lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 9 Jun 2020 13:15:55 -0400
From:   Richard Guy Briggs <rgb@...hat.com>
To:     Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
Cc:     Steve Grubb <sgrubb@...hat.com>, linux-integrity@...r.kernel.org,
        linux-audit@...hat.com, zohar@...ux.ibm.com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3] IMA: Add audit log for failure conditions

On 2020-06-09 10:00, Lakshmi Ramasubramanian wrote:
> On 6/9/20 9:43 AM, Steve Grubb wrote:
> 
> > > The number in parenthesis is the error code (such as ENOMEM, EINVAL,
> > > etc.) IMA uses this format for reporting TPM errors in one of the audit
> > > messages (In ima_add_template_entry()). I followed the same pattern.
> > > 
> > > Would it be better if the value for "cause" is formatted as
> > > 
> > >      cause=hashing_error_-22
> > > 
> > >      cause=alloc_entry_-12
> > 
> > Neither fit the name=value style that all other events follow. What would fit
> > the style is something like this:
> > 
> > cause=hashing_error  errno=-22
> > cause=alloc_entry errno=-12
> > 
> > Would this be OK? Also, errno is only to illustrate. You can name it
> > something else as long as there are no use case collisions with our
> > dictionary of field names.
> > 
> > https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/
> > field-dictionary.csv
> 
> I am fine with this.
> 
> "errno" is currently not listed in the dictionary of audit message field
> names (Thanks for the pointer to this one Steve)
> 
> Mimi - please let me know if you have any concerns with adding the "result"
> code in "errno" field in integrity_audit_msg().

If it is added, it should be appended to the end of the record since it
is an existing record format, then in the case of res=1, errno= should
still be present (not swing in and out) and just contain zero.  (Or
another value if there is a non-fatal warning?)

> Sample message:
> 
> [    8.051937] audit: type=1804 audit(1591633422.365:8): pid=1 uid=0
> auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
> op=measuring_keys cause=hashing_error errno=-22 comm="systemd"
> name=".builtin_trusted_keys" res=0
> 
> thanks,
>  -lakshmi

- RGB

--
Richard Guy Briggs <rgb@...hat.com>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635

Powered by blists - more mailing lists