From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
sgrubb@redhat.com, paul@paul-moore.com
Cc: rgb@redhat.com, linux-integrity@vger.kernel.org,
linux-audit@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] IMA: Add audit log for failure conditions
Date: Fri, 12 Jun 2020 16:23:51 -0400 [thread overview]
Message-ID: <1591993431.11061.116.camel@linux.ibm.com> (raw)
In-Reply-To: <20200611000400.3771-2-nramas@linux.microsoft.com>
Hi Lakshmi,
I haven't yet tested the patch. Below are a couple of comments.
On Wed, 2020-06-10 at 17:04 -0700, Lakshmi Ramasubramanian wrote:
> The final log statement in process_buffer_measurement() for failure
> condition is at debug level. This does not log the message unless
> the system log level is raised which would significantly increase
> the messages in the system log. Change this to an audit message to
> audit integrity failures with the "op" field of the audit message
> set to indicate the measurement operation that failed.
The problem with the existing "pr" level is kind of irrelevant. You
could keep the existing pr_debug() statement, if you wanted to. The
reason for auditing a failure is because it is "integrity" relevant or
more generically "security" relevant. The first patch addresses the
change in the audit message format.
>
> Also, add an audit message for failures in ima_alloc_key_entry().
>
> Sample audit messages:
>
> [ 6.284329] audit: type=1804 audit(1591756723.627:2): pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=kernel
> op=measuring_kexec_cmdline cause=alloc_entry errno=-12
> comm="swapper/0" name="kexec-cmdline" res=0
>
> [ 8.017126] audit: type=1804 audit(1591756725.360:10): pid=1
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:init_t:s0 op=measuring_key
> cause=hashing_error errno=-22 comm="systemd"
> name=".builtin_trusted_keys" res=0
>
> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> security/integrity/ima/ima.h | 48 ++++++++++++++++---------
> security/integrity/ima/ima_main.c | 18 +++++++---
> security/integrity/ima/ima_policy.c | 2 +-
> security/integrity/ima/ima_queue_keys.c | 5 +++
> 4 files changed, 51 insertions(+), 22 deletions(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index df93ac258e01..e42101eebd69 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -186,27 +186,43 @@ static inline unsigned int ima_hash_key(u8 *digest)
> return (digest[0] | digest[1] << 8) % IMA_MEASURE_HTABLE_SIZE;
> }
>
> -#define __ima_hooks(hook) \
> - hook(NONE) \
> - hook(FILE_CHECK) \
> - hook(MMAP_CHECK) \
> - hook(BPRM_CHECK) \
> - hook(CREDS_CHECK) \
> - hook(POST_SETATTR) \
> - hook(MODULE_CHECK) \
> - hook(FIRMWARE_CHECK) \
> - hook(KEXEC_KERNEL_CHECK) \
> - hook(KEXEC_INITRAMFS_CHECK) \
> - hook(POLICY_CHECK) \
> - hook(KEXEC_CMDLINE) \
> - hook(KEY_CHECK) \
> - hook(MAX_CHECK)
> -#define __ima_hook_enumify(ENUM) ENUM,
> +#define __ima_hooks(hook) \
> + hook(NONE, none) \
> + hook(FILE_CHECK, file) \
> + hook(MMAP_CHECK, mmap) \
> + hook(BPRM_CHECK, bprm) \
> + hook(CREDS_CHECK, creds) \
> + hook(POST_SETATTR, post_setattr) \
> + hook(MODULE_CHECK, module) \
> + hook(FIRMWARE_CHECK, firmware) \
> + hook(KEXEC_KERNEL_CHECK, kexec_kernel) \
> + hook(KEXEC_INITRAMFS_CHECK, kexec_initramfs) \
> + hook(POLICY_CHECK, policy) \
> + hook(KEXEC_CMDLINE, kexec_cmdline) \
> + hook(KEY_CHECK, key) \
> + hook(MAX_CHECK, none)
> +
> +#define __ima_hook_enumify(ENUM, str) ENUM,
> +#define __ima_stringify(arg) (#arg)
> +#define __ima_hook_measuring_stringify(ENUM, str) \
> + (__ima_stringify(measuring_ ##str)),
>
> enum ima_hooks {
> __ima_hooks(__ima_hook_enumify)
> };
>
> +static const char * const ima_hooks_measure_str[] = {
> + __ima_hooks(__ima_hook_measuring_stringify)
> +};
> +
> +static inline const char *ima_hooks_func_measure_str(enum ima_hooks func)
"ima_hooks_func_measure_str" is a bit long. There's no reason for
having both "hooks" and "func" in the name. Also this is a static
function, so it doesn't really need to be prefixed with "ima_". Maybe
truncate it to "func_measure_str()", similar to "func_token".
