lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 29 May 2018 17:35:48 -0400
From:   Steve Grubb <sgrubb@...hat.com>
To:     Paul Moore <paul@...l-moore.com>
Cc:     Stefan Berger <stefanb@...ux.vnet.ibm.com>,
        zohar@...ux.vnet.ibm.com, linux-integrity@...r.kernel.org,
        linux-audit@...hat.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 5/8] integrity: Add exe= and tty= before res= to integrity audits

On Tuesday, May 29, 2018 5:19:39 PM EDT Paul Moore wrote:
> On Thu, May 24, 2018 at 4:11 PM, Stefan Berger
> 
> <stefanb@...ux.vnet.ibm.com> wrote:
> > Use the new public audit functions to add the exe= and tty=
> > parts to the integrity audit records. We place them before
> > res=.
> > 
> > Signed-off-by: Stefan Berger <stefanb@...ux.vnet.ibm.com>
> > Suggested-by: Steve Grubb <sgrubb@...hat.com>
> > ---
> > 
> >  security/integrity/integrity_audit.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/security/integrity/integrity_audit.c
> > b/security/integrity/integrity_audit.c index db30763d5525..8d25d3c4dcca
> > 100644
> > --- a/security/integrity/integrity_audit.c
> > +++ b/security/integrity/integrity_audit.c
> > @@ -56,6 +56,8 @@ void integrity_audit_msg(int audit_msgno, struct inode
> > *inode,> 
> >                 audit_log_untrustedstring(ab, inode->i_sb->s_id);
> >                 audit_log_format(ab, " ino=%lu", inode->i_ino);
> >         
> >         }
> > 
> > +       audit_log_d_path_exe(ab, current->mm);
> > +       audit_log_tty(ab, current);
> 
> NACK
> 
> Please add the new fields to the end of the audit record, thank you.

Let's see what an example event looks like before NACK'ing this. Way back in 
2013 the IMA events were good. I think this is repairing the event after some 
drift.

Thanks,
-Steve
 
> >         audit_log_format(ab, " res=%d", !result);
> >         audit_log_end(ab);
> >  
> >  }

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