linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* integrity: audit
@ 2009-02-06 12:43 Mimi Zohar
  2009-02-06 15:01 ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: Mimi Zohar @ 2009-02-06 12:43 UTC (permalink / raw)
  To: Steve Grubb, Linux Audit; +Cc: linux-kernel, James Morris

integrity: audit

This patch adds support to auditd for integrity messages, which are 
issued as a result of the integrity patchset that was applied to the 
security-testing-2.6/#next tree.

Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

Index: audit-1.7.11/src/ausearch-parse.c
===================================================================
--- audit-1.7.11.orig/src/ausearch-parse.c
+++ audit-1.7.11/src/ausearch-parse.c
@@ -49,6 +49,7 @@ static int parse_login(const lnode *n, s
 static int parse_daemon(const lnode *n, search_items *s);
 static int parse_sockaddr(const lnode *n, search_items *s);
 static int parse_avc(const lnode *n, search_items *s);
+static int parse_integrity(const lnode *n, search_items *s);
 static int parse_kernel_anom(const lnode *n, search_items *s);
 static int parse_simple_message(const lnode *n, search_items *s);
 static int parse_tty(const lnode *n, search_items *s);
@@ -123,6 +124,9 @@ int extract_search_items(llist *l)
 			case AUDIT_MAC_POLICY_LOAD...AUDIT_MAC_UNLBL_STCDEL:
 				ret = parse_simple_message(n, s);
 				break;
+			case AUDIT_INTEGRITY_DATA...AUDIT_INTEGRITY_PCR:
+				ret = parse_integrity(n, s);
+				break;
 			case AUDIT_KERNEL:
 			case AUDIT_IPC:
 			case AUDIT_SELINUX_ERR:
@@ -1150,6 +1154,105 @@ static int parse_sockaddr(const lnode *n
 	return 0;
 }
 
