From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: containers@lists.linux-foundation.org,
Linux-Audit Mailing List <linux-audit@redhat.com>,
linux-integrity <linux-integrity@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] audit: add containerid support for IMA-audit
Date: Mon, 05 Mar 2018 09:24:14 -0500 [thread overview]
Message-ID: <1520259854.10396.313.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180305135008.po6lheqnmkqqo6q4@madcap2.tricolour.ca>
On Mon, 2018-03-05 at 08:50 -0500, Richard Guy Briggs wrote:
> On 2018-03-05 08:43, Mimi Zohar wrote:
> > Hi Richard,
> >
> > This patch has been compiled, but not runtime tested.
>
> Ok, great, thank you. I assume you are offering this patch to be
> included in this patchset?
Yes, thank you.
> I'll have a look to see where it fits in the
> IMA record. It might be better if it were an AUDIT_CONTAINER_INFO
> auxiliary record, but I'll have a look at the circumstances of the
> event. Can you suggest a procedure to test it?
Like IMA-measurement and IMA-appraisal, IMA-audit is enabled based on
policy. The example IMA policy, below, includes IMA-audit messages for
files executed. 'cat' the policy to /sys/kernel/security/ima/policy.
/etc/ima/ima-policy:
audit func=BPRM_CHECK
There's a FireEye blog titled "Extending Linux Executable Logging With
The Integrity Measurement Architecture"* that explains how to augment
their existing system security analytics with file hashes.
* https://www.fireeye.com/blog/threat-research/2016/11/extending_linux
_exec.html
Mimi
>
> > ---
> >
> > If the containerid is defined, include it in the IMA-audit record.
> >
> > Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> > ---
> > security/integrity/ima/ima_api.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
> > index 33b4458cdbef..41d29a06f28f 100644
> > --- a/security/integrity/ima/ima_api.c
> > +++ b/security/integrity/ima/ima_api.c
> > @@ -335,6 +335,9 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
> > audit_log_untrustedstring(ab, algo_hash);
> >
> > audit_log_task_info(ab, current);
> > + if (audit_containerid_set(current))
> > + audit_log_format(ab, " contid=%llu",
> > + audit_get_containerid(current));
> > audit_log_end(ab);
> >
> > iint->flags |= IMA_AUDITED;
> > --
> > 2.7.5
> >
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.vnet.ibm.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: containers@lists.linux-foundation.org,
Linux-Audit Mailing List <linux-audit@redhat.com>,
linux-integrity <linux-integrity@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] audit: add containerid support for IMA-audit
Date: Mon, 05 Mar 2018 09:24:14 -0500 [thread overview]
Message-ID: <1520259854.10396.313.camel@linux.vnet.ibm.com> (raw)
In-Reply-To: <20180305135008.po6lheqnmkqqo6q4@madcap2.tricolour.ca>
On Mon, 2018-03-05 at 08:50 -0500, Richard Guy Briggs wrote:
> On 2018-03-05 08:43, Mimi Zohar wrote:
> > Hi Richard,
> >
> > This patch has been compiled, but not runtime tested.
>
> Ok, great, thank you. I assume you are offering this patch to be
> included in this patchset?
Yes, thank you.
> I'll have a look to see where it fits in the
> IMA record. It might be better if it were an AUDIT_CONTAINER_INFO
> auxiliary record, but I'll have a look at the circumstances of the
> event. Can you suggest a procedure to test it?
Like IMA-measurement and IMA-appraisal, IMA-audit is enabled based on
policy. The example IMA policy, below, includes IMA-audit messages for
files executed. 'cat' the policy to /sys/kernel/security/ima/policy.
/etc/ima/ima-policy:
audit func=BPRM_CHECK
There's a FireEye blog titled "Extending Linux Executable Logging With
The Integrity Measurement Architecture"* that explains how to augment
their existing system security analytics with file hashes.
