lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ada45440-aefd-a4b2-2a3b-c012872e86cb@linux.microsoft.com>
Date:   Tue, 9 Jun 2020 08:58:02 -0700
From:   Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To:     Steve Grubb <sgrubb@...hat.com>, linux-audit@...hat.com
Cc:     zohar@...ux.ibm.com, paul@...l-moore.com,
        linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] IMA: Add audit log for failure conditions

On 6/9/20 8:40 AM, Steve Grubb wrote:

> On Monday, June 8, 2020 5:53:43 PM EDT Lakshmi Ramasubramanian wrote:
>> The final log statement in process_buffer_measurement() for failure
>> condition is at debug level. This does not log the message unless
>> the system log level is raised which would significantly increase
>> the messages in the system log. Change this log message to an audit
>> message for better triaging failures in the function.
>>
>> ima_alloc_key_entry() does not log a message for failure condition.
>> Add an audit message for failure condition in this function.
>>
>> Sample audit messages:
> 
> Wouldn't it be better to have an IMA_ERROR record type?

type "1804" is AUDIT_INTEGRITY_PCR which is used for failures to add to 
the measurement list.

> 
>> [    8.051937] audit: type=1804 audit(1591633422.365:8): pid=1 uid=0
>> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>> op=measuring_keys cause=hashing_error(-22)
> 
> The audit system uses a name=value scheme to express information. This last
> field has something in parenthesis that may need to be interpreted. In its
> current form, we can't do this. It would require writing code to special case
> this event, go to this field, find the first parenthesis, find the second,
> extract what's between, and look it up.
> 
> It would be better if that number in parenthesis was normalized to the
> expected way we do audit events so nothing special has to be made.

The number in parenthesis is the error code (such as ENOMEM, EINVAL, 
etc.) IMA uses this format for reporting TPM errors in one of the audit 
messages (In ima_add_template_entry()). I followed the same pattern.

Would it be better if the value for "cause" is formatted as

    cause=hashing_error_-22

    cause=alloc_entry_-12

thanks,
  -lakshmi

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