From: Steve Grubb <sgrubb@redhat.com>
To: Mimi Zohar <zohar@linux.vnet.ibm.com>
Cc: zohar@us.ibm.com, safford@watson.ibm.com,
James Morris <jmorris@namei.org>, Steve G <linux_4ever@yahoo.com>,
linux-audit@redhat.com
Subject: Re: Integrity auditing
Date: Wed, 5 Sep 2007 11:11:57 -0400 [thread overview]
Message-ID: <200709051111.59624.sgrubb@redhat.com> (raw)
In-Reply-To: <1188999967.5563.2.camel@localhost.localdomain>
On Wednesday 05 September 2007 09:46:06 Mimi Zohar wrote:
> On Wed, 2007-07-18 at 08:05 -0700, Steve G wrote:
> > MRPP places some requirements on intergrity checking. Maybe it tells you
> > more information about what's required. More info:
> >
> > http://www.niap-ccevs.org/cc-scheme/pp/pp.cfm?id=PP_OS_ML_MR2.0_V1.91
This ^^^ spells out some requirements for INTEGRITY checks.
> > Might ought to be an integrity audit record type rather than avc. This
> > way aureport can separate it out for its summary report. In
> > /usr/include/linux/audit.h is this note:
> >
> > * 1800 - 1999 future kernel use (maybe integrity labels and related
> > events)
> >
> > So, we could assign the 1800 block to kernel integrity checking. I think
> > we'd need information access decision, creation, modification, and
> > deletion of integrity information/labels. We also probably need the
> > ability to audit by integrity, too. For a detailed audit discussion, I'd
> > recommend linux-audit mail list or at least cc'ing it
>
> I would assume that the integrity label would be managed by the LIM
> provider itself. In which case, does it make sense to audit the LIM
> provider's creation, modification or deletion of the integrity label stored
> as an xattr?
Yes. That is required per section FMT_MSA.1(4), assuming this hardware
assisted integrity checking code needs to go through any kind of
certification.
> IMA, a LIM provider, implements integrity_measure, which does not require
> an integrity label. It is, however, important to log/audit PCR invalidation
> errors. I propose adding the following audit numbers for integrity.
>
> Add to audit.h:
> #define AUDIT_INTEGRITY 1800 /* Integrity verify success/failure
> */ #define AUDIT_INTEGRITY_ERR 1801 /* Internal integrity errors */
> #define AUDIT_INTEGRITY_PCR 1802 /* PCR invalidation errors */
What about configuration changes to it? Can you select the hash algorithm
used? What about enable/disable of checking? Does this integrity scheme cover
only objects or does it also cover subjects? What does a typical integrity
label look like? Is there anything like a mass relabel after installation?
Are there any self-tests for the hardware or keys stored within it?
> Add to integrity.h:
> void integrity_audit(char *function, const unsigned char *fname, char
> *cause); void integrity_audit_pcr(const unsigned char *fname, char *cause);
> void integrity_audit_err(char *cause);
Actually, it would be nice to see the messages being generated to see if they
have everything needed and that they conform to audit system specs.
Thanks,
-Steve
next prev parent reply other threads:[~2007-09-05 15:11 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-07-16 13:57 [RFC]integrity: SELinux patch Mimi Zohar
2007-07-16 18:40 ` Joshua Brindle
2007-07-16 23:13 ` Mimi Zohar
2007-07-16 19:23 ` Paul Moore
2007-07-17 14:30 ` Mimi Zohar
2007-07-17 14:32 ` Paul Moore
2007-07-17 14:54 ` James Morris
2007-07-18 15:05 ` Steve G
2007-09-04 20:46 ` Mimi Zohar
2007-09-04 21:08 ` Steve Grubb
[not found] ` <1188999967.5563.2.camel@localhost.localdomain>
2007-09-05 15:11 ` Steve Grubb [this message]
2007-09-05 19:26 ` Integrity auditing Mimi Zohar
2007-09-06 17:07 ` Steve Grubb
2007-09-10 20:16 ` Mimi Zohar
2007-09-12 13:25 ` Steve Grubb
2007-07-17 0:20 ` [RFC]integrity: SELinux patch James Morris
2007-07-17 13:20 ` Joshua Brindle
2007-07-17 14:44 ` James Morris
2007-07-18 21:33 ` Mimi Zohar
2007-07-17 14:52 ` Stephen Smalley
2007-07-18 21:43 ` Mimi Zohar
2007-07-19 13:08 ` Stephen Smalley
2007-07-20 18:57 ` Mimi Zohar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200709051111.59624.sgrubb@redhat.com \
--to=sgrubb@redhat.com \
--cc=jmorris@namei.org \
--cc=linux-audit@redhat.com \
--cc=linux_4ever@yahoo.com \
--cc=safford@watson.ibm.com \
--cc=zohar@linux.vnet.ibm.com \
--cc=zohar@us.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.