lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <200707251921.l6PJLhxV015256@faith.austin.ibm.com>
Date:	Wed, 25 Jul 2007 14:21:43 -0500
From:	Joy Latten <latten@...tin.ibm.com>
To:	netdev@...r.kernel.org
Cc:	davem@...emloft.net, linux-audit@...hat.com, sgrubb@...hat.com
Subject: [PATCH]: 2nd revision of make xfrm_audit_log more generic

This is 2nd revision of patch to modify xfrm_audit_log() such
that it can accomodate auditing other ipsec events
besides add/delete of an SA or SPD entry.

2nd revision includes new define for all IPsec
events in audit.h and introduces "op=" entry
in logfile as well as add a hyphen in description
for report parsing. 

This is a small change to accomodate updating
ipsec protocol to RFCs 4301, 4302 and 4303 which
require auditing some ipsec events if auditing
is available. Please let me know if ok.

Regards,
Joy

Signed-off-by: Joy Latten <latten@...tin.ibm.com>

diff -urpN linux-2.6.22/include/linux/audit.h linux-2.6.22.patch/include/linux/audit.h
--- linux-2.6.22/include/linux/audit.h	2007-07-23 14:35:28.000000000 -0500
+++ linux-2.6.22.patch/include/linux/audit.h	2007-07-23 14:38:51.000000000 -0500
@@ -112,6 +112,7 @@
 #define AUDIT_MAC_IPSEC_DELSA	1412	/* Delete a XFRM state */
 #define AUDIT_MAC_IPSEC_ADDSPD	1413	/* Add a XFRM policy */
 #define AUDIT_MAC_IPSEC_DELSPD	1414	/* Delete a XFRM policy */
+#define AUDIT_MAC_IPSEC_EVENT	1415	/* Audit IPSec events */
 
 #define AUDIT_FIRST_KERN_ANOM_MSG   1700
 #define AUDIT_LAST_KERN_ANOM_MSG    1799
diff -urpN linux-2.6.22/include/net/xfrm.h linux-2.6.22.patch/include/net/xfrm.h
--- linux-2.6.22/include/net/xfrm.h	2007-07-23 14:35:28.000000000 -0500
+++ linux-2.6.22.patch/include/net/xfrm.h	2007-07-23 14:38:51.000000000 -0500
@@ -427,9 +427,11 @@ struct xfrm_audit
 
 #ifdef CONFIG_AUDITSYSCALL
 extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
-		    struct xfrm_policy *xp, struct xfrm_state *x);
+			   u16 family, xfrm_address_t saddr, 
+			   xfrm_address_t daddr, __be32 spi, __be32 flowid, 
+			   struct xfrm_sec_ctx *sctx, char *buf);
 #else
-#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
+#define xfrm_audit_log(a,i,t,r,f,s,d,p,l,c,b) do { ; } while (0)
 #endif /* CONFIG_AUDITSYSCALL */
 
 static inline void xfrm_pol_hold(struct xfrm_policy *policy)
diff -urpN linux-2.6.22/net/key/af_key.c linux-2.6.22.patch/net/key/af_key.c
--- linux-2.6.22/net/key/af_key.c	2007-07-08 18:32:17.000000000 -0500
+++ linux-2.6.22.patch/net/key/af_key.c	2007-07-24 11:50:35.000000000 -0500
@@ -1459,7 +1459,9 @@ static int pfkey_add(struct sock *sk, st
 		err = xfrm_state_update(x);
 
 	xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-		       AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+		       AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+		       x->props.family, x->props.saddr, x->id.daddr, 
+		       x->id.spi, 0, x->security, "SAD-add");
 
 	if (err < 0) {
 		x->km.state = XFRM_STATE_DEAD;
@@ -1513,7 +1515,10 @@ static int pfkey_delete(struct sock *sk,
 	km_state_notify(x, &c);
 out:
 	xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-		       AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+		       AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, x->props.family,
+		       x->props.saddr, x->id.daddr, x->id.spi, 0,
+		       x->security, "SAD-delete");
+
 	xfrm_state_put(x);
 
 	return err;
@@ -2266,7 +2271,9 @@ static int pfkey_spdadd(struct sock *sk,
 				 hdr->sadb_msg_type != SADB_X_SPDUPDATE);
 
 	xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-		       AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL);
+		       AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+		       xp->selector.family, xp->selector.saddr,
+		       xp->selector.daddr, 0, 0, xp->security, "SPD-add");
 