* https://www.fireeye.com/blog/threat-research/2016/11/extending_linux
_exec.html
Mimi
>
> > ---
> >
> > If the containerid is defined, include it in the IMA-audit record.
> >
> > Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
> > ---
> > security/integrity/ima/ima_api.c | 3 +++
> > 1 file changed, 3 insertions(+)
> >
> > diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c
> > index 33b4458cdbef..41d29a06f28f 100644
> > --- a/security/integrity/ima/ima_api.c
> > +++ b/security/integrity/ima/ima_api.c
> > @@ -335,6 +335,9 @@ void ima_audit_measurement(struct integrity_iint_cache *iint,
> > audit_log_untrustedstring(ab, algo_hash);
> >
> > audit_log_task_info(ab, current);
> > + if (audit_containerid_set(current))
> > + audit_log_format(ab, " contid=%llu",
> > + audit_get_containerid(current));
> > audit_log_end(ab);
> >
> > iint->flags |= IMA_AUDITED;
> > --
> > 2.7.5
> >
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Sr. S/W Engineer, Kernel Security, Base Operating Systems
> Remote, Ottawa, Red Hat Canada
> IRC: rgb, SunRaycer
> Voice: +1.647.777.2635, Internal: (81) 32635
>
next prev parent reply other threads:[~2018-03-05 14:24 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-05 13:43 [PATCH] audit: add containerid support for IMA-audit Mimi Zohar
[not found] ` <1520257393.10396.291.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-03-05 13:50 ` Richard Guy Briggs
2018-03-05 13:50 ` Richard Guy Briggs
[not found] ` <20180305135008.po6lheqnmkqqo6q4-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2018-03-05 14:24 ` Mimi Zohar
2018-03-05 14:24 ` Mimi Zohar [this message]
2018-03-05 14:24 ` Mimi Zohar
[not found] ` <1520259854.10396.313.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-03-08 11:21 ` Richard Guy Briggs
2018-03-08 11:21 ` Richard Guy Briggs
2018-03-08 11:21 ` Richard Guy Briggs
2018-03-08 18:02 ` Mimi Zohar
2018-03-08 18:02 ` Mimi Zohar
[not found] ` <1520532165.3605.51.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-03-13 5:53 ` Richard Guy Briggs
2018-03-13 5:53 ` Richard Guy Briggs
2018-03-13 5:53 ` Richard Guy Briggs
2018-05-17 14:18 ` Stefan Berger
2018-05-17 14:18 ` Stefan Berger
2018-05-17 21:30 ` Richard Guy Briggs
2018-05-17 21:30 ` Richard Guy Briggs
2018-05-18 11:49 ` Stefan Berger
2018-05-18 11:49 ` Stefan Berger
2018-05-18 12:53 ` Mimi Zohar
2018-05-18 12:53 ` Mimi Zohar
2018-05-18 12:53 ` Mimi Zohar
2018-05-18 13:54 ` Stefan Berger
2018-05-18 13:54 ` Stefan Berger
[not found] ` <ef567d60-42f7-0a87-8597-1ef381e15be0-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-05-18 14:39 ` Mimi Zohar
2018-05-18 14:39 ` Mimi Zohar
2018-05-18 14:39 ` Mimi Zohar
2018-05-18 14:52 ` Stefan Berger
2018-05-18 14:52 ` Stefan Berger
[not found] ` <1347e0c5-40c9-34a4-9c54-60bd2917b2d7-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-05-18 16:00 ` Richard Guy Briggs
2018-05-18 16:00 ` Richard Guy Briggs
2018-05-18 16:00 ` Richard Guy Briggs
2018-05-18 15:56 ` Richard Guy Briggs
2018-05-18 15:56 ` Richard Guy Briggs
2018-05-18 15:56 ` Richard Guy Briggs
2018-05-18 16:34 ` Mimi Zohar
2018-05-18 16:34 ` Mimi Zohar
2018-05-18 16:50 ` Richard Guy Briggs
2018-05-18 16:50 ` Richard Guy Briggs
