From: Kees Cook <keescook@chromium.org>
To: Steve Grubb <sgrubb@redhat.com>
Cc: "Paul Moore" <paul@paul-moore.com>,
linux-kernel@vger.kernel.org,
"Jérémie Galarneau" <jeremie.galarneau@efficios.com>,
s.mesoraca16@gmail.com, viro@zeniv.linux.org.uk,
dan.carpenter@oracle.com, akpm@linux-foundation.org,
"Mathieu Desnoyers" <mathieu.desnoyers@efficios.com>,
kernel-hardening@lists.openwall.com, linux-audit@redhat.com,
"Linus Torvalds" <torvalds@linux-foundation.org>
Subject: Re: [PATCH] audit: Report suspicious O_CREAT usage
Date: Mon, 30 Sep 2019 11:29:01 -0700 [thread overview]
Message-ID: <201909301128.5951C390@keescook> (raw)
In-Reply-To: <2065829.xbNJnTdZ4q@x2>
On Mon, Sep 30, 2019 at 09:50:00AM -0400, Steve Grubb wrote:
> On Thursday, September 26, 2019 11:31:32 AM EDT Paul Moore wrote:
> > On Wed, Sep 25, 2019 at 5:02 PM Kees Cook <keescook@chromium.org> wrote:
> > > This renames the very specific audit_log_link_denied() to
> > > audit_log_path_denied() and adds the AUDIT_* type as an argument. This
> > > allows for the creation of the new AUDIT_ANOM_CREAT that can be used to
> > > report the fifo/regular file creation restrictions that were introduced
> > > in commit 30aba6656f61 ("namei: allow restricted O_CREAT of FIFOs and
> > > regular files"). Without this change, discovering that the restriction
> > > is enabled can be very challenging:
> > > https://lore.kernel.org/lkml/CA+jJMxvkqjXHy3DnV5MVhFTL2RUhg0WQ-XVFW3ngDQO
> > > dkFq0PA@mail.gmail.com
> > >
> > > Reported-by: Jérémie Galarneau <jeremie.galarneau@efficios.com>
> > > Signed-off-by: Kees Cook <keescook@chromium.org>
> > > ---
> > > This is not a complete fix because reporting was broken in commit
> > > 15564ff0a16e ("audit: make ANOM_LINK obey audit_enabled and
> > > audit_dummy_context")
> > > which specifically goes against the intention of these records: they
> > > should _always_ be reported. If auditing isn't enabled, they should be
> > > ratelimited.
> > >
> > > Instead of using audit, should this just go back to using
> > > pr_ratelimited()?
> >
> > I'm going to ignore the rename and other aspects of this patch for the
> > moment so we can focus on the topic of if/when/how these records
> > should be emitted by the kernel.
> >
> > Unfortunately, people tend to get very upset if audit emits *any*
> > records when they haven't explicitly enabled audit, the significance
> > of the record doesn't seem to matter, which is why you see patches
> > like 15564ff0a16e ("audit: make ANOM_LINK obey audit_enabled and
> > audit_dummy_context"). We could consider converting some records to
> > printk()s, rate-limited or not, but we need to balance this with the
> > various security certifications which audit was created to satisfy.
> > In some cases a printk() isn't sufficient.
> >
> > Steve is probably the only one who really keeps track of the various
> > auditing requirements of the different security certifications; what
> > say you Steve on this issue with ANOM_CREAT records?
>
> Common Criteria and other security standards I track do not call out for
> anomoly detection. So, there are no requirements on this. That said, we do
> have other anomaly detections because they give early warning that something
> strange is happening. I think adding this event is a nice improvement as long
> as it obeys audit_enabled before emitting an event - for example, look at the
> AUDIT_ANOM_ABEND event.
Okay, so the patch is good as-is? (The "report things always" issue I
will deal with separately. For now I'd just like to gain this anomaly
detection corner case...)
Paul, what do you see as next steps here?
--
Kees Cook
next prev parent reply other threads:[~2019-09-30 18:29 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-25 21:02 [PATCH] audit: Report suspicious O_CREAT usage Kees Cook
2019-09-25 21:40 ` kbuild test robot
2019-09-25 22:02 ` kbuild test robot
2019-09-25 23:14 ` Kees Cook
2019-09-26 15:31 ` Paul Moore
2019-09-30 13:50 ` Steve Grubb
2019-09-30 18:29 ` Kees Cook [this message]
2019-10-01 5:31 ` Paul Moore
2019-10-01 5:37 ` Paul Moore
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=201909301128.5951C390@keescook \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=dan.carpenter@oracle.com \
--cc=jeremie.galarneau@efficios.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mathieu.desnoyers@efficios.com \
--cc=paul@paul-moore.com \
--cc=s.mesoraca16@gmail.com \
--cc=sgrubb@redhat.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).