| Message ID | 20210812145748.4460-1-michael.weiss@aisec.fraunhofer.de (mailing list archive) |
|---|---|
| Headers | show
Return-Path: <SRS0=J1Yh=NE=redhat.com=dm-devel-bounces@kernel.org> X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6320EC4338F for <dm-devel@archiver.kernel.org>; Fri, 13 Aug 2021 06:41:02 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 8FF12610CD for <dm-devel@archiver.kernel.org>; Fri, 13 Aug 2021 06:41:01 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 8FF12610CD Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=aisec.fraunhofer.de Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-447-LlrkPLA0PN2Z5UvAIx_JxQ-1; Fri, 13 Aug 2021 02:40:58 -0400 X-MC-Unique: LlrkPLA0PN2Z5UvAIx_JxQ-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 4F77A80124F; Fri, 13 Aug 2021 06:40:52 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 97EC9908E; Fri, 13 Aug 2021 06:40:51 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 00AB24BB7C; Fri, 13 Aug 2021 06:40:47 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 17CF3YS4011452 for <dm-devel@listman.util.phx.redhat.com>; Thu, 12 Aug 2021 11:03:34 -0400 Received: by smtp.corp.redhat.com (Postfix) id AAF88200B68B; Thu, 12 Aug 2021 15:03:35 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast05.extmail.prod.ext.rdu2.redhat.com [10.11.55.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id A5FA1209A50B for <dm-devel@redhat.com>; Thu, 12 Aug 2021 15:03:33 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-2.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 1024F8D1382 for <dm-devel@redhat.com>; Thu, 12 Aug 2021 15:03:33 +0000 (UTC) Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.134]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-70-XVJaCniQNIK71OoIKp9i8Q-1; Thu, 12 Aug 2021 11:03:27 -0400 X-MC-Unique: XVJaCniQNIK71OoIKp9i8Q-1 Received: from weisslap.aisec.fraunhofer.de ([178.27.102.95]) by mrelayeu.kundenserver.de (mreue009 [212.227.15.167]) with ESMTPSA (Nemesis) id 1MQMm9-1mRAbi44UT-00MJ0W; Thu, 12 Aug 2021 16:58:12 +0200 From: =?utf-8?q?Michael_Wei=C3=9F?= <michael.weiss@aisec.fraunhofer.de> To: michael.weiss@aisec.fraunhofer.de Date: Thu, 12 Aug 2021 16:57:41 +0200 Message-Id: <20210812145748.4460-1-michael.weiss@aisec.fraunhofer.de> MIME-Version: 1.0 X-Provags-ID: V03:K1:E1yluKd3qSTn/LHmKKMFbuZnMtW/v47VwlVPW92Z/ltMRz2knBo LUQyCYEC2nBrlG4SmrbzjHjDS+Fd9D8OehmDmOZsqJTjivtsonN6npkNg2hb0DLCrbWKdMe vP+JeClAaWg4eL3AUzJ82BiSyzvh/upNN3Nu1JcQuCiX16YxsbS3NKsO4T3mVfUaolBaR93 bRYbvp64iIhA48Q+iXc/g== X-UI-Out-Filterresults: notjunk:1;V03:K0:wtYB+dUr/+0=:9cDTj2TGS4hk9WjFWhojsY t4FCMsouLLdkjYe/GQ/Vsi50oiDOeBYX5JxaFn62Lj+2TYhlYDQKpx+YOxRJp7UWBIivEC+tm 6zJb3oiDgjiUczlualrmYoswchlyD5O87ST7tw3qC4SthjDgP+9GW6QvyQ4C93YozxkbsN/lI kJ/Dcm3bZO6aPoG+LAX86pe+UbsgKuTpMmh/En3JdPvGOp/Ue8phxIV9IKsIS1h3tz4aF5/YT UUA2aUTCcW3kHDz3MEUcjaeuk2j951PAKYGAAAVK+leK/au5GKtK03Yhztml6ErpD6IkvkscM URTFjGdBybMA0hQEQVyy8sL5YD4jKs9LToiaZVCGR+JI1NZOxsNARSUbfQfW7tRa9sR6+1KmX vFscIuiWBRIpwih8SEMfI4Ebjwj38vZ7cHnuqbtzACsBw6/6uHRL7N+Oc+8qy7nFwiS23gAI9 7v8Y8eqxhk5e0qZZ40nZkF3RenHhRdSmMYveZi0sU8fLid6RInoIz7uX/nokCz8mmB6Gb/W/X VGbu6g8YsqmdruuxRXfJ6v5RTOgQ/qZDbhyoCpBCfG9Z9cnpO7xO2NRFFKcZ2p/oi5FIpbntm B2/9oIGcQwPwhymNwyLwWPHQAp42U7oBAhjHQZzzWxWhsrO1PbsAq8cfaavEwXIWdZWFMjZX+ mSdkW2sdvBDzZ0lzAbOLUZ6vedMomqoUnI0fiyS7WN9b4ntcr+e0vMr0w49I2q9D3J2nOUQfN nyl//g5zZaZXR4wSdaDVkbKOtQIltbh0ogScsBgngVl4vd3XpBQIpMH4BVRn3IaM9XbaplUkO 3QwwyhOeuiiHoBc2xlo6VKFxDmyTZOPM6C5PnX+ykUSbXkXBuJBydNsvxgsrGzpoXie5rFsuJ uMMybh23vFCU/t3ce3XA== X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-loop: dm-devel@redhat.com X-Mailman-Approved-At: Fri, 13 Aug 2021 02:36:56 -0400 Cc: Paul Moore <paul@paul-moore.com>, Mike Snitzer <snitzer@redhat.com>, linux-kernel@vger.kernel.org, Eric Paris <eparis@redhat.com>, linux-raid@vger.kernel.org, Song Liu <song@kernel.org>, dm-devel@redhat.com, linux-audit@redhat.com, Alasdair Kergon <agk@redhat.com> Subject: [dm-devel] [PATCH 0/3] dm: audit event logging X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: device-mapper development <dm-devel.redhat.com> List-Unsubscribe: <https://listman.redhat.com/mailman/options/dm-devel>, <mailto:dm-devel-request@redhat.com?subject=unsubscribe> List-Archive: <https://listman.redhat.com/archives/dm-devel> List-Post: <mailto:dm-devel@redhat.com> List-Help: <mailto:dm-devel-request@redhat.com?subject=help> List-Subscribe: <https://listman.redhat.com/mailman/listinfo/dm-devel>, <mailto:dm-devel-request@redhat.com?subject=subscribe> Sender: dm-devel-bounces@redhat.com Errors-To: dm-devel-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=dm-devel-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: base64 |
