[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RFC: AF_ALG auditing



Hello,
attached is an user-space patch that adds support for auditing uses of the AF_ALG protocol family developed by Herbert Xu to provide user-space access to kernel crypto accelerators.  Kernel patches will follow.

One new record is defined: AUDIT_CRYPTO_USERSPACE_OP.  An audited event is always caused by a syscall, and all other syscall-related data (process identity, syscall result) is audited in the usual records.

To disable auditing crypto by default and to allow the users to selectively enable them using filters, a new filter field AUDIT_CRYPTO_OP is defined; auditing of all crypto operations can thus be enabled using (auditctl -a exit,always -F crypto_op!=0).

In addition to the user-space patch, attached are also a few example audit entries.
    Mirek
diff -urN audit/lib/crypto_ops_table.h audit-2.0.5/lib/crypto_ops_table.h
--- audit/lib/crypto_ops_table.h	1970-01-01 01:00:00.000000000 +0100
+++ audit-2.0.5/lib/crypto_ops_table.h	2010-11-23 12:46:30.228156952 +0100
@@ -0,0 +1,28 @@
+/* crypto_ops_table.h --
+ * Copyright 2010 Red Hat Inc., Durham, North Carolina.
+ * All Rights Reserved.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+ *
+ * Authors:
+ *      Miloslav Trmač <mitr redhat com>
+ */
+
+_S(AUDIT_CRYPTO_OP_TFM_NEW,        "tfm_new")
+_S(AUDIT_CRYPTO_OP_TFM_KEY_IMPORT, "tfm_key_import")
+_S(AUDIT_CRYPTO_OP_TFM_DEL,        "tfm_del")
+_S(AUDIT_CRYPTO_OP_CTX_NEW,        "ctx_new")
+_S(AUDIT_CRYPTO_OP_CTX_OP,         "ctx_op")
+_S(AUDIT_CRYPTO_OP_CTX_DEL,        "ctx_del")
diff -urN audit/lib/errormsg.h audit-2.0.5/lib/errormsg.h
--- audit/lib/errormsg.h	2010-09-22 17:02:27.000000000 +0200
+++ audit-2.0.5/lib/errormsg.h	2010-11-23 12:42:32.914851919 +0100
@@ -54,5 +54,6 @@
     { -19,    0,    "Key field needs a watch or syscall given prior to it" },
     { -20,    2,    "-F missing value after operation for" },
     { -21,    2,    "-F value should be number for" },
-    { -22,    2,    "-F missing field name before operator for" }
+    { -22,    2,    "-F missing field name before operator for" },
+    { -23,    2,    "-F unknown crypto_op - " }
 };
diff -urN audit/lib/fieldtab.h audit-2.0.5/lib/fieldtab.h
--- audit/lib/fieldtab.h	2010-09-22 17:02:27.000000000 +0200
+++ audit-2.0.5/lib/fieldtab.h	2010-11-23 12:49:30.583184463 +0100
@@ -55,6 +55,7 @@
 _S(AUDIT_PERM,         "perm"         )
 _S(AUDIT_DIR,          "dir"          )
 _S(AUDIT_FILETYPE,     "filetype"     )
+_S(AUDIT_CRYPTO_OP,    "crypto_op"    )
 
 _S(AUDIT_ARG0,         "a0"           )
 _S(AUDIT_ARG1,         "a1"           )
diff -urN audit/lib/libaudit.c audit-2.0.5/lib/libaudit.c
--- audit/lib/libaudit.c	2010-09-22 17:02:27.000000000 +0200
+++ audit-2.0.5/lib/libaudit.c	2010-11-23 12:42:32.917851911 +0100
@@ -38,6 +38,8 @@
 #include <fcntl.h>	/* O_NOFOLLOW needs gnu defined */
 #include <limits.h>	/* for PATH_MAX */
 
+#include "gen_tables.h"
+#include "crypto_ops.h"
 #include "libaudit.h"
 #include "private.h"
 #include "errormsg.h"
@@ -1109,6 +1111,21 @@
 			else 
 				return -21;
 			break;
+		case AUDIT_CRYPTO_OP:
+			if (flags != AUDIT_FILTER_EXIT)
+				return -7;
+			if (isdigit((unsigned char)*v))
+				rule->values[rule->field_count] =
+					strtoul(v, NULL, 0);
+			else {
+				int op;
+
+				if (crypto_op_s2i(v, &op) != 0)
+					rule->values[rule->field_count] = op;
+				else
+					return -23;
+			}
+			break;
 		case AUDIT_DEVMAJOR...AUDIT_INODE:
 		case AUDIT_SUCCESS:
 			if (flags != AUDIT_FILTER_EXIT)
diff -urN audit/lib/libaudit.h audit-2.0.5/lib/libaudit.h
--- audit/lib/libaudit.h	2010-09-22 17:02:27.000000000 +0200
+++ audit-2.0.5/lib/libaudit.h	2010-11-23 12:45:29.291347010 +0100
@@ -119,6 +119,7 @@
 #endif
 
