From: THOBY Simon <Simon.THOBY@viveris.fr>
To: J Freyensee <why2jjj.linux@gmail.com>,
Igor Zhbanov <i.zhbanov@omp.ru>,
linux-integrity <linux-integrity@vger.kernel.org>,
linux-security-module <linux-security-module@vger.kernel.org>
Cc: Igor Zhbanov <izh1979@gmail.com>, Mimi Zohar <zohar@linux.ibm.com>
Subject: Re: [PATCH 1/1] NAX LSM: Add initial support support
Date: Thu, 12 Aug 2021 14:47:08 +0000 [thread overview]
Message-ID: <335a7571-be4b-c56a-dfdc-15673410c8d7@viveris.fr> (raw)
In-Reply-To: <98408368-119a-b00c-97eb-8ea9fd1d5244@gmail.com>
On 8/10/21 6:52 AM, J Freyensee wrote:
[snip]
>> Have you considered writing to the audit log instead of the kernel messages directly?
>> (not saying that this is necessarily better, but is there a reasoning to prefer one or
>> the other here? Audit logs are often consumed by automated tools and it may be more pratical
>> for people to detect and treat violations if the messages were pushed to the audit log
>> - but conversely, that requires defining and maintaining a stable log format for consumers)
>
> It's a good idea to writing to the audit log, HOWEVER I'd want to know
> what all the rest of the LSMs are doing in a case like this. If all of
> them just write kernel messages, I'd want this module to also write just
> kernel messages for consistency sake for use with say, log harvesters
> for a SIEM/XDR system solution.
Right, after taking a quick look through the SafeSetID, YAMA and the future BRUTE
LSM, it looks like they all use pr_warn/pr_notice. Only the MACs seem to make use of
the audit log, so you can forget what I said about writing to the audit log, this
shouldn't be necessary, and is probably a bad idea for consistency, as Jay said.
Simon
>
> Just in general I like the thought of this LSM. I used to work for a
> security company in which their cloud "watched" situations where
> mmap()/mprotect() would use anonymous executable pages for possible
> "dodgy" behavior.
>
> Jay
>
next prev parent reply other threads:[~2021-08-12 14:47 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-07 1:03 [PATCH 1/1] NAX LSM: Add initial support support Igor Zhbanov
2021-07-28 10:19 ` THOBY Simon
2021-08-10 4:52 ` J Freyensee
2021-08-12 14:47 ` THOBY Simon [this message]
2021-08-12 16:43 ` Igor Zhbanov
2021-08-13 8:08 ` THOBY Simon
2021-08-14 13:39 ` Igor Zhbanov
2021-08-16 7:39 ` THOBY Simon
2021-08-12 20:24 ` Igor Zhbanov
2021-08-13 7:47 ` THOBY Simon
2021-08-13 8:05 ` Igor Zhbanov
2021-08-13 8:23 ` THOBY Simon
2021-08-13 20:10 ` Igor Zhbanov
2021-08-16 7:31 ` THOBY Simon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=335a7571-be4b-c56a-dfdc-15673410c8d7@viveris.fr \
--to=simon.thoby@viveris.fr \
--cc=i.zhbanov@omp.ru \
--cc=izh1979@gmail.com \
--cc=linux-integrity@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=why2jjj.linux@gmail.com \
--cc=zohar@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).