linux-audit.redhat.com archive mirror
 help / color / mirror / Atom feed
* Re: [PATCH v7 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr
       [not found] <20210811114037.201887-1-simon.thoby@viveris.fr>
@ 2021-08-11 19:40 ` Mimi Zohar
  2021-08-11 23:53   ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Mimi Zohar @ 2021-08-11 19:40 UTC (permalink / raw)
  To: THOBY Simon, dmitry.kasatkin, linux-integrity, BARVAUX Didier; +Cc: linux-audit

[Cc'ing linux-audit]

Hi Simon,

On Wed, 2021-08-11 at 11:40 +0000, THOBY Simon wrote:

Other than the two questions on " IMA: add a policy option to restrict
xattr hash algorithms on appraisal" patch, the patch set is looking
good.

thanks,

Mimi

> Here is also a short description of the new audit messages, but I can
> send it in a followup mail if that is not the proper place:
> 
> When writing the xattr with an algorithm not built in the kernel (here the
> kernel was built with CONFIG_CRYPTO_MD5 unset), e.g. with
> "evmctl ima_hash -a md5 /usr/bin/strace":
> 	audit(1628066120.418:121): pid=1344 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=set_data cause=unavailable-hash-algorithm comm="evmctl" name="/usr/bin/strace" dev="dm-0" ino=2632657 res=0 errno=0
> 
> With the same command and the policy rule
> "appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512", we get:
> 	audit(1628066210.141:127): pid=1362 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=set_data cause=denied-hash-algorithm comm="evmctl" name="/usr/bin/strace" dev="dm-0" ino=2632657 res=0 errno=0
> 
> Note that the cause is now 'denied-hash-algorithm' instead of
> 'unavailable-hash-algorithm'. We get that audit message for any algorithm
> outside of sha256/384/512 (including algorithms not compiled in the kernel
> like MD5). In a sense, 'denied-hash-algorithm' takes predecence over
> 'unavailable-hash-algorithm'.
> 
> When appraising files, e.g. trying to execute a file whose xattr was hashed
> with sha1 while the policy rule
> "appraise func=BPRM_CHECK fowner=0 appraise_algos=sha256" is enabled:
> 	audit(1628066349.230:130): pid=1369 uid=0 auid=0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=collect_data cause=denied-hash-algorithm comm="bash" name="/usr/bin/strace" dev="dm-0" ino=2632657 res=0 errno=0
> 
> 
> This series is based on the following repo/branch:
>  repo: https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.git
>  branch: next-integrity-testing
>  commit e37be5343ae2b9419aea1442b07e5d2428b437b4 ("Merge branch 'ima-buffer-measurement-changes-v4' into next-integrity")


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH v7 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr
  2021-08-11 19:40 ` [PATCH v7 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr Mimi Zohar
@ 2021-08-11 23:53   ` Steve Grubb
  2021-08-12  0:17     ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2021-08-11 23:53 UTC (permalink / raw)
  To: linux-integrity, linux-audit, Mimi Zohar
  Cc: dmitry.kasatkin, BARVAUX Didier, THOBY Simon

Hello,

On Wednesday, August 11, 2021 3:40:51 PM EDT Mimi Zohar wrote:
> On Wed, 2021-08-11 at 11:40 +0000, THOBY Simon wrote:
> Other than the two questions on " IMA: add a policy option to restrict
> xattr hash algorithms on appraisal" patch, the patch set is looking
> good.
> 
> thanks,
> 
> Mimi
> 
> > Here is also a short description of the new audit messages, but I can
> > send it in a followup mail if that is not the proper place:
> > 
> > When writing the xattr with an algorithm not built in the kernel (here
> > the
> > kernel was built with CONFIG_CRYPTO_MD5 unset), e.g. with
> > 
> > "evmctl ima_hash -a md5 /usr/bin/strace":
> > 	audit(1628066120.418:121): pid=1344 uid=0 auid=0 ses=1
> > 	subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=set_data
> > 	cause=unavailable-hash-algorithm comm="evmctl" name="/usr/bin/strace"
> > 	dev="dm-0" ino=2632657 res=0 errno=0> 

Is this audit event accurate? I seem to be seeing name=value=value. I'm 
hoping this is a copy/paste/mail client issue.