 #define AUDIT_FIRST_KERN_CRYPTO_MSG	1600
+#define AUDIT_CRYPTO_USERSPACE_OP	1600 /* User-space crypto operation */
 #define AUDIT_LAST_KERN_CRYPTO_MSG	1699
 
 #define AUDIT_FIRST_KERN_ANOM_MSG	1700
@@ -211,6 +212,14 @@
 #define AUDIT_LAST_USER_MSG2   2999
 #endif
 
+#define AUDIT_CRYPTO_OP	109
+
+#define AUDIT_CRYPTO_OP_TFM_NEW		1
+#define AUDIT_CRYPTO_OP_TFM_KEY_IMPORT	2
+#define AUDIT_CRYPTO_OP_TFM_DEL		3
+#define AUDIT_CRYPTO_OP_CTX_NEW		4
+#define AUDIT_CRYPTO_OP_CTX_OP		5
+#define AUDIT_CRYPTO_OP_CTX_DEL		6
 
 /* This is related to the filterkey patch */
 #define AUDIT_KEY_SEPARATOR 0x01
diff -urN audit/lib/Makefile.am audit-2.0.5/lib/Makefile.am
--- audit/lib/Makefile.am	2010-09-22 17:02:27.000000000 +0200
+++ audit-2.0.5/lib/Makefile.am	2010-11-23 12:42:32.921851901 +0100
@@ -37,7 +37,7 @@
 libaudit_la_LDFLAGS = -Wl,-z,relro -version-info $(VERSION_INFO)
 nodist_libaudit_la_SOURCES = $(BUILT_SOURCES)
 
-BUILT_SOURCES = actiontabs.h errtabs.h fieldtabs.h flagtabs.h \
+BUILT_SOURCES = actiontabs.h crypto_ops.h errtabs.h fieldtabs.h flagtabs.h \
 	ftypetabs.h i386_tables.h ia64_tables.h machinetabs.h \
 	msg_typetabs.h optabs.h ppc_tables.h s390_tables.h \
 	s390x_tables.h x86_64_tables.h
@@ -47,8 +47,8 @@
 if USE_ARMEB
 BUILT_SOURCES += armeb_tables.h
 endif
-noinst_PROGRAMS = gen_actiontabs_h gen_errtabs_h gen_fieldtabs_h \
-	gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
+noinst_PROGRAMS = gen_actiontabs_h gen_crypto_ops_h gen_errtabs_h \
+	gen_fieldtabs_h gen_flagtabs_h gen_ftypetabs_h gen_i386_tables_h \
 	gen_ia64_tables_h gen_machinetabs_h gen_msg_typetabs_h \
 	gen_optabs_h gen_ppc_tables_h gen_s390_tables_h \
 	gen_s390x_tables_h gen_x86_64_tables_h
@@ -77,6 +77,11 @@
 	./gen_armeb_tables_h --lowercase --i2s --s2i armeb_syscall > $@
 endif
 
