Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp4899469imm;
        Wed, 30 May 2018 14:26:21 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKIIzgZTv2C4OFJVYkB0ObjmYd5iirBShFQMbwfr57ikGgKiuyOXTh1lDmwy8/SU1KvhR7Og
X-Received: by 2002:a17:902:1703:: with SMTP id i3-v6mr4373814pli.263.1527715581654;
        Wed, 30 May 2018 14:26:21 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1527715581; cv=none;
        d=google.com; s=arc-20160816;
        b=ATGwhZ70VqA8IE5CyGFrHdwKc8uOiFRPdiHsa/Ch0+uyfDOLcwIS2kVQjkOKQrFxzP
         i899hS2Ciwv49AAepliTkffcfQFZ5zypCFllqxGsK+k3X6RAJtzzwJ6cI4e/01wVep5n
         itBDBqAGajAv0M9akRqqfc3ML66h5gY4fpSk24NxkeyswPK4CAdxBq7BoZnrvUMomcqS
         lFAu5ZTBxJZBGEe42N7eJp9B7xxvXUDdWjihMIAWy/pPjXxi/3xJSm/tEZyrUJgzguJz
         0Q4TYhjVpBWTR61DXqLagvzvIdkMaSl8e1ymTn02sCAIz9rdHzkNq2QlGzb9NjDNs/rI
         3+0w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=mKpmJnyQgJrEofJaZUmPY92WtrPWrBYhzpuwhfmehrc=;
        b=CZ28uGw77I6NUI6Tfb07vpiiXFzGAyiF0UKmPvU2nlFtalITBg5a+NAPv0rgSysWvy
         GjdPa1RTJcsBhQX8IGDSFahumoe0VGZuYJuZFjeWVud59cP6Y+TY1ryFOJHtnyv2GekJ
         5v1BH+NSI5/Vr7/WQB83pE1rCd05S9z6dWhiHf0rNU7CCxXB6BzaBoMINhVVuO+ToqpH
         lNm5++53CrSHhtWZfS7+zTeSue7FFtuJfCcTlalGl9XoiBC4vBAMgQROCdKXHk9aw+um
         A/kwcxMCfozMREiwhR2MTXMCdvT/WdxM6CEmLpsi/DhugHz3y/+MEfzZ/HJdIyJEKrNN
         zh7w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=QxLc8KHC;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id h1-v6si5065604pgs.221.2018.05.30.14.26.07;
        Wed, 30 May 2018 14:26:21 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@paul-moore-com.20150623.gappssmtp.com header.s=20150623 header.b=QxLc8KHC;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S932453AbeE3VYe (ORCPT <rfc822;7819ynot@gmail.com> + 99 others);
        Wed, 30 May 2018 17:24:34 -0400
Received: from mail-lf0-f66.google.com ([209.85.215.66]:36130 "EHLO
        mail-lf0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S932268AbeE3VYd (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 30 May 2018 17:24:33 -0400
Received: by mail-lf0-f66.google.com with SMTP id u4-v6so6510162lff.3
        for <linux-kernel@vger.kernel.org>; Wed, 30 May 2018 14:24:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=paul-moore-com.20150623.gappssmtp.com; s=20150623;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=mKpmJnyQgJrEofJaZUmPY92WtrPWrBYhzpuwhfmehrc=;
        b=QxLc8KHCGgicGe3W/kQNKaaogwoTg4LAIbFiTK25mb2JgSktKZMuFZIr4yGIhfvHvD
         ZC/pPWv3/5YS9oPQHxobu8EW+PW5s/B9hfCEQ4WYrQSxH8oO6Obhczs+h0ptckyN8foA
         rLFG/RO3oPfnPjEEc5HOeQMBV7PFFlbIJrFB8D7TLnEAiEjCeJOUofklAtI08d0uE1b3
         0y0ACw2hhW0pvU9nytnu7YSBDSjLijAJ5/tjz+y3g3VXp9kgKbpX8gDH+kN9oqdosqv+
         /0GlKSvIDJwJ/zTgT0VJ+UQd/TcZGKnVBVuek8ONH7CLGnAW83lPv+wbpJ+EdtpxkhYa
         xkKw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=mKpmJnyQgJrEofJaZUmPY92WtrPWrBYhzpuwhfmehrc=;
        b=YuWr/p1k0hxYA2853XFv/oRGKW5OWBiTrlQ1gjtq9vUDQkosUO4/zj7jOfZhh7a6gm
         0jqYKP0LeALftJdPZaRRAoZQkyNzow2iDLrHSYLfGcwyg1Iz/z+xH93i9c/v63ViQfMf
         Zrh5c0Hx6ka+yKASmwT4XtV8TFIPIrgy4wiWbekbk1rvzQWEKIoXaLs6IXNEfiF31cHf
         4Gl/aQSkwzbG8ex/PCjiZ7asD6/NE63Qjlb8LsTrOGIukj/63Di5Yt2yQpeKrqxMKuld
         PQ+LThJBLHu7rxcuZpyKdFJNhN+j7rXDSiC9+8nFU18m0CIuaLZ0ghxXaxogaFdI2QGp
         RcjA==
X-Gm-Message-State: ALKqPwce/Dpzx7aXv5+gh1XBwv2X8eAdh3uGLTa5RQvLIsJG99ki2ah4
        kYvr9u2D+phnbRnrnChkO4HgOnsST1RWUQw0Ql9D
X-Received: by 2002:a2e:8246:: with SMTP id j6-v6mr3278997ljh.72.1527715471430;
 Wed, 30 May 2018 14:24:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a19:a911:0:0:0:0:0 with HTTP; Wed, 30 May 2018 14:24:30
 -0700 (PDT)
X-Originating-IP: [108.20.156.165]
In-Reply-To: <1160afb4-4184-b30c-5f67-c21536b5f7d3@linux.vnet.ibm.com>
References: <20180524201105.3179904-1-stefanb@linux.vnet.ibm.com>
 <15281606.YptaXzsEVL@x2> <00f66ee1-7494-8249-f148-688616deca0c@linux.vnet.ibm.com>
 <3607733.4k8ofLVAdP@x2> <1160afb4-4184-b30c-5f67-c21536b5f7d3@linux.vnet.ibm.com>