 	if (err)
 		goto out;
@@ -2350,7 +2357,9 @@ static int pfkey_spddelete(struct sock *
 		return -ENOENT;
 
 	xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-		       AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+		       AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1,
+		       xp->selector.family, xp->selector.saddr,
+		       xp->selector.daddr, 0, 0, xp->security, "SPD-delete");
 
 	if (err)
 		goto out;
@@ -2611,7 +2620,10 @@ static int pfkey_spdget(struct sock *sk,
 
 	if (delete) {
 		xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-			       AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+			       AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+			       xp->selector.family, xp->selector.saddr,
+			       xp->selector.daddr, 0, 0, xp->security,
+			       "SPD-delete");
 
 		if (err)
 			goto out;
diff -urpN linux-2.6.22/net/xfrm/xfrm_policy.c linux-2.6.22.patch/net/xfrm/xfrm_policy.c
--- linux-2.6.22/net/xfrm/xfrm_policy.c	2007-07-23 14:35:29.000000000 -0500
+++ linux-2.6.22.patch/net/xfrm/xfrm_policy.c	2007-07-24 11:46:24.000000000 -0500
@@ -853,8 +853,11 @@ xfrm_policy_flush_secctx_check(u8 type, 
 			if (err) {
 				xfrm_audit_log(audit_info->loginuid,
 					       audit_info->secid,
-					       AUDIT_MAC_IPSEC_DELSPD, 0,
-					       pol, NULL);
+					       AUDIT_MAC_IPSEC_EVENT, 0,
+					       pol->selector.family, 
+					       pol->selector.saddr, 
+					       pol->selector.daddr, 0, 0,
+					       pol->security, "SPD-delete");
 				return err;
 			}
 		}
@@ -868,8 +871,12 @@ xfrm_policy_flush_secctx_check(u8 type, 
 				if (err) {
 					xfrm_audit_log(audit_info->loginuid,
 						       audit_info->secid,
-						       AUDIT_MAC_IPSEC_DELSPD,
-						       0, pol, NULL);
+						       AUDIT_MAC_IPSEC_EVENT,
+						       0, pol->selector.family, 
+						       pol->selector.saddr, 
+						       pol->selector.daddr, 
+						       0, 0, pol->security, 
+						       "SPD-delete");
 					return err;
 				}
 			}
@@ -911,7 +918,11 @@ int xfrm_policy_flush(u8 type, struct xf
 			write_unlock_bh(&xfrm_policy_lock);
 
 			xfrm_audit_log(audit_info->loginuid, audit_info->secid,
-				       AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL);
+				       AUDIT_MAC_IPSEC_EVENT, 1, 
+				       pol->selector.family,
+				       pol->selector.saddr,
+				       pol->selector.daddr, 0, 0,
+				       pol->security, "SPD-delete");
 
 			xfrm_policy_kill(pol);
 			killed++;
@@ -933,8 +944,11 @@ int xfrm_policy_flush(u8 type, struct xf
 
 				xfrm_audit_log(audit_info->loginuid,
 					       audit_info->secid,
-					       AUDIT_MAC_IPSEC_DELSPD, 1,
-					       pol, NULL);
+					       AUDIT_MAC_IPSEC_EVENT, 1,
+					       pol->selector.family,
+					       pol->selector.saddr,
+					       pol->selector.daddr, 0, 0,
+					       pol->security, "SPD-delete");
 
 				xfrm_policy_kill(pol);
 				killed++;
@@ -2154,44 +2168,23 @@ EXPORT_SYMBOL(xfrm_bundle_ok);
 /* Audit addition and deletion of SAs and ipsec policy */
 
 void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
-		    struct xfrm_policy *xp, struct xfrm_state *x)
+                    u16 family, xfrm_address_t saddr, xfrm_address_t daddr,
+                    __be32 spi, __be32 flowlabel, struct xfrm_sec_ctx *sctx,
+                    char *buf)
 {
-
 	char *secctx;
 	u32 secctx_len;
-	struct xfrm_sec_ctx *sctx = NULL;
 	struct audit_buffer *audit_buf;
-	int family;
 	extern int audit_enabled;
 
 	if (audit_enabled == 0)
 		return;
 
-	BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
-		type == AUDIT_MAC_IPSEC_DELSA) && !x);
-	BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
-		type == AUDIT_MAC_IPSEC_DELSPD) && !xp);
-
 	audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
 	if (audit_buf == NULL)
 		return;
 
