From: Steve Grubb
Subject: Re: Integrity auditing
Date: Wed, 12 Sep 2007 09:25:51 -0400
Message-ID: <200709120925.53001.sgrubb@redhat.com>
In-Reply-To: <1189455383.5809.50.camel@localhost.localdomain>
To: Mimi Zohar
Cc: zohar@us.ibm.com, safford@watson.ibm.com, James Morris, Steve G, linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday 10 September 2007 16:16:23 Mimi Zohar wrote:
> > I wonder if these should be emitted as an audit event?
>
> Ok.  Instead of only logging the boot parameter errors, we will audit them.
> The format will be: integrity: pid= auid= comm= op=

How about:
pid= uid= auid= subj= op= comm= res=

pid, uid, comm are not really required, but they are nice to have.

> where op is one of:
>         op=ima_enabled
>         op=ima_not_enabled
>
>         op=hash_setup(sha1)
>         op=hash_setup(md5)
>         op=hash_setup(invalid_hash_type)

For the last 3 messages op=setup hash=

But in a way, this really sounds like you need 2 event types. One for IMA and
one for hash selection. This is because they are doing fundamentally
different things.

> > The above message needs to have auid so that we know who initiated the
> > action.  It also should have res=0 or res=1 at the end to indicate
> > success or failure. 0 being failure and 1 being success. Also, this audit
> > record has only a file name in it. Because mount points can change the
> > names of things, you should also probably include the device and inode to
> > help identify what is really being reported.
>
> Ok. Based on your comments, would the following format be acceptable?
>
>         integrity: pid= auid= comm= name= dev= inode= op= res=

Sure. Optionally, you could put uid= right before auid=. The selinux labels
are missing. So, I'd suggest an order like this:

pid= uid= auid= subj= op= comm= name= dev= inode= obj= res=

> Although both integrity_audit() and integrity_audit_pcr() would have
> the same format, integrity_audit() would be used to report the results
> of integrity_verify_metadata()/data(), while integrity_audit_pcr()
> would report the results of extending the PCR register.

OK

> For integrity_audit_pcr, the op would be:
>         op=invalidate_pcr(ToMToU)
>         op=invalidate_pcr(open_writers)

What you have in parentheses should probably be name=value.

>         op=add_measure(ENOMEM)
>         op=add_measure(null_hash)
>         op=add_measure(long_digest)
>         op=add_measure
>
> For integrity_audit(), the op would probably be something similar to:
>         op=verify_metadata
>         op=verify_data

Again, this sounds like you need 3 audit event types since the messages are
trying to express something different.

> > If selinux is enabled, this event should also have obj= and
> > the selinux context. The subj should be likewise recorded.
>
> This brings us back to the original question as to who should be emitting
> the integrity audit msgs.  If the LIM provider is emitting the audit msg,
> then shouldn't it be LSM agnostic?

We just went through an LSPP certification of the Linux kernel. We have labels
on everything. We really need to keep the standard since it's a lot of trouble
to hunt these all down and fix next time the kernel goes through a common
criteria certification. I don't know enough about your subsystem to say who
should do it. But we should have the labels in a portable fashion. What we
were doing is something like this:

                struct audit_aux_data_ipcctl *axi = (void *)aux;
                audit_log_format(ab,
                         "ouid=%u ogid=%u mode=%x",
                         axi->uid, axi->gid, axi->mode);

^^^ This would be the normal part that is for CAPP. The next part optionally
does the obj if selinux is enabled:

                if (axi->osid != 0) {
                        char *ctx = NULL;
                        u32 len;
                        if (selinux_ctxid_to_string(
                                        axi->osid, &ctx, &len)) {
                                audit_log_format(ab, " osid=%u",
                                                axi->osid);
                                call_panic = 1;
                        } else
                                audit_log_format(ab, " obj=%s", ctx);
                        kfree(ctx);
                }

By doing this, people that have selinux get the labels, the people without
selinux do not have wasted space in the audit logs.

Thanks,
-Steve
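As an added example, not part of this thread or of the IMA code: a small Python consumer for the record layout suggested above, which parses the key=value fields, checks they follow the proposed order, and picks out failed operations (res=0, per the thread). The sample records are constructed to follow that layout and are not real IMA output; the key name cause= is an assumption standing in for what the original proposal put in parentheses after op=.

```python
import re
# Field order suggested in the thread; obj= appears only when SELinux is enabled.
FIELD_ORDER = ("pid", "uid", "auid", "subj", "op", "comm",
               "name", "dev", "inode", "obj", "res")
REQUIRED = ("auid", "op", "res")  # needed to attribute and judge the event

# key=value tokens; values are bare words or "quoted strings".
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Return the fields of one 'integrity:' record as a dict, unquoting values."""
    _, sep, body = line.partition("integrity:")
    if not sep:
        raise ValueError("not an integrity record: %r" % line)
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(body)}
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        raise ValueError("record lacks %s: %r" % (missing, line))
    return fields

def keys_in_suggested_order(line):
    """True if the known fields appear in the order proposed in the thread."""
    keys = [k for k, _ in _KV_RE.findall(line.partition("integrity:")[2])]
    known = [k for k in keys if k in FIELD_ORDER]
    return known == sorted(known, key=FIELD_ORDER.index)

def failures(lines):
    """Records with res=0 (0 is failure, 1 is success, per the thread)."""
    return [rec for rec in map(parse_record, lines) if rec["res"] == "0"]

def describe(rec):
    """Who (auid) did what (op) to which object; dev/inode survive renames."""
    target = rec.get("name", "?")
    if "dev" in rec and "inode" in rec:
        target += " (dev=%s inode=%s)" % (rec["dev"], rec["inode"])
    label = " obj=" + rec["obj"] if "obj" in rec else ""
    return "auid=%s op=%s on %s%s" % (rec["auid"], rec["op"], target, label)

# Constructed samples in the proposed layout (not real IMA output); cause= is an assumed key.
SAMPLE_RECORDS = [
    'integrity: pid=1301 uid=0 auid=500 subj=system_u:system_r:init_t:s0 '
    'op=verify_data comm="cat" name="/etc/shadow" dev=sda1 inode=1234 '
    'obj=system_u:object_r:shadow_t:s0 res=0',
    'integrity: pid=1302 uid=0 auid=500 subj=system_u:system_r:init_t:s0 '
    'op=verify_metadata comm="cat" name="/etc/passwd" dev=sda1 inode=1235 '
    'obj=system_u:object_r:etc_t:s0 res=1',
    # Without SELinux the subj=/obj= fields are simply absent.
    'integrity: pid=1 uid=0 auid=4294967295 op=add_measure cause=ENOMEM comm="swapper" res=0',
]
```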