From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
paul@paul-moore.com
Cc: linux-integrity@vger.kernel.org, linux-audit@redhat.com,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] IMA: Add audit log for failure conditions
Date: Mon, 08 Jun 2020 07:52:51 -0400 [thread overview]
Message-ID: <1591617171.4638.33.camel@linux.ibm.com> (raw)
In-Reply-To: <20200607221449.2837-1-nramas@linux.microsoft.com>
Hi Lakshmi,
On Sun, 2020-06-07 at 15:14 -0700, Lakshmi Ramasubramanian wrote:
> The final log statement in process_buffer_measurement() for failure
> condition is at debug level. This does not log the message unless
> the system log level is raised which would significantly increase
> the messages in the system log. Change this log message to an audit
> message for better triaging failures in the function.
>
> ima_alloc_key_entry() does not log a message for failure condition.
> Add an audit message for failure condition in this function.
>
> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Audit messages should be at a higher level. For example,
"hashing_error", "collect_data", "invalid_pcr". In the "invalid_pcr"
case, the audit log contains the reason - "ToMToU" or "open_writers" -
as to why the measurement list doesn't match the PCR.
Here you would want "measuring_keys", "measuring_boot_cmdline" with
the reason it failed, not the function name
"process_buffer_measurement".
Userspace needs to be aware of the new audit messages. Maybe include
samples of them in the cover letter.
thanks,
Mimi
> ---
> security/integrity/ima/ima_main.c | 17 ++++++++++++-----
> security/integrity/ima/ima_queue_keys.c | 4 ++++
> 2 files changed, 16 insertions(+), 5 deletions(-)
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 800fb3bba418..1225198fceb1 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -739,6 +739,7 @@ void process_buffer_measurement(const void *buf, int size,
> int pcr, const char *keyring)
> {
> int ret = 0;
> + const char *audit_cause = "ENOMEM";
> struct ima_template_entry *entry = NULL;
> struct integrity_iint_cache iint = {};
> struct ima_event_data event_data = {.iint = &iint,
> @@ -793,21 +794,27 @@ void process_buffer_measurement(const void *buf, int size,
> iint.ima_hash->length = hash_digest_size[ima_hash_algo];
>
> ret = ima_calc_buffer_hash(buf, size, iint.ima_hash);
> - if (ret < 0)
> + if (ret < 0) {
> + audit_cause = "calc_buffer_hash";
> goto out;
> + }
>
> ret = ima_alloc_init_template(&event_data, &entry, template);
> - if (ret < 0)
> + if (ret < 0) {
> + audit_cause = "alloc_init_template";
> goto out;
> + }
>
> ret = ima_store_template(entry, violation, NULL, buf, pcr);
> -
> - if (ret < 0)
> + if (ret < 0) {
> + audit_cause = "store_template";
> ima_free_template_entry(entry);
> + }
>
> out:
> if (ret < 0)
> - pr_devel("%s: failed, result: %d\n", __func__, ret);
> + integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, eventname,
> + __func__, audit_cause, ret, 0);
>
> return;
> }
> diff --git a/security/integrity/ima/ima_queue_keys.c b/security/integrity/ima/ima_queue_keys.c
> index cb3e3f501593..fa606ce68f87 100644
> --- a/security/integrity/ima/ima_queue_keys.c
> +++ b/security/integrity/ima/ima_queue_keys.c
> @@ -68,6 +68,7 @@ static struct ima_key_entry *ima_alloc_key_entry(struct key *keyring,
> size_t payload_len)
> {
> int rc = 0;
> + const char *audit_cause = "ENOMEM";
> struct ima_key_entry *entry;
>
> entry = kzalloc(sizeof(*entry), GFP_KERNEL);
> @@ -88,6 +89,9 @@ static struct ima_key_entry *ima_alloc_key_entry(struct key *keyring,
>
> out:
> if (rc) {
> + integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL,
> + keyring->description, __func__,
> + audit_cause, rc, 0);
> ima_free_key_entry(entry);
> entry = NULL;
> }
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
paul@paul-moore.com
Cc: linux-integrity@vger.kernel.org, linux-audit@redhat.com,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] IMA: Add audit log for failure conditions
Date: Mon, 08 Jun 2020 07:52:51 -0400 [thread overview]
Message-ID: <1591617171.4638.33.camel@linux.ibm.com> (raw)
In-Reply-To: <20200607221449.2837-1-nramas@linux.microsoft.com>
Hi Lakshmi,
On Sun, 2020-06-07 at 15:14 -0700, Lakshmi Ramasubramanian wrote:
> The final log statement in process_buffer_measurement() for failure
> condition is at debug level. This does not log the message unless
> the system log level is raised which would significantly increase
> the messages in the system log. Change this log message to an audit
> message for better triaging failures in the function.