+
+static int parse_integrity(const lnode *n, search_items *s)
+{
+	char *ptr, *str, *term;
+	int rc=0;
+
+	term = n->message;
+	// get integrity:
+	str = strstr(term, "integrity: ");
+	if (str) {
+		ptr = str + 11;
+	}
+
+	// get pid
+	str = strstr(term, "pid=");
+	if (str) {
+		ptr = str + 4;
+		term = strchr(ptr, ' ');
+		if (term == NULL)
+			return 2;
+		*term = 0;
+		errno = 0;
+		s->pid = strtoul(ptr, NULL, 10);
+		if (errno)
+			return 3;
+		*term = ' ';
+	}
+
+	// get uid
+	str = strstr(term, " uid=");
+	if (str) {
+		ptr = str + 4;
+		term = strchr(ptr, ' ');
+		if (term == NULL)
+			return 4;
+		*term = 0;
+		errno = 0;
+		s->uid = strtoul(ptr, NULL, 10);
+		if (errno)
+			return 5;
+		*term = ' ';
+	}
+
+	// get loginuid
+	str = strstr(n->message, "auid=");
+	if (str) {
+		ptr = str + 5;
+		term = strchr(ptr, ' ');
+		if (term == NULL)
+			return 6;
+		*term = 0;
+		errno = 0;
+		s->loginuid = strtoul(ptr, NULL, 10);
+		if (errno)
+			return 7;
+		*term = ' ';
+	}
+
+	str = strstr(term, "comm=");
+	if (str) {
+		str += 5;
+		if (*str == '"') {
+			str++;
+			term = strchr(str, '"');
+			if (term == NULL)
+				return 8;
+			*term = 0;
+			s->comm = strdup(str);
+			*term = '"';
+		} else
+			s->comm = unescape(str);
+	}
+
+	str = strstr(term, " name=");
+	if (str) {
+		str += 6;
+		if (common_path_parser(s, str))
+			return 9;
+	}
+
+	// and results (usually last)
+	str = strstr(term, "res=");
+	if (str != NULL) {
+		ptr = str + 4;
+		term = strchr(ptr, ' ');
+		if (term)
+			*term = 0;
+		errno = 0;
+		s->success = strtoul(ptr, NULL, 10);
+		if (errno)
+			return 10;
+		if (term)
+			*term = ' ';
+	}
+
+	return 0;
+}
+
+
 /* FIXME: If they are in permissive mode or hit an auditallow, there can 
  * be more that 1 avc in the same syscall. For now, we pickup just the first.
  */
Index: audit-1.7.11/lib/libaudit.h
===================================================================
--- audit-1.7.11.orig/lib/libaudit.h
+++ audit-1.7.11/lib/libaudit.h
@@ -174,6 +174,11 @@ extern "C" {
 #ifndef AUDIT_ANOM_ABEND
 #define AUDIT_ANOM_ABEND		1701 /* Process ended abnormally */
 #endif
+#define AUDIT_INTEGRITY_DATA	    1800 /* Data integrity verification */
+#define AUDIT_INTEGRITY_METADATA    1801 /* Metadata integrity verification */
+#define AUDIT_INTEGRITY_STATUS	    1802 /* Integrity enable status */
+#define AUDIT_INTEGRITY_HASH	    1803 /* Integrity HASH type */
+#define AUDIT_INTEGRITY_PCR	    1804 /* PCR invalidation msgs */
 #define AUDIT_FIRST_ANOM_MSG		2100
 #define AUDIT_LAST_ANOM_MSG		2199
 #define AUDIT_ANOM_LOGIN_FAILURES	2100 // Failed login limit reached
Index: audit-1.7.11/lib/msg_typetab.h
===================================================================
--- audit-1.7.11.orig/lib/msg_typetab.h
+++ audit-1.7.11/lib/msg_typetab.h
@@ -122,6 +122,12 @@ _S(AUDIT_MAC_UNLBL_STCADD,           "MA
 _S(AUDIT_MAC_UNLBL_STCDEL,           "MAC_UNLBL_STCDEL"              )
 _S(AUDIT_ANOM_PROMISCUOUS,           "ANOM_PROMISCUOUS"              )
 _S(AUDIT_ANOM_ABEND,                 "ANOM_ABEND"                    )
+_S(AUDIT_INTEGRITY_DATA,             "INTEGRITY_DATA"                )
+_S(AUDIT_INTEGRITY_METADATA,         "INTEGRITY_METADATA"            )
+_S(AUDIT_INTEGRITY_STATUS,           "INTEGRITY_STATUS"              )
+_S(AUDIT_INTEGRITY_HASH,             "INTEGRITY_HASH"                )
+_S(AUDIT_INTEGRITY_PCR,              "INTEGRITY_PCR"                 )
+
 #ifdef WITH_APPARMOR
 _S(AUDIT_AA,                         "APPARMOR"                      )
 _S(AUDIT_APPARMOR_AUDIT,             "APPARMOR_AUDIT"                )
Index: audit-1.7.11/system-config-audit/src/lists.py
===================================================================
--- audit-1.7.11.orig/system-config-audit/src/lists.py
+++ audit-1.7.11/system-config-audit/src/lists.py
@@ -160,6 +160,11 @@ audit.AUDIT_LAST_KERN_ANOM_MSG,
 audit.AUDIT_ANOM_PROMISCUOUS,
 audit.AUDIT_ANOM_ABEND,
 audit.AUDIT_KERNEL,
+audit.AUDIT_INTEGRITY_DATA,
+audit.AUDIT_INTEGRITY_METADATA,
+audit.AUDIT_INTEGRITY_STATUS,
+audit.AUDIT_INTEGRITY_HASH,
+audit.AUDIT_INTEGRITY_PCR,
 )
 