-Steve


> > With the same command and the policy rule
> > 
> > "appraise func=SETXATTR_CHECK appraise_algos=sha256,sha384,sha512", we 
get:
> > 	audit(1628066210.141:127): pid=1362 uid=0 auid=0 ses=1
> > 	subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=set_data
> > 	cause=denied-hash-algorithm comm="evmctl" name="/usr/bin/strace"
> > 	dev="dm-0" ino=2632657 res=0 errno=0> 
> > Note that the cause is now 'denied-hash-algorithm' instead of
> > 'unavailable-hash-algorithm'. We get that audit message for any algorithm
> > outside of sha256/384/512 (including algorithms not compiled in the
> > kernel
> > like MD5). In a sense, 'denied-hash-algorithm' takes predecence over
> > 'unavailable-hash-algorithm'.
> > 
> > When appraising files, e.g. trying to execute a file whose xattr was
> > hashed with sha1 while the policy rule
> > 
> > "appraise func=BPRM_CHECK fowner=0 appraise_algos=sha256" is enabled:
> > 	audit(1628066349.230:130): pid=1369 uid=0 auid=0 ses=1
> > 	subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > 	op=collect_data cause=denied-hash-algorithm comm="bash"
> > 	name="/usr/bin/strace" dev="dm-0" ino=2632657 res=0 errno=0> 
> > This series is based on the following repo/branch:
> >  repo:
> >  https://git.kernel.org/pub/scm/linux/kernel/git/zohar/linux-integrity.g
> >  it branch: next-integrity-testing
> >  commit e37be5343ae2b9419aea1442b07e5d2428b437b4 ("Merge branch
> >  'ima-buffer-measurement-changes-v4' into next-integrity")
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://listman.redhat.com/mailman/listinfo/linux-audit




--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH v7 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr
  2021-08-11 23:53   ` Steve Grubb
@ 2021-08-12  0:17     ` Steve Grubb
  0 siblings, 0 replies; 3+ messages in thread
From: Steve Grubb @ 2021-08-12  0:17 UTC (permalink / raw)
  To: linux-integrity, linux-audit, Mimi Zohar
  Cc: dmitry.kasatkin, BARVAUX Didier, THOBY Simon

Hello,

On Wednesday, August 11, 2021 7:53:15 PM EDT Steve Grubb wrote:
> On Wednesday, August 11, 2021 3:40:51 PM EDT Mimi Zohar wrote:
> > On Wed, 2021-08-11 at 11:40 +0000, THOBY Simon wrote:
> > Other than the two questions on " IMA: add a policy option to restrict
> > xattr hash algorithms on appraisal" patch, the patch set is looking
> > good.
> > 
> > thanks,
> > 
> > Mimi
> > 
> > > Here is also a short description of the new audit messages, but I can
> > > send it in a followup mail if that is not the proper place:
> > > 
> > > When writing the xattr with an algorithm not built in the kernel (here
> > > the kernel was built with CONFIG_CRYPTO_MD5 unset), e.g. with
> > > 
> > > "evmctl ima_hash -a md5 /usr/bin/strace":
> > > 	audit(1628066120.418:121): pid=1344 uid=0 auid=0 ses=1
> > > 	subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=set_data
> > > 	cause=unavailable-hash-algorithm comm="evmctl" name="/usr/bin/
strace"
> > > 	dev="dm-0" ino=2632657 res=0 errno=0>
> 
> Is this audit event accurate? I seem to be seeing name=value=value. I'm
> hoping this is a copy/paste/mail client issue.

Sorry for the noise...I see there is a space in there.

-Steve


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-08-12  0:20 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <20210811114037.201887-1-simon.thoby@viveris.fr>
2021-08-11 19:40 ` [PATCH v7 0/5] IMA: restrict the accepted digest algorithms for the security.ima xattr Mimi Zohar
2021-08-11 23:53   ` Steve Grubb
2021-08-12  0:17     ` Steve Grubb

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).