Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAHC9VhR-3CkARf7mVOCW1vLDgygjspcw_JEcteBBrdpxpdBY7g@mail.gmail.com>
Date: Tue, 1 Oct 2019 01:31:19 -0400
From: Paul Moore <paul@...l-moore.com>
To: Kees Cook <keescook@...omium.org>
Cc: Steve Grubb <sgrubb@...hat.com>, linux-kernel@...r.kernel.org, 
	Jérémie Galarneau <jeremie.galarneau@...icios.com>, 
	s.mesoraca16@...il.com, viro@...iv.linux.org.uk, dan.carpenter@...cle.com, 
	akpm@...ux-foundation.org, Mathieu Desnoyers <mathieu.desnoyers@...icios.com>, 
	kernel-hardening@...ts.openwall.com, linux-audit@...hat.com, 
	Linus Torvalds <torvalds@...ux-foundation.org>
Subject: Re: [PATCH] audit: Report suspicious O_CREAT usage

On Mon, Sep 30, 2019 at 2:29 PM Kees Cook <keescook@...omium.org> wrote:
> On Mon, Sep 30, 2019 at 09:50:00AM -0400, Steve Grubb wrote:
> > On Thursday, September 26, 2019 11:31:32 AM EDT Paul Moore wrote:
> > > On Wed, Sep 25, 2019 at 5:02 PM Kees Cook <keescook@...omium.org> wrote:
> > > > This renames the very specific audit_log_link_denied() to
> > > > audit_log_path_denied() and adds the AUDIT_* type as an argument. This
> > > > allows for the creation of the new AUDIT_ANOM_CREAT that can be used to
> > > > report the fifo/regular file creation restrictions that were introduced
> > > > in commit 30aba6656f61 ("namei: allow restricted O_CREAT of FIFOs and
> > > > regular files"). Without this change, discovering that the restriction
> > > > is enabled can be very challenging:
> > > > https://lore.kernel.org/lkml/CA+jJMxvkqjXHy3DnV5MVhFTL2RUhg0WQ-XVFW3ngDQO
> > > > dkFq0PA@...l.gmail.com
> > > >
> > > > Reported-by: Jérémie Galarneau <jeremie.galarneau@...icios.com>
> > > > Signed-off-by: Kees Cook <keescook@...omium.org>
> > > > ---
> > > > This is not a complete fix because reporting was broken in commit
> > > > 15564ff0a16e ("audit: make ANOM_LINK obey audit_enabled and
> > > > audit_dummy_context")
> > > > which specifically goes against the intention of these records: they
> > > > should _always_ be reported. If auditing isn't enabled, they should be
> > > > ratelimited.
> > > >
> > > > Instead of using audit, should this just go back to using
> > > > pr_ratelimited()?
> > >
> > > I'm going to ignore the rename and other aspects of this patch for the
> > > moment so we can focus on the topic of if/when/how these records
> > > should be emitted by the kernel.
> > >
> > > Unfortunately, people tend to get very upset if audit emits *any*
> > > records when they haven't explicitly enabled audit, the significance
> > > of the record doesn't seem to matter, which is why you see patches
> > > like 15564ff0a16e ("audit: make ANOM_LINK obey audit_enabled and
> > > audit_dummy_context").  We could consider converting some records to
> > > printk()s, rate-limited or not, but we need to balance this with the
> > > various security certifications which audit was created to satisfy.
> > > In some cases a printk() isn't sufficient.
> > >
> > > Steve is probably the only one who really keeps track of the various
> > > auditing requirements of the different security certifications; what
> > > say you Steve on this issue with ANOM_CREAT records?
> >
> > Common Criteria and other security standards I track do not call out for
> > anomoly detection. So, there are no requirements on this. That said, we do
> > have other anomaly detections because they give early warning that something
> > strange is happening. I think adding this event is a nice improvement as long
> > as it obeys audit_enabled before emitting an event - for example, look at the
> > AUDIT_ANOM_ABEND event.
>
> Okay, so the patch is good as-is? (The "report things always" issue I
> will deal with separately. For now I'd just like to gain this anomaly
> detection corner case...)
>
> Paul, what do you see as next steps here?

I'll reply back on the original post so I can more easily comment on
the details of patch.

-- 
paul moore
www.paul-moore.com

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.