-	switch(type) {
-	case AUDIT_MAC_IPSEC_ADDSA:
-		audit_log_format(audit_buf, "SAD add: auid=%u", auid);
-		break;
-	case AUDIT_MAC_IPSEC_DELSA:
-		audit_log_format(audit_buf, "SAD delete: auid=%u", auid);
-		break;
-	case AUDIT_MAC_IPSEC_ADDSPD:
-		audit_log_format(audit_buf, "SPD add: auid=%u", auid);
-		break;
-	case AUDIT_MAC_IPSEC_DELSPD:
-		audit_log_format(audit_buf, "SPD delete: auid=%u", auid);
-		break;
-	default:
-		return;
-	}
+	audit_log_format(audit_buf, "op=%s: auid=%u", buf, auid);
 
 	if (sid != 0 &&
 		security_secid_to_secctx(sid, &secctx, &secctx_len) == 0)
@@ -2199,16 +2192,6 @@ void xfrm_audit_log(uid_t auid, u32 sid,
 	else
 		audit_log_task_context(audit_buf);
 
-	if (xp) {
-		family = xp->selector.family;
-		if (xp->security)
-			sctx = xp->security;
-	} else {
-		family = x->props.family;
-		if (x->security)
-			sctx = x->security;
-	}
-
 	if (sctx)
 		audit_log_format(audit_buf,
 				" sec_alg=%u sec_doi=%u sec_obj=%s",
@@ -2216,48 +2199,24 @@ void xfrm_audit_log(uid_t auid, u32 sid,
 
 	switch(family) {
 	case AF_INET:
-		{
-			struct in_addr saddr, daddr;
-			if (xp) {
-				saddr.s_addr = xp->selector.saddr.a4;
-				daddr.s_addr = xp->selector.daddr.a4;
-			} else {
-				saddr.s_addr = x->props.saddr.a4;
-				daddr.s_addr = x->id.daddr.a4;
-			}
-			audit_log_format(audit_buf,
-					 " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
-					 NIPQUAD(saddr), NIPQUAD(daddr));
-		}
-			break;
+		audit_log_format(audit_buf,
+				 " src=" NIPQUAD_FMT " dst=" NIPQUAD_FMT,
+				 NIPQUAD(saddr.a4), NIPQUAD(daddr.a4));
+		break;
 	case AF_INET6:
-		{
-			struct in6_addr saddr6, daddr6;
-			if (xp) {
-				memcpy(&saddr6, xp->selector.saddr.a6,
-					sizeof(struct in6_addr));
-				memcpy(&daddr6, xp->selector.daddr.a6,
-					sizeof(struct in6_addr));
-			} else {
-				memcpy(&saddr6, x->props.saddr.a6,
-					sizeof(struct in6_addr));
-				memcpy(&daddr6, x->id.daddr.a6,
-					sizeof(struct in6_addr));
-			}
-			audit_log_format(audit_buf,
-					 " src=" NIP6_FMT " dst=" NIP6_FMT,
-					 NIP6(saddr6), NIP6(daddr6));
-		}
+		audit_log_format(audit_buf, " src=" NIP6_FMT " dst=" NIP6_FMT,
+				 NIP6(*((struct in6_addr *)&saddr.a6)),
+				 NIP6(*((struct in6_addr *)&daddr.a6)));
 		break;
 	}
 
-	if (x)
-		audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s",
-				(unsigned long)ntohl(x->id.spi),
-				(unsigned long)ntohl(x->id.spi),
-				x->id.proto == IPPROTO_AH ? "AH" :
-				(x->id.proto == IPPROTO_ESP ?
-				"ESP" : "IPCOMP"));
+	if (flowlabel)
+		audit_log_format(audit_buf, " flowlabel=%u", flowlabel);
+
+	if (spi)
+		audit_log_format(audit_buf, " spi=%lu(0x%lx)",
+				(unsigned long)ntohl(spi),
+				(unsigned long)ntohl(spi));
 
 	audit_log_format(audit_buf, " res=%u", result);
 	audit_log_end(audit_buf);
diff -urpN linux-2.6.22/net/xfrm/xfrm_state.c linux-2.6.22.patch/net/xfrm/xfrm_state.c
--- linux-2.6.22/net/xfrm/xfrm_state.c	2007-07-23 14:35:29.000000000 -0500
+++ linux-2.6.22.patch/net/xfrm/xfrm_state.c	2007-07-24 11:48:27.000000000 -0500
@@ -303,7 +303,9 @@ expired:
 		km_state_expired(x, 1, 0);
 
