Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp1638645imm;
        Tue, 22 May 2018 07:10:27 -0700 (PDT)
X-Google-Smtp-Source: AB8JxZpBM44YMIAnRZi8su35vE7b2j8QWK0N8FdEA6tRT/3/lbluHNXdTwwrxJca0jD8t+6mnCXj
X-Received: by 2002:a17:902:6ac3:: with SMTP id i3-v6mr24549915plt.378.1526998227657;
        Tue, 22 May 2018 07:10:27 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1526998227; cv=none;
        d=google.com; s=arc-20160816;
        b=OcH47pVEmL7s4h24uRXu1fNuAhtlyJ4WDHgL5XDA+/RZcDrAuoSKsaM1+dj7JRFQRr
         WmHdqjzmoqh3snkQK9Ms1YJUtrCOf+QP6+qdt5EZ2X8fIjgWdseBW7c5DB4o6pDvHfXw
         xu92OQN1TkdQvFnULChnB10CM2MroAoO0Jn+V7BGwqUZu0yyV+9XCiJdzyo+wGQGHJ/W
         bJV2Wj87kv0girzc+6zF2peG2YIZMYI7ytX0PA8x0BVT09lPHMtwcws9JaLe2iwLUcT7
         TtxXRzFM1Afz/FCGz99uLzCEVqeeYM777pXvuQpq3ADVd46L+Z8Rg6nwGQi58+5tG6qX
         jiyQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :references:in-reply-to:organization:message-id:date:subject:cc:to
         :from:arc-authentication-results;
        bh=IGhK/SfbDzcr36HCOrw1RVvabAa2CeQnSiJiW7RTWss=;
        b=IE+2fQjT+2WZsFmoe5FeMEQUsrPfZkCNLAFzQzKwa6gva5tFhbL5MbMfTPmpfj5AXA
         LPqiK/cMg2UCeknwyISP6CvoT8vS/crtSKmAKGYQTB7M8mrbqJXrZ9Wt+0J+FtU/qlNH
         adHgcNxfEyp4N24kiX4fzQo7B5rM4NUUnV5r9/kXKuSHWKBWpdJuv4iPanvDSc8Lfb4c
         7L/K7rPucLsN5SQ+mbWMgtDLWRvPcNNTIezpB2QhcekPj9/ejp1ufc0aa6aSx4mmD5n4
         vIpjjv36BB9TDgCyNboehOdFBceLKKvhxgcDrSrhtRRzaVFGPQdqFwK8Tx9e3N1d8SD7
         E5xg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id v81-v6si16266790pfi.22.2018.05.22.07.10.03;
        Tue, 22 May 2018 07:10:27 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1751707AbeEVOJc (ORCPT <rfc822;414256we@gmail.com> + 99 others);
        Tue, 22 May 2018 10:09:32 -0400
Received: from mx3-rdu2.redhat.com ([66.187.233.73]:35626 "EHLO mx1.redhat.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1751432AbeEVOJa (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 22 May 2018 10:09:30 -0400
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4])
        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
        (No client certificate requested)
        by mx1.redhat.com (Postfix) with ESMTPS id D451868819;
        Tue, 22 May 2018 14:09:29 +0000 (UTC)
Received: from x2.localnet (ovpn-122-227.rdu2.redhat.com [10.10.122.227])
        by smtp.corp.redhat.com (Postfix) with ESMTP id 7ADB02023585;
        Tue, 22 May 2018 14:09:29 +0000 (UTC)
From:   Steve Grubb <sgrubb@redhat.com>
To:     Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc:     Richard Guy Briggs <rgb@redhat.com>,
        Mimi Zohar <zohar@linux.vnet.ibm.com>,
        containers@lists.linux-foundation.org,
        Linux-Audit Mailing List <linux-audit@redhat.com>,
        linux-integrity <linux-integrity@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>, paul@paul-moore.com
Subject: Re: [PATCH] audit: add containerid support for IMA-audit
Date:   Tue, 22 May 2018 10:09:29 -0400
Message-ID: <1705289.eIvaqvarKh@x2>
Organization: Red Hat
In-Reply-To: <e140278a-1494-ec74-f8bb-7fbac676306e@linux.vnet.ibm.com>
References: <1520257393.10396.291.camel@linux.vnet.ibm.com> <4015765.rtofcNpGHU@x2> <e140278a-1494-ec74-f8bb-7fbac676306e@linux.vnet.ibm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7Bit
Content-Type: text/plain; charset="us-ascii"
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Tue, 22 May 2018 14:09:29 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Tue, 22 May 2018 14:09:29 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'sgrubb@redhat.com' RCPT:''
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Monday, May 21, 2018 5:57:29 PM EDT Stefan Berger wrote:
> >>>> Should some of the fields from INTEGRITY_PCR also appear in
> >>>> INTEGRITY_RULE? If so, which ones?
> >>> 
> >>> pid, uid, auid, tty, session, subj, comm, exe, res.  <- these are
> >>> required to be searchable
> >>> 
> >>>> We could probably refactor the current  integrity_audit_message() and
> >>>> have ima_parse_rule() call into it to get those fields as well. I
> >>>> suppose adding new fields to it wouldn't be considered breaking user
> >>>> space?
> >>> 
> >>> The audit user space utilities pretty much expects those fields in that
> >>> order for any IMA originating events. You can add things like op or
> >>> cause before
> >> 
> >> We will call into audit_log_task, which will put the parameters into
> >> correct order:
> >> 
> >> auid uid gid ses subj pid comm exe
> > 
> > I'm telling you what the correct order is.  :-)  A long time ago, the IMA
> 
>  Thanks. Was getting confused.
> 
> > system had audit events with the order I'm mentioning. For example,
> > here's one from a log I collected back in 2013:
> > 
> > type=INTEGRITY_PCR msg=audit(1327409021.813:21): pid=1 uid=0
> > auid=4294967295 ses=4294967295 subj=kernel op="add_template_measure"
> > cause="hash_added" comm="init" name="01parse-kernel.sh" dev=rootfs
> > ino=5413 res=0
> > 
> > it was missing "tty" and "exe", but the order is as I mentioned. The
> > expectation is that INTEGRITY events maintain this established order
> > across all events.
> 
> I am *appending* exe= and tty= now:
> 
> type=INTEGRITY_PCR msg=audit(1526939047.809:305): pid=1609 uid=0 auid=0
> ses=2 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> op="invalid_pcr" cause="open_writers" comm="ssh"
> name="/var/lib/sss/mc/passwd" dev="dm-0" ino=1962679 res=1
> exe="/usr/bin/ssh" tty=tty2

It is safe to put them where they belong. The tools currently skip over tty 
and exe if they would be present. So, nothing would get messed up. Its very 
simple to add an "if" statement to check for these new fields and collect 
them for searching. Also, "res" is traditionally the last field in any event.

Thanks,
-Steve