[PATCH] field-dictionary.csv: Add errno to audit message field dictionary

2020-08-09 Thread Lakshmi Ramasubramanian
6.303048] audit: type=1804 audit(1592506281.627:2): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=measuring_key cause=ENOMEM comm="swapper/0" name=".builtin_trusted_keys" res=0 errno=-12 Signed-off-by: Lakshmi Ramasubramanian --- specs/fields/field-dictiona

Re: [PATCH v3 2/2] IMA: Add audit log for failure conditions

2020-06-24 Thread Lakshmi Ramasubramanian
On 6/23/20 12:58 PM, Mimi Zohar wrote: Hi Steve\Paul, Sample audit messages: [6.303048] audit: type=1804 audit(1592506281.627:2): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=measuring_key cause=ENOMEM comm="swapper/0" name=".builtin_trusted_keys" res=0 errno=-12 My only

[PATCH v3 2/2] IMA: Add audit log for failure conditions

2020-06-22 Thread Lakshmi Ramasubramanian
4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=measuring_kexec_cmdline cause=hashing_error comm="systemd" name="kexec-cmdline" res=0 errno=-22 Signed-off-by: Lakshmi Ramasubramanian Suggested-by: Mimi Zohar --- security/integrity/ima/ima.h| 48 ++

[PATCH v3 1/2] integrity: Add errno field in audit message

2020-06-22 Thread Lakshmi Ramasubramanian
_r:init_t:s0 op=measuring_kexec_cmdline cause=hashing_error comm="systemd" name="kexec-cmdline" res=0 errno=-22 Signed-off-by: Lakshmi Ramasubramanian Suggested-by: Steve Grubb Suggested-by: Mimi Zohar --- security/integrity/integrity.h | 13 + security/in

Re: [PATCH 2/2] integrity: Add errno field in audit message

2020-06-18 Thread Lakshmi Ramasubramanian
On 6/18/20 10:41 AM, Mimi Zohar wrote: For the reasons that I mentioned previously, unless others are willing to add their Reviewed-by tag not for the audit aspect in particular, but IMA itself, I'm not comfortable making this change all at once. Previously I suggested making the existing

[PATCH 1/2] IMA: pass error code in result parameter to integrity_audit_msg()

2020-06-17 Thread Lakshmi Ramasubramanian
The value passed in "result" parameter to integrity_audit_msg() is not an error code in some instances. Update these instances so that "result" parameter always contains an error code. Signed-off-by: Lakshmi Ramasubramanian --- security/integrity/ima

[PATCH 2/2] integrity: Add errno field in audit message

2020-06-17 Thread Lakshmi Ramasubramanian
d=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=policy_update cause=completed comm="systemd" res=1 errno=0 Signed-off-by: Lakshmi Ramasubramanian Suggested-by: Steve Grubb --- security/integrity/integrity_audit.c | 2 +- 1 file changed, 1 insertion(

[PATCH] IMA: Add audit log for failure conditions

2020-06-17 Thread Lakshmi Ramasubramanian
4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=measuring_key cause=hashing_error comm="systemd" name=".builtin_trusted_keys" res=0 Signed-off-by: Lakshmi Ramasubramanian Suggested-by: Mimi Zohar --- security/integrity/ima/ima.h| 48 -

Re: [PATCH 1/2] integrity: Add errno field in audit message

2020-06-16 Thread Lakshmi Ramasubramanian
On 6/16/20 8:29 AM, Steve Grubb wrote: The idea is a good idea, but you're assuming that "result" is always errno. That was probably true originally, but isn't now. For example, ima_appraise_measurement() calls xattr_verify(), which compares the security.ima hash with the calculated file

[PATCH v2 2/2] IMA: Add audit log for failure conditions

2020-06-15 Thread Lakshmi Ramasubramanian
cause=hashing_error comm="systemd" name=".builtin_trusted_keys" res=0 result=-22 Signed-off-by: Lakshmi Ramasubramanian Suggested-by: Mimi Zohar --- security/integrity/ima/ima.h| 48 - security/integrity/ima/ima_main.c | 18 +++--- security/in

Re: [PATCH 1/2] integrity: Add errno field in audit message

2020-06-15 Thread Lakshmi Ramasubramanian
On 6/12/20 12:25 PM, Mimi Zohar wrote: The idea is a good idea, but you're assuming that "result" is always errno. That was probably true originally, but isn't now. For example, ima_appraise_measurement() calls xattr_verify(), which compares the security.ima hash with the calculated file

[PATCH v2 1/2] integrity: Add result field in audit message

2020-06-15 Thread Lakshmi Ramasubramanian
d=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 op=policy_update cause=completed comm="systemd" res=1 result=0 Signed-off-by: Lakshmi Ramasubramanian Suggested-by: Steve Grubb --- security/integrity/integrity_audit.c | 2 +- 1 file changed, 1 insertion(

Re: [PATCH 1/2] integrity: Add errno field in audit message

2020-06-11 Thread Lakshmi Ramasubramanian
On 6/10/20 6:45 PM, Paul Moore wrote: Hi Paul, I'm sorry I didn't get a chance to mention this before you posted this patch, but for the past several years we have been sticking with a policy of only adding new fields to the end of existing records; please adjust this patch accordingly.

