Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp4916391imm; Wed, 30 May 2018 14:50:51 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLLv7/7ojJX/073H00FDAP2EsmGtbekXzFRIL2fLH3BDsfWqkXzQvreM/4CSahfUBUx9Syu X-Received: by 2002:a17:902:a416:: with SMTP id p22-v6mr4377014plq.228.1527717051587; Wed, 30 May 2018 14:50:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527717051; cv=none; d=google.com; s=arc-20160816; b=V1gX4izOb/p6V+HJMFcMzGzxnbGne11NujsotJiLAVAenqc8R3+YwtvNpGqGG69lO9 vMnmDxQrXrClmc9qDMziDu3PubY8+9SuEPw5PAwO49Hc+FsQcb2Alu1B08msS46mNSHY QXA059OEMrrNHc44rHN0GdJMu522vREaKv3P3pFOLH+vSdxjM9dTQu3aaCTEImILlloW AMoSkpkwws8m09mZ6mbUqBiL7bOF+H9U78cb94PKY3+psj6iUe7jUsJXwSP3k1XLX9OJ Fvc1V327VgOZZdYyn2s29nbu93k9Kj7h91Uu5TXT0U3FIZbCxq8b6+vCbKfNbXqyDz6f VI8w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:content-language :content-transfer-encoding:in-reply-to:mime-version:user-agent:date :from:references:cc:to:subject:arc-authentication-results; bh=sgsA0PGQd9Uc8UU5YE4sbgs53+Lyjb+jsnJMToCfvyM=; b=IwPim9wB9XlW5LWroMtUdAiTEIV6YJQBI2ngXb2U68W4jYgaib5NYl/i8J17itRhMn HFJbgFNCU4NadJNKbjyIpmlIxX6XYHSvrzONWYNQ4CMrhNVDkaZWzfaFs27m+GN+6KDT DIyNpstP1WWUjJkNmXyYxsHRWb/DlhQF7igXCJTEme4d6OsFcMLkYQorw8APdNIrsaWS lspZ3mz4KdSxZf0FFu9vqJpJrJzWJUZevulDIYuQ22nhvc6Nxj23oA91vSOpkmq0nfBn WseXxnpSQX7V1CJTnQWNwqFm6BtotMyBORhpFi8V7D3r2OJWFqlR4QLj8YzI6jmpjahR wBkQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v37-v6si35584036plg.426.2018.05.30.14.50.37; Wed, 30 May 2018 14:50:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=ibm.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753674AbeE3Vtq (ORCPT + 99 others); Wed, 30 May 2018 17:49:46 -0400 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:37996 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S932382AbeE3Vtk (ORCPT ); Wed, 30 May 2018 17:49:40 -0400 Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w4ULmwk1118067 for ; Wed, 30 May 2018 17:49:40 -0400 Received: from e12.ny.us.ibm.com (e12.ny.us.ibm.com [129.33.205.202]) by mx0a-001b2d01.pphosted.com with ESMTP id 2ja0dw2t8y-1 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NOT) for ; Wed, 30 May 2018 17:49:40 -0400 Received: from localhost by e12.ny.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Wed, 30 May 2018 17:49:39 -0400 Received: from b01cxnp23034.gho.pok.ibm.com (9.57.198.29) by e12.ny.us.ibm.com (146.89.104.199) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; (version=TLSv1/SSLv3 cipher=AES256-GCM-SHA384 bits=256/256) Wed, 30 May 2018 17:49:36 -0400 Received: from b01ledav004.gho.pok.ibm.com (b01ledav004.gho.pok.ibm.com [9.57.199.109]) by b01cxnp23034.gho.pok.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w4ULnZJC3211664 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Wed, 30 May 2018 21:49:35 GMT Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id DD258112063; Wed, 30 May 2018 17:49:37 -0400 (EDT) Received: from b01ledav004.gho.pok.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id BB6CD112061; Wed, 30 May 2018 17:49:37 -0400 (EDT) Received: from sbct-3.pok.ibm.com (unknown [9.47.158.153]) by b01ledav004.gho.pok.ibm.com (Postfix) with ESMTP; Wed, 30 May 2018 17:49:37 -0400 (EDT) Subject: Re: [PATCH 8/8] ima: Differentiate auditing policy rules from "audit" actions To: Paul Moore Cc: Steve Grubb , zohar@linux.vnet.ibm.com, linux-integrity@vger.kernel.org, linux-kernel@vger.kernel.org, linux-audit@redhat.com References: <20180524201105.3179904-1-stefanb@linux.vnet.ibm.com> <15281606.YptaXzsEVL@x2> <00f66ee1-7494-8249-f148-688616deca0c@linux.vnet.ibm.com> <3607733.4k8ofLVAdP@x2> <1160afb4-4184-b30c-5f67-c21536b5f7d3@linux.vnet.ibm.com> From: Stefan Berger Date: Wed, 30 May 2018 17:49:35 -0400 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Content-Language: en-MW X-TM-AS-GCONF: 00 x-cbid: 18053021-0048-0000-0000-00000272E85C X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00009099; HX=3.00000241; KW=3.00000007; PH=3.00000004; SC=3.00000264; SDB=6.01040002; UDB=6.00532333; IPR=6.00819135; MB=3.00021384; MTD=3.00000008; XFM=3.00000015; UTC=2018-05-30 21:49:38 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18053021-0049-0000-0000-000045469207 