lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAHC9VhQpK+Shy2b2tv+vrTS+a8+zZbsrRG=pjzoMK0LApJg1Sg@mail.gmail.com>
Date:   Mon, 8 Jun 2020 17:45:05 -0400
From:   Paul Moore <paul@...l-moore.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>
Cc:     Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>,
        linux-integrity@...r.kernel.org, linux-audit@...hat.com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2] IMA: Add audit log for failure conditions

On Mon, Jun 8, 2020 at 7:52 AM Mimi Zohar <zohar@...ux.ibm.com> wrote:
> Hi Lakshmi,
>
> On Sun, 2020-06-07 at 15:14 -0700, Lakshmi Ramasubramanian wrote:
> > The final log statement in process_buffer_measurement() for failure
> > condition is at debug level. This does not log the message unless
> > the system log level is raised which would significantly increase
> > the messages in the system log. Change this log message to an audit
> > message for better triaging failures in the function.
> >
> > ima_alloc_key_entry() does not log a message for failure condition.
> > Add an audit message for failure condition in this function.
> >
> > Signed-off-by: Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
>
> Audit messages should be at a higher level.  For example,
> "hashing_error", "collect_data", "invalid_pcr".  In the "invalid_pcr"
> case, the audit log contains the reason - "ToMToU" or "open_writers" -
> as to why the measurement list doesn't match the PCR.
>
> Here you would want "measuring_keys", "measuring_boot_cmdline" with
> the reason it failed, not the function name
> "process_buffer_measurement".
>
> Userspace needs to be aware of the new audit messages.  Maybe include
> samples of them in the cover letter.

Yes, examples of the audit record in the commit description (the cover
letter isn't recorded in the git log), are encouraged.

-- 
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