>
> ima_alloc_key_entry() does not log a message for failure condition.
> Add an audit message for failure condition in this function.
>
> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
Audit messages should be at a higher level. For example,
"hashing_error", "collect_data", "invalid_pcr". In the "invalid_pcr"
case, the audit log contains the reason - "ToMToU" or "open_writers" -
as to why the measurement list doesn't match the PCR.
Here you would want "measuring_keys", "measuring_boot_cmdline" with
the reason it failed, not the function name
"process_buffer_measurement".
Userspace needs to be aware of the new audit messages. Maybe include
samples of them in the cover letter.
thanks,
Mimi
> ---
> security/integrity/ima/ima_main.c | 17 ++++++++++++-----
> security/integrity/ima/ima_queue_keys.c | 4 ++++
> 2 files changed, 16 insertions(+), 5 deletions(-)
>
> diff --git a/security/integrity/ima/ima_main.c b/security/integrity/ima/ima_main.c
> index 800fb3bba418..1225198fceb1 100644
> --- a/security/integrity/ima/ima_main.c
> +++ b/security/integrity/ima/ima_main.c
> @@ -739,6 +739,7 @@ void process_buffer_measurement(const void *buf, int size,
> int pcr, const char *keyring)
> {
> int ret = 0;
> + const char *audit_cause = "ENOMEM";
> struct ima_template_entry *entry = NULL;
> struct integrity_iint_cache iint = {};
> struct ima_event_data event_data = {.iint = &iint,
> @@ -793,21 +794,27 @@ void process_buffer_measurement(const void *buf, int size,
> iint.ima_hash->length = hash_digest_size[ima_hash_algo];
>
> ret = ima_calc_buffer_hash(buf, size, iint.ima_hash);
> - if (ret < 0)
> + if (ret < 0) {
> + audit_cause = "calc_buffer_hash";
> goto out;
> + }
>
> ret = ima_alloc_init_template(&event_data, &entry, template);
> - if (ret < 0)
> + if (ret < 0) {
> + audit_cause = "alloc_init_template";
> goto out;
> + }
>
> ret = ima_store_template(entry, violation, NULL, buf, pcr);
> -
> - if (ret < 0)
> + if (ret < 0) {
> + audit_cause = "store_template";
> ima_free_template_entry(entry);
> + }
>
> out:
> if (ret < 0)
> - pr_devel("%s: failed, result: %d\n", __func__, ret);
> + integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL, eventname,
> + __func__, audit_cause, ret, 0);
>
> return;
> }
> diff --git a/security/integrity/ima/ima_queue_keys.c b/security/integrity/ima/ima_queue_keys.c
> index cb3e3f501593..fa606ce68f87 100644
> --- a/security/integrity/ima/ima_queue_keys.c
> +++ b/security/integrity/ima/ima_queue_keys.c
> @@ -68,6 +68,7 @@ static struct ima_key_entry *ima_alloc_key_entry(struct key *keyring,
> size_t payload_len)
> {
> int rc = 0;
> + const char *audit_cause = "ENOMEM";
> struct ima_key_entry *entry;
>
> entry = kzalloc(sizeof(*entry), GFP_KERNEL);
> @@ -88,6 +89,9 @@ static struct ima_key_entry *ima_alloc_key_entry(struct key *keyring,
>
> out:
> if (rc) {
> + integrity_audit_msg(AUDIT_INTEGRITY_PCR, NULL,
> + keyring->description, __func__,
> + audit_cause, rc, 0);
> ima_free_key_entry(entry);
> entry = NULL;
> }
next prev parent reply other threads:[~2020-06-08 12:32 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-07 22:14 [PATCH v2] IMA: Add audit log for failure conditions Lakshmi Ramasubramanian
2020-06-07 22:14 ` Lakshmi Ramasubramanian
2020-06-08 11:52 ` Mimi Zohar [this message]
2020-06-08 11:52 ` Mimi Zohar
2020-06-08 21:45 ` Paul Moore
2020-06-08 21:45 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1591617171.4638.33.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-audit@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.