Integrity auditing
Steve Grubb
sgrubb at redhat.com
Wed Sep 12 13:25:51 UTC 2007
On Monday 10 September 2007 16:16:23 Mimi Zohar wrote:
> > I wonder if these should be emitted as an audit event?
>
> Ok. Instead of only logging the boot parameter errors, we will audit them.
> The format will be: integrity: pid= auid= comm= op=
How about:
pid= uid= auid= subj= op= comm= res=
pid, uid, comm are not really required, but they are nice to have.
> where op is one of:
> op=ima_enabled
> op=ima_not_enabled
>
> op=hash_setup(sha1)
> op=hash_setup(md5)
> op=hash_setup(invalid_hash_type)
For the last 3 messages op=setup hash=
But in a way, this really sounds like you need 2 event types. One for IMA and
one for hash selection. This is because they are doing fundamentally
different things.
> > The above message needs to have auid so that we know who initiated the
> > action. It also should have res=0 or res=1 at the end to indicate
> > success or failure. 0 being failure and 1 being success. Also, this audit
> > record has only a file name in it. Because mount points can change the
> > names of things, you should also probably include the device and inode to
> > help identify what is really being reported.
>
> Ok. Based on your comments, would the following format be acceptable?
>
> integrity: pid= auid= comm= name= dev= inode= op= res=
Sure. optionally, you could put uid= right before auid=. The selinux labels
are missing. So, I'd suggest an order like this:
pid= uid= auid= subj= op= comm= name= dev= inode= obj= res=
> Although both integrity_audit() and integrity_audit_pcr() would have
> the same format, integrity_audit() would be used to report the results
> of integrity_verify_metadata()/data(), while integrity_audit_pcr()
> would report the results of extending the PCR register.
OK
> For integrity_audit_pcr, the op would be:
> op=invalidate_pcr(ToMToU)
> op=invalidate_pcr(open_writers)
what you have in parenthesis should probably be name=value.
> op=add_measure(ENOMEM)
> op=add_measure(null_hash)
> op=add_measure(long_digest)
> op=add_measure
>
> For integrity_audit(), the op would probably be something similar to:
> op=verify_metadata
> op=verify_data
Again, this sounds like you need 3 audit event types since the messages are
trying to express something different.
> > If selinux is enabled, this event should also have obj= and
> > the selinux context. The subj should be likewise recorded.
>
> This brings us back to the original question as to who should be emitting
> the integrity audit msgs. If the LIM provider is emitting the audit msg,
> then shouldn't it be LSM agnostic?
We just went through an LSPP certification of the Linux kernel. We have labels
on everything. We really need to keep the standard since its a lot of trouble
to hunt these all down and fix next time the kernel goes through a common
criteria certification. I don't know enough about your subsystem to say who
should do it. But we should have the labels in a portable fashion. What we
were doing is something like this:
struct audit_aux_data_ipcctl *axi = (void *)aux;
audit_log_format(ab,
"ouid=%u ogid=%u mode=%x",
axi->uid, axi->gid, axi->mode);
^^^ This would be the normal part that is for CAPP. The next part optionally
does the obj if selinux is enabled:
if (axi->osid != 0) {
char *ctx = NULL;
u32 len;
if (selinux_ctxid_to_string(
axi->osid, &ctx, &len)) {
audit_log_format(ab, " osid=%u",
axi->osid);
call_panic = 1;
} else
audit_log_format(ab, " obj=%s", ctx);
kfree(ctx);
}
By doing this, people that have selinux get the labels, the people without
selinux do not have wasted space in the audit logs.
Thanks,
-Steve
More information about the Linux-audit
mailing list