From: Steve Grubb
Subject: Re: [patch RFC]: userspace crypto auditing
Date: Thu, 5 Aug 2010 12:18:20 -0400
Message-ID: <201008051218.20389.sgrubb@redhat.com>
In-Reply-To: <1081006303.243841281016932165.JavaMail.root@zmail07.collab.prod.int.phx2.redhat.com>
To: linux-audit@redhat.com
Cc: Miloslav Trmac
List-Id: linux-audit@redhat.com

On Thursday, August 05, 2010 10:02:12 am Miloslav Trmac wrote:
> I'm posting these patches for early review; users of the code are not in
> the kernel yet.

Quick public comment (we chatted on IRC): there are already a number of user
space crypto events. I think what is in the logs here can be fit into the
existing categories and the user space ones can be replicated in the kernel.

-Steve

> Two new records are defined; in each case output of records is caused by a
> syscall, and all other syscall-related data (process identity, syscall
> result) is audited in the usual records.
>
> AUDIT_CRYPTO_STORAGE_KEY is used when a system-wide storage wrapping key is
> changed.
>
> AUDIT_CRYPTO_USERSPACE_OP is used when any user-space program performs a
> crypto operation. To disable auditing these records by default and to
> allow the users to selectively enable them using filters, a new filter
> field AUDIT_CRYPTO_OP is defined; auditing of all crypto operations can
> thus be enabled using (auditctl -a exit,always -F crypto_op!=0).
>
> Attached for review are:
> - A kernel patch
> - A userspace audit patch
> - A few example audit entries
>
> Mirek
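Added example, not code from the thread or from either patch: a small Python parser for the standard audit record layout (type=... msg=audit(secs.msecs:serial): key=value ..., with user-space records carrying a nested msg='...' block), used to pull out the existing CRYPTO_* user-space events Steve refers to. The record type names come from the kernel's include/linux/audit.h; the two RFC names are included only as an assumption about how they would appear, since their field layout is not shown here. The log lines are constructed for this example, not captured output.

```python
"""Parse Linux audit records and select user-space crypto events.

Assumed line layout (standard audit log format):
    type=<RECORD> msg=audit(<secs>.<msecs>:<serial>): k=v k=v ... msg='k=v ...'
"""
import re
from typing import Dict, List, Tuple

# User-space crypto record types that the kernel already defines
# (AUDIT_CRYPTO_* in include/linux/audit.h, range 2400-2409).
EXISTING_CRYPTO_USER_TYPES = {
    "CRYPTO_TEST_USER", "CRYPTO_PARAM_CHANGE_USER", "CRYPTO_LOGIN",
    "CRYPTO_LOGOUT", "CRYPTO_KEY_USER", "CRYPTO_FAILURE_USER",
    "CRYPTO_REPLAY_USER", "CRYPTO_SESSION", "CRYPTO_IKE_SA", "CRYPTO_IPSEC_SA",
}
# Names proposed in the RFC; assumed to be logged under these type strings.
RFC_PROPOSED_TYPES = {"CRYPTO_STORAGE_KEY", "CRYPTO_USERSPACE_OP"}
CRYPTO_TYPES = EXISTING_CRYPTO_USER_TYPES | RFC_PROPOSED_TYPES

_HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
# key=value tokens; a value is single-quoted, double-quoted, or bare (may be empty).
_FIELD = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S*)""")

# Constructed sample log: one SYSCALL record plus three user-space crypto records.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1281024132.100:101): arch=c000003e syscall=2 success=yes exit=3 pid=2210 uid=0 auid=500 ses=1 comm="sshd" exe="/usr/sbin/sshd"
type=CRYPTO_KEY_USER msg=audit(1281024132.100:102): pid=2210 uid=0 auid=500 ses=1 msg='op=destroy kind=session fp= direction=both spid=2211 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1281024132.105:103): pid=2210 uid=0 auid=500 ses=1 msg='op=start direction=from-server cipher=aes128-ctr ksize=128 spid=2211 suid=74 rport=52314 laddr=192.0.2.1 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=? res=success'
type=CRYPTO_FAILURE_USER msg=audit(1281024140.300:104): pid=2230 uid=0 auid=500 ses=1 msg='op=random-number-generation fp=? exe="/usr/bin/openssl" hostname=? addr=? terminal=pts/0 res=failed'
"""


def _parse_fields(text: str) -> Dict[str, str]:
    """Turn 'k=v k=v ...' into a dict, stripping one layer of quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _FIELD.findall(text):
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
            raw = raw[1:-1]
        fields[key] = raw
    return fields


def parse_record(line: str) -> Dict:
    """Parse one audit line; the nested msg='...' block becomes a sub-dict."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, secs, msecs, serial, rest = m.groups()
    fields = _parse_fields(rest)
    if "msg" in fields:
        fields["msg"] = _parse_fields(fields["msg"])
    return {
        "type": rtype,
        "time": float(secs + "." + msecs),
        "serial": int(serial),
        "fields": fields,
    }


def crypto_events(log_text: str) -> List[Tuple[int, str, str, str]]:
    """Return (serial, type, op, res) for every crypto record in the log."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["type"] in CRYPTO_TYPES:
            inner = rec["fields"].get("msg", {})
            events.append((rec["serial"], rec["type"],
                           inner.get("op"), inner.get("res")))
    return events


def failed_crypto_ops(log_text: str) -> List[Tuple[int, str, str, str]]:
    """Crypto records whose result is anything other than success."""
    return [e for e in crypto_events(log_text) if e[3] != "success"]


if __name__ == "__main__":
    for ev in crypto_events(SAMPLE_LOG):
        print(ev)
    print("failed:", failed_crypto_ops(SAMPLE_LOG))
```

The parser keeps the outer fields (pid, uid, auid, ses) separate from the nested msg block because that is where user-space records put the operation, the subject executable and the result; a detection rule that only looks at the outer layer misses res=failed.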