Re: Clarification Around File System Auditing

2023-03-17 Thread Amjad Gabbar
Also, we would need to have a separate rule for open and openat family with
something like

-S open,openat -F dir=/etc -F perm=wa -k ETC_WATCH.

So 2 syscall rules instead of 1 watch rule but we replace -S all with
specific syscalls.

Or we could combine all these open,openat,write family syscalls into a
single syscall rule but with the permissions flag.

On Wed, Mar 15, 2023 at 3:29 PM Amjad Gabbar 
wrote:

> YupI was able to find the dummy check you are referring to and the
> audit_reset_context() that is called next(which immediately exits in case
> of dummy).
> Thanks for the help folkshave a much better understanding of how the
> audit context is allocated on enabling syscall auditing and the whole flow
> post that.
>
> Had just 1 question wrt watches. IIUC, for watch rules we evaluate all
> syscalls (Snippet from audit-userspace:
> https://github.com/linux-audit/audit-userspace/blob/1482cec74f2d9472f81dd4f0533484bd0c26decd/lib/libaudit.c#L805
> ).
> But based on the permissions in the rule, we evaluate if the syscall
> belongs to a specific Audit Class using audit_match_class() and only log if
> the syscalls match/ are part of the class. This also explains why I see
> audit_filter_rules() called for watches even if the syscall being performed
> is not at all related to file system auditing.
>
>
>1. I was wondering why do we not automatically identify if the syscall
>is of interest or not in audit_in_mask() itself based on the rule
>permissions of the watch? In this way we would avoid the additional
>overhead of each syscall going into audit_filter_rules() and then
>evaluating on the AUDIT_PERM case as well.
>
>
> Currently a watch rule for "wa" permissions for /etc is similar to :
> -a always,exit -F arch=b64 -S all -F dir=/etc -F perm=wa -k ETC_WATCH
>
> We only log if the syscall is part of the WRITE and ATTR permissions set.
> Instead what I was suggesting was something like this:
>
> -a always,exit -F arch=b64 -S  classes> -F dir=/etc  -k ETC_WATCH
>
> Please correct me if my understanding in any of the above is incorrect.
>
> On Fri, Mar 10, 2023 at 3:54 PM Richard Guy Briggs  wrote:
>
>> On 2023-02-17 16:50, Steve Grubb wrote:
>> > Hello,
>> >
>> > On Tuesday, February 14, 2023 3:55:58 PM EST Amjad Gabbar wrote:
>> > > Thanks for the reply.
>> > > I was trying to evaluate the same via Flamegraphs and what I noticed
>> was
>> > > that :
>> > >
>> > > 1. Despite deleting all rules (auditctl -D), there were still calls to
>> > > audit_filter_syscall() on each syscall. I assume this is because
>> syscall
>> > > auditing is enabled and despite no rules, there still will be some
>> > > performance impact and calls to syscall filtering functions on each
>> > > syscall.
>> >
>> > Yes.
>> >
>> > > 2. For a single watch rule as well without any syscall rules, I could
>> see
>> > > calls to audit_filter_syscall() followed by audit_filter_rules() for
>> > > unrelated syscalls such as futex() and recvmsg() - not present in
>> > > include/asm-generic/audit_*.h
>> > > Why would these functions be called for a single watch rule for
>> syscalls
>> > > unrelated to the permissions?
>> >
>> > If auditing is enabled, it will go into the syscall filter for *any*
>> syscall.
>> > It will go into __audit_syscall_exit for every syscall. If there is an
>> audit
>> > context, it will go into audit_filter_syscall. The documentation in the
>> > comments above these functions is informative.
>> >
>> > My guess is that this code path might benefit from adding a list_empty
>> check.
>> > A long time ago, I think we kept a variable that denoted if there were
>> any
>> > rules and short-circuited if none.
>>
>> There is essentially an empty list check in __audit_syscall_exit() with
>> the dummy check, based on the number of syscall (or io_uring) rules in
>> place tracked in audit_n_rules.  Unfortunately, we can't bail from
>> __audit_syscall_entry() right after setting dummy because other
>> hardwired records can cancel the dummy flag.
>>
>> > -Steve
>> >
>> > > On Tue, Feb 14, 2023 at 8:29 AM Steve Grubb 
>> wrote:
>> > > > Hello,
>> > > >
>> > > > On Monday, February 13, 2023 4:24:02 PM EST Amjad Gabbar wrote:
>> > > > > I wanted some help in better understanding the workflow of file
>> system
>> > > > > auditing(watch rules) vs Syscall Auditing(syscall rules). I know
>> in
>> > > >
>> > > > general
>> > > >
>> > > > > file system auditing does not have the same performance impact as
>> > > > > syscall
>> > > > > auditing, even though both make use of syscall exits for their
>> > > >
>> > > > evaluation.
>> > > >
>> > > > > From the manpage - "Unlike most syscall auditing rules, watches
>> do not
>> > > > > impact performance based on the number of rules sent to the
>> kernel."
>> > > > >
>> > > > > From a previous thread, I found this excerpt regarding file watch
>> rules
>> > > >
>> > > > vs
>> > > >
>> > > > > sycall rules -
>> > > > >
>> > > > > "The reason it doesn't have performance impact l

