Received: by 10.223.185.116 with SMTP id b49csp6191910wrg; Thu, 8 Mar 2018 03:27:04 -0800 (PST) X-Google-Smtp-Source: AG47ELt6rzw/DUoI5KjrLPJ3mqTKwoAwSrQ2Qj42JiPBYgZzSt3MJpeZjW4i68w2Z17FQu6rRYrL X-Received: by 10.99.173.79 with SMTP id y15mr20769251pgo.136.1520508424580; Thu, 08 Mar 2018 03:27:04 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520508424; cv=none; d=google.com; s=arc-20160816; b=Y2JIuyM/eQoNrSCxsA2mfO1kinTnb60N4uLYZEWR6a5DgGVmXwj8NjdL7oXOu7nGce HnV0VltICQ2E4prQ9gVqBnNOn6R+i8AHAi7MFSw92mOWZZ+0pdeKz3JuT1WvL796Fz6j I3QnOukcEB6sJsMYkc1PEfzGSDGHJj1RIlGGHPmlbunLciqEoEZ8Lm/geS5MIKIgYHZu 8tz0724rpJth/7A2e1zRfG9PNRcSMDiWHqvgeUUcWCxTvYwzcA8rNJJ93uXSZIchJh7G 7a4/PnnTlJ3mD+S8pf6TUlA1RUfAkAAhpNbRY/lV8DMATL6WrcL5wRS86JrgMv3guHYa Syng== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:from:date :arc-authentication-results; bh=1rHtl3otImzR9bzt6IyOc8PVFCtXNs+IfAYqMZEPCKA=; b=DyNOXMUrQu0AWcGWeug0taQGwkvWlbVmqezaSY1Gm1q4jo8jA8YDu+YqpJrlilocfo HdxEwYE2A8ppdZmgWR6L73HtApw6FYvHjAyxNuEkA+G/JljBIHDhRNLjL+G34uvCBuvO hM2AOftPYiNiiDwqZkGYjlLMaR2HCE7BHjpGPVylijDq3BghkQeHXfIPiHKyJAlRUHWL 8s5/9AMZS8asN95wvJsbpqjkew4BnFQg+NlD5FTkzwARDLPqaL8uQUw6NXAR+xUKSJjf ugURJe7gSLFNsbC3YcIhSPvYTsUrUW25iCkGJIf4K7P9AG9nUYfzaIYYTXsIf0ooW/fu dw+g== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h13si12825238pgq.409.2018.03.08.03.26.50; Thu, 08 Mar 2018 03:27:04 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935750AbeCHLZw (ORCPT + 99 others); Thu, 8 Mar 2018 06:25:52 -0500 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:48584 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1755324AbeCHLZm (ORCPT ); Thu, 8 Mar 2018 06:25:42 -0500 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 80FA076FB9; Thu, 8 Mar 2018 11:25:41 +0000 (UTC) Received: from madcap2.tricolour.ca (ovpn-112-12.rdu2.redhat.com [10.10.112.12]) by smtp.corp.redhat.com (Postfix) with ESMTPS id AAE871DB20; Thu, 8 Mar 2018 11:25:35 +0000 (UTC) Date: Thu, 8 Mar 2018 06:21:04 -0500 From: Richard Guy Briggs To: Mimi Zohar Cc: containers@lists.linux-foundation.org, Linux-Audit Mailing List , linux-integrity , LKML , paul@paul-moore.com, sgrubb@redhat.com Subject: Re: [PATCH] audit: add containerid support for IMA-audit Message-ID: <20180308112104.z67wohdvjqemy7wy@madcap2.tricolour.ca> References: <1520257393.10396.291.camel@linux.vnet.ibm.com> <20180305135008.po6lheqnmkqqo6q4@madcap2.tricolour.ca> <1520259854.10396.313.camel@linux.vnet.ibm.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <1520259854.10396.313.camel@linux.vnet.ibm.com> User-Agent: NeoMutt/20171027 X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Thu, 08 Mar 2018 11:25:41 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Thu, 08 Mar 2018 11:25:41 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'rgb@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2018-03-05 09:24, Mimi Zohar wrote: > On Mon, 2018-03-05 at 08:50 -0500, Richard Guy Briggs wrote: > > On 2018-03-05 08:43, Mimi Zohar wrote: > > > Hi Richard, > > > > > > This patch has been compiled, but not runtime tested. > > > > Ok, great, thank you. I assume you are offering this patch to be > > included in this patchset? > > Yes, thank you. > > > I'll have a look to see where it fits in the > > IMA record. It might be better if it were an AUDIT_CONTAINER_INFO > > auxiliary record, but I'll have a look at the circumstances of the > > event. I had a look at the context of this record to see if adding the contid field to it made sense. I think the only records for which the contid field makes sense are the two newly proposed records, AUDIT_CONTAINER which introduces the container ID and the and AUDIT_CONTAINER_INFO which documents the presence of the container ID in a process event (or process-less network event). All others should use the auxiliary record AUDIT_CONTAINER_INFO rather than include the contid field directly itself. There are several reasons