Re: [PATCH ghak25 v3 3/3] audit: add subj creds to NETFILTER_CFG record to cover async unregister

From: Richard Guy Briggs
Date: Tue Apr 21 2020 - 14:54:44 EST


On 2020-04-21 11:15, Steve Grubb wrote:
> On Friday, April 17, 2020 5:53:47 PM EDT Paul Moore wrote:
> > On Wed, Mar 18, 2020 at 5:33 PM Richard Guy Briggs <rgb@xxxxxxxxxx> wrote:
> > > On 2020-03-18 17:22, Paul Moore wrote:
> > > > On Wed, Mar 18, 2020 at 9:12 AM Richard Guy Briggs <rgb@xxxxxxxxxx>
> wrote:
> > > > > On 2020-03-17 17:30, Richard Guy Briggs wrote:
> > > > > > Some table unregister actions seem to be initiated by the kernel to
> > > > > > garbage collect unused tables that are not initiated by any
> > > > > > userspace actions. It was found to be necessary to add the subject
> > > > > > credentials to cover this case to reveal the source of these
> > > > > > actions. A sample record:
> > > > > > type=NETFILTER_CFG msg=audit(2020-03-11 21:25:21.491:269) :
> > > > > > table=nat family=bridge entries=0 op=unregister pid=153 uid=root
> > > > > > auid=unset tty=(none) ses=unset
> > > > > > subj=system_u:system_r:kernel_t:s0 comm=kworker/u4:2 exe=(null)
>
> If this is the kernel, why is pid not 0? And if pid is 0, then isn't
> exe=/boot/vmlinuz-X.Y.Z-blah?

It isn't PID 0 because it is a kernel thread.

> > > > > Given the precedent set by bpf unload, I'd really rather drop this
> > > > > patch that adds subject credentials.
>
> <snip>
>
> > I'm in the middle of building patches 1/3 and 2/3, assuming all goes
> > well I'll merge them into audit/next (expect mail soon), however I'm
> > going back and forth on this patch. Like you I kinda don't like it,
> > and with both of us not in love with this patch I have to ask if there
> > is certification requirement for this?
>
> Yes, any change to information flow must be auditable.
>
> > I know about the generic
> > subj/obj requirements, but in the case where there is no associated
> > task/syscall/etc. information it isn't like the extra fields supplied
> > in this patch are going to have much information in that regard; it's
> > really the *absence* of that information which is telling.
>
> Exactly. But if someone does a search based on the fields, they need to be
> able to find this record. For example, suppose I want to know what actions
> have been performed by kernel_t, I can run a search and find this event.
>
> > Which brings me to wonder if simply the lack of any associated records in
> > this event is enough? Before when we weren't associating records into
> > a single event it would have been a problem, but the way things
> > currently are, if there are no other records (and you have configured
> > that) then I think you have everything you need to know.
> >
> > Thoughts?
>
> You can't search on the absense of information. There are some fields that
> have meaning. It's OK if they are unset. It happens for daemons, too. But we
> don't remove the fields because of it. It tells part of the story.
>
> -Steve
>
>
> --
> Linux-audit mailing list
> Linux-audit@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/linux-audit

- RGB

--
Richard Guy Briggs <rgb@xxxxxxxxxx>
Sr. S/W Engineer, Kernel Security, Base Operating Systems
Remote, Ottawa, Red Hat Canada
IRC: rgb, SunRaycer
Voice: +1.647.777.2635, Internal: (81) 32635