Mimi
> +{
> + if (func >= MAX_CHECK)
> + return ima_hooks_measure_str[NONE];
> +
> + return ima_hooks_measure_str[func];
> +}
> +
> extern const char *const func_tokens[];
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
WARNING: multiple messages have this Message-ID (diff)
From: Mimi Zohar <zohar@linux.ibm.com>
To: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>,
sgrubb@redhat.com, paul@paul-moore.com
Cc: rgb@redhat.com, linux-integrity@vger.kernel.org,
linux-audit@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] IMA: Add audit log for failure conditions
Date: Fri, 12 Jun 2020 16:23:51 -0400 [thread overview]
Message-ID: <1591993431.11061.116.camel@linux.ibm.com> (raw)
In-Reply-To: <20200611000400.3771-2-nramas@linux.microsoft.com>
Hi Lakshmi,
I haven't yet tested the patch. Below are a couple of comments.
On Wed, 2020-06-10 at 17:04 -0700, Lakshmi Ramasubramanian wrote:
> The final log statement in process_buffer_measurement() for failure
> condition is at debug level. This does not log the message unless
> the system log level is raised which would significantly increase
> the messages in the system log. Change this to an audit message to
> audit integrity failures with the "op" field of the audit message
> set to indicate the measurement operation that failed.
The problem with the existing "pr" level is kind of irrelevant. You
could keep the existing pr_debug() statement, if you wanted to. The
reason for auditing a failure is because it is "integrity" relevant or
more generically "security" relevant. The first patch addresses the
change in the audit message format.
>
> Also, add an audit message for failures in ima_alloc_key_entry().
>
> Sample audit messages:
>
> [ 6.284329] audit: type=1804 audit(1591756723.627:2): pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=kernel
> op=measuring_kexec_cmdline cause=alloc_entry errno=-12
> comm="swapper/0" name="kexec-cmdline" res=0
>
> [ 8.017126] audit: type=1804 audit(1591756725.360:10): pid=1
> uid=0 auid=4294967295 ses=4294967295
> subj=system_u:system_r:init_t:s0 op=measuring_key
> cause=hashing_error errno=-22 comm="systemd"
> name=".builtin_trusted_keys" res=0
>
> Signed-off-by: Lakshmi Ramasubramanian <nramas@linux.microsoft.com>
> Suggested-by: Mimi Zohar <zohar@linux.ibm.com>
> ---
> security/integrity/ima/ima.h | 48 ++++++++++++++++---------
> security/integrity/ima/ima_main.c | 18 +++++++---
> security/integrity/ima/ima_policy.c | 2 +-
> security/integrity/ima/ima_queue_keys.c | 5 +++
> 4 files changed, 51 insertions(+), 22 deletions(-)
>
> diff --git a/security/integrity/ima/ima.h b/security/integrity/ima/ima.h
> index df93ac258e01..e42101eebd69 100644
> --- a/security/integrity/ima/ima.h
> +++ b/security/integrity/ima/ima.h
> @@ -186,27 +186,43 @@ static inline unsigned int ima_hash_key(u8 *digest)
> return (digest[0] | digest[1] << 8) % IMA_MEASURE_HTABLE_SIZE;
> }
>
> -#define __ima_hooks(hook) \
> - hook(NONE) \
> - hook(FILE_CHECK) \
> - hook(MMAP_CHECK) \
> - hook(BPRM_CHECK) \
> - hook(CREDS_CHECK) \
> - hook(POST_SETATTR) \
> - hook(MODULE_CHECK) \
> - hook(FIRMWARE_CHECK) \
> - hook(KEXEC_KERNEL_CHECK) \
> - hook(KEXEC_INITRAMFS_CHECK) \