+gen_crypto_ops_h_SOURCES = gen_tables.c gen_tables.h crypto_ops_table.h
+gen_crypto_ops_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="crypto_ops_table.h"'
+crypto_ops.h: gen_crypto_ops_h Makefile
+	./gen_crypto_ops_h --lowercase --s2i crypto_op > $@
+
 gen_errtabs_h_SOURCES = gen_tables.c gen_tables.h errtab.h
 gen_errtabs_h_CFLAGS = $(AM_CFLAGS) '-DTABLE_H="errtab.h"'
 errtabs.h: gen_errtabs_h Makefile
diff -urN audit/lib/msg_typetab.h audit-2.0.5/lib/msg_typetab.h
--- audit/lib/msg_typetab.h	2010-09-22 17:02:27.000000000 +0200
+++ audit-2.0.5/lib/msg_typetab.h	2010-11-23 12:44:00.963608651 +0100
@@ -122,6 +122,7 @@
 _S(AUDIT_MAC_IPSEC_EVENT,            "MAC_IPSEC_EVENT"               )
 _S(AUDIT_MAC_UNLBL_STCADD,           "MAC_UNLBL_STCADD"              )
 _S(AUDIT_MAC_UNLBL_STCDEL,           "MAC_UNLBL_STCDEL"              )
+_S(AUDIT_CRYPTO_USERSPACE_OP,        "CRYPTO_USERSPACE_OP"           )
 _S(AUDIT_ANOM_PROMISCUOUS,           "ANOM_PROMISCUOUS"              )
 _S(AUDIT_ANOM_ABEND,                 "ANOM_ABEND"                    )
 _S(AUDIT_INTEGRITY_DATA,             "INTEGRITY_DATA"                )
diff -urN audit/src/aureport-output.c audit-2.0.5/src/aureport-output.c
--- audit/src/aureport-output.c	2010-09-22 17:02:21.000000000 +0200
+++ audit-2.0.5/src/aureport-output.c	2010-11-23 12:42:32.910851932 +0100
@@ -600,7 +600,7 @@
 			// auid type success event
 			printf("%s %s %s %lu\n",
 				aulookup_uid(l->s.loginuid, name, sizeof(name)),
-				audit_msg_type_to_name(l->head->type),
+				audit_msg_type_to_name(l->cur->type),
 				aulookup_success(l->s.success),
 				l->e.serial);
 			break;
diff -urN audit/src/aureport-scan.c audit-2.0.5/src/aureport-scan.c
--- audit/src/aureport-scan.c	2010-09-22 17:02:21.000000000 +0200
+++ audit-2.0.5/src/aureport-scan.c	2010-11-23 12:42:32.912851925 +0100
@@ -420,8 +420,12 @@
 		case RPT_CRYPTO:
 			if (list_find_msg_range(l, AUDIT_FIRST_KERN_CRYPTO_MSG,
 						AUDIT_LAST_KERN_CRYPTO_MSG)) {
-				ilist_add_if_uniq(&sd.crypto_list, 
-							l->head->type, 0);
+				do
+					ilist_add_if_uniq(&sd.crypto_list,
+							  l->cur->type, 0);
+				while (list_find_next_msg_range(l,
+						AUDIT_FIRST_KERN_CRYPTO_MSG,
+						AUDIT_LAST_KERN_CRYPTO_MSG));
 			} else {
 				if (list_find_msg_range(l, 
 					AUDIT_FIRST_CRYPTO_MSG,
@@ -663,7 +667,11 @@
 				if (list_find_msg_range(l, 
 						AUDIT_FIRST_KERN_CRYPTO_MSG,
 						AUDIT_LAST_KERN_CRYPTO_MSG)) {
-					print_per_event_item(l);
+					do
+						print_per_event_item(l);
+					while (list_find_next_msg_range(l,
+						AUDIT_FIRST_KERN_CRYPTO_MSG,
+						AUDIT_LAST_KERN_CRYPTO_MSG));
 					rc = 1;
 				} else {
 					if (list_find_msg_range(l, 
diff -urN audit/src/ausearch-llist.c audit-2.0.5/src/ausearch-llist.c
--- audit/src/ausearch-llist.c	2010-09-22 17:02:21.000000000 +0200
+++ audit-2.0.5/src/ausearch-llist.c	2010-11-23 12:42:32.911851928 +0100
@@ -245,3 +245,22 @@
 	return NULL;
 }
 
+
+lnode *list_find_next_msg_range(llist *l, int low, int high)
+{
+        register lnode *window;
+
+	if (high <= low)
+		return NULL;
+
+       	window = l->cur->next;
+	while (window) {
+		if (window->type >= low && window->type <= high) {
+			l->cur = window;
+			return window;
+		} else
+			window = window->next;
+	}
+	return NULL;
+}
+
diff -urN audit/src/ausearch-llist.h audit-2.0.5/src/ausearch-llist.h
--- audit/src/ausearch-llist.h	2010-09-22 17:02:21.000000000 +0200
+++ audit-2.0.5/src/ausearch-llist.h	2010-11-23 12:42:32.913851922 +0100
@@ -107,5 +107,8 @@
 /* Given two message types, find the first matching node */
 lnode *list_find_msg_range(llist *l, int low, int high);
 
+/* Given two message types, find the next matching node */
+lnode *list_find_next_msg_range(llist *l, int low, int high);
+
 #endif
 

Attachment: audit-examples
Description: Binary data


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]