[PATCH 1/2] integrity: Add errno field in audit message

2020-06-11 Thread Lakshmi Ramasubramanian
dit: type=1804 audit(1591756723.627:2): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=kernel op=add_boot_aggregate cause=alloc_entry errno=-12 comm="swapper/0" name="boot_aggregate" res=0 Signed-off-by: Lakshmi Ramasubramanian Suggested-by: Steve Grubb --- security/integrity/i

[PATCH 2/2] IMA: Add audit log for failure conditions

2020-06-11 Thread Lakshmi Ramasubramanian
errno=-22 comm="systemd" name=".builtin_trusted_keys" res=0 Signed-off-by: Lakshmi Ramasubramanian Suggested-by: Mimi Zohar --- security/integrity/ima/ima.h| 48 - security/integrity/ima/ima_main.c | 18 +++--- security/integrit

Re: [PATCH v3] IMA: Add audit log for failure conditions

2020-06-09 Thread Lakshmi Ramasubramanian
On 6/9/20 10:35 AM, Steve Grubb wrote: If it is added, it should be appended to the end of the record since it is an existing record format, then in the case of res=1, errno= should still be present (not swing in and out) and just contain zero. (Or another value if there is a non-fatal

Re: [PATCH v3] IMA: Add audit log for failure conditions

2020-06-09 Thread Lakshmi Ramasubramanian
On 6/9/20 9:43 AM, Steve Grubb wrote: The number in parenthesis is the error code (such as ENOMEM, EINVAL, etc.) IMA uses this format for reporting TPM errors in one of the audit messages (In ima_add_template_entry()). I followed the same pattern. Would it be better if the value for "cause" is

Re: [PATCH v3] IMA: Add audit log for failure conditions

2020-06-09 Thread Lakshmi Ramasubramanian
On 6/9/20 8:40 AM, Steve Grubb wrote: On Monday, June 8, 2020 5:53:43 PM EDT Lakshmi Ramasubramanian wrote: The final log statement in process_buffer_measurement() for failure condition is at debug level. This does not log the message unless the system log level is raised which would

[PATCH v3] IMA: Add audit log for failure conditions

2020-06-08 Thread Lakshmi Ramasubramanian
lloc_entry(-12) comm="systemd" name="kexec-cmdline" res=0 Signed-off-by: Lakshmi Ramasubramanian --- security/integrity/ima/ima.h| 2 ++ security/integrity/ima/ima_main.c | 37 + security/integrity/ima/ima_queue.c | 2 -- secu

Re: result logged in integrity audit message

2020-06-08 Thread Lakshmi Ramasubramanian
On 6/6/20 6:51 PM, Mimi Zohar wrote: Hi Lakshmi, The commit message provides an explanation. Look at b0d5de4d5880 ("IMA: fix audit res field to indicate 1 for success and 0 for failure"). Thanks for the info Mimi. If this function logs the "result" parameter as passed by the caller, the

[PATCH v2] IMA: Add audit log for failure conditions

2020-06-08 Thread Lakshmi Ramasubramanian
failures in the function. ima_alloc_key_entry() does not log a message for failure condition. Add an audit message for failure condition in this function. Signed-off-by: Lakshmi Ramasubramanian --- security/integrity/ima/ima_main.c | 17 - security/integrity/ima

result logged in integrity audit message

2020-06-06 Thread Lakshmi Ramasubramanian
Hi Mimi, In integrity audit message function the inverse of "result" is being logged for "res=". Please see below. Is this intentional? void integrity_audit_msg(int audit_msgno, struct inode *inode, const unsigned char *fname, const char *op,

Re: [PATCH] IMA: Add log statements for failure conditions

2020-06-05 Thread Lakshmi Ramasubramanian
On 6/5/20 1:49 PM, Paul Moore wrote: Since a pr_xyz() call was already present, I just wanted to change the log level to keep the code change to the minimum. But if audit log is the right approach for this case, I'll update. Generally we reserve audit for things that are required for

Re: [PATCH] IMA: Add log statements for failure conditions

2020-06-05 Thread Lakshmi Ramasubramanian
On 6/5/20 2:34 PM, Mimi Zohar wrote: Maybe I can use the audit_msgno "AUDIT_INTEGRITY_PCR" with appropriate strings for "op" and "cause". Mimi - please let me know if you think this audit_msgno would be ok to use. I see this code used, for instance, for boot aggregate measurement.

Re: [PATCH] IMA: Add log statements for failure conditions

2020-06-05 Thread Lakshmi Ramasubramanian
On 6/5/20 12:37 PM, Paul Moore wrote: If it's audit related, it's generally best to CC the linux-audit list, not just me (fixed). It's not clear to me what this pr_err() is trying to indicate other than *something* failed. Can someone provide some more background on this message?