Re: [RFC PATCH v9 11/16] ipe: add support for dm-verity as a trust provider

2023-03-17 Thread Fan Wu
On Thu, Mar 02, 2023 at 02:08:04PM -0500, Paul Moore wrote:
> 
> If you had both IPE and dm-verity enabled in your kernel build, is
> there ever a case where you wouldn't want IPE_PROP_DM_VERITY?  I
> suspect you can just have IPE and dm-verity select IPE_PROP_DM_VERITY
> and not bother the user/admin with the additional Kconfig knob.
> 
Sorry for the late reply, I was relocating to a new country and it
took me some time to settle down.

I have read your comments and I will try to answer some questions
that I can answer right now. For the remaining questions, I need more
time to get more context and information. I will get back to you
as soon as possible.

For this one I agree just have IPE and dm-verity select IPE_PROP_DM_VERITY
is better, I will update this in the next version.

> 
> --
> paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit



Re: [RFC PATCH v9 07/16] uapi|audit|ipe: add ipe auditing support

2023-03-17 Thread Fan Wu
On Thu, Mar 02, 2023 at 02:05:33PM -0500, Paul Moore wrote:
> On Tue, Jan 31, 2023 at 12:11???PM Steve Grubb  wrote:
> >
> > Hello,
> >
> > On Monday, January 30, 2023 5:57:22 PM EST Fan Wu wrote:
> > > From: Deven Bowers 
> > >
> > > Users of IPE require a way to identify when and why an operation fails,
> > > allowing them to both respond to violations of policy and be notified
> > > of potentially malicious actions on their systens with respect to IPE
> > > itself.
> > >
> > > The new 1420 audit, AUDIT_IPE_ACCESS indicates the result of a policy
> > > evaulation of a resource. The other two events, AUDIT_MAC_POLICY_LOAD,
> > > and AUDIT_MAC_CONFIG_CHANGE represent a new policy was loaded into the
> > > kernel and the currently active policy changed, respectively.
> >
> > Typically when you reuse an existing record type, it is expected to maintain
> > the same fields in the same order. Also, it is expect that fields that are
> > common across diferent records have the same meaning. To aid in this, we 
> > have
> > a field dictionary here:
> >
> > https://github.com/linux-audit/audit-documentation/blob/main/specs/fields/
> > field-dictionary.csv
> >
> > For example, dev is expected to be 2 hex numbers separated by a colon which
> > are the device major and minor numbers. But down a couple lines from here, 
> > we
> > find dev="tmpfs". But isn't that a filesystem type?
> 
> What Steve said.
> 
> I'll also add an administrative note, we just moved upstream Linux
> audit development to a new mailing list, au...@vger.kernel.org, please
> use that in future patch submissions.  As a positive, it's a fully
> open list so you won't run into moderation delays/notifications/etc.
> 
Thanks for the info, I will update the address.

> > > This patch also adds support for success auditing, allowing users to
> > > identify how a resource passed policy. It is recommended to use this
> > > option with caution, as it is quite noisy.
> > >
> > > This patch adds the following audit records:
> > >
> > >   audit: AUDIT1420 path="/tmp/tmpwxmam366/deny/bin/hello" dev="tmpfs"
> > > ino=72 rule="DEFAULT op=EXECUTE action=DENY"
> >
> > Do we really need to log the whole rule?
> 
> Fan, would it be reasonable to list the properties which caused the
> access denial?  That seems like it might be more helpful than the
> specific rule, or am I missing something?
> 
Audit the whole rule can let the user find the reason of a policy decision.
We need the whole rule because an allow/block is not caused by a specific
property, but the combination of all property conditions in a rule.

We could also add a verbose switch such that we only audit
the whole rule when a user turned the verbose switch on. 

-Fan

> paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit



Re: audit userspace problems with io_uring async ops

2023-03-17 Thread Paul Moore
On Tue, Mar 7, 2023 at 4:17 PM Steve Grubb  wrote:
>
> Hello Paul,
>
> On Tuesday, February 28, 2023 5:04:04 PM EST Paul Moore wrote:
> > ... if you look closely you'll notice that the #289 event (the async
> > URINGOP) is missing from the ausearch output.
>
> Thanks for the bug report. Let me know if you see anything else.
>
> Upstream commit 7d35e14 should fix parsing URINGOP and DM_CTRL records.

Finally got a chance to try the fix, and it looks like it solves the
problem for me.  Thanks.

In case anyone wants a hacky patched source RPM, I put the copy I'm
using at the link below:

* https://drop.paul-moore.com/120.OH1C/audit-3.1-2.1.secnext.fc39.src.rpm

[The link above should work for the next 120 days]

-- 
paul-moore.com

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit