[PATCH ghak122 v1] audit: store event sockaddr in case of no rules

Mon Jul 13 22:30:51 UTC 2020

On Mon, Jul 13, 2020 at 1:40 PM Richard Guy Briggs <rgb at redhat.com> wrote:
> On 2020-07-08 18:49, Paul Moore wrote:
> > On Fri, Jul 3, 2020 at 1:18 PM Richard Guy Briggs <rgb at redhat.com> wrote:
> > > When there are no rules present, the event SOCKADDR record is not
> > > generated due to audit_dummy_context() generated at syscall entry from
> > > audit_n_rules.  Store this information if there is a context present to
> > > store it so that mandatory events are more complete (startup, LSMs...).
> > >
> > > Please see the upstream issue
> > > https://github.com/linux-audit/audit-kernel/issues/122
> > >
> > > Signed-off-by: Richard Guy Briggs <rgb at redhat.com>
> > > ---
> > > Passes audit-testsuite.
> > >
> > >  include/linux/audit.h | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > Do we have any certification requirements driving this change?  I ask
> > because if we make this change, why not do the same for PATH records?
>
> I filed the issue because I noticed the SOCKADDR record missing from
> configuration events required for certification.

I guess my original question wasn't very clear, let me try again ...

Do we have any certification requirements for this that require the
SOCKADDR record without an explicit audit configuration that would
capture/generate the sockaddr information?  It's been a while since
I've been involved in a certification effort, but if I remember
correctly those efforts required a specific audit configuration to be
compliant (file watches, syscall rules, etc.).

If there is a certification requirement for this, it might be a good
idea to include it in the commit description.  I don't believe we've
been very good about doing that in the past, but it seems like
something that would be worthwhile.

> > The problem of course is that doing this for both is going to be
> > costly, the PATH records in particular seem like they would raise a
> > performance regression.
>
> I had a minor concern about performance for SOCKADDR.  I filed SOCKADDR
> because I noticed it missing, but intended to file others as noticed.
>
> I agree the PATH records would have a larger performance concern, but if
> they are required to support event records that are required for
> certification then either we store them when the context is present or
> generate them retroactively once a required event record is generated.
>
> In the case of SOCKADDR it may be possible to store that information
> once the required record has been generated rather than whenever there
> is a valid audit context, but it is currently collected earlier than
> config records are emitted.

Before we go too far on this, let's track down the answer to the
question above - is this more an issue of having the proper,
certification-compliant audit configuration loaded into the kernel?

> > I agree it would be nice to have this information, but I fear that
> > gating this on audit_dummy_context() is the right thing to do unless
> > there is a strong requirement that we always record this information.
>
> That would have been great feedback when the issue was filed.
> However, there may be a middle ground as descirbed above.

I've mentioned before that while the GH issues are nice for tracking
issues, technical discussions should happen on list ... like they are
now.

-- 
paul moore
www.paul-moore.com