From: Steve Grubb
To: Paul Moore
Cc: Richard Guy Briggs, linux-audit@redhat.com
Subject: Re: Audit record ordering requirements
Date: Fri, 27 Mar 2020 10:03:07 -0400
Message-ID: <2966967.03MRl4nvq3@x2>
Organization: Red Hat

On Thursday, March 26, 2020 8:28:51 PM EDT Paul Moore wrote:
> On Thu, Mar 26, 2020 at 7:49 PM Casey Schaufler wrote:
> > I'm looking at adding an audit record type for the case where
> > there are multiple security modules providing subject data. There
> > are several reasons to create a new record rather than adding the
> > additional information to existing records, including possible
> > size overflows and format compatibility.
> >
> > While working with the code I have found that it is much easier
> > if the new record (I'm calling it MAC_TASK_CONTEXTS) can be generated
> > before the "base" record, which could be a SYSCALL record, than
> > after it. Can I get away with this? I haven't seen any documentation
> > that says the CWD record has to follow the event's SYSCALL record,
> > but I wouldn't be at all surprised if it's implicitly assumed.
>
> From a kernel perspective, as long as the timestamp matches (so it's
> considered part of the same "event") I've got no problem with that.
> However, Steve's audit userspace has a lot of assumptions about how
> things are done so it's probably best that he comments on this so his
> tools don't blow up.

There are some assumptions about what record is last in order to speed up
"aging" the event during search so that we know the event is complete and
ready for processing. We can always change that if needed. But a new kernel
won't be compatible with older tools.

The only long-term fix for this would be to have something that says how many
records are in this event, then add a field for each record saying which one
it is. Then we can have a reliable way to decide when we have all records
ready for processing.

This only affects searching/reporting, not logging. But I think the records
are in chronological order as the syscall traverses the various observers in
the kernel. And as Paul said, as long as they all have the same
timestamp/serial number, userspace will collect them all up.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
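The two mechanisms the thread contrasts, grouping records by the shared `audit(timestamp:serial)` key versus closing an event when a particular "last" record type is seen, are illustrated below in an added example that is not part of the thread and not the audit userspace's own code. The sample log lines are constructed, the `MAC_TASK_CONTEXTS` record content is invented for illustration, and treating `PROCTITLE` as the terminal record type is an assumption of this example rather than a statement of what ausearch/auparse actually does.

```python
import re

# Every audit record starts with the same prefix: "type=X msg=audit(SECS.MSECS:SERIAL): ..."
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+)\s+msg=audit\((?P<ts>\d+\.\d{3}):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)

# Constructed sample log (not from the thread). Event :42 carries the proposed
# MAC_TASK_CONTEXTS record *before* its SYSCALL record; event :43 receives one *after*
# the record this example treats as terminal; event :44 never receives a terminal record.
SAMPLE_LOG = """\
type=MAC_TASK_CONTEXTS msg=audit(1585317805.100:42): subj_selinux=unconfined_t subj_apparmor=unconfined
type=SYSCALL msg=audit(1585317805.100:42): arch=c000003e syscall=59 success=yes exit=0
type=CWD msg=audit(1585317805.100:42): cwd="/home/example"
type=PROCTITLE msg=audit(1585317805.100:42): proctitle="bash"
type=SYSCALL msg=audit(1585317805.200:43): arch=c000003e syscall=2 success=no exit=-13
type=PROCTITLE msg=audit(1585317805.200:43): proctitle="cat"
type=MAC_TASK_CONTEXTS msg=audit(1585317805.200:43): subj_selinux=user_t
type=SYSCALL msg=audit(1585317805.300:44): arch=c000003e syscall=257 success=yes exit=3
type=CWD msg=audit(1585317805.300:44): cwd="/tmp"
"""


def parse_record(line):
    """Return ((timestamp, serial), record_type) for one line, or None if it is not an audit record."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    return (m["ts"], int(m["serial"])), m["type"]


def group_events(lines, terminal_types=frozenset({"PROCTITLE"})):
    """Group records into events by (timestamp, serial), as the thread says userspace does,
    and apply a 'this record type closes the event' heuristic on top of it.
    terminal_types is this example's assumption, not the real tools' rule."""
    events = {}
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        key, rtype = parsed
        ev = events.setdefault(key, {"records": [], "complete": False, "late": []})
        if ev["complete"]:
            # Arrived after the heuristic already closed the event: a tool that aged the
            # event out at that point would have dropped or misfiled this record.
            ev["late"].append(rtype)
        ev["records"].append(rtype)
        if rtype in terminal_types:
            ev["complete"] = True
    return events


if __name__ == "__main__":
    for key, ev in group_events(SAMPLE_LOG.splitlines()).items():
        print(key, ev)
```

Event :42 shows that a record preceding SYSCALL is harmless under key-based grouping, while event :43 shows the failure mode Steve describes when a new record type lands after whatever a tool treats as the last record, and event :44 shows an event that only a timeout or an explicit record count could ever close.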