lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 2 Mar 2023 14:05:33 -0500
From:   Paul Moore <paul@...l-moore.com>
To:     Steve Grubb <sgrubb@...hat.com>
Cc:     corbet@....net, zohar@...ux.ibm.com, jmorris@...ei.org,
        serge@...lyn.com, tytso@....edu, ebiggers@...nel.org,
        axboe@...nel.dk, agk@...hat.com, snitzer@...nel.org,
        eparis@...hat.com, linux-audit@...hat.com,
        Fan Wu <wufan@...ux.microsoft.com>, dm-devel@...hat.com,
        linux-doc@...r.kernel.org,
        Deven Bowers <deven.desai@...ux.microsoft.com>,
        roberto.sassu@...wei.com, linux-security-module@...r.kernel.org,
        linux-kernel@...r.kernel.org, linux-block@...r.kernel.org,
        linux-fscrypt@...r.kernel.org, linux-integrity@...r.kernel.org
Subject: Re: [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support

On Tue, Jan 31, 2023 at 12:11 PM Steve Grubb <sgrubb@...hat.com> wrote:
>
> Hello,
>
> On Monday, January 30, 2023 5:57:22 PM EST Fan Wu wrote:
> > From: Deven Bowers <deven.desai@...ux.microsoft.com>
> >
> > Users of IPE require a way to identify when and why an operation fails,
> > allowing them to both respond to violations of policy and be notified
> > of potentially malicious actions on their systens with respect to IPE
> > itself.
> >
> > The new 1420 audit, AUDIT_IPE_ACCESS indicates the result of a policy
> > evaulation of a resource. The other two events, AUDIT_MAC_POLICY_LOAD,
> > and AUDIT_MAC_CONFIG_CHANGE represent a new policy was loaded into the
> > kernel and the currently active policy changed, respectively.
>
> Typically when you reuse an existing record type, it is expected to maintain
> the same fields in the same order. Also, it is expect that fields that are
> common across diferent records have the same meaning. To aid in this, we have
> a field dictionary here:
>
> https://github.com/linux-audit/audit-documentation/blob/main/specs/fields/
> field-dictionary.csv
>
> For example, dev is expected to be 2 hex numbers separated by a colon which
> are the device major and minor numbers. But down a couple lines from here, we
> find dev="tmpfs". But isn't that a filesystem type?

What Steve said.

I'll also add an administrative note, we just moved upstream Linux
audit development to a new mailing list, audit@...r.kernel.org, please
use that in future patch submissions.  As a positive, it's a fully
open list so you won't run into moderation delays/notifications/etc.

> > This patch also adds support for success auditing, allowing users to
> > identify how a resource passed policy. It is recommended to use this
> > option with caution, as it is quite noisy.
> >
> > This patch adds the following audit records:
> >
> >   audit: AUDIT1420 path="/tmp/tmpwxmam366/deny/bin/hello" dev="tmpfs"
> >     ino=72 rule="DEFAULT op=EXECUTE action=DENY"
>
> Do we really need to log the whole rule?

Fan, would it be reasonable to list the properties which caused the
access denial?  That seems like it might be more helpful than the
specific rule, or am I missing something?

> >   The above audit record shows IPE blocked a file
> >     /tmp/tmpwxmam366/deny/bin/hello in the temp file system.
> >
> >   audit: AUDIT1420 path="/tmp/tmpxkvb3d9x/deny/bin/hello" dev="tmpfs"
> >     ino=157 rule="DEFAULT action=DENY"
> >
> >   The above audit record shows IPE blocked a file
> >     /tmp/tmpxkvb3d9x/deny/bin/hello in the temp file system via another
> >     rule.
> >
> >   audit: MAC_POLICY_LOAD policy_name="dmverity_roothash"
> >     policy_version=0.0.0 sha256=DC67AC19E05894EFB3170A8E55DE529794E248C2
> >     auid=4294967295 ses=4294967295 lsm=ipe res=1
>
> The MAC_POLICY_LOAD record type simply states the lsm that had it's policy
> loaded. There isn't name, version, and hash information. I'd prefer to see
> all users of this record type decide if it should be extended because they
> also have that information available to record.

Not all LSMs which load policy have that information; as an example,
SELinux doesn't have the concept of a policy name or version.  The
SELinux policy version you might see in the kernel sources refers to
the policy format version and has no bearing on the actual policy
content beyond that dictated by the format.

If additional information is required by IPE, perhaps an auxiliary IPE
policy load record could be created with those additional fields.

> >   The above audit record shows IPE loaded a new policy named
> >     "dmverity_roothash" with the sha256 hash of the policy.
> >
> >   audit: MAC_CONFIG_CHANGE old_active_pol_name="Allow_All"
> >     old_active_pol_version=0.0.0
> >     old_sha256=DA39A3EE5E6B4B0D3255BFEF95601890AFD80709
> >     new_active_pol_name="dmverity_roothash" new_active_pol_version=0.0.0
> >     new_sha256=DC67AC19E05894EFB3170A8E55DE529794E248C2
> >     auid=4294967295 ses=4294967295 lsm=ipe res=1
> >
> >   The above audit record shows IPE's active policy switched from
> >     "Allow_All" to "dmverity_roothash".
>
> Shouldn't this just be another MAC_POLICY_LOAD? That would match other LSM's.
> The MAC_CONFIG_CHANGE is to denote that a changeable option was modified from
> one value to another. But it is still operating under the same policy.

If it is just switching from one previously loaded policy to another,
it seems like MAC_CONFIG_CHANGE might be the best choice.

--
paul-moore.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