lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 2 Feb 2021 16:44:47 -0500
From:   Paul Moore <paul@...l-moore.com>
To:     Daniel Walker <danielwa@...co.com>
Cc:     Eric Paris <eparis@...hat.com>, Phil Zhang <xuanyzha@...co.com>,
        xe-linux-external@...co.com, linux-audit@...hat.com,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 2/2] audit: show (grand)parents information of an audit context

On Tue, Feb 2, 2021 at 4:29 PM Daniel Walker <danielwa@...co.com> wrote:
> From: Phil Zhang <xuanyzha@...co.com>
>
> To ease the root cause analysis of SELinux AVCs, this new feature
> traverses task structs to iteratively find all parent processes
> starting with the denied process and ending at the kernel. Meanwhile,
> it prints out the command lines and subject contexts of those parents.
>
> This provides developers a clear view of how processes were spawned
> and where transitions happened, without the need to reproduce the
> issue and manually audit interesting events.
>
> Example on bash over ssh:
>     $ runcon -u system_u -r system_r -t polaris_hm_t ls
>     ...
>     type=PARENT msg=audit(1610548241.033:255): subj=root:unconfined_r:unconfined_t:s0-s0:c0.c1023  cmdline="-bash"
>     type=PARENT msg=audit(1610548241.033:255): subj=system_u:system_r:sshd_t:s0-s0:c0.c1023        cmdline="sshd: root@.../0"
>     type=PARENT msg=audit(1610548241.033:255): subj=system_u:system_r:sshd_t:s0-s0:c0.c1023        cmdline="/tmp/sw/rp/0/0/rp_security/mount/usr/sbin/sshd
>     type=PARENT msg=audit(1610548241.033:255): subj=system_u:system_r:init_t:s0                    cmdline="/init"
>     type=PARENT msg=audit(1610548241.033:255): subj=system_u:system_r:kernel_t:s0
>     ...
>
> Cc: xe-linux-external@...co.com
> Signed-off-by: Phil Zhang <xuanyzha@...co.com>
> Signed-off-by: Daniel Walker <danielwa@...co.com>
> ---
>  include/uapi/linux/audit.h |  5 ++-
>  init/Kconfig               |  7 +++++
>  kernel/audit.c             |  3 +-
>  kernel/auditsc.c           | 64 ++++++++++++++++++++++++++++++++++++++
>  4 files changed, 77 insertions(+), 2 deletions(-)

This is just for development/testing of SELinux policy, right?  It
seems like this is better done in userspace to me through a
combination of policy analysis and just understanding of how your
system is put together.

If you really need this information in the audit log for some
production use, it seems like you could audit the various
fork()/exec() syscalls to get an understanding of the various process
(sub)trees on the system.  It would require a bit of work to sift
through the audit log and reconstruct the events that led to a process
being started, and generating the AVC you are interested in debugging,
but folks who live The Audit Life supposedly do this sort of thing a
lot (this sort of thing being tracing a process/session).

-- 
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