From: Steve Grubb
To: Paul Moore
Cc: Stefan Berger, zohar@linux.vnet.ibm.com, linux-integrity@vger.kernel.org, linux-audit@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 5/8] integrity: Add exe= and tty= before res= to integrity audits
Date: Tue, 29 May 2018 17:35:48 -0400
Message-ID: <4331521.GQBdaJNAj6@x2>
Organization: Red Hat
References: <20180524201105.3179904-1-stefanb@linux.vnet.ibm.com> <20180524201105.3179904-6-stefanb@linux.vnet.ibm.com>

On Tuesday, May 29, 2018 5:19:39 PM EDT Paul Moore wrote:
> On Thu, May 24, 2018 at 4:11 PM, Stefan Berger wrote:
> > Use the new public audit functions to add the exe= and tty=
> > parts to the integrity audit records. We place them before
> > res=.
> >
> > Signed-off-by: Stefan Berger
> > Suggested-by: Steve Grubb
> > ---
> >
> >  security/integrity/integrity_audit.c | 2 ++
> >  1 file changed, 2 insertions(+)
> >
> > diff --git a/security/integrity/integrity_audit.c b/security/integrity/integrity_audit.c
> > index db30763d5525..8d25d3c4dcca 100644
> > --- a/security/integrity/integrity_audit.c
> > +++ b/security/integrity/integrity_audit.c
> > @@ -56,6 +56,8 @@ void integrity_audit_msg(int audit_msgno, struct inode
> > *inode,
> >  audit_log_untrustedstring(ab, inode->i_sb->s_id);
> >  audit_log_format(ab, " ino=%lu", inode->i_ino);
> >  }
> >
> > + audit_log_d_path_exe(ab, current->mm);
> > + audit_log_tty(ab, current);
>
> NACK
>
> Please add the new fields to the end of the audit record, thank you.

Let's see what an example event looks like before NACK'ing this. Way back in
2013 the IMA events were good. I think this is repairing the event after some
drift.

Thanks,
-Steve

> >  audit_log_format(ab, " res=%d", !result);
> >  audit_log_end(ab);
> >  }
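Review bot: the two added calls sit between the `ino=` block and `audit_log_format(ab, " res=%d", !result)`, so exe= and tty= appear in the middle of the record rather than appended after res=, and neither the hunk nor the commit message ("We place them before res=") records why that position was chosen, which is the point the NACK raises. Either move the two lines below the `res=` format call, or state the reason for the pre-res= placement (the older record layout Steve refers to) in the commit message, since field order is exactly what downstream record parsers observe. A second point for the description: `audit_log_d_path_exe(ab, current->mm)` passes `current->mm` unconditionally, so it should say whether integrity_audit_msg() can be reached from a context with no mm (a kernel thread) and what the helper emits in that case.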
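The thread turns on where exe= and tty= sit relative to res= in the emitted record. As an added illustration of what that means for a consumer (this is example code, not part of the patch, the kernel tree, or anything the participants posted), here is a small C parser that splits a kernel audit record into key=value fields and looks them up by name, so the position of the new fields does not matter to it, and that decodes the two encodings audit_log_untrustedstring() produces (a quoted string, or unquoted hex when the value contains a space, quote or non-printable). The three sample records are constructed for this demo; every field in them other than exe=, tty=, ino= and res= is assumed rather than taken from the page, and the list of keys treated as untrusted-string encoded is likewise an assumption.

```c
#include <string.h>

struct audit_field  { char key[32]; char val[256]; };
struct audit_record { struct audit_field f[32]; int n; };

/* Constructed sample records (fields other than exe=/tty=/ino=/res= assumed):
 * the same event with the new fields before res= and at the end. */
const char *REC_BEFORE_RES =
    "type=INTEGRITY_PCR msg=audit(1527629791.544:101): comm=\"bash\" name=\"/etc/passwd\" "
    "dev=\"sda1\" ino=1234 exe=\"/usr/bin/bash\" tty=pts0 res=1";
const char *REC_AT_END =
    "type=INTEGRITY_PCR msg=audit(1527629791.544:102): comm=\"bash\" name=\"/etc/passwd\" "
    "dev=\"sda1\" ino=1234 res=1 exe=\"/usr/bin/bash\" tty=pts0";
/* name= is "/tmp/my file": audit_log_untrustedstring() hex-encodes a value
 * that contains a space, a quote or a non-printable instead of quoting it. */
const char *REC_HEX_NAME =
    "type=INTEGRITY_PCR msg=audit(1527629791.544:103): comm=\"bash\" "
    "name=2F746D702F6D792066696C65 dev=\"sda1\" ino=5678 exe=\"/usr/bin/bash\" tty=(none) res=0";

/* Keys assumed to be written via audit_log_untrustedstring(); only these may be
 * hex-decoded.  ino=1234 is all hex digits but is a plain decimal number. */
static const char *UNTRUSTED_KEYS[] = { "name", "comm", "exe", "dev", NULL };

static int is_untrusted_key(const char *key)
{
    for (int i = 0; UNTRUSTED_KEYS[i]; i++)
        if (!strcmp(UNTRUSTED_KEYS[i], key)) return 1;
    return 0;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* "quoted" -> contents; unquoted value of an untrusted key -> hex decode; else verbatim. */
static int decode_value(const char *key, const char *raw, size_t len, char *out, size_t outlen)
{
    if (len >= 2 && raw[0] == '"' && raw[len - 1] == '"') {
        raw++; len -= 2;
    } else if (is_untrusted_key(key)) {
        if (len == 0 || len % 2 || len / 2 >= outlen) return -1;
        for (size_t i = 0; i < len; i += 2) {
            int hi = hexval(raw[i]), lo = hexval(raw[i + 1]);
            if (hi < 0 || lo < 0) return -1;
            out[i / 2] = (char)(hi << 4 | lo);
        }
        out[len / 2] = '\0';
        return 0;
    }
    if (len >= outlen) return -1;
    memcpy(out, raw, len);
    out[len] = '\0';
    return 0;
}

/* Split a record on spaces into key=value fields; returns the count or -1.  A kernel
 * record never has a space inside a value (it becomes hex), so this split is safe. */
int audit_parse(const char *line, struct audit_record *rec)
{
    rec->n = 0;
    const char *p = line;
    while (*p) {
        while (*p == ' ') p++;
        if (!*p) break;
        size_t tlen = strcspn(p, " ");
        const char *eq = memchr(p, '=', tlen);
        if (!eq || eq == p || eq - p >= 32 || rec->n == 32) return -1;
        struct audit_field *f = &rec->f[rec->n++];
        memcpy(f->key, p, (size_t)(eq - p));
        f->key[eq - p] = '\0';
        if (decode_value(f->key, eq + 1, tlen - (size_t)(eq - p) - 1, f->val, 256) < 0)
            return -1;
        p += tlen;
    }
    return rec->n;
}

/* Lookup by name: where the field sits in the record is irrelevant. */
const char *audit_get(const struct audit_record *rec, const char *key)
{
    for (int i = 0; i < rec->n; i++)
        if (!strcmp(rec->f[i].key, key)) return rec->f[i].val;
    return NULL;
}

/* 1 if line parses and key decodes to expected, else 0 (also on malformed input). */
int field_equals(const char *line, const char *key, const char *expected)
{
    struct audit_record rec;
    const char *v = audit_parse(line, &rec) < 0 ? NULL : audit_get(&rec, key);
    return v && !strcmp(v, expected);
}
```

With lookup by key, `field_equals(REC_AT_END, "res", "1")` and `field_equals(REC_BEFORE_RES, "res", "1")` both hold, so only a consumer that reads fields by position would notice the move; the hex branch matters because a path with a space in it arrives as `name=2F746D...` with no quotes, and a parser that hex-decoded by appearance rather than by key would also mangle `ino=1234`.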