for this including record length, the ability to filter unwanted records, the difficulty of changing the order of or removing fields in the future. Syscalls get this information automatically if the container ID is set for a task via the AUDIT_CONTAINER_INFO auxiliary record. Generally a syscall event is one that uses the task's audit_context while a standalone event uses NULL or builds a local audit_context that is discarded immediately after the local use. Looking at the two cases of AUDIT_INTEGRITY_RULE record generation, it appears that they should be split into two distinct audit record types. The record created in ima_audit_measurement() is a syscall record that could possibly stand on its own since the subject attributes are present. If it remains a syscall auxiliary record it will automatically have the AUDIT_CONTAINER_INFO record accompany it anyways. If it is decided to detach it (which would save cpu/netlink/disk bandwidth but is not recommended due to not wanting to throw away any other syscall information or other involved records (PATH, CWD, etc...) then a local audit_context would be created for the AUDIT_INTEGRITY_RULE and AUDIT_CONTAINERID_INFO records only and immediately discarded. The record created in ima_parse_rule() is not currently a syscall record since it is passed an audit_context of NULL and it has a very different format that does not include any subject attributes (except subj_*=). At first glance it appears this one should be a syscall accompanied auxiliary record. Either way it should have an AUDIT_CONTAINER_INFO auxiliary record either by being converted to a syscall auxiliary record by using current->audit_context rather than NULL when calling audit_log_start(), or creating a local audit_context and calling audit_log_container_info() then releasing the local context. This version of the record has additional concerns covered here: https://github.com/linux-audit/audit-kernel/issues/52 Can you briefly describe the circumstances under which these two different identically-numbered records are produced as a first step towards splitting them into two distict records? The four AUDIT_INTEGRITY _METADATA, _PCR, _DATA and _STATUS records appear to be already properly covered for AUDIT_CONTAINER_INFO records by being syscall auxiliary records. The AUDIT_INTEGRITY_HASH record appears to be unused. > > Can you suggest a procedure to test it? > > Like IMA-measurement and IMA-appraisal, IMA-audit is enabled based on > policy. The example IMA policy, below, includes IMA-audit messages for > files executed. 'cat' the policy to /sys/kernel/security/ima/policy. > > /etc/ima/ima-policy: > audit func=BPRM_CHECK > > There's a FireEye blog titled "Extending Linux Executable Logging With > The Integrity Measurement Architecture"* that explains how to augment > their existing system security analytics with file hashes. > > *?https://www.fireeye.com/blog/threat-research/2016/11/extending_linux > _exec.html > > > Mimi > > > > If the containerid is defined, include it in the IMA-audit record. > > > > > > Signed-off-by: Mimi Zohar > > > --- > > > security/integrity/ima/ima_api.c | 3 +++ > > > 1 file changed, 3 insertions(+) > > > > > > diff --git a/security/integrity/ima/ima_api.c b/security/integrity/ima/ima_api.c > > > index 33b4458cdbef..41d29a06f28f 100644 > > > --- a/security/integrity/ima/ima_api.c > > > +++ b/security/integrity/ima/ima_api.c > > > @@ -335,6 +335,9 @@ void ima_audit_measurement(struct integrity_iint_cache *iint, > > > audit_log_untrustedstring(ab, algo_hash); > > > > > > audit_log_task_info(ab, current); > > > + if (audit_containerid_set(current)) > > > + audit_log_format(ab, " contid=%llu", > > > + audit_get_containerid(current)); > > > audit_log_end(ab); > > > > > > iint->flags |= IMA_AUDITED; > > > -- > > > 2.7.5 > > > > > > > - RGB - RGB -- Richard Guy Briggs Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635