Re: New development

On Thursday 25 August 2005 13:55, Steve Grubb wrote: I think its time to kick off the next round of development for the audit system. I would like to propose a list of items to be worked on. This is list does not include LSPP/RBAC...that topic is big enough for a message all its own. I will send an email covering LSPP/RBAC separately in a couple days. This list is by no means complete. It is a starting point for discussion. If anyone else has ideas, please speak up. 1) Syscall auditing enhancements. Collect all args to execve. This would be implemented as an aux record like the socket_addr type. As all items come from userspace, they should all the treated as untrusted data. This might also need to be expanded for ioctl syscall as well. Does anyone know of any function that we need special handling to get its parameters? Also, would collecting EIP that the syscall was made from be useful to anyone? This might be useful to people doing IDS systems so they can spot an anomalous EIP/syscall pair to know something has gone wrong. 2) Higher Performance. We need to work on ways to lessen the load when the audit system is both disabled and enabled. I put some ideas on the mail list last week. There are more things that can be done. Perhaps a hard look at the organization of the context should be done. Are the structure members really in the best locations for cache effects? Can we get rid of TIF_SYSCALL_AUDIT flag and then successfully re-attach later? Maybe this can be done by walking the process tree or hooking a specific function all programs execute to re-enable. Another way to help performance is to push the decision to audit out to where the hook function is located. Chris has shown that it can be done using inline hook functions. Also, we should look at whether syscall entry filter as implemented is optimal. Right now all syscalls are marked like possible unless there is a rule explicitly saying to not audit the syscall. I think this area needs review. 3) Ability to track child processes. There is a need to be able to audit the actions of a child process. For example, maybe we add a rule to audit a specific pid like apache's. We may need to collect all syscall data for any child it spawns. This can be done by matching on session id, process group, and/or another mechanism. I leave this as an "and" since all 3 things may need to be implemented. Process group and session ID are not fool proof, but work for any non-malicious program. If we want to consider tracking possibly untrusted apps - we need to implement another mechanism. 4) More operators for filters. Right now, we only have == and !=. It would be nice to write rules that could use >, >=, <, <=, and a range. For example, you may want to write a rule that is filtered on uid >= 500 so that you don't collect data for daemons. Does anyone have ideas on rules that are awkward to express given the current techniques? 5) Ability to filter on message type. Because we are going to support LSPP and CAPP, we need to filter this information in the kernel. All messages start with a log_start. That function could call the filter to see if the message should be allowed. If so proceed as done today. Otherwise leave a NULL buffer. All calls to helper functions like log_format & log_end functions would check for NULL and return as if they succeeded. The other way I see this working is have the log_end function do the filtering, but that means that all the helper functions did the full work of building the message before it is discarded. The filter on message type would be one rule where we would want to have a range operator. For example, we may want to block all USER, LSPP, or SE Linux AVC messages. 6) Normalization of SE Linux AVC messages. Right now, SE Linux code has if statements that swing in and out different fields in its messages. This information needs normalizing as a step towards getting to binary message format. This may need to be done as AUX records or changing from a generics AVC message to several message types. 7) Consolidation of information in events. There is duplicate information in various records emitted. We need to try to reduce that information and consolidate. I think this involves reviewing the messages to make sure they follow a standard pattern. A message printing function could be created so that format specifiers are not all over the kernel, but in 1 place. This is a necessary step for creating a binary format. 8) Binary format. We need to create a format where the data is handed to the audit daemon in a binary format. This would avoid all the snprintf that is currently done. If there is no audit daemon, then the kernel would use the common messaging framework mention in #7 above to create the text message. As for implementing these ideas...I think we need to start with the current 2.6.9-11 kernel. When U2 kernel is public, port the audit system to that and continue. At some point, we need to switch to the rawhide kernel. The LSPP work for example does not belong in the 2.6.9 series kernel. What I would like to see get into the 2.6.9 series is #1 & #2. #3, #4, & #5 might be possible to get into the 2.6.9 series if we come up with a good way to make sure old kernels don't panic or do something bad. #6, #7, & #8 would definitely be for rawhide. Let's discuss these points. Do they make sense? Are there more ideas that should be added? Do the ones slated for 2.6.9 make sense? Does anyone in particular want to take on the responsibility of any of these items? I think we need 1-5 either done or pretty close to done this month. The LSPP work would dovetail into #6-#8 nicely. -Steve