Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp606082imm; Mon, 21 May 2018 11:06:25 -0700 (PDT) X-Google-Smtp-Source: AB8JxZqb5jc6J4zScLohjvKuiejw+Z08Xp6wE+mw529SVrz2BOCc6L0/XwOHdeEIlfcwDMHMBYFa X-Received: by 2002:a63:af0e:: with SMTP id w14-v6mr6748821pge.221.1526925985906; Mon, 21 May 2018 11:06:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1526925985; cv=none; d=google.com; s=arc-20160816; b=IPB4VMAsNJbDRgjVSp3nAmKK8TPEk1qVqtfDESOAqSkcECbEJVE8tTkw97RyzlrZCV xNyGjjO1Xnc4kzhDiowMFsE9fnAYKLutMnIZnCpBD7ryEKjaMDrA+l2Woa42lO7NeIMe LSzpnDbOg3d4KdaJMiKQtMC+SVNmNPDsbdzPfJHCNPbk6fMBh4nPCkvETOp9ju1g+ndZ jKdSh6VGVMOSetrTUMagt0kxZHiFYs28YWy1h4eFugD/p0le3gHyDXZ9Bh/4k46BCOEj BQFUa6F1U5iDdWWJisTw/UKwimZtkqBhjkWd7L0AXFwP0f7Qkq8uTrXlk0zg2NtX7rU1 jfsA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :from:references:cc:to:subject:arc-authentication-results; bh=1yyi+M5TY9WxTWUqfEKDZSQnh//yJft6+qOTF+ln+qc=; b=TTbNjZi1t4HTNytT5uPrhgTxfpx55EbOube9iAXgUqv8et18ppYFwu54L0fGDYm98U EWDdpTkYSAYdoBK9Bg7PsbPXxr8hXFc3dEVKg8QCS1IM65EqnHOrmJBryDXKYZfE0U8U 0FLxKvX8Kfbm7AfQHGI5kUqKZ05jW9+bEShSoYrMv2Qc4wngukmYy6iIx7L/nqPo1n8D WjJV/XbBGPV6LW4Svebd3s/h8a9pD/GUBNxqMpzNplH5AYy0K1I0a7hh3Ae5IxB9U5Ye biP4LztL7BRsfwLcct9Ilunl0M+mmI2oUvEJrzWdQu6i0V3xbM9RaChvsW1ij+xbkY57 AJ6w== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x64-v6si14851781pff.196.2018.05.21.11.06.11; Mon, 21 May 2018 11:06:25 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753610AbeEUSET (ORCPT + 99 others); Mon, 21 May 2018 14:04:19 -0400 Received: from mx0a-001b2d01.pphosted.com ([148.163.156.1]:58158 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753595AbeEUSEP (ORCPT ); Mon, 21 May 2018 14:04:15 -0400 Received: from pps.filterd (m0098404.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w4LI495L063535 for ; Mon, 21 May 2018 14:04:14 -0400 Received: from e33.co.us.ibm.com (e33.co.us.ibm.com [32.97.110.151]) by mx0a-001b2d01.pphosted.com with ESMTP id 2j41dam8uq-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 21 May 2018 14:04:14 -0400 Received: from localhost by e33.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Mon, 21 May 2018 12:04:13 -0600 Received: from b03cxnp08026.gho.boulder.ibm.com (9.17.130.18) by e33.co.us.ibm.com (192.168.1.133) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Mon, 21 May 2018 12:04:10 -0600 Received: from b03ledav006.gho.boulder.ibm.com (b03ledav006.gho.boulder.ibm.com [9.17.130.237]) by b03cxnp08026.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w4LI49Us12583290; Mon, 21 May 2018 11:04:09 -0700 Received: from b03ledav006.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E2A25C603C; Mon, 21 May 2018 12:04:09 -0600 (MDT) Received: from sbct-3.pok.ibm.com (unknown [9.47.158.153]) by b03ledav006.gho.boulder.ibm.com (Postfix) with ESMTP id 3F3FCC6042; Mon, 21 May 2018 12:04:09 -0600 (MDT) Subject: Re: [PATCH] audit: add containerid support for IMA-audit To: Steve Grubb , Mimi Zohar Cc: Richard Guy Briggs , containers@lists.linux-foundation.org, Linux-Audit Mailing List , linux-integrity , LKML , paul@paul-moore.com References: <1520257393.10396.291.camel@linux.vnet.ibm.com> <20180518155659.porewd6moctumkys@madcap2.tricolour.ca> <1526661264.3404.55.camel@linux.vnet.ibm.com> <5705556.pzqfGOkdjC@x2> From: Stefan Berger Date: Mon, 21 May 2018 14:04:08 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0 MIME-Version: 1.0 In-Reply-To: <5705556.pzqfGOkdjC@x2> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-MW X-TM-AS-GCONF: 00 x-cbid: 18052118-0008-0000-0000-000009D37E11 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00009062; HX=3.00000241; KW=3.00000007; PH=3.00000004; SC=3.00000261; SDB=6.01035634; UDB=6.00529728; IPR=6.00814762; MB=3.00021227; MTD=3.00000008; XFM=3.00000015; UTC=2018-05-21 18:04:12 