| Series | dm: audit event logging | expand |
dm integrity and also stacked dm crypt devices track integrity violations internally. Thus, integrity violations could be polled from user space, e.g., by 'integritysetup status'. >From an auditing perspective, we only could see that there were a number of integrity violations, but not when and where the violation exactly was taking place. The current error log to the kernel ring buffer, contains those information, time stamp and sector on device. However, for auditing the audit subsystem provides a separate logging mechanism which meets certain criteria for secure audit logging. With this small series we make use of the kernel audit framework and extend the dm driver to log audit events in case of such integrity violations. Further, we also log construction and destruction of the device mappings. We focus on dm-integrity and stacked dm-crypt devices for now. However, the helper functions to log audit messages should be applicable to dm verity too. The first patch introduce generic audit wrapper functions. The second patch makes use of the audit wrapper functions in the dm-integrity.c. The third patch uses the wrapper functions in dm-crypt.c. The audit logs look like this if executing the following simple test: # dd if=/dev/zero of=test.img bs=1M count=1024 # losetup -f test.img # integritysetup -vD format --integrity sha256 -t 32 /dev/loop0 # integritysetup open -D /dev/loop0 --integrity sha256 integritytest # integritysetup status integritytest # integritysetup close integritytest # integritysetup open -D /dev/loop0 --integrity sha256 integritytest # integritysetup status integritytest # dd if=/dev/urandom of=/dev/loop0 bs=512 count=1 seek=100000 # dd if=/dev/mapper/integritytest of=/dev/null ------------------------- audit.log from auditd type=UNKNOWN[1336] msg=audit(1628692862.187:409): module=integrity dev=254:3 op=ctr res=1 type=UNKNOWN[1336] msg=audit(1628692862.443:410): module=integrity dev=254:3 op=dtr res=1 type=UNKNOWN[1336] msg=audit(1628692862.543:411): module=integrity dev=254:3 op=ctr res=1 type=UNKNOWN[1336] msg=audit(1628692877.943:412): module=integrity dev=254:3 op=dtr res=1 type=UNKNOWN[1336] msg=audit(1628692887.287:413): module=integrity dev=254:3 op=ctr res=1 type=UNKNOWN[1336] msg=audit(1628692925.156:417): module=integrity dev=254:3 op=dtr res=1 type=UNKNOWN[1336] msg=audit(1628692930.720:418): module=integrity dev=254:3 op=ctr res=1 type=UNKNOWN[1336] msg=audit(1628692989.344:419): module=integrity dev=254:3 op=integrity-checksum sector=77480 res=0 type=UNKNOWN[1336] msg=audit(1628692989.348:420): module=integrity dev=254:3 op=integrity-checksum sector=77480 res=0 type=UNKNOWN[1336] msg=audit(1628692989.348:421): module=integrity dev=254:3 op=integrity-checksum sector=77480 res=0 type=UNKNOWN[1336] msg=audit(1628692989.348:422): module=integrity dev=254:3 op=integrity-checksum sector=77480 res=0 type=UNKNOWN[1336] msg=audit(1628692989.348:423): module=integrity dev=254:3 op=integrity-checksum sector=77480 res=0 type=UNKNOWN[1336] msg=audit(1628692989.348:424): module=integrity dev=254:3 op=integrity-checksum sector=77480 res=0 type=UNKNOWN[1336] msg=audit(1628692989.348:425): module=integrity dev=254:3 op=integrity-checksum sector=77480 res=0 type=UNKNOWN[1336] msg=audit(1628692989.348:426): module=integrity dev=254:3 op=integrity-checksum sector=77480 res=0 type=UNKNOWN[1336] msg=audit(1628692989.348:427): module=integrity dev=254:3 op=integrity-checksum sector=77480 res=0 type=UNKNOWN[1336] msg=audit(1628692989.348:428): module=integrity dev=254:3 op=integrity-checksum sector=77480 res=0 Michael Weiß (3): dm: introduce audit event module for device mapper dm integrity: log audit events for dm-integrity target dm crypt: log aead integrity violations to audit subsystem drivers/md/Kconfig | 10 +++++++ drivers/md/Makefile | 4 +++ drivers/md/dm-audit.c | 59 ++++++++++++++++++++++++++++++++++++++ drivers/md/dm-audit.h | 33 +++++++++++++++++++++ drivers/md/dm-crypt.c | 23 ++++++++++++--- drivers/md/dm-integrity.c | 25 +++++++++++++--- include/uapi/linux/audit.h | 2 ++ 7 files changed, 148 insertions(+), 8 deletions(-) create mode 100644 drivers/md/dm-audit.c create mode 100644 drivers/md/dm-audit.h