lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 12 Jun 2020 12:50:14 -0700
From:   Lakshmi Ramasubramanian <nramas@...ux.microsoft.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>, sgrubb@...hat.com,
        paul@...l-moore.com
Cc:     rgb@...hat.com, linux-integrity@...r.kernel.org,
        linux-audit@...hat.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] integrity: Add errno field in audit message

On 6/12/20 12:25 PM, Mimi Zohar wrote:

> The idea is a good idea, but you're assuming that "result" is always
> errno.  That was probably true originally, but isn't now.  For
> example, ima_appraise_measurement() calls xattr_verify(), which
> compares the security.ima hash with the calculated file hash.  On
> failure, it returns the result of memcmp().  Each and every code path
> will need to be checked.
> 

Good catch Mimi.

Instead of "errno" should we just use "result" and log the value given 
in the result parameter?

 From the audit field dictionary (link given below) "result" is already 
a known field that is used to indicate the result of the audited operation.

@Steve\Paul:
Like "res" is "result" also expected to have only values "0" or "1", or 
can it be any result code?

https://github.com/linux-audit/audit-documentation/blob/master/specs/fields/field-dictionary.csv

res 	alphanumeric 	result of the audited operation(success/fail) 	

result 	alphanumeric 	result of the audited operation(success/fail)

thanks,
  -lakshmi

Powered by blists - more mailing lists