->comm = strdup(str);
+			*term = '"';
+		} else
+			s->comm = unescape(str);
+	}
+
+	str = strstr(term, " name=");
+	if (str) {
+		str += 6;
+		if (common_path_parser(s, str))
+			return 9;
+	}
+
+	// and results (usually last)
+	str = strstr(term, "res=");
+	if (str != NULL) {
+		ptr = str + 4;
+		term = strchr(ptr, ' ');
+		if (term)
+			*term = 0;
+		errno = 0;
+		s->success = strtoul(ptr, NULL, 10);
+		if (errno)
+			return 10;
+		if (term)
+			*term = ' ';
+	}
+
+	return 0;
+}
+
+
 /* FIXME: If they are in permissive mode or hit an auditallow, there can 
  * be more that 1 avc in the same syscall. For now, we pickup just the first.
  */
Index: audit-1.7.11/lib/libaudit.h
===================================================================
--- audit-1.7.11.orig/lib/libaudit.h
+++ audit-1.7.11/lib/libaudit.h
@@ -174,6 +174,12 @@ extern "C" {
 #ifndef AUDIT_ANOM_ABEND
 #define AUDIT_ANOM_ABEND		1701 /* Process ended abnormally */
 #endif
+#define AUDIT_INTEGRITY_DATA	    1800 /* Data integrity verification */
+#define AUDIT_INTEGRITY_METADATA    1801 /* Metadata integrity verification */
+#define AUDIT_INTEGRITY_STATUS	    1802 /* Integrity enable status */
+#define AUDIT_INTEGRITY_HASH	    1803 /* Integrity HASH type */
+#define AUDIT_INTEGRITY_PCR	    1804 /* PCR invalidation msgs */
+#define AUDIT_INTEGRITY_RULE	    1805 /* Policy rule */
 #define AUDIT_FIRST_ANOM_MSG		2100
 #define AUDIT_LAST_ANOM_MSG		2199
 #define AUDIT_ANOM_LOGIN_FAILURES	2100 // Failed login limit reached
Index: audit-1.7.11/lib/msg_typetab.h
===================================================================
--- audit-1.7.11.orig/lib/msg_typetab.h
+++ audit-1.7.11/lib/msg_typetab.h
@@ -122,6 +122,13 @@ _S(AUDIT_MAC_UNLBL_STCADD,           "MA
 _S(AUDIT_MAC_UNLBL_STCDEL,           "MAC_UNLBL_STCDEL"              )
 _S(AUDIT_ANOM_PROMISCUOUS,           "ANOM_PROMISCUOUS"              )
 _S(AUDIT_ANOM_ABEND,                 "ANOM_ABEND"                    )
+_S(AUDIT_INTEGRITY_DATA,             "INTEGRITY_DATA"                )
+_S(AUDIT_INTEGRITY_METADATA,         "INTEGRITY_METADATA"            )
+_S(AUDIT_INTEGRITY_STATUS,           "INTEGRITY_STATUS"              )
+_S(AUDIT_INTEGRITY_HASH,             "INTEGRITY_HASH"                )
+_S(AUDIT_INTEGRITY_PCR,              "INTEGRITY_PCR"                 )
+_S(AUDIT_INTEGRITY_RULE,             "INTEGRITY_RULE"                )
+
 #ifdef WITH_APPARMOR
 _S(AUDIT_AA,                         "APPARMOR"                      )
 _S(AUDIT_APPARMOR_AUDIT,             "APPARMOR_AUDIT"                )
Index: audit-1.7.11/system-config-audit/src/lists.py
===================================================================
--- audit-1.7.11.orig/system-config-audit/src/lists.py
+++ audit-1.7.11/system-config-audit/src/lists.py
@@ -160,6 +160,12 @@ audit.AUDIT_LAST_KERN_ANOM_MSG,
 audit.AUDIT_ANOM_PROMISCUOUS,
 audit.AUDIT_ANOM_ABEND,
 audit.AUDIT_KERNEL,
+audit.AUDIT_INTEGRITY_DATA,
+audit.AUDIT_INTEGRITY_METADATA,
+audit.AUDIT_INTEGRITY_STATUS,
+audit.AUDIT_INTEGRITY_HASH,
+audit.AUDIT_INTEGRITY_PCR,
+audit.AUDIT_INTEGRITY_RULE,
 )
 
 # From code in src/auditctl.c
Index: audit-1.7.11/lib/netlink.c
===================================================================
--- audit-1.7.11.orig/lib/netlink.c
+++ audit-1.7.11/lib/netlink.c
@@ -182,7 +182,8 @@ static int adjust_reply(struct audit_rep
 		case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
 		case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
 		case AUDIT_FIRST_EVENT...AUDIT_LAST_KERN_ANOM_MSG:
-			rep->message = NLMSG_DATA(rep->nlh); 
+		case AUDIT_INTEGRITY_DATA...AUDIT_INTEGRITY_RULE:
+			rep->message = NLMSG_DATA(rep->nlh);
 			break;
 		case AUDIT_SIGNAL_INFO:
 			rep->signal_info = NLMSG_DATA(rep->nlh);

next             reply	other threads:[~2009-03-09 15:06 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-03-09 15:06 Mimi Zohar [this message]
  -- strict thread matches above, loose matches on Subject: below --
2009-02-06 12:43 integrity: audit Mimi Zohar
2009-02-06 15:01 ` Steve Grubb
2009-02-06 16:15   ` Mimi Zohar
2009-02-06 16:33     ` Steve Grubb
2009-02-06 16:33       ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1236611196.2931.10.camel@localhost.localdomain \
    --to=zohar@linux.vnet.ibm.com \
    --cc=jmorris@namei.org \
    --cc=linux-audit@redhat.com \
    --cc=safford@watson.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.