From: Steve Grubb <sgrubb@redhat.com>
To: Paul Moore <paul@paul-moore.com>
Cc: Richard Guy Briggs <rgb@redhat.com>,
"linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: Audit record ordering requirements
Date: Fri, 27 Mar 2020 10:03:07 -0400 [thread overview]
Message-ID: <2966967.03MRl4nvq3@x2> (raw)
In-Reply-To: <CAHC9VhS3Nj=KHAaCV2s9h3G02RG96BzmhiqrGT5n+Y+Cegy_QQ@mail.gmail.com>
On Thursday, March 26, 2020 8:28:51 PM EDT Paul Moore wrote:
> On Thu, Mar 26, 2020 at 7:49 PM Casey Schaufler <casey@schaufler-ca.com>
wrote:
> > I'm looking at adding an audit record type for the case where
> > there are multiple security modules providing subject data. There
> > are several reasons to create a new record rather than adding the
> > additional information to existing records, including possible
> > size overflows and format compatibility.
> >
> > While working with the code I have found that it is much easier
> > if the new record (I'm calling it MAC_TASK_CONTEXTS) can be generated
> > before the "base" record, which could be a SYSCALL record, than
> > after it. Can I get away with this? I haven't seen any documentation
> > that says the CWD record has to follow the event's SYSCALL record,
> > but I wouldn't be at all surprised if it's implicitly assumed.
>
> From a kernel perspective, as long as the timestamp matches (so it's
> considered part of the same "event") I've got no problem with that.
> However, Steve's audit userspace has a lot of assumptions about how
> things are done so it's probably best that he comments on this so his
> tools don't blow up.
There are some assumptions about what record is last in order to speed up
"aging" the event during search so that we know the event is complete and
ready for processing. We can always change that if needed. But a new kernel
won't be compatible with older tools.
The only long term fix for this would be to have something that says how many
records are in this event, then add a field for each record saying which one
it is. Then we can have a reliable way to decide when we have all records
ready for processing. This only affects searching/reporting, not logging.
But I think the records are in chronological order as the syscall traverses
the various observers in the kernel. And as Paul said, as long as they all
have the same timestamp/serial number, userspace will collect them all up.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2020-03-27 14:03 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <de87d7bb-a7df-0251-0f33-9aeeef3d0879.ref@schaufler-ca.com>
2020-03-26 23:49 ` Audit record ordering requirements Casey Schaufler
2020-03-27 0:28 ` Paul Moore
2020-03-27 14:03 ` Steve Grubb [this message]
2020-03-27 14:08 ` Steve Grubb
2020-03-27 16:14 ` Richard Guy Briggs
2020-03-27 16:23 ` Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2966967.03MRl4nvq3@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
--cc=paul@paul-moore.com \
--cc=rgb@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox