1:58 p.m.
On Tue, 22 Feb 2005 13:24:34 -0500, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
On Tue, 2005-02-22 at 10:42 -0600, Timothy R. Chavez wrote:
> - Hooks in vfs_read/write/unlink (please look closely here). The rule
> of thumb I went off of is: I can call my hook iff I have an inode and
> I'm NOT hooking lookup_hash *nudge Stephen* :)
<snip>
> Three hooks for dynamically assigning watches:
> d_splice_alias, d_move, d_instantiate
>
> Five hooks for dynamically adding watches to our context:
> permission, exec_permission_lite, vfs_read, vfs_write, vfs_unlink
Why do you hook vfs_read/vfs_write when you have a hook in permission?
If you are trying to audit actual reads and writes, then there are other
cases to consider, e.g. do_sendfile(), plus fun with AIO. Much easier
if you can just stay with auditing open(2) calls via your permission(9)
hook.
I've only done this because I was under the assumption that every
syscall that can access a watched file system object in some fashion
should be able to generate records. I see what you're saying though,
Stephen. And admitedly, I am also being a little redundant in that
the original code can already provide us with the read() and write()
exit code and the file/directory being read from/written to. However,
if we want to specifically monitor activity in the filesystem
surrounding watched objects, then wouldn't these hooks in read(),
write(), etc be vital? Klaus? How else will we know if a read() or
write() trully succeeded or failed on a watched filesystem object?
If we just rely on the open(), however, we cut out the read/write
hooks, plus whatever else would need be added.
Perhaps there's enough information in just an open(). The record will
give us the filesystem object information, plus it will tell us which
permission was used (READ/WRITE/EXEC/APPEND) provided it allows for
that permission in the mask and the exit code of the open(). However,
will the exit code necessarily be a reflection of a permission
failure?
There is a known race with respect to d_instantiate and file creation,
but it needs to be resolved anyway for SELinux, so I think you can
proceed under the assumption that it will be fixed. Alternatively, you
would need to move your hook call prior to the setting of d_inode in the
dentry and pass in the inode separately to your hook.
Ah yes, I remembering you talking about this earlier. I'll keep this
in mind and work under the assumption that this will be fixed for the
time being.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
--
- Timothy R. Chavez
1:58 p.m.
New subject: [RFC][PATCH] (#4) auditfs
On Tue, Feb 22, 2005 at 01:58:42PM -0600, Timothy R. Chavez wrote:
And admitedly, I am also being a little redundant in that
the original code can already provide us with the read() and write()
exit code and the file/directory being read from/written to. However,
if we want to specifically monitor activity in the filesystem
surrounding watched objects, then wouldn't these hooks in read(),
write(), etc be vital? Klaus? How else will we know if a read() or
write() trully succeeded or failed on a watched filesystem object?
read() and write() aren't considered security relevant operations since
they don't do any permission checks. From the CC point of view the
interesting call is open(), and if that's properly handled it's enough.
In most real-world scenarios you probably won't want to be auditing read
and write operations individually anyway.
Perhaps there's enough information in just an open(). The record
will
give us the filesystem object information, plus it will tell us which
permission was used (READ/WRITE/EXEC/APPEND) provided it allows for
that permission in the mask and the exit code of the open(). However,
will the exit code necessarily be a reflection of a permission
failure?
The only CAPP requirement is to record success/failure, you'll actually
get a bit more if you audit the errno as reported by the kernel, that way
permission failures should get EACCES as opposed to ENOENT or other error
conditions.
-Klaus
2:02 p.m.
New subject: [RFC][PATCH] (#4) auditfs
* Klaus Weidner (klaus(a)atsec.com) wrote:
On Tue, Feb 22, 2005 at 01:58:42PM -0600, Timothy R. Chavez wrote:
> And admitedly, I am also being a little redundant in that
> the original code can already provide us with the read() and write()
> exit code and the file/directory being read from/written to. However,
> if we want to specifically monitor activity in the filesystem
> surrounding watched objects, then wouldn't these hooks in read(),
> write(), etc be vital? Klaus? How else will we know if a read() or
> write() trully succeeded or failed on a watched filesystem object?
read() and write() aren't considered security relevant operations since
they don't do any permission checks. From the CC point of view the
interesting call is open(), and if that's properly handled it's enough.
Does this potentially change with LSPP? Since LSM (SELinux as an
example) does actually check read/write?
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
3:47 p.m.
New subject: [RFC][PATCH] (#4) auditfs
On Wed, 2005-02-23 at 13:58 -0600, Klaus Weidner wrote:
On Tue, Feb 22, 2005 at 01:58:42PM -0600, Timothy R. Chavez wrote:
read() and write() aren't considered security relevant operations since
they don't do any permission checks. From the CC point of view the
interesting call is open(), and if that's properly handled it's enough.
In most real-world scenarios you probably won't want to be auditing read
and write operations individually anyway.
Agree with Klaus here. Although there are conceptually a few areas where
read & write auditing could be useful, practically, you're swamped with
so much useless data, that finding the useful information in amongst all
the other stuff is so much of a challenge that it's not worth turning
on.
Examples of possible positives:
* User accessed /etc/passwd in write mode... but did they actually
CHANGE it?
* Bandwidth hog needs to be identified, so look for bulk reads and
writes on network sockets.
.. but there are other ways of effectively getting the same information,
with much less system and administrator overhead (eg: tripwire, tcpdump)
- so I wouldn't recommend adding this in.
L.
--
Leigh Purdie, Director - InterSect Alliance Pty Ltd
http://www.intersectalliance.com/
5:26 p.m.
New subject: [RFC][PATCH] (#4) auditfs
On Wed, 23 Feb 2005 13:58:57 -0600, Klaus Weidner <klaus(a)atsec.com> wrote:
On Tue, Feb 22, 2005 at 01:58:42PM -0600, Timothy R. Chavez wrote:
> And admitedly, I am also being a little redundant in that
> the original code can already provide us with the read() and write()
> exit code and the file/directory being read from/written to. However,
> if we want to specifically monitor activity in the filesystem
> surrounding watched objects, then wouldn't these hooks in read(),
> write(), etc be vital? Klaus? How else will we know if a read() or
> write() trully succeeded or failed on a watched filesystem object?
read() and write() aren't considered security relevant operations since
they don't do any permission checks. From the CC point of view the
interesting call is open(), and if that's properly handled it's enough.
In most real-world scenarios you probably won't want to be auditing read
and write operations individually anyway.
> Perhaps there's enough information in just an open(). The record will
> give us the filesystem object information, plus it will tell us which
> permission was used (READ/WRITE/EXEC/APPEND) provided it allows for
> that permission in the mask and the exit code of the open(). However,
> will the exit code necessarily be a reflection of a permission
> failure?
The only CAPP requirement is to record success/failure, you'll actually
get a bit more if you audit the errno as reported by the kernel, that way
permission failures should get EACCES as opposed to ENOENT or other error
conditions.
-Klaus
Ok, great. I've removed the hooks. I can also get away with taking
the hooks out of unlink right because I should be hitting permission()
in access(), before I do the unlink()?
--
- Timothy R. Chavez
5:40 p.m.
New subject: [RFC][PATCH] (#4) auditfs
On Wed, 23 Feb 2005 17:26:44 -0600, Timothy R. Chavez <chavezt(a)gmail.com> wrote:
<snip>
Ok, great. I've removed the hooks. I can also get away with
taking
the hooks out of unlink right because I should be hitting permission()
in access(), before I do the unlink()?
--
- Timothy R. Chavez
Of course, to get information about unlink() via access, I have to be
auditing access(). But that's cake.
--
- Timothy R. Chavez
9:06 a.m.
New subject: [RFC][PATCH] (#4) auditfs
On Wed, 2005-02-23 at 17:26 -0600, Timothy R. Chavez wrote:
Ok, great. I've removed the hooks. I can also get away with
taking
the hooks out of unlink right because I should be hitting permission()
in access(), before I do the unlink()?
Not sure what you mean by access() - do you mean permission()?
In any event, you still need a hook in vfs_unlink() if you want to catch
the actual victim inode, as that isn't passed to any permission() call.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
10:32 a.m.
New subject: [RFC][PATCH] (#4) auditfs
On Thu, 24 Feb 2005 10:06:00 -0500, Stephen Smalley <sds(a)tycho.nsa.gov> wrote:
On Wed, 2005-02-23 at 17:26 -0600, Timothy R. Chavez wrote:
> Ok, great. I've removed the hooks. I can also get away with taking
> the hooks out of unlink right because I should be hitting permission()
> in access(), before I do the unlink()?
Not sure what you mean by access() - do you mean permission()?
In any event, you still need a hook in vfs_unlink() if you want to catch
the actual victim inode, as that isn't passed to any permission() call.
Right. My mistake. I was naively going off strace. Thanks.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
--
- Timothy R. Chavez
12:13 p.m.
