Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp246546ybz; Tue, 21 Apr 2020 08:17:09 -0700 (PDT) X-Google-Smtp-Source: APiQypK6qR4YEDLqjIJ7swQH/mc0VuLtS/leZmRU1PJxliiYTL6nkXFmJFFs2Zix41nWFDjicJ5d X-Received: by 2002:a50:f095:: with SMTP id v21mr19541215edl.103.1587482229185; Tue, 21 Apr 2020 08:17:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1587482229; cv=none; d=google.com; s=arc-20160816; b=eRZo+aIoKZ2KROoV+uSrJLiOh0ZX6uGtA24/1FpHKqqM1I6zWjgWK+UjrVxQnqgKTe wr/PmpCVqxGWdO7UYq3fzc+uX9VHQ3pvRlH2D/TbCk+yZnsfQz4WHklHXOEMt/7/NP1g 1z4Zbz+yfMuZSbHASnYcPxIMQc+VCNoiZNKZ+JzhQ+jrY0ZwQYG/ORw7jj31Kzwfm+sv L3siSDqnrCThnEewX0RG3+AaYTnZ8uzD0ihpinDRsG0KrIuegaWE7hqy9Xf+rphdCXJi HeQUwEDBbwWvPaEFAUIhoWI3JM7WNG6n/TThVv58B5gIjx+v7mCLA1bAzR7snVx3KCJ/ uB5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:organization:message-id:date:subject:cc:to :from:dkim-signature; bh=04PEf90F+6uRCyLy6Mn+cR2kwE1/6Z45D9X5YBg8bFQ=; b=K8j96h0vl4rvgSzO9gAgD1btN7NT8sZBu0UOSk5j9G0TKWkZfYeOUpaNni4qfgx3rD 1oPzK8nJPyOjLld3zu6KVNi7gY7bQ/0IVZeOJoMa9oOA5saryHW7KAtRAIa+b/9PZ2au p+x/5iCnuyF8a2zQGaNS5o6CpPhhcU+afFqr1P5kbWZFKmuhxgGpXRDYlRALTLOqbH8t n8gZPylmVYJ6A+t/LbjS1CMMePDIMfqEXFkfMg9++Jtboei4wF5CKcRRqTd2SGbBuh57 /lMNWXy4CED840Ln559XI6R69dWkfp10YSPRGcOZRi2R00vId3I3rN9M/YcPubTjLKYn TJxg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=I9IPejQc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id nh5si1703197ejb.352.2020.04.21.08.16.44; Tue, 21 Apr 2020 08:17:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=I9IPejQc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726115AbgDUPPX (ORCPT + 99 others); Tue, 21 Apr 2020 11:15:23 -0400 Received: from us-smtp-2.mimecast.com ([207.211.31.81]:37430 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725902AbgDUPPX (ORCPT ); Tue, 21 Apr 2020 11:15:23 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1587482121; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=04PEf90F+6uRCyLy6Mn+cR2kwE1/6Z45D9X5YBg8bFQ=; b=I9IPejQcITuNJIcVNKwq+bOoc3OOKRHJMToxPIZjefsnERsCwW6UN2dmWV5QxDi0jcOXCJ xfe1UrBZLHepA40/84jMZSw0nnoSJc6pbSpdbUjwJ8mXGQywnxXKvQnTeHUvDgVOGpHliq mSKSbvrHSVC3wXjKyAsRekIeussJacs= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-349-DnTW3m3TOnWJI0bXu-clzw-1; Tue, 21 Apr 2020 11:15:14 -0400 X-MC-Unique: DnTW3m3TOnWJI0bXu-clzw-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E5A2218FE867; Tue, 21 Apr 2020 15:15:11 +0000 (UTC) Received: from x2.localnet (ovpn-113-195.phx2.redhat.com [10.3.113.195]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2781376E92; Tue, 21 Apr 2020 15:15:04 +0000 (UTC) From: Steve Grubb To: linux-audit@redhat.com Cc: Paul Moore , Richard Guy Briggs , fw@strlen.de, LKML , netfilter-devel@vger.kernel.org, ebiederm@xmission.com, twoerner@redhat.com, Eric Paris , tgraf@infradead.org Subject: Re: [PATCH ghak25 v3 3/3] audit: add subj creds to NETFILTER_CFG record to cover async unregister Date: Tue, 21 Apr 2020 11:15:02 -0400 Message-ID: <2156032.xcGZvdN1jG@x2> Organization: Red Hat In-Reply-To: References: <20200318213327.ow22q6nnjn3ijq6v@madcap2.tricolour.ca> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Friday, April 17, 2020 5:53:47 PM EDT Paul Moore wrote: > On Wed, Mar 18, 2020 at 5:33 PM Richard Guy Briggs wrote: > > On 2020-03-18 17:22, Paul Moore wrote: > > > On Wed, Mar 18, 2020 at 9:12 AM Richard Guy Briggs wrote: > > > > On 2020-03-17 17:30, Richard Guy Briggs wrote: > > > > > Some table unregister actions seem to be initiated by the kernel to > > > > > garbage collect unused tables that are not initiated by any > > > > > userspace actions. It was found to be necessary to add the subject > > > > > credentials to cover this case to reveal the source of these > > > > > actions. A sample record: > > > > > type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) : > > > > > table=nat family=bridge entries=0 op=unregister pid=153 uid=root > > > > > auid=unset tty=(none) ses=unset > > > > > subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2 exe=(null) If this is the kernel, why is pid not 0? And if pid is 0, then isn't exe=/boot/vmlinuz-X.Y.Z-blah? > > > > Given the precedent set by bpf unload, I'd really rather drop this > > > > patch that adds subject credentials. > I'm in the middle of building patches 1/3 and 2/3, assuming all goes > well I'll merge them into audit/next (expect mail soon), however I'm > going back and forth on this patch. Like you I kinda don't like it, > and with both of us not in love with this patch I have to ask if there > is certification requirement for this? Yes, any change to information flow must be auditable. > I know about the generic > subj/obj requirements, but in the case where there is no associated > task/syscall/etc. information it isn't like the extra fields supplied > in this patch are going to have much information in that regard; it's > really the *absence* of that information which is telling. Exactly. But if someone does a search based on the fields, they need to be able to find this record. For example, suppose I want to know what actions have been performed by kernel_t, I can run a search and find this event. > Which brings me to wonder if simply the lack of any associated records in > this event is enough? Before when we weren't associating records into > a single event it would have been a problem, but the way things > currently are, if there are no other records (and you have configured > that) then I think you have everything you need to know. > > Thoughts? You can't search on the absense of information. There are some fields that have meaning. It's OK if they are unset. It happens for daemons, too. But we don't remove the fields because of it. It tells part of the story. -Steve