
List:       selinux
Subject:    Re: [RFC]integrity: SELinux patch
From:       Mimi Zohar <zohar () linux ! vnet ! ibm ! com>
Date:       2007-09-04 20:46:50
Message-ID: 1188938810.5595.5.camel () localhost ! localdomain

On Wed, 2007-07-18 at 08:05 -0700, Steve G wrote:
> >> No, it isn't being audited, but should be.  The question is what type of audit
> >> message would be appropriate here.  It could be the normal denied/granted
> >> message, but that would be confusing as this isn't based on a permission or
> >> capability check, but an integrity error.  Any suggestions how to handle this
> >> here and in the other places?
> 
> MRPP places some requirements on integrity checking. Maybe it tells you more
> information about what's required. More info:
> 
> http://www.niap-ccevs.org/cc-scheme/pp/pp.cfm?id=PP_OS_ML_MR2.0_V1.91
>
> >If integrity is being enforced, then the final AVC denial should include 
> >information that it was because of an integrity failure.
> 
> Might ought to be an integrity audit record type rather than avc. This way
> aureport can separate it out for its summary report. In
> /usr/include/linux/audit.h is this note:
> 
>  * 1800 - 1999 future kernel use (maybe integrity labels and related events)
> 
> So, we could assign the 1800 block to kernel integrity checking. I think we'd
> need information access decision, creation, modification, and deletion of
> integrity information/labels. We also probably need the ability to audit by
> integrity, too. For a detailed audit discussion, I'd recommend the linux-audit mail
> list, or at least cc'ing it.

As a first take, the "integrity: API, hooks, placement and dummy provider" patch
posted on Aug. 28th adds the following integrity auditing support.

Added to audit.h:
#define AUDIT_INTEGRITY         1800    /* Integrity verify success/failure */
#define AUDIT_INTEGRITY_ERR     1801    /* Internal integrity errors */
#define AUDIT_INTEGRITY_PCR     1802    /* PCR invalidation errors */

Added to integrity.h:
void integrity_audit(char *function, const unsigned char *fname, char *cause);
void integrity_audit_pcr(const unsigned char *fname, char *cause);
void integrity_audit_err(char *cause);

These functions are defined in security/integrity_audit.c.

Based on Stephen's request, I've removed the kernel integrity logging in 
the selinux integrity patch. I've added audit calls to IMA, which log PCR 
violations.  The integrity_audit() calls would be made from a LIM provider 
that implements integrity_verify_metadata() and integrity_verify_data().

Mimi Zohar
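The point of giving integrity events their own record types in the 1800 block, rather than reusing AVC records, is that a reporting tool can separate them without parsing the message text. The following userspace C model, added here as an illustration and not code from the message or from the integrity patch, uses the three AUDIT_INTEGRITY constants quoted above together with AUDIT_AVC (1400 in linux/audit.h). The function names (is_integrity_type, format_integrity_record, record_type, summarize), the key=value field layout of the formatted record, and the sample log lines with numeric type fields are all constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Record types quoted from the integrity patch (1800 block reserved in linux/audit.h). */
#define AUDIT_INTEGRITY         1800    /* Integrity verify success/failure */
#define AUDIT_INTEGRITY_ERR     1801    /* Internal integrity errors */
#define AUDIT_INTEGRITY_PCR     1802    /* PCR invalidation errors */
/* SELinux access-vector record type from linux/audit.h, for contrast. */
#define AUDIT_AVC               1400

/* Return 1 if a record type falls inside the 1800-1999 block reserved for integrity. */
int is_integrity_type(int type)
{
    return type >= 1800 && type <= 1999;
}

/* Userspace stand-in for integrity_audit(): render one record in key=value form.
 * The field layout (op=, cause=, name=, res=) is an assumption for this example.
 * Returns the number of characters written, or -1 if buf is too small. */
int format_integrity_record(char *buf, size_t len, int type, const char *function,
                            const char *fname, const char *cause)
{
    int res = strcmp(cause, "success") == 0 ? 1 : 0;
    int n = snprintf(buf, len, "type=%d op=%s cause=%s name=\"%s\" res=%d",
                     type, function, cause, fname ? fname : "?", res);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* Extract the numeric record type from a "type=NNNN ..." line; -1 if absent. */
int record_type(const char *line)
{
    const char *p = strstr(line, "type=");
    if (!p)
        return -1;
    char *end;
    long v = strtol(p + 5, &end, 10);
    if (end == p + 5)
        return -1;
    return (int)v;
}

/* Per-type counts, the way a summary report can split integrity from AVC events. */
struct summary {
    int avc, integrity, integrity_err, integrity_pcr, other;
};

struct summary summarize(const char *const *lines, size_t n)
{
    struct summary s = {0, 0, 0, 0, 0};
    for (size_t i = 0; i < n; i++) {
        switch (record_type(lines[i])) {
        case AUDIT_AVC:           s.avc++;           break;
        case AUDIT_INTEGRITY:     s.integrity++;     break;
        case AUDIT_INTEGRITY_ERR: s.integrity_err++; break;
        case AUDIT_INTEGRITY_PCR: s.integrity_pcr++; break;
        default:                  s.other++;         break;
        }
    }
    return s;
}

/* Constructed sample audit lines; numeric type fields are used for simplicity. */
static const char *const sample_log[] = {
    "type=1400 audit(0.0:1): avc:  denied  { read } for pid=1234 comm=\"cat\" name=\"shadow\"",
    "type=1800 audit(0.0:2): integrity: op=integrity_verify_data cause=invalid-hash name=\"/bin/ls\" res=0",
    "type=1802 audit(0.0:3): integrity: op=pcr cause=invalid_pcr name=\"/bin/ls\" res=0",
    "type=1801 audit(0.0:4): integrity: cause=out_of_memory res=0",
    "type=1800 audit(0.0:5): integrity: op=integrity_verify_metadata cause=success name=\"/bin/ls\" res=1",
};
#define SAMPLE_LOG_LEN (sizeof(sample_log) / sizeof(sample_log[0]))

int main(void)
{
    char buf[256];
    if (format_integrity_record(buf, sizeof buf, AUDIT_INTEGRITY,
                                "integrity_verify_data", "/bin/ls", "invalid-hash") > 0)
        printf("%s\n", buf);

    struct summary s = summarize(sample_log, SAMPLE_LOG_LEN);
    printf("avc=%d integrity=%d integrity_err=%d integrity_pcr=%d other=%d\n",
           s.avc, s.integrity, s.integrity_err, s.integrity_pcr, s.other);
    return 0;
}
```

With the constructed input the summary separates one AVC record from four integrity records (two verify results, one internal error, one PCR invalidation), which is the separation a dedicated record type buys over tagging the reason inside an AVC denial.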
