From mboxrd@z Thu Jan 1 00:00:00 1970
From: Mimi Zohar
Subject: Re: [PATCH 8/8] ima: Differentiate auditing policy rules from "audit" actions
Date: Wed, 30 May 2018 18:41:16 -0400
Message-ID: <1527720076.3534.84.camel@linux.vnet.ibm.com>
References: <20180524201105.3179904-1-stefanb@linux.vnet.ibm.com>
 <15281606.YptaXzsEVL@x2>
 <00f66ee1-7494-8249-f148-688616deca0c@linux.vnet.ibm.com>
 <3607733.4k8ofLVAdP@x2>
 <1160afb4-4184-b30c-5f67-c21536b5f7d3@linux.vnet.ibm.com>
 <85d2a40a-884c-c63d-50f6-024f7bbea4a8@linux.vnet.ibm.com>
 <1527717628.3534.79.camel@linux.vnet.ibm.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Return-path:
In-Reply-To:
Sender: linux-kernel-owner@vger.kernel.org
To: Stefan Berger, Paul Moore
Cc: Steve Grubb, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wed, 2018-05-30 at 18:15 -0400, Stefan Berger wrote:
> On 05/30/2018 06:00 PM, Mimi Zohar wrote:
> > On Wed, 2018-05-30 at 17:49 -0400, Stefan Berger wrote:
> >> So the other choice is to only keep patches 1,2, 6, and 7, so leave most
> >> of the integrity audit messages untouched. Then only create a different
> >> format for the new AUDIT_INTEGRITY_POLICY_RULE (current 8/8) that shares
> >> (for consistency reasons) the same format with the existing integrity
> >> audit messages but also misses tty= and exe= ?
> > Another option would be for the new AUDIT_INTEGRITY_POLICY_RULE to
> > call audit_log_task_info() similar to what ima_audit_measurement()
> > does.
>
> Right. [That would mean keep 1,2, 7 and modify 8.] Is that the best
> solution?

Yes, I think so. Calling audit_log_task_info() will only add the "exe=" and "tty=" to the new AUDIT_INTEGRITY_POLICY_RULE.