Date:   Wed, 02 Feb 2022 11:04:18 -0500
From:   Mimi Zohar <zohar@...ux.ibm.com>
To:     Stefan Berger <stefanb@...ux.ibm.com>,
        Christian Brauner <brauner@...nel.org>, serge@...lyn.com
Cc:     linux-integrity@...r.kernel.org, christian.brauner@...ntu.com,
        containers@...ts.linux.dev, dmitry.kasatkin@...il.com,
        ebiederm@...ssion.com, krzysztof.struczynski@...wei.com,
        roberto.sassu@...wei.com, mpeters@...hat.com, lhinds@...hat.com,
        lsturman@...hat.com, puiterwi@...hat.com, jejb@...ux.ibm.com,
        jamjoom@...ibm.com, linux-kernel@...r.kernel.org,
        paul@...l-moore.com, rgb@...hat.com,
        linux-security-module@...r.kernel.org, jmorris@...ei.org
Subject: Re: [PATCH v10 00/27] ima: Namespace IMA with audit support in IMA-ns

On Wed, 2022-02-02 at 09:40 -0500, Stefan Berger wrote:
> On 2/2/22 09:13, Christian Brauner wrote:
> > On Tue, Feb 01, 2022 at 03:37:08PM -0500, Stefan Berger wrote:
> >>
> >> v10:
> >>   - Added A-b's; addressed issues from v9
> >>   - Added 2 patches to support freeing of iint after namespace deletion
> >>   - Added patch to return error code from securityfs functions
> >>   - Added patch to limit number of policy rules in IMA-ns to 1024
> > I'm going to go take a lighter touch with this round of reviews.
> > First, because I have February off. :)
> > Second, because I think that someone who is more familiar with IMA and
> > its requirements should take another look to provide input and ask more
> > questions. Last time I spoke to Serge he did want to give this a longer
> > look and maybe also has additional questions.
> 
> The one problem I am seeing is that we probably cannot support auditing
> in IMA namespaces since every user can now create an IMA namespace.
> Unless auditing was namespaced, the way it is now gives too much control
> to the user to flood the host audit log.

Stefan, we need to differentiate between the different types of audit
records being produced by IMA.  Some of these are informational, like
the policy rules being loaded or "Time of Measure, Time of Use"
(ToMToU) records.  When we discuss IMA-audit we're referring to the
file hashes being added in the audit log.  These are the result of the
IMA "audit" policy rules.

How much of these informational messages should be audited in IMA
namespaces still needs to be discussed.  For now, feel free to limit
the audit messages to just the file hashes.

thanks,

Mimi

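To make the distinction in the reply above concrete, here is an added example (not code from the thread or from the kernel) that sorts constructed audit lines into the file-hash records produced by IMA "audit" policy rules and the informational policy-load and ToMToU records, and counts them per login uid so a burst of informational records from one user stands out. The record type names INTEGRITY_RULE, INTEGRITY_POLICY_RULE and INTEGRITY_PCR and every field value are assumptions, not taken from the message.

```python
import re
from collections import Counter

# Constructed sample audit lines (not from the thread). The record types
# and field values are assumed, chosen to resemble what IMA emits.
SAMPLE_AUDIT_LOG = """\
type=INTEGRITY_POLICY_RULE msg=audit(1643817858.101:201): action="audit" func="BPRM_CHECK" mask="MAY_EXEC" res=1
type=INTEGRITY_RULE msg=audit(1643817859.102:202): file="/usr/bin/ls" hash="sha256:0123abcd" pid=1200 auid=1000 uid=1000 comm="bash" res=1
type=INTEGRITY_PCR msg=audit(1643817860.103:203): pid=1201 uid=1000 auid=1000 op="invalid_pcr" cause="ToMToU" comm="cat" name="/tmp/data" res=1
type=INTEGRITY_RULE msg=audit(1643817861.104:204): file="/usr/bin/cat" hash="sha256:4567ef01" pid=1202 auid=1000 uid=1000 comm="bash" res=1
type=INTEGRITY_RULE msg=audit(1643817861.105:205): file="/usr/bin/cat" hash="sha256:4567ef01" pid=1203 auid=1000 uid=1000 comm="bash" res=1
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit line into a dict of key=value fields, unquoting values."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value.strip('"')
    return fields

def classify(rec):
    """'file-hash' for IMA-audit records (output of 'audit' policy rules),
    'informational' for policy-load and ToMToU/open_writers violation
    records, 'other' for anything else (assumed record-type mapping)."""
    rtype = rec.get("type")
    if rtype == "INTEGRITY_RULE" and "hash" in rec and "file" in rec:
        return "file-hash"
    if rtype == "INTEGRITY_POLICY_RULE":
        return "informational"
    if rtype == "INTEGRITY_PCR" and rec.get("cause") in ("ToMToU", "open_writers"):
        return "informational"
    return "other"

def summarize(log_text):
    """Count records per category and per (category, auid) so one login uid
    producing many records of a given kind is visible at a glance."""
    by_category = Counter()
    by_auid = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        cat = classify(rec)
        by_category[cat] += 1
        by_auid[(cat, rec.get("auid", "?"))] += 1
    return by_category, by_auid
```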