* [patch RFC]: userspace crypto auditing
From: Miloslav Trmac @ 2010-08-05 14:02 UTC (permalink / raw)
To: linux-audit
Hello,
I'm posting these patches for early review; users of the code are not in the kernel yet.
Two new record types are defined; in each case the records are emitted as part of a syscall's audit event, and all other syscall-related data (process identity, syscall result) is audited in the usual SYSCALL/CWD/PATH records.
AUDIT_CRYPTO_STORAGE_KEY is used when a system-wide storage wrapping key is changed.
AUDIT_CRYPTO_USERSPACE_OP is used when any user-space program performs a crypto operation. To disable auditing these records by default and to allow the users to selectively enable them using filters, a new filter field AUDIT_CRYPTO_OP is defined; auditing of all crypto operations can thus be enabled using (auditctl -a exit,always -F crypto_op!=0).
Attached for review are:
- A kernel patch
- A userspace audit (libaudit/auditctl) patch
- A few example audit entries
Mirek
[-- Attachment #2: kernel.patch --]
[-- Type: text/x-patch, Size: 11132 bytes --]
diff --git a/include/linux/Kbuild b/include/linux/Kbuild
index 756f831..f35589a 100644
--- a/include/linux/Kbuild
+++ b/include/linux/Kbuild
@@ -51,6 +51,7 @@ header-y += comstats.h
header-y += const.h
header-y += cgroupstats.h
header-y += cramfs_fs.h
+header-y += cryptodev.h
header-y += cycx_cfm.h
header-y += dcbnl.h
header-y += dlmconstants.h
@@ -116,6 +117,7 @@ header-y += mmtimer.h
header-y += mqueue.h
header-y += mtio.h
header-y += ncp_no.h
+header-y += ncr.h
header-y += neighbour.h
header-y += net_dropmon.h
header-y += net_tstamp.h
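Review bot: This hunk exports `cryptodev.h` and `ncr.h`, and the auditsc.c hunk below includes `<linux/ncr.h>` for `MAX_KEY_ID_SIZE`, yet neither header is part of this patch (the cover letter says the users of the code are not in the kernel yet), so the series does not build on its own. Either carry the headers in the series, or give the audit core its own bound, e.g. `#define AUDIT_CRYPTO_KEY_ID_MAX 16 /* bytes of user-space key ID kept per record */` in auditsc.c, so core audit code does not depend on one driver's ABI header.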
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 3c7a358..8faa4e0 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -122,6 +122,9 @@
#define AUDIT_MAC_UNLBL_STCADD 1416 /* NetLabel: add a static label */
#define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */
+#define AUDIT_CRYPTO_STORAGE_KEY 1600 /* Key storage key configured */
+#define AUDIT_CRYPTO_USERSPACE_OP 1601 /* User-space crypto operation */
+
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
#define AUDIT_ANOM_PROMISCUOUS 1700 /* Device changed promiscuous mode */
@@ -207,6 +210,7 @@
#define AUDIT_OBJ_TYPE 21
#define AUDIT_OBJ_LEV_LOW 22
#define AUDIT_OBJ_LEV_HIGH 23
+#define AUDIT_CRYPTO_OP 24
/* These are ONLY useful when checking
* at syscall exit time (AUDIT_AT_EXIT). */
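Review bot: `AUDIT_CRYPTO_OP` is inserted just above the comment `These are ONLY useful when checking at syscall exit time`, but by the matching code in auditsc.c it is exactly such an exit-only field: the per-syscall list it compares against is empty until a crypto call records something. Moving the define below that comment documents this. The kernel side should also reject the field on non-exit lists as libaudit does (it returns -7 when `flags != AUDIT_FILTER_EXIT`), so a rule placed on the entry list by an older auditctl does not silently never match.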
@@ -314,6 +318,20 @@ enum {
#define AUDIT_PERM_READ 4
#define AUDIT_PERM_ATTR 8
+#define AUDIT_CRYPTO_OP_CONTEXT_NEW 1
+#define AUDIT_CRYPTO_OP_CONTEXT_DEL 2
+#define AUDIT_CRYPTO_OP_SESSION_INIT 3
+#define AUDIT_CRYPTO_OP_SESSION_OP 4
+#define AUDIT_CRYPTO_OP_SESSION_FINAL 5
+#define AUDIT_CRYPTO_OP_KEY_IMPORT 6
+#define AUDIT_CRYPTO_OP_KEY_EXPORT 7
+#define AUDIT_CRYPTO_OP_KEY_WRAP 8
+#define AUDIT_CRYPTO_OP_KEY_UNWRAP 9
+#define AUDIT_CRYPTO_OP_KEY_GEN 10
+#define AUDIT_CRYPTO_OP_KEY_DERIVE 11
+#define AUDIT_CRYPTO_OP_KEY_ZEROIZE 12
+#define AUDIT_CRYPTO_OP_KEY_GET_INFO 13
+
struct audit_status {
__u32 mask; /* Bit mask for valid entries */
__u32 enabled; /* 1 = enabled, 0 = disabled */
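Review bot: Nothing in this hunk says that the value 0 is deliberately unused by the `AUDIT_CRYPTO_OP_*` constants, yet the cover letter's `-F crypto_op!=0` rule and the `ops[]` table in auditsc.c (whose slot 0 stays NULL) both depend on it. Add a line above the list such as `/* 0 is reserved ("no crypto operation"); filter rules use crypto_op!=0 to match any op */` so a later addition does not reuse it.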
@@ -479,6 +497,10 @@ extern int __audit_log_bprm_fcaps(struct linux_binprm *bprm,
const struct cred *new,
const struct cred *old);
extern void __audit_log_capset(pid_t pid, const struct cred *new, const struct cred *old);
+extern int __audit_log_crypto_op(int op, int context, int session,
+ const char *operation, const char *algorithm,
+ int key1, void *key1_id, size_t key1_id_size,
+ int key2, void *key2_id, size_t key2_id_size);
static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
{
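Review bot: The key ID buffers are only read (copied into the record by `__audit_log_crypto_op()`), so `key1_id` and `key2_id` should be declared `const void *` in the `extern int __audit_log_crypto_op(...)` prototype, and likewise in the inline wrapper; as written, a caller holding a `const` pointer to the user-supplied ID must cast it away to log it.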
@@ -532,6 +554,21 @@ static inline void audit_log_capset(pid_t pid, const struct cred *new,
__audit_log_capset(pid, new, old);
}
+static inline int audit_log_crypto_op(int op, int context, int session,
+ const char *operation,
+ const char *algorithm, int key1,
+ void *key1_id, size_t key1_id_size,
+ int key2, void *key2_id,
+ size_t key2_id_size)
+{
+ if (unlikely(!audit_dummy_context()))
+ return __audit_log_crypto_op(op, context, session, operation,
+ algorithm, key1, key1_id,
+ key1_id_size, key2, key2_id,
+ key2_id_size);
+ return 0;
+}
+
extern int audit_n_rules;
extern int audit_signals;
#else
@@ -565,6 +602,7 @@ extern int audit_signals;
#define audit_mq_getsetattr(d,s) ((void)0)
#define audit_log_bprm_fcaps(b, ncr, ocr) ({ 0; })
#define audit_log_capset(pid, ncr, ocr) ((void)0)
+#define audit_log_crypto_op(op, context, session, key1, key1_id, key1_id_size, key2, key2_id, key2_id_size) (0)
#define audit_ptrace(t) ((void)0)
#define audit_n_rules 0
#define audit_signals 0
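Review bot: The `!CONFIG_AUDITSYSCALL` stub `#define audit_log_crypto_op(op, context, session, key1, key1_id, key1_id_size, key2, key2_id, key2_id_size) (0)` takes nine parameters, but the real `audit_log_crypto_op()` declared above takes eleven (`operation` and `algorithm` are missing), so every caller fails to compile when syscall auditing is disabled. Change it to `#define audit_log_crypto_op(op, context, session, operation, algorithm, key1, key1_id, key1_id_size, key2, key2_id, key2_id_size) (0)`. Because the macro evaluates none of its arguments, a caller passing an expression with side effects behaves differently between the two configurations; a `static inline` stub returning 0 would avoid that.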
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index a706040..a25a587 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -363,6 +363,7 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
case AUDIT_DEVMINOR:
case AUDIT_EXIT:
case AUDIT_SUCCESS:
+ case AUDIT_CRYPTO_OP:
/* bit ops are only useful on syscall args */
if (f->op == Audit_bitmask || f->op == Audit_bittest)
goto exit_free;
@@ -457,6 +458,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
case AUDIT_ARG1:
case AUDIT_ARG2:
case AUDIT_ARG3:
+ case AUDIT_CRYPTO_OP:
break;
case AUDIT_ARCH:
entry->rule.arch_f = f;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index fc0f928..47c1cc4 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -50,6 +50,7 @@
#include <linux/mm.h>
#include <linux/module.h>
#include <linux/mount.h>
+#include <linux/ncr.h>
#include <linux/socket.h>
#include <linux/mqueue.h>
#include <linux/audit.h>
@@ -157,6 +158,21 @@ struct audit_aux_data_capset {
struct audit_cap_data cap;
};
+struct audit_crypto_op {
+ struct list_head list;
+ int op;
+ int context;
+ int session;
+ const char *operation;
+ const char *algorithm;
+ int key1;
+ unsigned char key1_id[MAX_KEY_ID_SIZE];
+ size_t key1_id_size;
+ int key2;
+ unsigned char key2_id[MAX_KEY_ID_SIZE];
+ size_t key2_id_size;
+};
+
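Review bot: `struct audit_crypto_op` keeps `operation` and `algorithm` as bare `const char *` pointers, but they are only formatted in `audit_log_exit()`, so the strings must outlive the syscall; if a caller passes a name owned by an object it frees in the same syscall (a context or session teardown, for instance), the exit record reads freed memory. Either document that only string literals or otherwise static names are acceptable, or copy the strings into the record the way the key IDs are already copied into `key1_id`/`key2_id`. The arrays are sized with `MAX_KEY_ID_SIZE` from `<linux/ncr.h>`, which ties core audit code to a driver ABI header; an audit-local constant would be cleaner.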
struct audit_tree_refs {
struct audit_tree_refs *next;
struct audit_chunk *c[31];
@@ -181,6 +197,7 @@ struct audit_context {
struct audit_context *previous; /* For nested syscalls */
struct audit_aux_data *aux;
struct audit_aux_data *aux_pids;
+ struct list_head crypto;
struct sockaddr_storage *sockaddr;
size_t sockaddr_len;
/* Save things to print about task_struct */
@@ -632,6 +649,18 @@ static int audit_filter_rules(struct task_struct *tsk,
case AUDIT_FILETYPE:
result = audit_match_filetype(ctx, f->val);
break;
+ case AUDIT_CRYPTO_OP:
+ if (ctx) {
+ struct audit_crypto_op *ax;
+
+ list_for_each_entry(ax, &ctx->crypto, list) {
+ result = audit_comparator(ax->op, f->op,
+ f->val);
+ if (result)
+ break;
+ }
+ }
+ break;
}
if (!result) {
@@ -827,6 +856,7 @@ static inline void audit_free_names(struct audit_context *context)
static inline void audit_free_aux(struct audit_context *context)
{
struct audit_aux_data *aux;
+ struct audit_crypto_op *crypto, *tmp;
while ((aux = context->aux)) {
context->aux = aux->next;
@@ -836,6 +866,10 @@ static inline void audit_free_aux(struct audit_context *context)
context->aux_pids = aux->next;
kfree(aux);
}
+ list_for_each_entry_safe(crypto, tmp, &context->crypto, list) {
+ list_del(&crypto->list);
+ kfree(crypto);
+ }
}
static inline void audit_zero_context(struct audit_context *context,
@@ -853,6 +887,7 @@ static inline struct audit_context *audit_alloc_context(enum audit_state state)
if (!(context = kmalloc(sizeof(*context), GFP_KERNEL)))
return NULL;
audit_zero_context(context, state);
+ INIT_LIST_HEAD(&context->crypto);
INIT_LIST_HEAD(&context->killed_trees);
return context;
}
@@ -1316,6 +1351,7 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
int i, call_panic = 0;
struct audit_buffer *ab;
struct audit_aux_data *aux;
+ struct audit_crypto_op *crypto;
const char *tty;
/* tsk == current */
@@ -1442,6 +1478,58 @@ static void audit_log_exit(struct audit_context *context, struct task_struct *ts
call_panic = 1;
}
+ list_for_each_entry(crypto, &context->crypto, list) {
+ static const char *const ops[] = {
+ [AUDIT_CRYPTO_OP_CONTEXT_NEW] = "context_new",
+ [AUDIT_CRYPTO_OP_CONTEXT_DEL] = "context_del",
+ [AUDIT_CRYPTO_OP_SESSION_INIT] = "session_init",
+ [AUDIT_CRYPTO_OP_SESSION_OP] = "session_op",
+ [AUDIT_CRYPTO_OP_SESSION_FINAL] = "session_final",
+ [AUDIT_CRYPTO_OP_KEY_IMPORT] = "key_import",
+ [AUDIT_CRYPTO_OP_KEY_EXPORT] = "key_export",
+ [AUDIT_CRYPTO_OP_KEY_WRAP] = "key_wrap",
+ [AUDIT_CRYPTO_OP_KEY_UNWRAP] = "key_unwrap",
+ [AUDIT_CRYPTO_OP_KEY_GEN] = "key_gen",
+ [AUDIT_CRYPTO_OP_KEY_DERIVE] = "key_derive",
+ [AUDIT_CRYPTO_OP_KEY_ZEROIZE] = "key_zeroize",
+ [AUDIT_CRYPTO_OP_KEY_GET_INFO] = "key_get_info",
+ };
+
+ ab = audit_log_start(context, GFP_KERNEL,
+ AUDIT_CRYPTO_USERSPACE_OP);
+ if (!ab)
+ continue;
+ if (crypto->op < ARRAY_SIZE(ops) && ops[crypto->op] != NULL)
+ audit_log_format(ab, "crypto_op=%s", ops[crypto->op]);
+ else
+ audit_log_format(ab, "crypto_op=%d", crypto->op);
+ audit_log_format(ab, " ctx=%d", crypto->context);
+ if (crypto->session != -1)
+ audit_log_format(ab, " session=%d", crypto->session);
+ if (crypto->operation != NULL)
+ audit_log_format(ab, " operation=%s",
+ crypto->operation);
+ if (crypto->algorithm != NULL)
+ audit_log_format(ab, " algo=%s", crypto->algorithm);
+ if (crypto->key1 != -1) {
+ audit_log_format(ab, " key1=%d", crypto->key1);
+ if (crypto->key1_id_size > 0) {
+ audit_log_format(ab, " key1_id=");
+ audit_log_n_untrustedstring(ab, crypto->key1_id,
+ crypto->key1_id_size);
+ }
+ }
+ if (crypto->key2 != -1) {
+ audit_log_format(ab, " key2=%d", crypto->key2);
+ if (crypto->key2_id_size > 0) {
+ audit_log_format(ab, " key2_id=");
+ audit_log_n_untrustedstring(ab, crypto->key2_id,
+ crypto->key2_id_size);
+ }
+ }
+ audit_log_end(ab);
+ }
+
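Review bot: `operation` and `algorithm` are emitted with plain `audit_log_format(ab, " operation=%s", ...)` and `" algo=%s"`, while the key IDs correctly go through `audit_log_n_untrustedstring()`; if either string can be chosen or influenced by user space (the sample log shows transform names such as `cbc(aes)`, which look like names a caller can request), a space or quote in it would let a process inject fields into its own record. Unless the callers guarantee these are kernel-owned literals, route them through `audit_log_untrustedstring(ab, crypto->algorithm)`. The `crypto->op < ARRAY_SIZE(ops)` test compares a signed `int` with `size_t`; it happens to send negative values to the `%d` branch, but `crypto->op >= 0 && crypto->op < ARRAY_SIZE(ops)` states the intent and avoids a sign-compare warning.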
if (context->target_pid &&
audit_log_pid_context(context, context->target_pid,
context->target_auid, context->target_uid,
@@ -2486,6 +2574,54 @@ void __audit_log_capset(pid_t pid,
}
/**
+ * __audit_log_crypto_op - store information about an user-space crypto op
+ * @op: AUDIT_CRYPTO_OP_*
+ * @context: user-space context ID
+ * @session: session ID within @context, or -1
+ * @operation: more detailed operation description, or NULL
+ * @algorithm: algorithm (crypto API transform) name, or NULL
+ * @key1: ID of key 1 within @context, or -1
+ * @key1_id: user-space ID of key 1 set from user-space if @key1 != -1
+ * @key1_id_size: Size of @key1_id
+ * @key2: ID of key 2 within @context, or -1
+ * @key2_id: user-space ID of key 2 set from user-space if @key2 != -1
+ * @key2_id_size: Size of @key2_id
+ */
+int __audit_log_crypto_op(int op, int context, int session,
+ const char *operation, const char *algorithm,
+ int key1, void *key1_id, size_t key1_id_size,
+ int key2, void *key2_id, size_t key2_id_size)
+{
+ struct audit_crypto_op *ax;
+ struct audit_context *ctx = current->audit_context;
+
+ ax = kmalloc(sizeof(*ax), GFP_KERNEL);
+ if (!ax)
+ return -ENOMEM;
+
+ ax->op = op;
+ ax->context = context;
+ ax->session = session;
+ ax->operation = operation;
+ ax->algorithm = algorithm;
+ ax->key1 = key1;
+ if (key1 != -1) {
+ ax->key1_id_size = min(key1_id_size, sizeof(ax->key1_id));
+ memcpy(ax->key1_id, key1_id, ax->key1_id_size);
+ } else
+ ax->key1_id_size = 0;
+ ax->key2 = key2;
+ if (key2 != -1) {
+ ax->key2_id_size = min(key2_id_size, sizeof(ax->key2_id));
+ memcpy(ax->key2_id, key2_id, ax->key2_id_size);
+ } else
+ ax->key2_id_size = 0;
+ list_add_tail(&ax->list, &ctx->crypto);
+ return 0;
+}
+EXPORT_SYMBOL_GPL(__audit_log_crypto_op);
+
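Review bot: `__audit_log_crypto_op()` is `EXPORT_SYMBOL_GPL` yet dereferences `current->audit_context` unconditionally in `list_add_tail(&ax->list, &ctx->crypto)`; the `audit_dummy_context()` guard lives only in the inline wrapper, so a module calling the underscored function directly on a task with no audit context oopses. Add `if (!ctx) { kfree(ax); return 0; }` before the list insertion, or do not export the raw function. The kerneldoc for `@operation` and `@algorithm` should also say that the pointers are stored, not copied, and must stay valid until the syscall's exit record is written, since that is the contract the struct imposes.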
+/**
* audit_core_dumps - record information about processes that end abnormally
* @signr: signal value
*
[-- Attachment #3: audit-2.0.4-userspace_crypto.patch --]
[-- Type: text/x-patch; name=audit-2.0.4-userspace_crypto.patch, Size: 7281 bytes --]
Index: lib/errormsg.h
===================================================================
--- lib/errormsg.h (revision 395)
+++ lib/errormsg.h (working copy)
@@ -54,5 +54,6 @@
{ -19, 0, "Key field needs a watch or syscall given prior to it" },
{ -20, 2, "-F missing value after operation for" },
{ -21, 2, "-F value should be number for" },
- { -22, 2, "-F missing field name before operator for" }
+ { -22, 2, "-F missing field name before operator for" },
+ { -23, 2, "-F unknown crypto_op - " }
};
Index: lib/fieldtab.h
===================================================================
--- lib/fieldtab.h (revision 395)
+++ lib/fieldtab.h (working copy)
@@ -45,6 +45,7 @@
_S(AUDIT_OBJ_TYPE, "obj_type" )
_S(AUDIT_OBJ_LEV_LOW, "obj_lev_low" )
_S(AUDIT_OBJ_LEV_HIGH, "obj_lev_high" )
+_S(AUDIT_CRYPTO_OP, "crypto_op" )
_S(AUDIT_DEVMAJOR, "devmajor" )
_S(AUDIT_DEVMINOR, "devminor" )
Index: lib/msg_typetab.h
===================================================================
--- lib/msg_typetab.h (revision 395)
+++ lib/msg_typetab.h (working copy)
@@ -120,6 +120,8 @@
_S(AUDIT_MAC_IPSEC_EVENT, "MAC_IPSEC_EVENT" )
_S(AUDIT_MAC_UNLBL_STCADD, "MAC_UNLBL_STCADD" )
_S(AUDIT_MAC_UNLBL_STCDEL, "MAC_UNLBL_STCDEL" )
+_S(AUDIT_CRYPTO_STORAGE_KEY, "CRYPTO_STORAGE_KEY" )
+_S(AUDIT_CRYPTO_USERSPACE_OP, "CRYPTO_USERSPACE_OP" )
_S(AUDIT_ANOM_PROMISCUOUS, "ANOM_PROMISCUOUS" )
_S(AUDIT_ANOM_ABEND, "ANOM_ABEND" )
_S(AUDIT_INTEGRITY_DATA, "INTEGRITY_DATA" )
Index: lib/libaudit.c
===================================================================
--- lib/libaudit.c (revision 395)
+++ lib/libaudit.c (working copy)
@@ -38,6 +38,8 @@
#include <fcntl.h> /* O_NOFOLLOW needs gnu defined */
#include <limits.h> /* for PATH_MAX */
+#include "gen_tables.h"
+#include "crypto_ops.h"
#include "libaudit.h"
#include "private.h"
#include "errormsg.h"
@@ -1109,6 +1111,21 @@
else
return -21;
break;
+ case AUDIT_CRYPTO_OP:
+ if (flags != AUDIT_FILTER_EXIT)
+ return -7;
+ if (isdigit((unsigned char)*v))
+ rule->values[rule->field_count] =
+ strtoul(v, NULL, 0);
+ else {
+ int op;
+
+ if (crypto_op_s2i(v, &op) != 0)
+ rule->values[rule->field_count] = op;
+ else
+ return -23;
+ }
+ break;
case AUDIT_DEVMAJOR...AUDIT_INODE:
case AUDIT_SUCCESS:
if (flags != AUDIT_FILTER_EXIT)
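Review bot: The numeric branch in the new `case AUDIT_CRYPTO_OP:` calls `strtoul(v, NULL, 0)` and therefore accepts trailing garbage (`-F crypto_op=5x` silently becomes 5) and stores out-of-range values without complaint, whereas the neighbouring cases return -21 ("-F value should be number for") for a malformed number. Validate with an end pointer: `char *end; unsigned long n = strtoul(v, &end, 0); if (*end != '\0') return -21;` and then assign `n` to `rule->values[rule->field_count]`. The enclosing function continues outside the hunk.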
Index: lib/libaudit.h
===================================================================
--- lib/libaudit.h (revision 395)
+++ lib/libaudit.h (working copy)
@@ -116,6 +116,8 @@
#endif
#define AUDIT_FIRST_KERN_CRYPTO_MSG 1600
+#define AUDIT_CRYPTO_STORAGE_KEY 1600 /* Key storage key configured */
+#define AUDIT_CRYPTO_USERSPACE_OP 1601 /* User-space crypto operation */
#define AUDIT_LAST_KERN_CRYPTO_MSG 1699
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
@@ -199,7 +201,22 @@
#define AUDIT_LAST_USER_MSG2 2999
#endif
+#define AUDIT_CRYPTO_OP 24
+#define AUDIT_CRYPTO_OP_CONTEXT_NEW 1
+#define AUDIT_CRYPTO_OP_CONTEXT_DEL 2
+#define AUDIT_CRYPTO_OP_SESSION_INIT 3
+#define AUDIT_CRYPTO_OP_SESSION_OP 4
+#define AUDIT_CRYPTO_OP_SESSION_FINAL 5
+#define AUDIT_CRYPTO_OP_KEY_IMPORT 6
+#define AUDIT_CRYPTO_OP_KEY_EXPORT 7
+#define AUDIT_CRYPTO_OP_KEY_WRAP 8
+#define AUDIT_CRYPTO_OP_KEY_UNWRAP 9
+#define AUDIT_CRYPTO_OP_KEY_GEN 10
+#define AUDIT_CRYPTO_OP_KEY_DERIVE 11
+#define AUDIT_CRYPTO_OP_KEY_ZEROIZE 12
+#define AUDIT_CRYPTO_OP_KEY_GET_INFO 13
+
/* This is related to the filterkey patch */
#define AUDIT_KEY_SEPARATOR 0x01
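Review bot: The `AUDIT_CRYPTO_OP` and `AUDIT_CRYPTO_OP_*` defines are added unconditionally, while the surrounding definitions end in `#endif` (the file appears to wrap kernel-provided constants in `#ifndef` guards so that a `<linux/audit.h>` that already defines them does not trigger redefinition warnings). Wrap this block the same way: `#ifndef AUDIT_CRYPTO_OP` ... `#endif`, and consider the same for the two message-type defines added above if the kernel header can supply them.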
Index: lib/crypto_ops_table.h
===================================================================
--- lib/crypto_ops_table.h (revision 0)
+++ lib/crypto_ops_table.h (revision 0)
@@ -0,0 +1,35 @@
+/* crypto_ops_table.h --
+ * Copyright 2010 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Authors:
+ * Miloslav Trmač <mitr@redhat.com>
+ */
+
+_S(AUDIT_CRYPTO_OP_CONTEXT_NEW, "context_new")
+_S(AUDIT_CRYPTO_OP_CONTEXT_DEL, "context_del")
+_S(AUDIT_CRYPTO_OP_SESSION_INIT, "session_init")
+_S(AUDIT_CRYPTO_OP_SESSION_OP, "session_op")
+_S(AUDIT_CRYPTO_OP_SESSION_FINAL, "session_final")
+_S(AUDIT_CRYPTO_OP_KEY_IMPORT, "key_import")
+_S(AUDIT_CRYPTO_OP_KEY_EXPORT, "key_export")
+_S(AUDIT_CRYPTO_OP_KEY_WRAP, "key_wrap")
+_S(AUDIT_CRYPTO_OP_KEY_UNWRAP, "key_unwrap")
+_S(AUDIT_CRYPTO_OP_KEY_GEN, "key_gen")
+_S(AUDIT_CRYPTO_OP_KEY_DERIVE, "key_derive")
+_S(AUDIT_CRYPTO_OP_KEY_ZEROIZE, "key_zeroize")
+_S(AUDIT_CRYPTO_OP_KEY_GET_INFO, "key_get_info")
Index: lib/Makefile.am
===================================================================
--- lib/Makefile.am (revision 395)
+++ lib/Makefile.am (working copy)
@@ -37,7 +37,7 @@
libaudit_la_LDFLAGS = -Wl,-z,relro -version-info $(VERSION_INFO)
nodist_libaudit_la_SOURCES = $(BUILT_SOURCES)
-BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \
+BUILT_SOURCES = actiontabs.h crypto_ops.h errtabs.h fieldtabs.h flagtabs.h \
ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \
msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \
s390x_tables.h x86_64_tables.h
@@ -47,8 +47,8 @@
if USE_ARMEB
BUILT_SOURCES += armeb_tables.h
endif
-noinst_PROGRAMS = gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \
- gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
+noinst_PROGRAMS = gen_actiontabs_h gen_crypto_ops_h gen_errtabs_h \
+ gen_fieldtabs_h gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \
gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \
gen_s390x_tables_h gen_x86_64_tables_h
@@ -77,6 +77,11 @@
./gen_armeb_tables_h --lowercase --i2s --s2i armeb_syscall > $@
endif
+gen_crypto_ops_h_SOURCES = gen_tables.c gen_tables.h crypto_ops_table.h
+gen_crypto_ops_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="crypto_ops_table.h"'
+crypto_ops.h: gen_crypto_ops_h Makefile
+ ./gen_crypto_ops_h --lowercase --s2i crypto_op > $@
+
gen_errtabs_h_SOURCES = gen_tables.c gen_tables.h errtab.h
gen_errtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="errtab.h"'
errtabs.h: gen_errtabs_h Makefile
[-- Attachment #4: audit.log --]
[-- Type: text/x-log, Size: 3891 bytes --]
# CRYPTO_STORAGE_KEY: Setting a storage master key
type=SYSCALL msg=audit(1281013374.713:11671): arch=c000003e syscall=2 success=yes exit=3 a0=400b67 a1=2 a2=0 a3=7fff4daa1200 items=1 ppid=1352 pid=1375 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty6 ses=3 comm="ncr-setkey" exe="/home/mitr/cryptodev-linux/userspace/ncr-setkey" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CRYPTO_USERSPACE_OP msg=audit(1281013374.713:11671): crypto_op=context_new ctx=0
type=CWD msg=audit(1281013374.713:11671): cwd="/root"
type=PATH msg=audit(1281013374.713:11671): item=0 name="/dev/crypto" inode=12498 dev=00:05 mode=020660 ouid=0 ogid=0 rdev=0a:3a obj=system_u:object_r:device_t:s0
type=CRYPTO_STORAGE_KEY msg=audit(1281013374.715:11672): key_size=16
type=SYSCALL msg=audit(1281013374.715:11672): arch=c000003e syscall=16 success=yes exit=128 a0=3 a1=80106304 a2=7fff4daa1530 a3=7fff4daa1200 items=0 ppid=1352 pid=1375 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty6 ses=3 comm="ncr-setkey" exe="/home/mitr/cryptodev-linux/userspace/ncr-setkey" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=SYSCALL msg=audit(1281013374.716:11673): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=80106304 a2=7fff4daa1530 a3=7fff4daa1200 items=0 ppid=1352 pid=1375 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty6 ses=3 comm="ncr-setkey" exe="/home/mitr/cryptodev-linux/userspace/ncr-setkey" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CRYPTO_USERSPACE_OP msg=audit(1281013374.716:11673): crypto_op=context_del ctx=0
# Some other crypto operations - records other than CRYPTO_USERSPACE_OP, e.g.
# SYSCALL, omitted
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.782:11674): crypto_op=context_new ctx=0
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.784:11675): crypto_op=key_zeroize ctx=0 algo=unknown key1=0
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.784:11675): crypto_op=key_import ctx=0 algo=cbc(aes) key1=0 key1_id=61DE
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.786:11676): crypto_op=key_export ctx=0 algo=cbc(aes) key1=0 key1_id=61DE
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.786:11677): crypto_op=key_zeroize ctx=0 algo=cbc(aes) key1=0 key1_id=61DE
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.787:11678): crypto_op=key_zeroize ctx=0 algo=unknown key1=0
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.787:11678): crypto_op=key_gen ctx=0 algo=cbc(aes) key1=0 key1_id=2128C9198B
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.787:11679): crypto_op=key_export ctx=0 algo=cbc(aes) key1=0 key1_id=2128C9198B
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.787:11680): crypto_op=key_zeroize ctx=0 algo=cbc(aes) key1=0 key1_id=2128C9198B
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.788:11681): crypto_op=key_zeroize ctx=0 algo=unknown key1=0
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.788:11681): crypto_op=key_gen ctx=0 algo=cbc(aes) key1=0 key1_id=A8BB4BE77D
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.788:11682): crypto_op=key_export ctx=0 algo=cbc(aes) key1=0 key1_id=A8BB4BE77D
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.789:11683): crypto_op=key_zeroize ctx=0 algo=cbc(aes) key1=0 key1_id=A8BB4BE77D
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.789:11684): crypto_op=key_zeroize ctx=0 algo=unknown key1=0
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.789:11684): crypto_op=key_import ctx=0 algo=cbc(aes) key1=0 key1_id=6100
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.789:11685): crypto_op=session_init ctx=0 session=0 operation=encrypt algo=ecb(aes) key1=0 key1_id=6100
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.789:11685): crypto_op=session_op ctx=0 session=0 operation=encrypt algo=ecb(aes)
type=CRYPTO_USERSPACE_OP msg=audit(1281013391.789:11685): crypto_op=session_final ctx=0 session=0 operation=encrypt algo=ecb(aes)
* Re: [patch RFC]: userspace crypto auditing
From: Steve Grubb @ 2010-08-05 16:18 UTC (permalink / raw)
To: linux-audit; +Cc: Miloslav Trmac
On Thursday, August 05, 2010 10:02:12 am Miloslav Trmac wrote:
> I'm posting these patches for early review; users of the code are not in
> the kernel yet.
Quick public comment (we already discussed this on IRC): there are already a number of user-space crypto audit events. I think what is in the logs here can be fitted into the existing categories, and the user-space event types can be replicated in the kernel rather than introducing new ones.
-Steve
> Two new records are defined; in each case output of records is caused by a
> syscall, and all other syscall-related data (process identity, syscall
> result) is audited in the usual records.
>
> AUDIT_CRYPTO_STORAGE_KEY is used when a system-wide storage wrapping key is
> changed.
>
> AUDIT_CRYPTO_USERSPACE_OP is used when any user-space program performs a
> crypto operation. To disable auditing these records by default and to
> allow the users to selectively enable them using filters, a new filter
> field AUDIT_CRYPTO_OP is defined; auditing of all crypto operations can
> thus be enabled using (auditctl -a exit,always -F crypto_op!=0).
>
> Attached for review are:
> - A kernel patch
> - An userspace audit patch
> - A few example audit entries
>
> Mirek