[PATCH] missing audispd-pconfig.h in Makefile.am
by Klaus Heinrich Kiwi
The audispd-pconfig.h file is missing from the noinst_HEADERS list at
audisp/Makefile.am, resulting in a broken 'make dist' target
Signed-off-by: Klaus Heinrich Kiwi <klausk(a)br.ibm.com>
diff -purN audit-1.6.2/audisp/Makefile.am audit-1.6.2_khk/audisp/Makefile.am
--- audit-1.6.2/audisp/Makefile.am 2007-09-12 13:04:00.000000000 -0300
+++ audit-1.6.2_khk/audisp/Makefile.am 2007-09-27 15:51:20.000000000 -0300
@@ -25,7 +25,7 @@ CONFIG_CLEAN_FILES = Makefile.in *.rej *
AUTOMAKE_OPTIONS = no-dependencies
INCLUDES = -I.. -I${top_srcdir}/lib
sbin_PROGRAMS = audispd
-noinst_HEADERS = audispd-config.h audispd-llist.h queue.h audispd-builtins.h
+noinst_HEADERS = audispd-config.h audispd-pconfig.h audispd-llist.h queue.h audispd-builtins.h
LIBS = -L${top_srcdir}/src/mt -lauditmt
LDADD = -lpthread
AM_CFLAGS = -D_REENTRANT
[PATCH] audit=0 appears not to completely disable auditing
by Steve Grubb
Hi,
There was a bz, 231371, reporting that current upstream kernels do not completely
disable auditing when booted with audit=0 and the audit daemon not configured to
run. You can reproduce the problem by:
service auditd stop
auditctl -e 0
auditctl -w /etc/passwd
and you'd get an event in syslog:
Mar 9 15:43:04 localhost kernel: audit(1173472984.321:982): auid=4294967295
subj=user_u:system_r:auditctl_t:s0 op=add rule key=(null) list=4 res=1
The patch below solves this problem by checking audit_enabled before creating
an audit event.
Signed-off-by: Steve Grubb <sgrubb(a)redhat.com>
diff -urp linux-2.6.18.x86_64.orig/kernel/audit.c linux-2.6.18.x86_64/kernel/audit.c
--- linux-2.6.18.x86_64.orig/kernel/audit.c 2007-03-09 14:08:18.000000000 -0500
+++ linux-2.6.18.x86_64/kernel/audit.c 2007-03-09 14:06:59.000000000 -0500
@@ -238,46 +238,50 @@ void audit_log_lost(const char *message)
static int audit_set_rate_limit(int limit, uid_t loginuid, u32 sid)
{
- int old = audit_rate_limit;
+ if (audit_enabled) {
+ int old = audit_rate_limit;
- if (sid) {
- char *ctx = NULL;
- u32 len;
- int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
- return rc;
- else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+ int rc;
+ if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ return rc;
+ else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_rate_limit=%d old=%d by auid=%u subj=%s",
- limit, old, loginuid, ctx);
- kfree(ctx);
- } else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "audit_rate_limit=%d old=%d by auid=%u",
- limit, old, loginuid);
+ limit, old, loginuid, ctx);
+ kfree(ctx);
+ } else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "audit_rate_limit=%d old=%d by auid=%u",
+ limit, old, loginuid);
+ }
audit_rate_limit = limit;
return 0;
}
static int audit_set_backlog_limit(int limit, uid_t loginuid, u32 sid)
{
- int old = audit_backlog_limit;
+ if (audit_enabled) {
+ int old = audit_backlog_limit;
- if (sid) {
- char *ctx = NULL;
- u32 len;
- int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
- return rc;
- else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+ int rc;
+ if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ return rc;
+ else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_backlog_limit=%d old=%d by auid=%u subj=%s",
- limit, old, loginuid, ctx);
- kfree(ctx);
- } else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "audit_backlog_limit=%d old=%d by auid=%u",
- limit, old, loginuid);
+ limit, old, loginuid, ctx);
+ kfree(ctx);
+ } else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "audit_backlog_limit=%d old=%d by auid=%u",
+ limit, old, loginuid);
+ }
audit_backlog_limit = limit;
return 0;
}
@@ -289,21 +293,23 @@ static int audit_set_enabled(int state,
if (state != 0 && state != 1)
return -EINVAL;
- if (sid) {
- char *ctx = NULL;
- u32 len;
- int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
- return rc;
- else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ if (audit_enabled || state) {
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+ int rc;
+ if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ return rc;
+ else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_enabled=%d old=%d by auid=%u subj=%s",
- state, old, loginuid, ctx);
- kfree(ctx);
- } else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "audit_enabled=%d old=%d by auid=%u",
- state, old, loginuid);
+ state, old, loginuid, ctx);
+ kfree(ctx);
+ } else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "audit_enabled=%d old=%d by auid=%u",
+ state, old, loginuid);
+ }
audit_enabled = state;
return 0;
}
@@ -317,21 +323,23 @@ static int audit_set_failure(int state,
&& state != AUDIT_FAIL_PANIC)
return -EINVAL;
- if (sid) {
- char *ctx = NULL;
- u32 len;
- int rc;
- if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
- return rc;
- else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ if (audit_enabled) {
+ if (sid) {
+ char *ctx = NULL;
+ u32 len;
+ int rc;
+ if ((rc = selinux_ctxid_to_string(sid, &ctx, &len)))
+ return rc;
+ else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_failure=%d old=%d by auid=%u subj=%s",
- state, old, loginuid, ctx);
- kfree(ctx);
- } else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
- "audit_failure=%d old=%d by auid=%u",
- state, old, loginuid);
+ state, old, loginuid, ctx);
+ kfree(ctx);
+ } else
+ audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
+ "audit_failure=%d old=%d by auid=%u",
+ state, old, loginuid);
+ }
audit_failure = state;
return 0;
}
@@ -536,22 +544,26 @@ static int audit_receive_msg(struct sk_b
if (err < 0) return err;
}
if (status_get->mask & AUDIT_STATUS_PID) {
- int old = audit_pid;
- if (sid) {
- if ((err = selinux_ctxid_to_string(
- sid, &ctx, &len)))
- return err;
- else
+ if (audit_enabled) {
+ int old = audit_pid;
+ if (sid) {
+ if ((err = selinux_ctxid_to_string(
+ sid, &ctx, &len)))
+ return err;
+ else
+ audit_log(NULL, GFP_KERNEL,
+ AUDIT_CONFIG_CHANGE,
+ "audit_pid=%d old=%d by auid=%u subj=%s",
+ status_get->pid, old,
+ loginuid, ctx);
+ kfree(ctx);
+ } else
audit_log(NULL, GFP_KERNEL,
AUDIT_CONFIG_CHANGE,
- "audit_pid=%d old=%d by auid=%u subj=%s",
- status_get->pid, old,
- loginuid, ctx);
- kfree(ctx);
- } else
- audit_log(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE,
"audit_pid=%d old=%d by auid=%u",
- status_get->pid, old, loginuid);
+ status_get->pid, old,
+ loginuid);
+ }
audit_pid = status_get->pid;
}
if (status_get->mask & AUDIT_STATUS_RATE_LIMIT)
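Review bot: Registering a new audit daemon pid is now unrecorded whenever audit_enabled is 0, and unlike audit_set_enabled earlier in this patch (which logs when `audit_enabled || state`) the `if (audit_enabled)` at the top of the AUDIT_STATUS_PID branch makes no exception for the transition from no daemon to a daemon. If auditd registers its pid before the rule set turns auditing on — which is what the boot ordering looks like, though that is not visible here — the later `audit_enabled=1` record will show who enabled auditing but nothing will show which process became the daemon. Consider `if (audit_enabled || status_get->pid) {` so that a process taking over the daemon role while auditing is off is still logged, leaving only the pid=0 unregistration silent; with audit=0 and no daemon nobody sets a pid, so the syslog noise the patch targets does not come back. audit_receive_msg starts and ends outside this hunk.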
diff -urp linux-2.6.18.x86_64.orig/kernel/auditfilter.c linux-2.6.18.x86_64/kernel/auditfilter.c
--- linux-2.6.18.x86_64.orig/kernel/auditfilter.c 2007-03-09 14:08:18.000000000 -0500
+++ linux-2.6.18.x86_64/kernel/auditfilter.c 2007-03-09 14:05:54.000000000 -0500
@@ -95,6 +95,8 @@ extern struct inotify_handle *audit_ih;
/* Inotify events we care about. */
#define AUDIT_IN_WATCH IN_MOVE|IN_CREATE|IN_DELETE|IN_DELETE_SELF|IN_MOVE_SELF
+extern int audit_enabled;
+
void audit_free_parent(struct inotify_watch *i_watch)
{
struct audit_parent *parent;
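Review bot: The file-scope `extern int audit_enabled;` added here is a per-file copy of a declaration that belongs in a shared header; if include/linux/audit.h does not already export it, declare it there once and drop this copy, so every user of the flag is checked against one declaration. A private extern compiles silently even if the definition's type is later changed.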
@@ -897,7 +899,6 @@ static void audit_update_watch(struct au
struct audit_watch *owatch, *nwatch, *nextw;
struct audit_krule *r, *nextr;
struct audit_entry *oentry, *nentry;
- struct audit_buffer *ab;
mutex_lock(&audit_filter_mutex);
list_for_each_entry_safe(owatch, nextw, &parent->watches, wlist) {
@@ -937,13 +938,18 @@ static void audit_update_watch(struct au
call_rcu(&oentry->rcu, audit_free_rule_rcu);
}
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
- audit_log_format(ab, "op=updated rules specifying path=");
- audit_log_untrustedstring(ab, owatch->path);
- audit_log_format(ab, " with dev=%u ino=%lu\n", dev, ino);
- audit_log_format(ab, " list=%d res=1", r->listnr);
- audit_log_end(ab);
-
+ if (audit_enabled) {
+ struct audit_buffer *ab;
+ ab = audit_log_start(NULL, GFP_KERNEL,
+ AUDIT_CONFIG_CHANGE);
+ audit_log_format(ab,
+ "op=updated rules specifying path=");
+ audit_log_untrustedstring(ab, owatch->path);
+ audit_log_format(ab, " with dev=%u ino=%lu\n",
+ dev, ino);
+ audit_log_format(ab, " list=%d res=1", r->listnr);
+ audit_log_end(ab);
+ }
audit_remove_watch(owatch);
goto add_watch_to_parent; /* event applies to a single watch */
}
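Review bot: The re-added format `" with dev=%u ino=%lu\n"` embeds a newline in the middle of a single AUDIT_CONFIG_CHANGE record, since `" list=%d res=1"` is appended right after it; that splits one record across two lines for any line-oriented consumer of the log. Drop the `\n`: `audit_log_format(ab, " with dev=%u ino=%lu", dev, ino);`. Separately, `ab` from audit_log_start is used without a NULL check here, while the audit_log_rule_change hunk of this same patch does check it; audit_log_format tolerates a NULL buffer, but whether audit_log_untrustedstring's hex path does is not visible in this hunk, so guarding the logging calls with `if (ab) { … }` would be safer. audit_update_watch starts before this hunk.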
@@ -962,25 +968,28 @@ static void audit_remove_parent_watches(
struct audit_watch *w, *nextw;
struct audit_krule *r, *nextr;
struct audit_entry *e;
- struct audit_buffer *ab;
mutex_lock(&audit_filter_mutex);
parent->flags |= AUDIT_PARENT_INVALID;
list_for_each_entry_safe(w, nextw, &parent->watches, wlist) {
list_for_each_entry_safe(r, nextr, &w->rules, rlist) {
e = container_of(r, struct audit_entry, rule);
-
- ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
- audit_log_format(ab, "op=remove rule path=");
- audit_log_untrustedstring(ab, w->path);
- if (r->filterkey) {
- audit_log_format(ab, " key=");
- audit_log_untrustedstring(ab, r->filterkey);
- } else
- audit_log_format(ab, " key=(null)");
- audit_log_format(ab, " list=%d res=1", r->listnr);
- audit_log_end(ab);
-
+ if (audit_enabled) {
+ struct audit_buffer *ab;
+ ab = audit_log_start(NULL, GFP_KERNEL,
+ AUDIT_CONFIG_CHANGE);
+ audit_log_format(ab, "op=remove rule path=");
+ audit_log_untrustedstring(ab, w->path);
+ if (r->filterkey) {
+ audit_log_format(ab, " key=");
+ audit_log_untrustedstring(ab,
+ r->filterkey);
+ } else
+ audit_log_format(ab, " key=(null)");
+ audit_log_format(ab, " list=%d res=1",
+ r->listnr);
+ audit_log_end(ab);
+ }
list_del(&r->rlist);
list_del_rcu(&e->list);
call_rcu(&e->rcu, audit_free_rule_rcu);
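Review bot: `ab` returned by audit_log_start is passed straight to audit_log_format and audit_log_untrustedstring in the new block without a NULL check, whereas audit_log_rule_change later in this patch bails out with `if (!ab) return;`. audit_log_start can return NULL (at least on allocation failure), and whether every audit_log_* helper called here tolerates that is not visible in the hunk. Since the rule removal below must still happen, guard only the logging: `ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE); if (ab) { … audit_log_end(ab); }` inside the `if (audit_enabled)` block. audit_remove_parent_watches continues past the end of this hunk.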
@@ -1409,6 +1418,9 @@ static void audit_log_rule_change(uid_t
{
struct audit_buffer *ab;
+ if (!audit_enabled)
+ return;
+
ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_CONFIG_CHANGE);
if (!ab)
return;
How to read audit log?
by Scott Ehrlich
As I've reviewed the audit log of a system with audit 1.5.2 installed, I
discovered the format is something I wasn't used to, and performing a man
on auditd, auditctl, and a few others didn't help clarify anything.
Could someone please produce a sample audit log line or two and break down
what each piece means, or direct me to a web page that does so?
I had initially expected some form of date/time stamp, but I could not work out
how to turn the first set of decimal-separated digits into a date/time.
Thanks for any assistance.
Scott
audit 1.6.2 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit It will also be in rawhide
soon. The Changelog is:
- Add support for searching by posix regular expressions in auparse
- Route DEAMON events into rt interface
- If event pipe is full, try again after doing local logging
- Optionally add node/machine name to records in audit daemon
- Update ausearch/aureport to specify nodes to search on
- Fix segfault interpreting saddr fields in avcs
This release focuses on optionally adding node=name field to audit daemon
logged records. ausearch/report/parse were updated to support this format.
This will allow the originating host to be captured in files if they are
copied to another machine. The reporting fixups are in preparation for remote
logging, where the audit logs are aggregated into one common log. There
were a few self-explanatory bug fixes listed above.
Please let me know if you run across any problems with this release.
-Steve
sudo false negative in audit trails
by Todd, Charles
Greetings,
I'm chasing down a false negative I'm getting in my ausearch output
which makes it look like successful sudo access results in a failed
CRED_ACQ record. Is anyone else seeing this? I'm going to list out my
system specs, but please actually look at a sudo run in your system (if
similar) before writing off my non-standard pieces:
- RHEL4u4 (2.6.9.-42.0.2)
- audit-1.0.15
- quest-sudo-1.6.8p12q76
- pam 0.77-66.17
Command:
# ausearch -m CRED_ACQ |grep sudo |tail -1
type=CRED_ACQ msg=audit(1190207432.508:168552): user pid=13971 uid=0
auid=1110 msg='PAM setcred: user=root exe="/opt/quest/bin/sudo"
(hostname=?, addr=?, terminal=pts/1 result=Permission denied)'
They're all like that. Remember - the sudo actually granted me access
as requested.
/etc/pam.d/sudo looks like this, as generated by quest-sudo:
auth [ignore=ignore success=done default=die] pam_vas3.so create_homedir
account [ignore=ignore success=done default=die] pam_vas3.so
password [ignore=ignore success=done default=die] pam_vas3.so
session [ignore=ignore success=done default=die] pam_vas3.so
create_homedir
For those unfamiliar with Quest's VAS (Vintella Authentication System),
it's basically a commercialized, polished winbindd from Samba 3. They
have open-sourced their changes to the base package (good citizens) as
they are basically kerberizing some of the tools. Sudo was modified to
support treating Active Directory roles as Unix groups (e.g.
DOMAIN\Administrators can run shells, but no one else).
I've reviewed the base sudo package source code and could find no
changelog entries to the part that tells PAM whether or not success was
made. I know that sudo has to tell PAM, and PAM in turn tells auditd, whether or not
VAS authenticated the user; note, though, that the record above is from the setcred
step (msg='PAM setcred: ...'), so the "Permission denied" appears to be pam_setcred's
result rather than the authentication result. Sudo works just fine though - it's only
the auditing which is squirrelly.
Original sudo page that interacts with PAM:
http://www.sudo.ws/cgi-bin/cvsweb/sudo/auth/pam.c?rev=1.43&content-type=
text/x-cvsweb-markup&only_with_tag=SUDO_1_6_8p1
Quests modifications to the same file:
http://rc.quest.com/viewvc/sudo/tags/sudo-1.6.8p12q76/auth/pam.c?revisio
n=77&view=markup
So, I'm not so sure it's in sudo, but perhaps some bug between PAM and
sudo that I don't understand. Can anyone else replicate this?
As for PAM, well, 0.77 is very old, but it's the newest that RedHat has
integrated. RedHat has not posted any PAM changes related to sudo since
my package above. At least RHEL5 is using 0.99.
Thanks for your time,
Charlie Todd
Ball Aerospace & Technologies Corp.
This message and any enclosures are intended only for the addressee. Please
notify the sender by email if you are not the intended recipient. If you are
not the intended recipient, you may not use, copy, disclose, or distribute this
message or its contents or enclosures to any other person and any such actions
may be unlawful. Ball reserves the right to monitor and review all messages
and enclosures sent to or from this email address.
Format of EXECVE
by Matthew Booth
Firstly, on RHEL4 U5, I've noticed that if an argument has spaces in it,
it won't be pretty printed in the EXECVE record. E.g.:
# /bin/echo foo
EXECVE... argv[1]="foo"
# /bin/echo "foo bar"
EXECVE... argv[1]=1234ABCD
Is that a feature?
Secondly, I noticed that the sequence of messages is:
SYSCALL
EXECVE
CWD
PATH
I'm considering expanding argv[0] of EXECVE to be an absolute path.
However, that would mean either buffering things or moving EXECVE after
the PATH record. Would that break any contract, or reasonable
expectations that anyone's aware of?
Thanks,
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
[PATCH]: xfrm audit calls
by Joy Latten
This patch modifies the current ipsec audit layer
by breaking it up into purpose driven audit calls.
So far, the only audit calls made are when add/delete
an SA/policy. It had been discussed to give each
key manager its own calls to do this, but I found
there to be much redundancy since they did the exact
same things, except for how they got auid and sid, so I
combined them. The below audit calls can be made by any
key manager. Hopefully, this is ok.
I compiled and tested with CONFIG_AUDITSYSCALLS on and off.
Regards,
Joy Latten
Signed-off-by: Joy Latten <latten(a)austin.ibm.com>
diff -urpN linux-2.6.22/include/linux/audit.h linux-2.6.22-rc6/include/linux/audit.h
--- linux-2.6.22/include/linux/audit.h 2007-09-11 13:59:49.000000000 -0500
+++ linux-2.6.22-rc6/include/linux/audit.h 2007-09-11 14:10:57.000000000 -0500
@@ -108,10 +108,11 @@
#define AUDIT_MAC_CIPSOV4_DEL 1408 /* NetLabel: del CIPSOv4 DOI entry */
#define AUDIT_MAC_MAP_ADD 1409 /* NetLabel: add LSM domain mapping */
#define AUDIT_MAC_MAP_DEL 1410 /* NetLabel: del LSM domain mapping */
-#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Add a XFRM state */
-#define AUDIT_MAC_IPSEC_DELSA 1412 /* Delete a XFRM state */
-#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Add a XFRM policy */
-#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Delete a XFRM policy */
+#define AUDIT_MAC_IPSEC_ADDSA 1411 /* Not used */
+#define AUDIT_MAC_IPSEC_DELSA 1412 /* Not used */
+#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Not used */
+#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Not used */
+#define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
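Review bot: The four retired type numbers 1411–1414 are kept with a bare `/* Not used */`, which is right since these numbers are part of the userspace ABI, but the comment should say why so that nobody reclaims them later: `/* Not used; retained so the number is never reused */` on each, or one comment above the group. The userspace tooling that maps type numbers to names will presumably also need to learn 1415 for AUDIT_MAC_IPSEC_EVENT before these records render by name; that is outside this patch.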
diff -urpN linux-2.6.22/include/net/xfrm.h linux-2.6.22-rc6/include/net/xfrm.h
--- linux-2.6.22/include/net/xfrm.h 2007-09-11 13:59:49.000000000 -0500
+++ linux-2.6.22-rc6/include/net/xfrm.h 2007-09-11 14:10:57.000000000 -0500
@@ -12,6 +12,7 @@
#include <linux/ipsec.h>
#include <linux/in6.h>
#include <linux/mutex.h>
+#include <linux/audit.h>
#include <net/sock.h>
#include <net/dst.h>
@@ -421,15 +422,46 @@ extern unsigned int xfrm_policy_count[XF
/* Audit Information */
struct xfrm_audit
{
- uid_t loginuid;
+ u32 loginuid;
u32 secid;
};
#ifdef CONFIG_AUDITSYSCALL
-extern void xfrm_audit_log(uid_t auid, u32 secid, int type, int result,
- struct xfrm_policy *xp, struct xfrm_state *x);
+static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid)
+{
+ struct audit_buffer *audit_buf = NULL;
+ char *secctx;
+ u32 secctx_len;
+
+ audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC,
+ AUDIT_MAC_IPSEC_EVENT);
+ if (audit_buf == NULL)
+ return NULL;
+
+ audit_log_format(audit_buf, "auid=%u", auid);
+
+ if (sid != 0 &&
+ security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) {
+ audit_log_format(audit_buf, " subj=%s", secctx);
+ security_release_secctx(secctx, secctx_len);
+ } else
+ audit_log_task_context(audit_buf);
+ return audit_buf;
+}
+
+extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
+ u32 auid, u32 sid);
+extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
+ u32 auid, u32 sid);
+extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
+ u32 auid, u32 sid);
+extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
+ u32 auid, u32 sid);
#else
-#define xfrm_audit_log(a,s,t,r,p,x) do { ; } while (0)
+#define xfrm_audit_policy_add(x, r, a, s) do { ; } while (0)
+#define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0)
+#define xfrm_audit_state_add(x, r, a, s) do { ; } while (0)
+#define xfrm_audit_state_delete(x, r, a, s) do { ; } while (0)
#endif /* CONFIG_AUDITSYSCALL */
static inline void xfrm_pol_hold(struct xfrm_policy *policy)
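Review bot: `xfrm_audit_start(u32 auid, u32 sid)` takes two parameters of the same type in an order a caller can swap without any compiler diagnostic — and the new callers in xfrm_policy.c and xfrm_state.c in this very patch call it as `xfrm_audit_start(sid, auid)`. Beyond fixing those call sites, give the inline a header comment stating the contract: `/* Open an AUDIT_MAC_IPSEC_EVENT record attributed to (auid, sid); sid == 0 falls back to the current task's context. Callers check audit_enabled first and must audit_log_end() the buffer. Argument order is (auid, sid): both are u32, so a swap compiles silently. */`. Alternatively have it take a `const struct xfrm_audit *` so the compiler enforces the pairing; the flush paths already carry one, the netlink and PF_KEY paths would need to build one.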
diff -urpN linux-2.6.22/net/key/af_key.c linux-2.6.22-rc6/net/key/af_key.c
--- linux-2.6.22/net/key/af_key.c 2007-09-11 13:59:52.000000000 -0500
+++ linux-2.6.22-rc6/net/key/af_key.c 2007-09-11 14:10:58.000000000 -0500
@@ -27,7 +27,6 @@
#include <linux/proc_fs.h>
#include <linux/init.h>
#include <net/xfrm.h>
-#include <linux/audit.h>
#include <net/sock.h>
@@ -1461,8 +1460,8 @@ static int pfkey_add(struct sock *sk, st
else
err = xfrm_state_update(x);
- xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+ xfrm_audit_state_add(x, err ? 0 : 1,
+ audit_get_loginuid(current->audit_context), 0);
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
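Review bot: `audit_get_loginuid(current->audit_context)` is still called directly on the new line here, yet the first hunk of this file drops `#include <linux/audit.h>` and relies on net/xfrm.h pulling it in transitively. Keep the direct include in af_key.c (include what you use): if net/xfrm.h later stops including linux/audit.h this file breaks for no local reason. pfkey_add starts before this hunk.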
@@ -1515,8 +1514,8 @@ static int pfkey_delete(struct sock *sk,
c.event = XFRM_MSG_DELSA;
km_state_notify(x, &c);
out:
- xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+ xfrm_audit_state_delete(x, err ? 0 : 1,
+ audit_get_loginuid(current->audit_context), 0);
xfrm_state_put(x);
return err;
@@ -2268,8 +2267,8 @@ static int pfkey_spdadd(struct sock *sk,
err = xfrm_policy_insert(pol->sadb_x_policy_dir-1, xp,
hdr->sadb_msg_type != SADB_X_SPDUPDATE);
- xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_ADDSPD, err ? 0 : 1, xp, NULL);
+ xfrm_audit_policy_add(xp, err ? 0 : 1,
+ audit_get_loginuid(current->audit_context), 0);
if (err)
goto out;
@@ -2352,8 +2351,8 @@ static int pfkey_spddelete(struct sock *
if (xp == NULL)
return -ENOENT;
- xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ xfrm_audit_policy_delete(xp, err ? 0 : 1,
+ audit_get_loginuid(current->audit_context), 0);
if (err)
goto out;
@@ -2613,8 +2612,8 @@ static int pfkey_spdget(struct sock *sk,
return -ENOENT;
if (delete) {
- xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ xfrm_audit_policy_delete(xp, err ? 0 : 1,
+ audit_get_loginuid(current->audit_context), 0);
if (err)
goto out;
diff -urpN linux-2.6.22/net/xfrm/xfrm_policy.c linux-2.6.22-rc6/net/xfrm/xfrm_policy.c
--- linux-2.6.22/net/xfrm/xfrm_policy.c 2007-09-11 13:59:52.000000000 -0500
+++ linux-2.6.22-rc6/net/xfrm/xfrm_policy.c 2007-09-11 14:13:05.000000000 -0500
@@ -23,7 +23,6 @@
#include <linux/netfilter.h>
#include <linux/module.h>
#include <linux/cache.h>
-#include <linux/audit.h>
#include <net/xfrm.h>
#include <net/ip.h>
@@ -850,10 +849,9 @@ xfrm_policy_flush_secctx_check(u8 type,
continue;
err = security_xfrm_policy_delete(pol);
if (err) {
- xfrm_audit_log(audit_info->loginuid,
- audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD, 0,
- pol, NULL);
+ xfrm_audit_policy_delete(pol, 0,
+ audit_info->loginuid,
+ audit_info->secid);
return err;
}
}
@@ -865,10 +863,9 @@ xfrm_policy_flush_secctx_check(u8 type,
continue;
err = security_xfrm_policy_delete(pol);
if (err) {
- xfrm_audit_log(audit_info->loginuid,
- audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD,
- 0, pol, NULL);
+ xfrm_audit_policy_delete(pol, 0,
+ audit_info->loginuid,
+ audit_info->secid);
return err;
}
}
@@ -909,8 +906,8 @@ int xfrm_policy_flush(u8 type, struct xf
hlist_del(&pol->byidx);
write_unlock_bh(&xfrm_policy_lock);
- xfrm_audit_log(audit_info->loginuid, audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD, 1, pol, NULL);
+ xfrm_audit_policy_delete(pol, 1, audit_info->loginuid,
+ audit_info->secid);
xfrm_policy_kill(pol);
killed++;
@@ -930,11 +927,9 @@ int xfrm_policy_flush(u8 type, struct xf
hlist_del(&pol->byidx);
write_unlock_bh(&xfrm_policy_lock);
- xfrm_audit_log(audit_info->loginuid,
- audit_info->secid,
- AUDIT_MAC_IPSEC_DELSPD, 1,
- pol, NULL);
-
+ xfrm_audit_policy_delete(pol, 1,
+ audit_info->loginuid,
+ audit_info->secid);
xfrm_policy_kill(pol);
killed++;
@@ -2150,123 +2145,6 @@ int xfrm_bundle_ok(struct xfrm_policy *p
EXPORT_SYMBOL(xfrm_bundle_ok);
-#ifdef CONFIG_AUDITSYSCALL
-/* Audit addition and deletion of SAs and ipsec policy */
-
-void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
- struct xfrm_policy *xp, struct xfrm_state *x)
-{
-
- char *secctx;
- u32 secctx_len;
- struct xfrm_sec_ctx *sctx = NULL;
- struct audit_buffer *audit_buf;
- int family;
- extern int audit_enabled;
-
- if (audit_enabled == 0)
- return;
-
- BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
- type == AUDIT_MAC_IPSEC_DELSA) && !x);
- BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
- type == AUDIT_MAC_IPSEC_DELSPD) && !xp);
-
- audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
- if (audit_buf == NULL)
- return;
-
- switch(type) {
- case AUDIT_MAC_IPSEC_ADDSA:
- audit_log_format(audit_buf, "SAD add: auid=%u", auid);
- break;
- case AUDIT_MAC_IPSEC_DELSA:
- audit_log_format(audit_buf, "SAD delete: auid=%u", auid);
- break;
- case AUDIT_MAC_IPSEC_ADDSPD:
- audit_log_format(audit_buf, "SPD add: auid=%u", auid);
- break;
- case AUDIT_MAC_IPSEC_DELSPD:
- audit_log_format(audit_buf, "SPD delete: auid=%u", auid);
- break;
- default:
- return;
- }
-
- if (sid != 0 &&
- security_secid_to_secctx(sid, &secctx, &secctx_len) == 0) {
- audit_log_format(audit_buf, " subj=%s", secctx);
- security_release_secctx(secctx, secctx_len);
- } else
- audit_log_task_context(audit_buf);
-
- if (xp) {
- family = xp->selector.family;
- if (xp->security)
- sctx = xp->security;
- } else {
- family = x->props.family;
- if (x->security)
- sctx = x->security;
- }
-
- if (sctx)
- audit_log_format(audit_buf,
- " sec_alg=%u sec_doi=%u sec_obj=%s",
- sctx->ctx_alg, sctx->ctx_doi, sctx->ctx_str);
-
- switch(family) {
- case AF_INET:
- {
- struct in_addr saddr, daddr;
- if (xp) {
- saddr.s_addr = xp->selector.saddr.a4;
- daddr.s_addr = xp->selector.daddr.a4;
- } else {
- saddr.s_addr = x->props.saddr.a4;
- daddr.s_addr = x->id.daddr.a4;
- }
- audit_log_format(audit_buf,
- " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
- NIPQUAD(saddr), NIPQUAD(daddr));
- }
- break;
- case AF_INET6:
- {
- struct in6_addr saddr6, daddr6;
- if (xp) {
- memcpy(&saddr6, xp->selector.saddr.a6,
- sizeof(struct in6_addr));
- memcpy(&daddr6, xp->selector.daddr.a6,
- sizeof(struct in6_addr));
- } else {
- memcpy(&saddr6, x->props.saddr.a6,
- sizeof(struct in6_addr));
- memcpy(&daddr6, x->id.daddr.a6,
- sizeof(struct in6_addr));
- }
- audit_log_format(audit_buf,
- " src=" NIP6_FMT " dst=" NIP6_FMT,
- NIP6(saddr6), NIP6(daddr6));
- }
- break;
- }
-
- if (x)
- audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s",
- (unsigned long)ntohl(x->id.spi),
- (unsigned long)ntohl(x->id.spi),
- x->id.proto == IPPROTO_AH ? "AH" :
- (x->id.proto == IPPROTO_ESP ?
- "ESP" : "IPCOMP"));
-
- audit_log_format(audit_buf, " res=%u", result);
- audit_log_end(audit_buf);
-}
-
-EXPORT_SYMBOL(xfrm_audit_log);
-#endif /* CONFIG_AUDITSYSCALL */
-
int xfrm_policy_register_afinfo(struct xfrm_policy_afinfo *afinfo)
{
int err = 0;
@@ -2412,6 +2290,70 @@ void __init xfrm_init(void)
xfrm_input_init();
}
+#ifdef CONFIG_AUDITSYSCALL
+static inline void xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
+ struct audit_buffer *audit_buf)
+{
+ if (xp->security)
+ audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
+ xp->security->ctx_alg, xp->security->ctx_doi,
+ xp->security->ctx_str);
+
+ switch(xp->selector.family) {
+ case AF_INET:
+ audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
+ NIPQUAD(xp->selector.saddr.a4),
+ NIPQUAD(xp->selector.daddr.a4));
+ break;
+ case AF_INET6:
+ {
+ struct in6_addr saddr6, daddr6;
+
+ memcpy(&saddr6, xp->selector.saddr.a6,
+ sizeof(struct in6_addr));
+ memcpy(&daddr6, xp->selector.daddr.a6,
+ sizeof(struct in6_addr));
+ audit_log_format(audit_buf,
+ " src=" NIP6_FMT " dst=" NIP6_FMT,
+ NIP6(saddr6), NIP6(daddr6));
+ }
+ break;
+ }
+}
+
+void
+xfrm_audit_policy_add(struct xfrm_policy *xp, int result, u32 auid, u32 sid)
+{
+ struct audit_buffer *audit_buf;
+ extern int audit_enabled;
+
+ if (audit_enabled == 0)
+ return;
+ audit_buf = xfrm_audit_start(sid, auid);
+ if (audit_buf == NULL)
+ return;
+ audit_log_format(audit_buf, " op=SPD-add res=%u", result);
+ xfrm_audit_common_policyinfo(xp, audit_buf);
+ audit_log_end(audit_buf);
+}
+
+void
+xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, u32 auid, u32 sid)
+{
+ struct audit_buffer *audit_buf;
+ extern int audit_enabled;
+
+ if (audit_enabled == 0)
+ return;
+ audit_buf = xfrm_audit_start(sid, auid);
+ if (audit_buf == NULL)
+ return;
+ audit_log_format(audit_buf, " op=SPD-delete res=%u", result);
+ xfrm_audit_common_policyinfo(xp, audit_buf);
+ audit_log_end(audit_buf);
+}
+#endif
+
#ifdef CONFIG_XFRM_MIGRATE
static int xfrm_migrate_selector_match(struct xfrm_selector *sel_cmp,
struct xfrm_selector *sel_tgt)
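Review bot: Both new policy helpers call `xfrm_audit_start(sid, auid)` (in xfrm_audit_policy_add and xfrm_audit_policy_delete) while the inline in net/xfrm.h is declared `xfrm_audit_start(u32 auid, u32 sid)`; since both are u32 the swap compiles, but the record will carry the secid as `auid=` and try to resolve the login uid as a security id, so `subj=` will fall back to the task context or be wrong. Change both calls to `xfrm_audit_start(auid, sid)`. The function-local `extern int audit_enabled;` repeated in each helper would be better served by one declaration in a header (or by having xfrm_audit_start perform the audit_enabled check) so the four helpers do not each carry it.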
diff -urpN linux-2.6.22/net/xfrm/xfrm_state.c linux-2.6.22-rc6/net/xfrm/xfrm_state.c
--- linux-2.6.22/net/xfrm/xfrm_state.c 2007-09-11 13:59:52.000000000 -0500
+++ linux-2.6.22-rc6/net/xfrm/xfrm_state.c 2007-09-11 14:12:37.000000000 -0500
@@ -19,7 +19,6 @@
#include <linux/ipsec.h>
#include <linux/module.h>
#include <linux/cache.h>
-#include <linux/audit.h>
#include <asm/uaccess.h>
#include "xfrm_hash.h"
@@ -301,8 +300,8 @@ expired:
if (!err && x->id.spi)
km_state_expired(x, 1, 0);
- xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+ xfrm_audit_state_delete(x, err ? 0 : 1,
+ audit_get_loginuid(current->audit_context), 0);
out:
spin_unlock(&x->lock);
@@ -403,11 +402,9 @@ xfrm_state_flush_secctx_check(u8 proto,
hlist_for_each_entry(x, entry, xfrm_state_bydst+i, bydst) {
if (xfrm_id_proto_match(x->id.proto, proto) &&
(err = security_xfrm_state_delete(x)) != 0) {
- xfrm_audit_log(audit_info->loginuid,
- audit_info->secid,
- AUDIT_MAC_IPSEC_DELSA,
- 0, NULL, x);
-
+ xfrm_audit_state_delete(x, 0,
+ audit_info->loginuid,
+ audit_info->secid);
return err;
}
}
@@ -443,10 +440,9 @@ restart:
spin_unlock_bh(&xfrm_state_lock);
err = xfrm_state_delete(x);
- xfrm_audit_log(audit_info->loginuid,
- audit_info->secid,
- AUDIT_MAC_IPSEC_DELSA,
- err ? 0 : 1, NULL, x);
+ xfrm_audit_state_delete(x, err ? 0 : 1,
+ audit_info->loginuid,
+ audit_info->secid);
xfrm_state_put(x);
spin_lock_bh(&xfrm_state_lock);
@@ -1821,3 +1817,70 @@ void __init xfrm_state_init(void)
INIT_WORK(&xfrm_state_gc_work, xfrm_state_gc_task);
}
+#ifdef CONFIG_AUDITSYSCALL
+static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x,
+ struct audit_buffer *audit_buf)
+{
+ if (x->security)
+ audit_log_format(audit_buf, " sec_alg=%u sec_doi=%u sec_obj=%s",
+ x->security->ctx_alg, x->security->ctx_doi,
+ x->security->ctx_str);
+
+ switch(x->props.family) {
+ case AF_INET:
+ audit_log_format(audit_buf, " src=%u.%u.%u.%u dst=%u.%u.%u.%u",
+ NIPQUAD(x->props.saddr.a4),
+ NIPQUAD(x->id.daddr.a4));
+ break;
+ case AF_INET6:
+ {
+ struct in6_addr saddr6, daddr6;
+
+ memcpy(&saddr6, x->props.saddr.a6,
+ sizeof(struct in6_addr));
+ memcpy(&daddr6, x->id.daddr.a6,
+ sizeof(struct in6_addr));
+ audit_log_format(audit_buf,
+ " src=" NIP6_FMT " dst=" NIP6_FMT,
+ NIP6(saddr6), NIP6(daddr6));
+ }
+ break;
+ }
+}
+
+void
+xfrm_audit_state_add(struct xfrm_state *x, int result, u32 auid, u32 sid)
+{
+ struct audit_buffer *audit_buf;
+ extern int audit_enabled;
+
+ if (audit_enabled == 0)
+ return;
+ audit_buf = xfrm_audit_start(sid, auid);
+ if (audit_buf == NULL)
+ return;
+ audit_log_format(audit_buf, " op=SAD-add res=%u",result);
+ xfrm_audit_common_stateinfo(x, audit_buf);
+ audit_log_format(audit_buf, " spi=%lu(0x%lx)",
+ (unsigned long)x->id.spi, (unsigned long)x->id.spi);
+ audit_log_end(audit_buf);
+}
+
+void
+xfrm_audit_state_delete(struct xfrm_state *x, int result, u32 auid, u32 sid)
+{
+ struct audit_buffer *audit_buf;
+ extern int audit_enabled;
+
+ if (audit_enabled == 0)
+ return;
+ audit_buf = xfrm_audit_start(sid, auid);
+ if (audit_buf == NULL)
+ return;
+ audit_log_format(audit_buf, " op=SAD-delete res=%u",result);
+ xfrm_audit_common_stateinfo(x, audit_buf);
+ audit_log_format(audit_buf, " spi=%lu(0x%lx)",
+ (unsigned long)x->id.spi, (unsigned long)x->id.spi);
+ audit_log_end(audit_buf);
+}
+#endif /* CONFIG_AUDITSYSCALL */
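Review bot: Three things changed in the SA records compared with the removed xfrm_audit_log: `spi=` is now formatted from `x->id.spi` without ntohl(), so it prints in network byte order rather than the host value the old code logged; the `protocol=` (AH/ESP/IPCOMP) field is gone entirely; and both helpers call `xfrm_audit_start(sid, auid)` against an inline declared `(u32 auid, u32 sid)`, so auid and secid are swapped in the record. Moving the spi/protocol line into xfrm_audit_common_stateinfo fixes the first two in one place and keeps add and delete consistent; the swap is a one-token change in each helper. Suggested shape below; xfrm_audit_state_delete needs the same edits.
```c
static inline void xfrm_audit_common_stateinfo(struct xfrm_state *x,
					       struct audit_buffer *audit_buf)
{
	/* … unchanged: sec_* and src/dst address logging … */

	/* x->id.spi is in network byte order; log the host value as
	 * xfrm_audit_log() did, and keep the protocol field it emitted. */
	audit_log_format(audit_buf, " spi=%lu(0x%lx) protocol=%s",
			 (unsigned long)ntohl(x->id.spi),
			 (unsigned long)ntohl(x->id.spi),
			 x->id.proto == IPPROTO_AH ? "AH" :
			 (x->id.proto == IPPROTO_ESP ? "ESP" : "IPCOMP"));
}

void
xfrm_audit_state_add(struct xfrm_state *x, int result, u32 auid, u32 sid)
{
	/* … unchanged: audit_enabled check … */
	audit_buf = xfrm_audit_start(auid, sid);	/* (auid, sid), not (sid, auid) */
	if (audit_buf == NULL)
		return;
	audit_log_format(audit_buf, " op=SAD-add res=%u", result);
	xfrm_audit_common_stateinfo(x, audit_buf);
	audit_log_end(audit_buf);
}
/* … xfrm_audit_state_delete: same two changes … */
```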
diff -urpN linux-2.6.22/net/xfrm/xfrm_user.c linux-2.6.22-rc6/net/xfrm/xfrm_user.c
--- linux-2.6.22/net/xfrm/xfrm_user.c 2007-09-11 13:59:52.000000000 -0500
+++ linux-2.6.22-rc6/net/xfrm/xfrm_user.c 2007-09-11 14:10:58.000000000 -0500
@@ -31,7 +31,6 @@
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
#include <linux/in6.h>
#endif
-#include <linux/audit.h>
static int verify_one_alg(struct rtattr **xfrma, enum xfrm_attr_type_t type)
{
@@ -462,8 +461,8 @@ static int xfrm_add_sa(struct sk_buff *s
else
err = xfrm_state_update(x);
- xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_ADDSA, err ? 0 : 1, NULL, x);
+ xfrm_audit_state_add(x, err ? 0 : 1, NETLINK_CB(skb).loginuid,
+ NETLINK_CB(skb).sid);
if (err < 0) {
x->km.state = XFRM_STATE_DEAD;
@@ -545,8 +544,8 @@ static int xfrm_del_sa(struct sk_buff *s
km_state_notify(x, &c);
out:
- xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSA, err ? 0 : 1, NULL, x);
+ xfrm_audit_state_delete(x, err ? 0 : 1, NETLINK_CB(skb).loginuid,
+ NETLINK_CB(skb).sid);
xfrm_state_put(x);
return err;
}
@@ -1155,8 +1154,8 @@ static int xfrm_add_policy(struct sk_buf
* a type XFRM_MSG_UPDPOLICY - JHS */
excl = nlh->nlmsg_type == XFRM_MSG_NEWPOLICY;
err = xfrm_policy_insert(p->dir, xp, excl);
- xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ xfrm_audit_policy_add(xp, err ? 0 : 1, NETLINK_CB(skb).loginuid,
+ NETLINK_CB(skb).sid);
if (err) {
security_xfrm_policy_free(xp);
@@ -1401,8 +1400,9 @@ static int xfrm_get_policy(struct sk_buf
MSG_DONTWAIT);
}
} else {
- xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+ xfrm_audit_policy_delete(xp, err ? 0 : 1,
+ NETLINK_CB(skb).loginuid,
+ NETLINK_CB(skb).sid);
if (err != 0)
goto out;
@@ -1650,8 +1650,8 @@ static int xfrm_add_pol_expire(struct sk
err = 0;
if (up->hard) {
xfrm_policy_delete(xp, p->dir);
- xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSPD, 1, xp, NULL);
+ xfrm_audit_policy_delete(xp, 1, NETLINK_CB(skb).loginuid,
+ NETLINK_CB(skb).sid);
} else {
// reset the timers here?
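Review bot: On the hard-expire path the audit record is emitted with the result fixed at `1` while the return value of `xfrm_policy_delete(xp, p->dir)` on the line above is discarded, so a failed deletion is still logged as `res=1`; the same pattern is in the xfrm_add_sa_expire hunk below, where `__xfrm_state_delete(x)` is called and `xfrm_audit_state_delete(x, 1, ...)` follows. If those helpers report failure through their return value (I believe both return int in this tree, but that is outside the hunk), the record should reflect it, e.g. `int ret = xfrm_policy_delete(xp, p->dir);` followed by `xfrm_audit_policy_delete(xp, ret ? 0 : 1, NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid);`, and likewise for the SA case. Keeping `err` untouched preserves the value returned to userspace, which this path sets to 0 beforehand. The enclosing function starts and ends outside the hunk.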
@@ -1686,8 +1686,8 @@ static int xfrm_add_sa_expire(struct sk_
if (ue->hard) {
__xfrm_state_delete(x);
- xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
- AUDIT_MAC_IPSEC_DELSA, 1, NULL, x);
+ xfrm_audit_state_delete(x, 1, NETLINK_CB(skb).loginuid,
+ NETLINK_CB(skb).sid);
}
err = 0;
out:
Expanding PATH records to be absolute paths
by Matthew Booth
As I mentioned in my austream email, I need to be able to rewrite
outgoing PATH records to have absolute paths. I can obviously do this
from scratch, and if there's no better way then this is what I will do.
However, I'm aware that work has gone on in the userspace message
parsing area, and I'd like to avoid reinventing the wheel. I have a few
constraints, though:
* Must work on libraries shipped with RHEL 4.5
If necessary, I will import bits of code from later versions into
austream, however I'm not prepared to require updating from the shipped
audit-libs. If I need to do this, how can I minimise maintenance pain?
Maybe separate parsing libraries into a separate package and depend on
it?
* Must work on a stream
I don't write anything to disk. It must work on messages as read from
the audit netlink socket.
* It must be fast
I need to remain sure that I can put the tool into a performance
critical environment with confidence that I won't kill it.
If I were going to do this from scratch, I'd cache CWD records and
rewrite PATH records on the way through. I don't believe any other
record requires this. AVC paths are already absolute, and I don't think
there are any other paths. Is this right?
Thanks,
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
Announcing austream
by Matthew Booth
austream is a utility to stream audit logs to a remote host via syslog.
Its features are:
* Works on both auditd and laus (on laus it's a dispatcher)
* Messages sent immediately off-node
* Sends syslog packets directly, without going through syslogd
* Very low overhead, even at extreme volume (8,000 events/sec)
Tested platforms are RHEL 4 U4+ and RHEL 3 U8+.
There are a few caveats, though. Foremost is the fact that it's not a
dispatcher: it replaces auditd. This is because, to date, development
has been tightly focused on a single set of requirements.
It's still under development. Some bigger items on my todo list are:
* Message inspection to turn PATH records into absolute paths
* Limited output buffering
* Option to run as a dispatcher
* Host it somewhere
The git repository is available at git://heisenbug.com/austream.git.
Please have a look. Patches welcome.
To build:
./configure TARGET=(laus|auditd)
make
or
make rpm
If you build the auditd rpm, when it installs it will add itself
to /etc/inittab. Make sure you configure the destination
in /etc/sysconfig/austream before doing 'telinit q'.
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
Re: Integrity auditing
by Steve Grubb
On Wednesday 05 September 2007 09:46:06 Mimi Zohar wrote:
> On Wed, 2007-07-18 at 08:05 -0700, Steve G wrote:
> > MRPP places some requirements on integrity checking. Maybe it tells you
> > more information about what's required. More info:
> >
> > http://www.niap-ccevs.org/cc-scheme/pp/pp.cfm?id=PP_OS_ML_MR2.0_V1.91
This ^^^ spells out some requirements for INTEGRITY checks.
> > Might ought to be an integrity audit record type rather than avc. This
> > way aureport can separate it out for its summary report. In
> > /usr/include/linux/audit.h is this note:
> >
> > * 1800 - 1999 future kernel use (maybe integrity labels and related
> > events)
> >
> > So, we could assign the 1800 block to kernel integrity checking. I think
> > we'd need information access decision, creation, modification, and
> > deletion of integrity information/labels. We also probably need the
> > ability to audit by integrity, too. For a detailed audit discussion, I'd
> > recommend linux-audit mail list or at least cc'ing it
>
> I would assume that the integrity label would be managed by the LIM
> provider itself. In which case, does it make sense to audit the LIM
> provider's creation, modification or deletion of the integrity label stored
> as an xattr?
Yes. That is required per section FMT_MSA.1(4), assuming this hardware
assisted integrity checking code needs to go through any kind of
certification.
> IMA, a LIM provider, implements integrity_measure, which does not require
> an integrity label. It is, however, important to log/audit PCR invalidation
> errors. I propose adding the following audit numbers for integrity.
>
> Add to audit.h:
> #define AUDIT_INTEGRITY 1800 /* Integrity verify success/failure */
> #define AUDIT_INTEGRITY_ERR 1801 /* Internal integrity errors */
> #define AUDIT_INTEGRITY_PCR 1802 /* PCR invalidation errors */
What about configuration changes to it? Can you select the hash algorithm
used? What about enable/disable of checking? Does this integrity scheme cover
only objects or does it also cover subjects? What does a typical integrity
label look like? Is there anything like a mass relabel after installation?
Are there any self-tests for the hardware or keys stored within it?
> Add to integrity.h:
> void integrity_audit(char *function, const unsigned char *fname, char *cause);
> void integrity_audit_pcr(const unsigned char *fname, char *cause);
> void integrity_audit_err(char *cause);
Actually, it would be nice to see the messages being generated to see if they
have everything needed and that they conform to audit system specs.
Thanks,
-Steve