lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhQsRLPcXm7aesGw4XqWSQMH5znnURCrQHH1w5+tfDjYCA@mail.gmail.com>
Date:   Wed, 30 May 2018 17:14:31 -0400
From:   Paul Moore <paul@...l-moore.com>
To:     Stefan Berger <stefanb@...ux.vnet.ibm.com>
Cc:     zohar@...ux.vnet.ibm.com, sgrubb@...hat.com,
        linux-integrity@...r.kernel.org, linux-audit@...hat.com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 5/8] integrity: Add exe= and tty= before res= to integrity audits

On Wed, May 30, 2018 at 8:17 AM, Stefan Berger
<stefanb@...ux.vnet.ibm.com> wrote:
> On 05/29/2018 05:19 PM, Paul Moore wrote:
>>
>> On Thu, May 24, 2018 at 4:11 PM, Stefan Berger
>> <stefanb@...ux.vnet.ibm.com> wrote:
>>>
>>> Use the new public audit functions to add the exe= and tty=
>>> parts to the integrity audit records. We place them before
>>> res=.
>>>
>>> Signed-off-by: Stefan Berger <stefanb@...ux.vnet.ibm.com>
>>> Suggested-by: Steve Grubb <sgrubb@...hat.com>
>>> ---
>>>   security/integrity/integrity_audit.c | 2 ++
>>>   1 file changed, 2 insertions(+)
>>>
>>> diff --git a/security/integrity/integrity_audit.c
>>> b/security/integrity/integrity_audit.c
>>> index db30763d5525..8d25d3c4dcca 100644
>>> --- a/security/integrity/integrity_audit.c
>>> +++ b/security/integrity/integrity_audit.c
>>> @@ -56,6 +56,8 @@ void integrity_audit_msg(int audit_msgno, struct inode
>>> *inode,
>>>                  audit_log_untrustedstring(ab, inode->i_sb->s_id);
>>>                  audit_log_format(ab, " ino=%lu", inode->i_ino);
>>>          }
>>> +       audit_log_d_path_exe(ab, current->mm);
>>> +       audit_log_tty(ab, current);
>>
>> NACK
>>
>> Please add the new fields to the end of the audit record, thank you.
>
> I put it there since Steve said '"res" is traditionally the last field in
> any event' (https://lkml.org/lkml/2018/5/22/539). I don't mind breaking with
> this tradition...

Unfortunately Steve and I don't see eye-to-eye on everything, and this
is perhaps one of the more prominent issues.

I'll save you several years of arguments, on and off-list, and simply
say that the "safe" option, and the only option I'm likely to ACK,
would be to add new fields at the end of existing records.  We have
made exceptions in the past, but those were pretty extreme cases.

-- 
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