List: selinux
Subject: Re: [RFC]integrity: SELinux patch
From: Mimi Zohar <zohar () linux ! vnet ! ibm ! com>
Date: 2007-09-04 20:46:50
Message-ID: 1188938810.5595.5.camel () localhost ! localdomain
On Wed, 2007-07-18 at 08:05 -0700, Steve G wrote:
>
> >> No, it isn't being audited, but should be. The question is what type of audit
>
> >> message would be appropriate here. It could be the normal denied/granted
> >> message, but that would be confusing as this isn't based on a permission or
> >> capability check, but an integrity error. Any suggestions how to handle this
> >> here and in the other places?
>
> MRPP places some requirements on integrity checking. Maybe it tells you more
> information about what's required. More info:
>
> http://www.niap-ccevs.org/cc-scheme/pp/pp.cfm?id=PP_OS_ML_MR2.0_V1.91
>
> >If integrity is being enforced, then the final AVC denial should include
> >information that it was because of an integrity failure.
>
> Might ought to be an integrity audit record type rather than avc. This way
> aureport can separate it out for its summary report. In
> /usr/include/linux/audit.h is this note:
>
> * 1800 - 1999 future kernel use (maybe integrity labels and related events)
>
> So, we could assign the 1800 block to kernel integrity checking. I think we'd
> need information access decision, creation, modification, and deletion of
> integrity information/labels. We also probably need the ability to audit by
> integrity, too. For a detailed audit discussion, I'd recommend linux-audit mail
> list or at least cc'ing it
As a first take, the "integrity: API, hooks, placement and dummy provider" patch
posted on Aug. 28th adds the following integrity auditing support.
Added to audit.h:
#define AUDIT_INTEGRITY 1800 /* Integrity verify success/failure */
#define AUDIT_INTEGRITY_ERR 1801 /* Internal integrity errors */
#define AUDIT_INTEGRITY_PCR 1802 /* PCR invalidation errors */
Added to integrity.h:
void integrity_audit(char *function, const unsigned char *fname, char *cause);
void integrity_audit_pcr(const unsigned char *fname, char *cause);
void integrity_audit_err(char *cause);
These functions are defined in security/integrity_audit.c.
Based on Stephen's request, I've removed the kernel integrity logging in
the selinux integrity patch. I've added audit calls to IMA, which log PCR
violations. The integrity_audit() calls would be made from a LIM provider
that implements integrity_verify_metadata() and integrity_verify_data().
Mimi Zohar
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
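The message above lists the three new record types (1800-1802) and the integrity_audit*() prototypes but does not show what a record looks like on the wire. The following is an added example, not code from the patch, from IMA or from anyone on this thread: a userspace C rendering of the three record types that follows the kernel audit log conventions (the `type=NAME msg=audit(sec.msec:serial):` prefix and key=value fields). The field names `op=`, `cause=`, `name=` and `res=` are assumptions chosen for illustration, as are the type names INTEGRITY, INTEGRITY_ERR and INTEGRITY_PCR; the one security-relevant detail it does reproduce is the kernel rule for untrusted strings such as filenames, which are quoted when clean and hex-encoded when they contain a quote, anything below 0x21 (space and control characters) or anything above 0x7e, so a hostile filename cannot inject a fake record or break aureport parsing.

```c
#include <stdio.h>
#include <string.h>

/* Record types exactly as added to audit.h in the patch quoted above. */
#define AUDIT_INTEGRITY     1800 /* Integrity verify success/failure */
#define AUDIT_INTEGRITY_ERR 1801 /* Internal integrity errors */
#define AUDIT_INTEGRITY_PCR 1802 /* PCR invalidation errors */

/* Same test the kernel applies before logging an untrusted string:
 * a double quote, anything below 0x21 or anything above 0x7e means
 * the string must be hex-encoded rather than quoted. */
static int needs_hex(const unsigned char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (s[i] == '"' || s[i] < 0x21 || s[i] > 0x7e)
            return 1;
    return 0;
}

/* Append an untrusted string (a filename) to the record: quoted if it is
 * clean, otherwise as uppercase hex with no quotes, so newlines, spaces and
 * quotes in the name can never appear literally in the log line. */
static void append_untrusted(char *out, size_t outsz, const unsigned char *s)
{
    size_t len = strlen((const char *)s);
    size_t used = strlen(out);

    if (!needs_hex(s, len)) {
        snprintf(out + used, outsz - used, "\"%s\"", (const char *)s);
        return;
    }
    for (size_t i = 0; i < len && used + 2 < outsz; i++, used += 2)
        snprintf(out + used, outsz - used, "%02X", s[i]);
}

/* Build one integrity audit record into out. The layout (op=, cause=, name=,
 * res=) is an assumed illustration of what an integrity_audit() caller might
 * emit; 'function' and 'cause' come from kernel code and are trusted, 'fname'
 * is untrusted and goes through append_untrusted(). Returns 0 on success,
 * -1 if type is not one of the three integrity record types. */
int format_integrity_record(char *out, size_t outsz, int type,
                            unsigned long sec, unsigned long msec,
                            unsigned serial, const char *function,
                            const unsigned char *fname, const char *cause,
                            int success)
{
    const char *name;
    size_t used;

    switch (type) {
    case AUDIT_INTEGRITY:     name = "INTEGRITY";     break;
    case AUDIT_INTEGRITY_ERR: name = "INTEGRITY_ERR"; break;
    case AUDIT_INTEGRITY_PCR: name = "INTEGRITY_PCR"; break;
    default:                  return -1;
    }

    snprintf(out, outsz, "type=%s msg=audit(%lu.%03lu:%u): integrity: op=%s cause=%s name=",
             name, sec, msec, serial, function, cause);
    append_untrusted(out, outsz, fname);
    used = strlen(out);
    snprintf(out + used, outsz - used, " res=%d", success);
    return 0;
}

int main(void)
{
    char buf[256];
    /* Constructed sample inputs: a clean name and a name carrying a
     * newline plus a forged "type=" field. */
    format_integrity_record(buf, sizeof buf, AUDIT_INTEGRITY, 1188938810UL, 0UL, 1U,
                            "integrity_verify_data",
                            (const unsigned char *)"/bin/ls", "hash_mismatch", 0);
    puts(buf);
    format_integrity_record(buf, sizeof buf, AUDIT_INTEGRITY_PCR, 1188938810UL, 5UL, 2U,
                            "pcr_extend",
                            (const unsigned char *)"x\ntype=USER_LOGIN", "pcr_invalidated", 0);
    puts(buf);
    return 0;
}
```

Because the three types share the 1800 block, a report tool can classify any record with 1800 <= type <= 1999 as integrity without knowing the individual names, which is the separation Steve G asks for above; the hex rule is what keeps that classification trustworthy when the filename is attacker-controlled.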