Message-Id: <85d2a40a-884c-c63d-50f6-024f7bbea4a8@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:,, definitions=2018-05-30_09:,, signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1805220000 definitions=main-1805300232 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 05/30/2018 05:24 PM, Paul Moore wrote: > On Wed, May 30, 2018 at 3:54 PM, Stefan Berger > wrote: >> On 05/30/2018 12:27 PM, Steve Grubb wrote: >>> On Wednesday, May 30, 2018 11:25:05 AM EDT Stefan Berger wrote: >>>> On 05/30/2018 11:15 AM, Steve Grubb wrote: >>>>> On Wednesday, May 30, 2018 9:54:00 AM EDT Stefan Berger wrote: >>>>>> On 05/29/2018 05:30 PM, Steve Grubb wrote: >>>>>>> Hello, >>>>>>> >>>>>>> On Thursday, May 24, 2018 4:11:05 PM EDT Stefan Berger wrote: >>>>>>>> The AUDIT_INTEGRITY_RULE is used for auditing IMA policy rules and >>>>>>>> the IMA "audit" policy action. This patch defines >>>>>>>> AUDIT_INTEGRITY_POLICY_RULE to reflect the IMA policy rules. >>>>>>>> >>>>>>>> With this change we now call integrity_audit_msg_common() to get >>>>>>>> common integrity auditing fields. This now produces the following >>>>>>>> record when parsing an IMA policy rule: >>>>>>>> >>>>>>>> type=UNKNOWN[1806] msg=audit(1527004216.690:311): action=dont_measure >>>>>>>> \ >>>>>>>> >>>>>>>> fsmagic=0x9fa0 pid=1613 uid=0 auid=0 ses=2 \ >>>>>>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \ >>>>>>>> op=policy_update cause=parse_rule comm="echo" exe="/usr/bin/echo" \ >>>>>>>> tty=tty2 res=1 >>>>>>> Since this is a new event, do you mind moving the tty field to be >>>>>>> between >>>>>>> auid= and ses= ? That is the more natural place for it. >>>>>> 6/8 refactors the code so that the integrity audit records produced by >>>>>> IMA follow one format in terms of ordering of the fields, with fields >>>>>> like inode optional, though, and AUDIT_INTEGRITY_RULE in the end being >>>>>> the only one with a different format. Do we really want to change that >>>>>> order just for 1806? >>>>>> >>>>>> 5/8 now produces the following: >>>>>> >>>>>> type=INTEGRITY_PCR msg=audit(1527685075.941:502): pid=2431 \ >>>>>> uid=0 auid=1000 ses=5 \ >>>>>> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 \ >>>>>> op=invalid_pcr cause=open_writers comm="grep" \ >>>>>> name="/var/log/audit/audit.log" dev="dm-0" ino=1962494 \ >>>>>> exe="/usr/bin/grep" tty=pts0 res=1 >>>>>> >>>>>> Comparing the two: >>>>>> >>>>>> 1806: action, fsmagic, pid, uid, auid, ses, subj, op, cause, >>>>>> comm, exe, tty, res >>>>>> INTEGRITY_PCR: pid, uid, auid, ses, subj, op, cause, >>>>>> comm, name, dev, ino, exe, tty, res >>>>> OK. I guess go with it as is. It passes testing. >>>> What about the position of 'res' field relative to the two new fields >>>> 'exe' and 'tty'? >>> res (results) is always the last field for every event. We have no events >>> where it is not the last field. I'd prefer to go with it as is. The events >>> pass my testing the way they are. >>> >>>> Do we want to keep them as shown or strictly append the >>>> two new fields 'exe' and 'tty'? >>> I'd prefer the first option to keep things as expected. >>> >>>> Paul seems to request that they appear after 'res'. >>> I'd rather see them dropped, as useful as they could be, than to malform >>> the >>> events. >> >> Paul NACK'ed them since he wanted to have them added to the end. You seem to >> say it's ok to add them before 'res'. Not sure whether to drop them now >> since we are 'at it.' > I talked about this in the other patch's thread, but the "new fields > at the end of existing records" policy applies here too. I am not sure what to post in v2. It looks like if I append it to the end after 'res' I could get the NACK'ed by Steve?! So the other choice is to only keep patches 1,2, 6, and 7, so leave most of the integrity audit messages untouched. Then only create a different format for the new AUDIT_INTEGRITY_POLICY_RULE (current 8/8) that shares (for consistency reasons) the same format with the existing integrity audit messages but also misses tty= and exe= ? > > Also note Richard's earlier comment about "associating" the IMA > records with all of the related audit records. >