New subject: [RFC][PATCH] (#4) auditfs
Just a heads up.
I've come across several glaring bugs (such as creating a cache with
the wrong struct sizing), a couple bugs in audit_watch(), etc. I've
also reduced redundant code and made some of my helper functions
tighter. I'll be releasing an intermediary patch that has all these
changes, including the elimination of whitespaces and other bogus
information in the patch. I hope this patch will pretty much be patch
#5 without the remaining feature to list all the watch points
currently in the FS.
On a similar note,
I'd like to start getting feedback on linux-fsdevel with a CC directly
to Al Viro about the design itself. What do you all think of this
approach? Or perhaps I should bring it directly to LKML? Should I
wait until the intermediary patch #5 is completed and tested before I
start any dialog? I personally think overlapping the two would be
fine. The reason I think this is because the first major stumbling
block has nothing to do with the implementation itself, but the design
and all the philosophy and politics surrounding it. As soon as I
mention "filesystem auditing" I've noticed that people get antsy and
immediately try to beat it down like a pianta made out of software
patents J/K. Thus I feel a large part of this endeveour is going to
revolve around explanation. Do you agree? I'd appreciate some
feedback.
--
- Timothy R. Chavez
12:31 p.m.
New subject: [RFC][PATCH] (#4) auditfs
On Thu, 2005-02-24 at 12:13 -0600, Timothy R. Chavez wrote:
I'd like to start getting feedback on linux-fsdevel with a CC
directly
to Al Viro about the design itself. What do you all think of this
approach? Or perhaps I should bring it directly to LKML? Should I
wait until the intermediary patch #5 is completed and tested before I
start any dialog? I personally think overlapping the two would be
fine. The reason I think this is because the first major stumbling
block has nothing to do with the implementation itself, but the design
and all the philosophy and politics surrounding it. As soon as I
mention "filesystem auditing" I've noticed that people get antsy and
immediately try to beat it down like a pianta made out of software
patents J/K. Thus I feel a large part of this endeveour is going to
revolve around explanation. Do you agree? I'd appreciate some
feedback.
I think taking it to linux-fsdevel soon is a good idea, but not before
you have code that you can show to demonstrate concretely what you are
trying to achieve, i.e. I'd wait until you have a fixed up version of
your patch. And you'll need a clear description of what your real goals
are, e.g. what events do we truly need to be able to enable object
identity-based auditing for? Seems to be some confusion on this point,
e.g. the discussion on read/write vs. open, unlink hook, etc.
--
Stephen Smalley <sds(a)tycho.nsa.gov>
National Security Agency
12:39 p.m.
New subject: [RFC][PATCH] (#4) auditfs
* Timothy R. Chavez (chavezt(a)gmail.com) wrote:
Just a heads up.
I've come across several glaring bugs (such as creating a cache with
the wrong struct sizing), a couple bugs in audit_watch(), etc. I've
also reduced redundant code and made some of my helper functions
tighter. I'll be releasing an intermediary patch that has all these
changes, including the elimination of whitespaces and other bogus
information in the patch. I hope this patch will pretty much be patch
#5 without the remaining feature to list all the watch points
currently in the FS.
On a similar note,
I'd like to start getting feedback on linux-fsdevel with a CC directly
to Al Viro about the design itself. What do you all think of this
approach? Or perhaps I should bring it directly to LKML? Should I
wait until the intermediary patch #5 is completed and tested before I
start any dialog? I personally think overlapping the two would be
fine. The reason I think this is because the first major stumbling
block has nothing to do with the implementation itself, but the design
and all the philosophy and politics surrounding it. As soon as I
mention "filesystem auditing" I've noticed that people get antsy and
immediately try to beat it down like a pianta made out of software
patents J/K. Thus I feel a large part of this endeveour is going to
revolve around explanation. Do you agree? I'd appreciate some
feedback.
I'd not submit something with known glaring issues, so whether it's
the fixed #4 (intermdiary or whatever), or #5, at least make sure it's
as clean as possible. I'd also make sure that locking is correct, and
that you've cared for refcounting things properly in the case of umount,
for example (IOW, look out for the things that inotify got wrong).
Perhaps one thing that would help is a succinct explanation of why
inotify is insufficient, because with dnotify being marginal functional
yet merged, inotify being worked on and this, all overlapping, the
obvious questions will be around consolidating work. In fact, something
that clearly states the requirements would be a good starting point.
Sorry I haven't had much time to review this lately ;-(
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
1:33 p.m.
New subject: [RFC][PATCH] (#4) auditfs
On Thu, 24 Feb 2005 10:39:59 -0800, Chris Wright <chrisw(a)osdl.org> wrote:
<snip>
I'd not submit something with known glaring issues, so whether
it's
the fixed #4 (intermdiary or whatever), or #5, at least make sure it's
as clean as possible. I'd also make sure that locking is correct, and
that you've cared for refcounting things properly in the case of umount,
for example (IOW, look out for the things that inotify got wrong).
Perhaps one thing that would help is a succinct explanation of why
inotify is insufficient, because with dnotify being marginal functional
yet merged, inotify being worked on and this, all overlapping, the
obvious questions will be around consolidating work. In fact, something
that clearly states the requirements would be a good starting point.
Sorry I haven't had much time to review this lately ;-(
Right. So I'll hold off on the last feature and just continue with
what I'm currently doing. I'll also spend some time writing an
abstract that incorporates your's and Stephen's suggestions. I'll
submit the patch and abstract for review to linux-audit. Thanks
thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
--
- Timothy R. Chavez
8:33 a.m.
New subject: [RFC][PATCH] (#4) auditfs
On Thu, 2005-02-24 at 12:13 -0600, Timothy R. Chavez wrote:
I'd like to start getting feedback on linux-fsdevel with a CC
directly
to Al Viro about the design itself. What do you all think of this
approach? Or perhaps I should bring it directly to LKML? Should I
wait until the intermediary patch #5 is completed and tested before I
start any dialog? I personally think overlapping the two would be
fine. The reason I think this is because the first major stumbling
block has nothing to do with the implementation itself, but the design
and all the philosophy and politics surrounding it. As soon as I
mention "filesystem auditing" I've noticed that people get antsy and
immediately try to beat it down like a pianta made out of software
patents J/K. Thus I feel a large part of this endeveour is going to
revolve around explanation. Do you agree? I'd appreciate some
feedback.
I agree. Take it to linux-fsdevel. Outline the design and the reason for
it, and show that you're keeping it as unintrusive as it can be.
I don't think you have to have a complete and perfect implementation
before you do so, as long as you don't present your patch as such.
There's not a lot of point in completely finishing it before we show
anything, if we're going to have to make significant changes.
--
dwmw2
10:06 a.m.
New subject: [RFC][PATCH] (#4) auditfs
Mounir Bsaibes
Linux Security
Tel: (512) 838-1301
Cell: (512) 762-9957
Fax: (512) 838-8858
e-mail: bsaibes(a)us.ibm.com
linux-audit-bounces(a)redhat.com wrote on 02/25/2005 08:33:01 AM:
On Thu, 2005-02-24 at 12:13 -0600, Timothy R. Chavez wrote:
>I'd like to start getting feedback on linux-fsdevel with a CC directly
>to Al Viro about the design itself. What do you all think of this
>approach? Or perhaps I should bring it directly to LKML? Should I
>wait until the intermediary patch #5 is completed and tested before I
>start any dialog? I personally think overlapping the two would be
>fine. The reason I think this is because the first major stumbling
>block has nothing to do with the implementation itself, but the design
>and all the philosophy and politics surrounding it. As soon as I
>mention "filesystem auditing" I've noticed that people get antsy and
>immediately try to beat it down like a pianta made out of software
>patents J/K. Thus I feel a large part of this endeveour is going to
>revolve around explanation. Do you agree? I'd appreciate some
>feedback.
I agree. Take it to linux-fsdevel. Outline the design and the reason for
it, and show that you're keeping it as unintrusive as it can be.
I don't think you have to have a complete and perfect implementation
before you do so, as long as you don't present your patch as such.
There's not a lot of point in completely finishing it before we show
anything, if we're going to have to make significant changes.
I agree that you don't have to have the perfect implementation before you
present it.
I also agree that a good word about the design and how unintrusive it is
will go a
long way. However, I think it may be better to complete the intermediary
patch #5 first.
So you will be available to answer any concern and not be overwhelmed. (my
2 cents)
--
dwmw2
--
Linux-audit mailing list
Linux-audit(a)redhat.com
http://www.redhat.com/mailman/listinfo/linux-audit
7239
days inactive
7242
days old
linux-audit@lists.linux-audit.osci.io
13 comments
7 participants
participants (7)
-
Chris Wright -
David Woodhouse -
Klaus Weidner -
Leigh Purdie -
Mounir Bsaibes -
Stephen Smalley -
Timothy R. Chavez