Re: [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support
From: Paul Moore
Date: Tue Apr 11 2023 - 19:08:21 EST
On Thu, Mar 16, 2023 at 6:53 PM Fan Wu <wufan@xxxxxxxxxxxxxxxxxxx> wrote:
> On Thu, Mar 02, 2023 at 02:05:33PM -0500, Paul Moore wrote:
> > On Tue, Jan 31, 2023 at 12:11???PM Steve Grubb <sgrubb@xxxxxxxxxx> wrote:
> > >
> > > Hello,
> > >
> > > On Monday, January 30, 2023 5:57:22 PM EST Fan Wu wrote:
> > > > From: Deven Bowers <deven.desai@xxxxxxxxxxxxxxxxxxx>
> > > >
> > > > Users of IPE require a way to identify when and why an operation fails,
> > > > allowing them to both respond to violations of policy and be notified
> > > > of potentially malicious actions on their systens with respect to IPE
> > > > itself.
> > > >
> > > > The new 1420 audit, AUDIT_IPE_ACCESS indicates the result of a policy
> > > > evaulation of a resource. The other two events, AUDIT_MAC_POLICY_LOAD,
> > > > and AUDIT_MAC_CONFIG_CHANGE represent a new policy was loaded into the
> > > > kernel and the currently active policy changed, respectively.
> > >
> > > Typically when you reuse an existing record type, it is expected to maintain
> > > the same fields in the same order. Also, it is expect that fields that are
> > > common across diferent records have the same meaning. To aid in this, we have
> > > a field dictionary here:
> > >
> > > https://github.com/linux-audit/audit-documentation/blob/main/specs/fields/
> > > field-dictionary.csv
> > >
> > > For example, dev is expected to be 2 hex numbers separated by a colon which
> > > are the device major and minor numbers. But down a couple lines from here, we
> > > find dev="tmpfs". But isn't that a filesystem type?
> >
> > What Steve said.
> >
> > I'll also add an administrative note, we just moved upstream Linux
> > audit development to a new mailing list, audit@xxxxxxxxxxxxxxx, please
> > use that in future patch submissions. As a positive, it's a fully
> > open list so you won't run into moderation delays/notifications/etc.
> >
> Thanks for the info, I will update the address.
>
> > > > This patch also adds support for success auditing, allowing users to
> > > > identify how a resource passed policy. It is recommended to use this
> > > > option with caution, as it is quite noisy.
> > > >
> > > > This patch adds the following audit records:
> > > >
> > > > audit: AUDIT1420 path="/tmp/tmpwxmam366/deny/bin/hello" dev="tmpfs"
> > > > ino=72 rule="DEFAULT op=EXECUTE action=DENY"
> > >
> > > Do we really need to log the whole rule?
> >
> > Fan, would it be reasonable to list the properties which caused the
> > access denial? That seems like it might be more helpful than the
> > specific rule, or am I missing something?
>
> Audit the whole rule can let the user find the reason of a policy decision.
> We need the whole rule because an allow/block is not caused by a specific
> property, but the combination of all property conditions in a rule.
Okay, that's a reasonable argument for logging the rule along with the
decision. I think it helps that the IPE policy rules are not
particularly long.
> We could also add a verbose switch such that we only audit
> the whole rule when a user turned the verbose switch on.
I'm not sure that's necessary, and honestly it might be annoying as we
would still need to output a 'rule="?"' field in the audit record as
it is considered good practice to not have fields magically appear and
disappear from the record format. However, if there are concerns
about record sizes, that could be a potential mitigation.
--
paul-moore.com