lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 2 Feb 2022 16:27:50 -0500
From:   Stefan Berger <stefanb@...ux.ibm.com>
To:     Mimi Zohar <zohar@...ux.ibm.com>,
        Christian Brauner <brauner@...nel.org>, serge@...lyn.com
Cc:     linux-integrity@...r.kernel.org, christian.brauner@...ntu.com,
        containers@...ts.linux.dev, dmitry.kasatkin@...il.com,
        ebiederm@...ssion.com, krzysztof.struczynski@...wei.com,
        roberto.sassu@...wei.com, mpeters@...hat.com, lhinds@...hat.com,
        lsturman@...hat.com, puiterwi@...hat.com, jejb@...ux.ibm.com,
        jamjoom@...ibm.com, linux-kernel@...r.kernel.org,
        paul@...l-moore.com, rgb@...hat.com,
        linux-security-module@...r.kernel.org, jmorris@...ei.org
Subject: Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns


On 2/2/22 13:18, Stefan Berger wrote:
>
> On 2/2/22 11:04, Mimi Zohar wrote:
>> Stefan, we need to differentiate between the different types of audit
>> records being produced by IMA.  Some of these are informational, like
>> the policy rules being loaded or "Time of Measure, Time of Use"
>> (ToMToU) records.  When we discuss IMA-audit we're referring to the
>> file hashes being added in the audit log.  These are the result of the
>> IMA "audit" policy rules.
>>
>> How much of these informational messages should be audited in IMA
>> namespaces still needs to be discussed.  For now, feel free to limit
>> the audit messages to just the file hashes.
> I doubt we should let a user produce informational audit messages or 
> audit messages related to file hashes... it's unfortunate, but it 
> opens a door for abuse.

After some offline discussion with Mimi, the solution may be to gate 
setting IMA audit policy rules with CAP_SYS_ADMIN.

    Stefan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