> - hook(POLICY_CHECK) \
> - hook(KEXEC_CMDLINE) \
> - hook(KEY_CHECK) \
> - hook(MAX_CHECK)
> -#define __ima_hook_enumify(ENUM) ENUM,
> +#define __ima_hooks(hook) \
> + hook(NONE, none) \
> + hook(FILE_CHECK, file) \
> + hook(MMAP_CHECK, mmap) \
> + hook(BPRM_CHECK, bprm) \
> + hook(CREDS_CHECK, creds) \
> + hook(POST_SETATTR, post_setattr) \
> + hook(MODULE_CHECK, module) \
> + hook(FIRMWARE_CHECK, firmware) \
> + hook(KEXEC_KERNEL_CHECK, kexec_kernel) \
> + hook(KEXEC_INITRAMFS_CHECK, kexec_initramfs) \
> + hook(POLICY_CHECK, policy) \
> + hook(KEXEC_CMDLINE, kexec_cmdline) \
> + hook(KEY_CHECK, key) \
> + hook(MAX_CHECK, none)
> +
> +#define __ima_hook_enumify(ENUM, str) ENUM,
> +#define __ima_stringify(arg) (#arg)
> +#define __ima_hook_measuring_stringify(ENUM, str) \
> + (__ima_stringify(measuring_ ##str)),
>
> enum ima_hooks {
> __ima_hooks(__ima_hook_enumify)
> };
>
> +static const char * const ima_hooks_measure_str[] = {
> + __ima_hooks(__ima_hook_measuring_stringify)
> +};
> +
> +static inline const char *ima_hooks_func_measure_str(enum ima_hooks func)
"ima_hooks_func_measure_str" is a bit long. There's no reason for
having both "hooks" and "func" in the name. Also this is a static
function, so it doesn't really need to be prefixed with "ima_". Maybe
truncate it to "func_measure_str()", similar to "func_token".
Mimi
> +{
> + if (func >= MAX_CHECK)
> + return ima_hooks_measure_str[NONE];
> +
> + return ima_hooks_measure_str[func];
> +}
> +
> extern const char *const func_tokens[];
next prev parent reply other threads:[~2020-06-15 13:20 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-11 0:03 [PATCH 1/2] integrity: Add errno field in audit message Lakshmi Ramasubramanian
2020-06-11 0:03 ` Lakshmi Ramasubramanian
2020-06-11 0:04 ` [PATCH 2/2] IMA: Add audit log for failure conditions Lakshmi Ramasubramanian
2020-06-11 0:04 ` Lakshmi Ramasubramanian
2020-06-12 20:23 ` Mimi Zohar [this message]
2020-06-12 20:23 ` Mimi Zohar
2020-06-11 1:45 ` [PATCH 1/2] integrity: Add errno field in audit message Paul Moore
2020-06-11 1:45 ` Paul Moore
2020-06-11 1:58 ` Lakshmi Ramasubramanian
2020-06-11 1:58 ` Lakshmi Ramasubramanian
2020-06-11 2:19 ` Paul Moore
2020-06-11 2:19 ` Paul Moore
2020-06-12 19:25 ` Mimi Zohar
2020-06-12 19:25 ` Mimi Zohar
2020-06-12 19:50 ` Lakshmi Ramasubramanian
2020-06-12 19:50 ` Lakshmi Ramasubramanian
2020-06-15 22:23 ` Steve Grubb
2020-06-15 22:23 ` Steve Grubb
2020-06-15 22:58 ` Paul Moore
2020-06-15 22:58 ` Paul Moore
2020-06-16 15:29 ` Steve Grubb
2020-06-16 15:29 ` Steve Grubb
2020-06-16 15:43 ` Lakshmi Ramasubramanian
2020-06-16 15:43 ` Lakshmi Ramasubramanian
2020-06-16 15:55 ` Steve Grubb
2020-06-16 15:55 ` Steve Grubb
2020-06-16 19:53 ` Mimi Zohar
2020-06-16 19:53 ` Mimi Zohar
2020-06-16 20:28 ` Steve Grubb
2020-06-16 20:28 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1591993431.11061.116.camel@linux.ibm.com \
--to=zohar@linux.ibm.com \
--cc=linux-audit@redhat.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nramas@linux.microsoft.com \
--cc=paul@paul-moore.com \
--cc=rgb@redhat.com \
--cc=sgrubb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.