From mboxrd@z Thu Jan 1 00:00:00 1970 From: Kees Cook Subject: Re: [PATCH] audit: Report suspicious O_CREAT usage Date: Mon, 30 Sep 2019 11:29:01 -0700 Message-ID: <201909301128.5951C390@keescook> References: <201909251348.A1542A52@keescook> <2065829.xbNJnTdZ4q@x2> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Return-path: List-Post: List-Help: List-Unsubscribe: List-Subscribe: Content-Disposition: inline In-Reply-To: <2065829.xbNJnTdZ4q@x2> To: Steve Grubb Cc: Paul Moore , linux-kernel@vger.kernel.org, =?iso-8859-1?Q?J=E9r=E9mie?= Galarneau , s.mesoraca16@gmail.com, viro@zeniv.linux.org.uk, dan.carpenter@oracle.com, akpm@linux-foundation.org, Mathieu Desnoyers , kernel-hardening@lists.openwall.com, linux-audit@redhat.com, Linus Torvalds List-Id: linux-audit@redhat.com On Mon, Sep 30, 2019 at 09:50:00AM -0400, Steve Grubb wrote: > On Thursday, September 26, 2019 11:31:32 AM EDT Paul Moore wrote: > > On Wed, Sep 25, 2019 at 5:02 PM Kees Cook wrote: > > > This renames the very specific audit_log_link_denied() to > > > audit_log_path_denied() and adds the AUDIT_* type as an argument. This > > > allows for the creation of the new AUDIT_ANOM_CREAT that can be used to > > > report the fifo/regular file creation restrictions that were introduced > > > in commit 30aba6656f61 ("namei: allow restricted O_CREAT of FIFOs and > > > regular files"). Without this change, discovering that the restriction > > > is enabled can be very challenging: > > > https://lore.kernel.org/lkml/CA+jJMxvkqjXHy3DnV5MVhFTL2RUhg0WQ-XVFW3ngDQO > > > dkFq0PA@mail.gmail.com > > > > > > Reported-by: Jérémie Galarneau > > > Signed-off-by: Kees Cook > > > --- > > > This is not a complete fix because reporting was broken in commit > > > 15564ff0a16e ("audit: make ANOM_LINK obey audit_enabled and > > > audit_dummy_context") > > > which specifically goes against the intention of these records: they > > > should _always_ be reported. If auditing isn't enabled, they should be > > > ratelimited. > > > > > > Instead of using audit, should this just go back to using > > > pr_ratelimited()? > > > > I'm going to ignore the rename and other aspects of this patch for the > > moment so we can focus on the topic of if/when/how these records > > should be emitted by the kernel. > > > > Unfortunately, people tend to get very upset if audit emits *any* > > records when they haven't explicitly enabled audit, the significance > > of the record doesn't seem to matter, which is why you see patches > > like 15564ff0a16e ("audit: make ANOM_LINK obey audit_enabled and > > audit_dummy_context"). We could consider converting some records to > > printk()s, rate-limited or not, but we need to balance this with the > > various security certifications which audit was created to satisfy. > > In some cases a printk() isn't sufficient. > > > > Steve is probably the only one who really keeps track of the various > > auditing requirements of the different security certifications; what > > say you Steve on this issue with ANOM_CREAT records? > > Common Criteria and other security standards I track do not call out for > anomoly detection. So, there are no requirements on this. That said, we do > have other anomaly detections because they give early warning that something > strange is happening. I think adding this event is a nice improvement as long > as it obeys audit_enabled before emitting an event - for example, look at the > AUDIT_ANOM_ABEND event. Okay, so the patch is good as-is? (The "report things always" issue I will deal with separately. For now I'd just like to gain this anomaly detection corner case...) Paul, what do you see as next steps here? -- Kees Cook