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18052118-0009-0000-0000-000047621721 Message-Id: <7abd3460-0797-f003-12c7-7329beb0835b@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-05-21_06:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1805210214 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 05/21/2018 01:21 PM, Steve Grubb wrote: > On Friday, May 18, 2018 12:34:24 PM EDT Mimi Zohar wrote: >> On Fri, 2018-05-18 at 11:56 -0400, Richard Guy Briggs wrote: >>> On 2018-05-18 10:39, Mimi Zohar wrote: >>>> On Fri, 2018-05-18 at 09:54 -0400, Stefan Berger wrote: >>>>> On 05/18/2018 08:53 AM, Mimi Zohar wrote: >>>> [..] >>>> >>>>>>>>> If so, which ones? We could probably refactor the current >>>>>>>>> integrity_audit_message() and have ima_parse_rule() call into it >>>>>>>>> to get >>>>>>>>> those fields as well. I suppose adding new fields to it wouldn't >>>>>>>>> be >>>>>>>>> considered breaking user space? >>>>>>>> Changing the order of existing fields or inserting fields could >>>>>>>> break >>>>>>>> stuff and is strongly discouraged without a good reason, but >>>>>>>> appending >>>>>>>> fields is usually the right way to add information. >>>>>>>> >>>>>>>> There are exceptions, and in this case, I'd pick the "more >>>>>>>> standard" of >>>>>>>> the formats for AUDIT_INTEGRITY_RULE (ima_audit_measurement?) and >>>>>>>> stick >>>>>>>> with that, abandoning the other format, renaming the less >>>>>>>> standard >>>>>>>> version of the record (ima_parse_rule?) and perhpas adopting that >>>>>>>> abandonned format for the new record type while using >>>>>>>> current->audit_context. >>>>>> This sounds right, other than "type=INTEGRITY_RULE" (1805) for >>>>>> ima_audit_measurement(). Could we rename type=1805 to be >>>>> So do we want to change both? I thought that what >>>>> ima_audit_measurement() produces looks ok but may not have a good >>>>> name >>>>> for the 'type'. Now in this case I would not want to 'break user >>>>> space'. >>>>> The only change I was going to make was to what ima_parse_rule() >>>>> produces. >>>> The only change for now is separating the IMA policy rules from the >>>> IMA-audit messages. >>>> >>>> Richard, when the containerid is appended to the IMA-audit messages, >>>> would we make the audit type name change then? >>> No, go ahead and make the change now. I'm expecting that the >>> containerid record will just be another auxiliary record and should not >>> affect you folks. >> To summarize, we need to disambiguate the 1805, as both >> ima_parse_rule() and ima_audit_measurement() are using the same number >> with different formats. The main usage of 1805 that we are aware of >> is ima_audit_measurement(). Yet the "type=" name for >> ima_audit_measurement() should be INTEGRITY_IMA_AUDIT, not >> INTEGRITY_RULE. >> >> option 1: breaks both uses >> 1805 - INTEGRITY_IMA_AUDIT - ima_audit_measurement() >> 1806 - INTEGRITY_POLICY_RULE - ima_parse_rule() >> >> option 2: breaks the most common usage >> 1805 - INTEGRITY_RULE - ima_parse_rule() >> 1806 - INTEGRITY_IMA_AUDIT - ima_audit_measurement() >> >> option 3: leaves the most common usage with the wrong name, and breaks >> the other less common usage >> 1805 - INTEGRITY_RULE - ima_audit_measurement() >> 1806 - INTEGRITY_POLICY_RULE - ima_parse_rule() >> >> So option 3 is the best option? > From a user space perspective, I don't care as long the event is well formed Are you saying this because of the tools you referred to that require proper ordering and all fields need to be available? > (No unnecessary untrusted string logging) and we have the required fields for > searching: pid, uid, auid, tty, session, subj, comm, exe, & res. And the > object is identifiable in the event. There's at least one documented user that showed the existing format... https://www.fireeye.com/blog/threat-research/2016/11/extending_linux_exec.html