lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <3776526.Vj75JV9fuy@x2>
Date:   Tue, 09 Jun 2020 12:43:58 -0400
From:   Steve Grubb <sgrubb@...hat.com>
To:     Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
Cc:     linux-audit@...hat.com, zohar@...ux.ibm.com, paul@...l-moore.com,
        linux-integrity@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] IMA: Add audit log for failure conditions

Hello,

On Tuesday, June 9, 2020 11:58:02 AM EDT Lakshmi Ramasubramanian wrote:
> On 6/9/20 8:40 AM, Steve Grubb wrote:
> > On Monday, June 8, 2020 5:53:43 PM EDT Lakshmi Ramasubramanian wrote:
> >> The final log statement in process_buffer_measurement() for failure
> >> condition is at debug level. This does not log the message unless
> >> the system log level is raised which would significantly increase
> >> the messages in the system log. Change this log message to an audit
> >> message for better triaging failures in the function.
> >> 
> >> ima_alloc_key_entry() does not log a message for failure condition.
> >> Add an audit message for failure condition in this function.
> > 
> >> Sample audit messages:
> > Wouldn't it be better to have an IMA_ERROR record type?
> 
> type "1804" is AUDIT_INTEGRITY_PCR which is used for failures to add to
> the measurement list.
> 
> >> [    8.051937] audit: type=1804 audit(1591633422.365:8): pid=1 uid=0
> >> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
> >> op=measuring_keys cause=hashing_error(-22)
> > 
> > The audit system uses a name=value scheme to express information. This
> > last field has something in parenthesis that may need to be interpreted.
> > In its current form, we can't do this. It would require writing code to
> > special case this event, go to this field, find the first parenthesis,
> > find the second, extract what's between, and look it up.
> > 
> > It would be better if that number in parenthesis was normalized to the
> > expected way we do audit events so nothing special has to be made.
> 
> The number in parenthesis is the error code (such as ENOMEM, EINVAL,
> etc.) IMA uses this format for reporting TPM errors in one of the audit
> messages (In ima_add_template_entry()). I followed the same pattern.
> 
> Would it be better if the value for "cause" is formatted as
> 
>     cause=hashing_error_-22
> 
>     cause=alloc_entry_-12

Neither fit the name=value style that all other events follow. What would fit 
the style is something like this:

cause=hashing_error  errno=-22
 
cause=alloc_entry errno=-12

Would this be OK? Also, errno is only to illustrate. You can name it 
something else as long as there are no use case collisions with our 
dictionary of field names.

https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/
field-dictionary.csv

-Steve



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