[not found] ` <1526661264.3404.55.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-05-18 16:50 ` Richard Guy Briggs
2018-05-21 17:21 ` Steve Grubb
2018-05-21 17:21 ` Steve Grubb
2018-05-21 18:04 ` Stefan Berger
[not found] ` <7abd3460-0797-f003-12c7-7329beb0835b-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-05-21 18:40 ` Steve Grubb
2018-05-21 18:40 ` Steve Grubb
2018-05-21 18:40 ` Steve Grubb
2018-05-21 18:04 ` Stefan Berger
[not found] ` <20180518155659.porewd6moctumkys-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2018-05-18 16:34 ` Mimi Zohar
[not found] ` <1526654395.3632.196.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-05-18 14:52 ` Stefan Berger
2018-05-18 15:56 ` Richard Guy Briggs
[not found] ` <1526647996.3632.164.camel-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-05-18 13:54 ` Stefan Berger
2018-05-18 15:51 ` Richard Guy Briggs
2018-05-18 15:51 ` Richard Guy Briggs
2018-05-18 15:51 ` Richard Guy Briggs
[not found] ` <86df5c2c-9db3-21b9-b91b-30a4f53f9504-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-05-18 12:53 ` Mimi Zohar
2018-05-18 15:45 ` Richard Guy Briggs
2018-05-18 15:45 ` Richard Guy Briggs
2018-05-18 15:45 ` Richard Guy Briggs
[not found] ` <20180518154553.dy53m3os7aql3urd-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2018-05-18 16:49 ` Stefan Berger
2018-05-18 16:49 ` Stefan Berger
2018-05-18 16:49 ` Stefan Berger
[not found] ` <7fdca0e0-19d5-1f08-8aa2-f295ad3a86de-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-05-18 17:01 ` Richard Guy Briggs
2018-05-18 17:01 ` Richard Guy Briggs
2018-05-18 17:01 ` Richard Guy Briggs
[not found] ` <20180517213001.62caslkjwv575xgl-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2018-05-18 11:49 ` Stefan Berger
[not found] ` <efb6c164-febe-67bb-43a9-795476c4902f-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-05-17 21:30 ` Richard Guy Briggs
2018-05-21 16:58 ` Steve Grubb
2018-05-21 16:58 ` Steve Grubb
2018-05-21 17:53 ` Stefan Berger
2018-05-21 17:53 ` Stefan Berger
[not found] ` <21646a72-e782-e33a-9e75-5cc98b241f36-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-05-21 18:30 ` Steve Grubb
2018-05-21 18:30 ` Steve Grubb
2018-05-21 21:57 ` Stefan Berger
2018-05-21 21:57 ` Stefan Berger
2018-05-21 21:57 ` Stefan Berger
2018-05-22 13:43 ` Richard Guy Briggs
2018-05-22 13:43 ` Richard Guy Briggs
2018-05-22 14:12 ` Steve Grubb
[not found] ` <20180522134346.b3bm7ndfjjchju3b-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2018-05-22 14:12 ` Steve Grubb
[not found] ` <e140278a-1494-ec74-f8bb-7fbac676306e-23VcF4HTsmIX0ybBhKVfKdBPR1lH4CV8@public.gmane.org>
2018-05-22 13:43 ` Richard Guy Briggs
2018-05-22 14:09 ` Steve Grubb
2018-05-22 14:09 ` Steve Grubb
[not found] ` <20180308112104.z67wohdvjqemy7wy-bcJWsdo4jJjeVoXN4CMphl7TgLCtbB0G@public.gmane.org>
2018-03-08 18:02 ` Mimi Zohar
2018-05-17 14:18 ` Stefan Berger
-- strict thread matches above, loose matches on Subject: below --
2018-03-05 13:43 Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1520259854.10396.313.camel@linux.vnet.ibm.com \
--to=zohar@linux.vnet.ibm.com \
--cc=containers@lists.linux-foundation.org \
--cc=linux-audit@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.