Message-ID: <h2m58f704b21003310026mab69619fi1d2a62be998a89bf@mail.gmail.com>
Date:	Wed, 31 Mar 2010 09:26:36 +0200
From:	Juraj Hlista <juro.hlista@...il.com>
To:	Al Viro <viro@...iv.linux.org.uk>
Cc:	sgrubb@...hat.com, mitr@...hat.com, linux-kernel@...r.kernel.org,
	linux-audit@...hat.com
Subject: Re: [PATCH] audit: Reactive rules

On Wed, Mar 31, 2010 at 12:23 AM, Al Viro <viro@...iv.linux.org.uk> wrote:
> On Wed, Mar 31, 2010 at 12:17:11AM +0200, Juraj Hlista wrote:
>> From: Juraj Hlista <juro.hlista@...il.com>
>>
>> Add support for reactive rules. An audit rule can contain more than one reaction. The reactions are identified by numbers in the kernel and by strings in the user space.
>
> Huh?  We already have a way to associate a unique key with a rule; what does
> that patch offer that can't be happily handled by userland with what we
> already have?
>
If the key were used to associate reactions with a rule, it could be
done, for example, by adding a "react-" prefix to the key (-F
key=react-r1). In order to detect whether there was a match with a
reactive rule, every single audit event would have to be checked for
whether it includes a key with the "react-" prefix, which is not
effective.

There is no need to parse audit events and check whether they have such a
key. When a match with a reactive rule is found, the patch adds a new
record at the beginning of the audit event, for example:

type=REACT_RULE msg=audit(1270026004.497:4): react=1
type=SYSCALL msg=audit(1270026004.497:4): arch=c000003e syscall=2
success=yes exit=3 a0=7fff8022f767 a1=941 a2=1b6 a3=7fff8022e040
items=2 ppid=2777 pid=2804 auid=4294967295 uid=0 gid=0 euid=0 suid=0
fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=4294967295 comm="touch"
exe="/bin/touch" key=(null)
type=CWD msg=audit(1270026004.497:4):  cwd="/root"
type=PATH msg=audit(1270026004.497:4): item=0 name="/tmp/" inode=8112
dev=08:02 mode=041777 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1270026004.497:4): item=1 name="/tmp/file"
inode=9400 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00

The user space only checks the type of the record instead of parsing
it and looking for keys. The REACT_RULE record has only a list of
reactions - the mapping of reaction numbers to strings is described in:

https://www.redhat.com/archives/linux-audit/2010-March/msg00040.html
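An added example, not code from the patch or from the audit user-space tools: a small Python consumer of the event format shown above that groups records by audit serial and decides on reactions from the REACT_RULE record's type alone, without scanning every record for a key. The sample log lines (abridged from the quoted event, plus a second constructed non-reactive event), the REACTION_NAMES table and the handling of multiple react= fields are assumptions made for this example.

```python
import re
from collections import OrderedDict

# Constructed sample log: the event from the mail (abridged to the fields used
# here) plus a second, non-reactive event for contrast.
SAMPLE_LOG = """\
type=REACT_RULE msg=audit(1270026004.497:4): react=1
type=SYSCALL msg=audit(1270026004.497:4): arch=c000003e syscall=2 success=yes exit=3 pid=2804 uid=0 comm="touch" exe="/bin/touch" key=(null)
type=CWD msg=audit(1270026004.497:4):  cwd="/root"
type=PATH msg=audit(1270026004.497:4): item=1 name="/tmp/file" inode=9400 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1270026009.120:5): arch=c000003e syscall=2 success=yes exit=3 pid=2810 uid=0 comm="cat" exe="/bin/cat" key="watch-etc"
type=PATH msg=audit(1270026009.120:5): item=0 name="/etc/passwd" inode=1 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

# Assumed user-space table mapping reaction numbers to names; the mail says the
# mapping is defined in user space, and this particular table is constructed.
REACTION_NAMES = {1: "notify-admin", 2: "snapshot-file"}

# type=<TYPE> msg=audit(<timestamp>:<serial>): <payload>
RECORD_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')


def parse_record(line):
    """Split one audit line into (type, serial, payload); None if malformed."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, _ts, serial, payload = m.groups()
    return rtype, int(serial), payload


def group_events(log_text):
    """Group records by event serial, keeping record order within an event."""
    events = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec[1], []).append(rec)
    return events


def reactions_for_event(records):
    """Only the first record's type is inspected; its react= numbers are mapped
    to names. Several react= fields per record is an assumption (mail shows one)."""
    if not records or records[0][0] != "REACT_RULE":
        return []
    numbers = [int(n) for n in re.findall(r'\breact=(\d+)', records[0][2])]
    return [REACTION_NAMES.get(n, "unknown-%d" % n) for n in numbers]


def reactive_events(log_text):
    """Map event serial -> reaction names for events that carry a REACT_RULE record."""
    result = {}
    for serial, recs in group_events(log_text).items():
        names = reactions_for_event(recs)
        if names:
            result[serial] = names
    return result
```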