From:   Paul Moore <paul@paul-moore.com>
Date:   Wed, 30 May 2018 17:24:30 -0400
Message-ID: <CAHC9VhQZeBS3EzgsWogeuCPtGxSFVDm1jUOLV7Jk4JRC4CVLyQ@mail.gmail.com>
Subject: Re: [PATCH 8/8] ima: Differentiate auditing policy rules from "audit" actions
To:     Stefan Berger <stefanb@linux.vnet.ibm.com>
Cc:     Steve Grubb <sgrubb@redhat.com>, zohar@linux.vnet.ibm.com,
        linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org,
        linux-audit@redhat.com
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, May 30, 2018 at 3:54 PM, Stefan Berger
<stefanb@linux.vnet.ibm.com> wrote:
> On 05/30/2018 12:27 PM, Steve Grubb wrote:
>>
>> On Wednesday, May 30, 2018 11:25:05 AM EDT Stefan Berger wrote:
>>>
>>> On 05/30/2018 11:15 AM, Steve Grubb wrote:
>>>>
>>>> On Wednesday, May 30, 2018 9:54:00 AM EDT Stefan Berger wrote:
>>>>>
>>>>> On 05/29/2018 05:30 PM, Steve Grubb wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> On Thursday, May 24, 2018 4:11:05 PM EDT Stefan Berger wrote:
>>>>>>>
>>>>>>> The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and
>>>>>>> the IMA "audit" policy action.  This patch defines
>>>>>>> AUDIT_INTEGRITY_POLICY_RULE to reflect the IMA policy rules.
>>>>>>>
>>>>>>> With this change we now call integrity_audit_msg_common() to get
>>>>>>> common integrity auditing fields. This now produces the following
>>>>>>> record when parsing an IMA policy rule:
>>>>>>>
>>>>>>> type=UNKNOWN[1806] msg=audit(1527004216.690:311): action=dont_measure
>>>>>>> \
>>>>>>>
>>>>>>> fsmagic=0x9fa0 pid=1613 uid=0 auid=0 ses=2 \
>>>>>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \
>>>>>>> op=policy_update cause=parse_rule comm="echo" exe="/usr/bin/echo" \
>>>>>>> tty=tty2 res=1
>>>>>>
>>>>>> Since this is a new event, do you mind moving the tty field to be
>>>>>> between
>>>>>> auid= and ses=  ?   That is the more natural place for it.
>>>>>
>>>>> 6/8 refactors the code so that the integrity audit records produced by
>>>>> IMA follow one format in terms of ordering of the fields, with fields
>>>>> like inode optional, though, and AUDIT_INTEGRITY_RULE in the end being
>>>>> the only one with a different format. Do we really want to change that
>>>>> order just for 1806?
>>>>>
>>>>> 5/8 now produces the following:
>>>>>
>>>>> type=INTEGRITY_PCR msg=audit(1527685075.941:502): pid=2431 \
>>>>> uid=0 auid=1000 ses=5 \
>>>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \
>>>>> op=invalid_pcr cause=open_writers comm="grep" \
>>>>> name="/var/log/audit/audit.log" dev="dm-0" ino=1962494 \
>>>>> exe="/usr/bin/grep" tty=pts0 res=1
>>>>>
>>>>> Comparing the two:
>>>>>
>>>>> 1806:          action, fsmagic, pid, uid, auid, ses, subj, op, cause,
>>>>> comm,    exe, tty, res
>>>>> INTEGRITY_PCR:                  pid, uid, auid, ses, subj, op, cause,
>>>>> comm, name, dev, ino, exe, tty, res
>>>>
>>>> OK. I guess go with it as is. It passes testing.
>>>
>>> What about the position of 'res' field relative to the two new fields
>>> 'exe' and 'tty'?
>>
>> res (results) is always the last field for every event. We have no events
>> where it is not the last field. I'd prefer to go with it as is. The events
>> pass my testing the way they are.
>>
>>> Do we want to keep them as shown or strictly append the
>>> two new fields 'exe' and 'tty'?
>>
>> I'd prefer the first option to keep things as expected.
>>
>>> Paul seems to request that they appear after 'res'.
>>
>> I'd rather see them dropped, as useful as they could be, than to malform
>> the
>> events.
>
>
> Paul NACK'ed them since he wanted to have them added to the end. You seem to
> say it's ok to add them before 'res'. Not sure whether to drop them now
> since we are 'at it.'

I talked about this in the other patch's thread, but the "new fields
at the end of existing records" policy applies here too.

Also note Richard's earlier comment about "associating" the IMA
records with all of the related audit records.

-- 
paul moore
www.paul-moore.com