 # From code in src/auditctl.c
Index: audit-1.7.11/lib/netlink.c
===================================================================
--- audit-1.7.11.orig/lib/netlink.c
+++ audit-1.7.11/lib/netlink.c
@@ -182,7 +182,8 @@ static int adjust_reply(struct audit_rep
 		case AUDIT_FIRST_USER_MSG...AUDIT_LAST_USER_MSG:
 		case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
 		case AUDIT_FIRST_EVENT...AUDIT_LAST_KERN_ANOM_MSG:
-			rep->message = NLMSG_DATA(rep->nlh); 
+		case AUDIT_INTEGRITY_DATA...AUDIT_INTEGRITY_PCR:
+			rep->message = NLMSG_DATA(rep->nlh);
 			break;
 		case AUDIT_SIGNAL_INFO:
 			rep->signal_info = NLMSG_DATA(rep->nlh);



^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: integrity: audit
  2009-02-06 12:43 integrity: audit Mimi Zohar
@ 2009-02-06 15:01 ` Steve Grubb
  2009-02-06 16:15   ` Mimi Zohar
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2009-02-06 15:01 UTC (permalink / raw)
  To: Mimi Zohar; +Cc: Linux Audit, linux-kernel, James Morris

On Friday 06 February 2009 07:43:50 am Mimi Zohar wrote:
> This patch adds support to auditd for integrity messages, which are
> issued as a result of the integrity patchset that was applied to the
> security-testing-2.6/#next tree.
>
> Signed-off-by: Mimi Zohar <zohar@us.ibm.com>

NACK to anything around this. So far, no integrity patches have been reviewed 
by the audit folks.

-Steve

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: integrity: audit
  2009-02-06 15:01 ` Steve Grubb
@ 2009-02-06 16:15   ` Mimi Zohar
  2009-02-06 16:33     ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: Mimi Zohar @ 2009-02-06 16:15 UTC (permalink / raw)
  To: Steve Grubb
  Cc: Linux Audit, linux-kernel, Andrew Morton, James Morris,
	David Safford, Serge Hallyn

On Fri, 2009-02-06 at 10:01 -0500, Steve Grubb wrote:
> On Friday 06 February 2009 07:43:50 am Mimi Zohar wrote:
> > This patch adds support to auditd for integrity messages, which are
> > issued as a result of the integrity patchset that was applied to the
> > security-testing-2.6/#next tree.
> >
> > Signed-off-by: Mimi Zohar <zohar@us.ibm.com>
> 
> NACK to anything around this. So far, no integrity patches have been reviewed 
> by the audit folks.
> 
> -Steve

The integrity auditing discussions took place a while ago in August 2007
(http://osdir.com/ml/linux.redhat.security.audit/2007-09/msg00007.html).
The integrity patches are in security-testing-2.6/#next and the auditd
patch I just posted to linux-audit. How do you suggest we go forward?

Thanks!

Mimi


^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: integrity: audit
  2009-02-06 16:15   ` Mimi Zohar
@ 2009-02-06 16:33     ` Steve Grubb
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2009-02-06 16:33 UTC (permalink / raw)
  To: Mimi Zohar
  Cc: Linux Audit, linux-kernel, Andrew Morton, James Morris,
	David Safford, Serge Hallyn

On Friday 06 February 2009 11:15:14 am Mimi Zohar wrote:
> The integrity auditing discussions took place a while ago in August 2007
> (http://osdir.com/ml/linux.redhat.security.audit/2007-09/msg00007.html).

Thanks for the refresh. Its been so long, I forgot about this. :)  Re-reading 
the thread, we never had closure on the audit event format.


> The integrity patches are in security-testing-2.6/#next and the auditd
> patch I just posted to linux-audit. How do you suggest we go forward?

We need to go over the event format and make sure its got everything we need 
in it. We also need to review the code that touches the audit system and make 
sure its using the audit API the way we intended. I'd like to do this on the 
linux-audit mail list so there is a record of it in the audit archives.

Thanks,
-Steve

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2009-02-06 16:34 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2009-02-06 12:43 integrity: audit Mimi Zohar
2009-02-06 15:01 ` Steve Grubb
2009-02-06 16:15   ` Mimi Zohar
2009-02-06 16:33     ` Steve Grubb

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).