 	xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-		       AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+		       AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+		       x->props.family, x->props.saddr, x->id.daddr, x->id.spi,
+		       0, x->security, "SAD-delete");
 
 out:
 	spin_unlock(&x->lock);
@@ -406,9 +408,10 @@ xfrm_state_flush_secctx_check(u8 proto, 
 			   (err = security_xfrm_state_delete(x)) != 0) {
 				xfrm_audit_log(audit_info->loginuid,
 					       audit_info->secid,
-					       AUDIT_MAC_IPSEC_DELSA,
-					       0, NULL, x);
-
+					       AUDIT_MAC_IPSEC_EVENT, 0,
+					       x->props.family, x->props.saddr, 
+					       x->id.daddr, x->id.spi, 0, 
+					       x->security, "SAD-delete");
 				return err;
 			}
 		}
@@ -446,8 +449,11 @@ restart:
 				err = xfrm_state_delete(x);
 				xfrm_audit_log(audit_info->loginuid,
 					       audit_info->secid,
-					       AUDIT_MAC_IPSEC_DELSA,
-					       err ? 0 : 1, NULL, x);
+					       AUDIT_MAC_IPSEC_EVENT, 
+					       err ? 0 : 1, x->props.family,
+					       x->props.saddr, x->id.daddr,
+					       x->id.spi, 0, x->security,
+					       "SAD-delete");
 				xfrm_state_put(x);
 
 				spin_lock_bh(&xfrm_state_lock);
diff -urpN linux-2.6.22/net/xfrm/xfrm_user.c linux-2.6.22.patch/net/xfrm/xfrm_user.c
--- linux-2.6.22/net/xfrm/xfrm_user.c	2007-07-08 18:32:17.000000000 -0500
+++ linux-2.6.22.patch/net/xfrm/xfrm_user.c	2007-07-24 11:49:33.000000000 -0500
@@ -456,7 +456,9 @@ static int xfrm_add_sa(struct sk_buff *s
 		err = xfrm_state_update(x);
 
 	xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-		       AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+		       AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+		       x->props.family, x->props.saddr, x->id.daddr, 
+		       x->id.spi, 0, x->security, "SAD-add");
 
 	if (err < 0) {
 		x->km.state = XFRM_STATE_DEAD;
@@ -539,7 +541,9 @@ static int xfrm_del_sa(struct sk_buff *s
 
 out:
 	xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-		       AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+		       AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+		       x->props.family, x->props.saddr, x->id.daddr, 
+		       x->id.spi, 0, x->security, "SAD-delete");
 	xfrm_state_put(x);
 	return err;
 }
@@ -1149,7 +1153,9 @@ static int xfrm_add_policy(struct sk_buf
 	excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
 	err = xfrm_policy_insert(p->dir, xp, excl);
 	xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-		       AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+		       AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+		       xp->selector.family, xp->selector.saddr, 
+		       xp->selector.daddr, 0, 0, xp->security, "SPD-delete");
 
 	if (err) {
 		security_xfrm_policy_free(xp);
@@ -1395,7 +1401,10 @@ static int xfrm_get_policy(struct sk_buf
 		}
 	} else {
 		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-			       AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+			       AUDIT_MAC_IPSEC_EVENT, err ? 0 : 1, 
+			       xp->selector.family, xp->selector.saddr,
+			       xp->selector.daddr, 0, 0, xp->security,
+			       "SPD-delete");
 
 		if (err != 0)
 			goto out;
@@ -1644,8 +1653,9 @@ static int xfrm_add_pol_expire(struct sk
 	if (up->hard) {
 		xfrm_policy_delete(xp, p->dir);
 		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-				AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL);
-
+			       AUDIT_MAC_IPSEC_EVENT, 1, xp->selector.family,
+			       xp->selector.saddr, xp->selector.daddr, 0, 0,
+			       xp->security, "SPD-delete");
 	} else {
 		// reset the timers here?
 		printk("Dont know what to do with soft policy expire\n");
@@ -1680,7 +1690,9 @@ static int xfrm_add_sa_expire(struct sk_
 	if (ue->hard) {
 		__xfrm_state_delete(x);
 		xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-			       AUDIT_MAC_IPSEC_DELSA, 1, NULL, x);
+			       AUDIT_MAC_IPSEC_EVENT, 1, x->props.family,
+			       x->props.saddr, x->id.daddr, x->id.spi, 0,
+			       x->security, "SAD-delete");
 	}
 	err = 0;
 out:
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