-
Notifications
You must be signed in to change notification settings - Fork 21
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revocation severity levels and context #48
Labels
Comments
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Aug 2, 2021
Currently Keylime operates in a binary state when it comes failures that cause revocations and does not collect information where and why that revocation happened. This commit introduces the tagging and collection infrastructure and configuration for revocation events and adding context to them. SeverityLabel Has a name that can be set in the keylime.conf and a severity that is dynamically calculated based on the order in the configuration. Components Is a enumeration that contains the main components of Keylime that can cause events. Must be specified when creating a Failure object. Event Holds a revocation event. An event can be identified by their event_id which has the format: "component.[sub_component].event" The severity is automatically assigned based on the event_id. The event contains a context which is string encoded JSON object. An event must be marked irrecoverable if other validation steps are skipped by early returning. Failure Holds a collection of events and provides add_event(...) for adding new events to it and merge(...) to merge it with another Failure object. Is False if no events are currently in the Failure object and is otherwise True. Future changes that cause a revocation must extend and return a Failure object instead of returning a boolean value. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Aug 2, 2021
Currently Keylime operates in a binary state when it comes failures that cause revocations and does not collect information where and why that revocation happened. This commit introduces the tagging and collection infrastructure and configuration for revocation events and adding context to them. SeverityLabel Has a name that can be set in the keylime.conf and a severity that is dynamically calculated based on the order in the configuration. Components Is a enumeration that contains the main components of Keylime that can cause events. Must be specified when creating a Failure object. Event Holds a revocation event. An event can be identified by their event_id which has the format: "component.[sub_component].event" The severity is automatically assigned based on the event_id. The event contains a context which is string encoded JSON object. An event must be marked irrecoverable if other validation steps are skipped by early returning. Failure Holds a collection of events and provides add_event(...) for adding new events to it and merge(...) to merge it with another Failure object. Is False if no events are currently in the Failure object and is otherwise True. Future changes that cause a revocation must extend and return a Failure object instead of returning a boolean value. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Aug 10, 2021
Currently Keylime operates in a binary state when it comes failures that cause revocations and does not collect information where and why that revocation happened. This commit introduces the tagging and collection infrastructure and configuration for revocation events and adding context to them. SeverityLabel Has a name that can be set in the keylime.conf and a severity that is dynamically calculated based on the order in the configuration. Components Is a enumeration that contains the main components of Keylime that can cause events. Must be specified when creating a Failure object. Event Holds a revocation event. An event can be identified by their event_id which has the format: "component.[sub_component].event" The severity is automatically assigned based on the event_id. The event contains a context which is string encoded JSON object. An event must be marked irrecoverable if other validation steps are skipped by early returning. Failure Holds a collection of events and provides add_event(...) for adding new events to it and merge(...) to merge it with another Failure object. Is False if no events are currently in the Failure object and is otherwise True. Future changes that cause a revocation must extend and return a Failure object instead of returning a boolean value. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Aug 30, 2021
…eylime Currently Keylime operates in a binary state when it comes failures that cause revocations and does not collect information where and why that revocation happened. This commit introduces the tagging and collection infrastructure and configuration for revocation events and adding context to them. SeverityLabel Has a name that can be set in the keylime.conf and a severity that is dynamically calculated based on the order in the configuration. Components Is a enumeration that contains the main components of Keylime that can cause events. Must be specified when creating a Failure object. Event Holds a revocation event. An event can be identified by their event_id which has the format: "component.[sub_component].event" The severity is automatically assigned based on the event_id. The event contains a context which is string encoded JSON object. An event must be marked irrecoverable if other validation steps are skipped by early returning. Failure Holds a collection of events and provides add_event(...) for adding new events to it and merge(...) to merge it with another Failure object. Is False if no events are currently in the Failure object and is otherwise True. Future changes that cause a revocation must extend and return a Failure object instead of returning a boolean value. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Aug 30, 2021
Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Aug 30, 2021
Currently only has one event id. If necessary can be extended such that policies can generate their own event ids. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Aug 30, 2021
Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Aug 30, 2021
We only send notifications if a event with a higher severity level was generated and save the severity level (as integer) and the first event id that generated the failure with that level in the database. The current design assumes that when a device is added no failures should occur on the first validation to mark the device as in use to recive revocation notifcations. If a failure is generated that is irrecoverable we stop polling the agent. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Aug 30, 2021
…eylime Currently Keylime operates in a binary state when it comes failures that cause revocations and does not collect information where and why that revocation happened. This commit introduces the tagging and collection infrastructure and configuration for revocation events and adding context to them. SeverityLabel Has a name that can be set in the keylime.conf and a severity that is dynamically calculated based on the order in the configuration. Components Is a enumeration that contains the main components of Keylime that can cause events. Must be specified when creating a Failure object. Event Holds a revocation event. An event can be identified by their event_id which has the format: "component.[sub_component].event" The severity is automatically assigned based on the event_id. The event contains a context which is string encoded JSON object. An event must be marked irrecoverable if other validation steps are skipped by early returning. Failure Holds a collection of events and provides add_event(...) for adding new events to it and merge(...) to merge it with another Failure object. Is False if no events are currently in the Failure object and is otherwise True. Future changes that cause a revocation must extend and return a Failure object instead of returning a boolean value. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Aug 30, 2021
Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Aug 30, 2021
Currently only has one event id. If necessary can be extended such that policies can generate their own event ids. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Aug 30, 2021
Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Aug 30, 2021
We only send notifications if a event with a higher severity level was generated and save the severity level (as integer) and the first event id that generated the failure with that level in the database. The current design assumes that when a device is added no failures should occur on the first validation to mark the device as in use to recive revocation notifcations. If a failure is generated that is irrecoverable we stop polling the agent. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 8, 2021
…eylime Currently Keylime operates in a binary state when it comes failures that cause revocations and does not collect information where and why that revocation happened. This commit introduces the tagging and collection infrastructure and configuration for revocation events and adding context to them. SeverityLabel Has a name that can be set in the keylime.conf and a severity that is dynamically calculated based on the order in the configuration. Components Is a enumeration that contains the main components of Keylime that can cause events. Must be specified when creating a Failure object. Event Holds a revocation event. An event can be identified by their event_id which has the format: "component.[sub_component].event" The severity is automatically assigned based on the event_id. The event contains a context which is string encoded JSON object. An event must be marked irrecoverable if other validation steps are skipped by early returning. Failure Holds a collection of events and provides add_event(...) for adding new events to it and merge(...) to merge it with another Failure object. Is False if no events are currently in the Failure object and is otherwise True. Future changes that cause a revocation must extend and return a Failure object instead of returning a boolean value. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 8, 2021
Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 8, 2021
Currently only has one event id. If necessary can be extended such that policies can generate their own event ids. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 8, 2021
Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 8, 2021
We only send notifications if a event with a higher severity level was generated and save the severity level (as integer) and the first event id that generated the failure with that level in the database. The current design assumes that when a device is added no failures should occur on the first validation to mark the device as in use to recive revocation notifcations. If a failure is generated that is irrecoverable we stop polling the agent. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 8, 2021
…eylime Currently Keylime operates in a binary state when it comes failures that cause revocations and does not collect information where and why that revocation happened. This commit introduces the tagging and collection infrastructure and configuration for revocation events and adding context to them. SeverityLabel Has a name that can be set in the keylime.conf and a severity that is dynamically calculated based on the order in the configuration. Components Is a enumeration that contains the main components of Keylime that can cause events. Must be specified when creating a Failure object. Event Holds a revocation event. An event can be identified by their event_id which has the format: "component.[sub_component].event" The severity is automatically assigned based on the event_id. The event contains a context which is string encoded JSON object. An event must be marked irrecoverable if other validation steps are skipped by early returning. Failure Holds a collection of events and provides add_event(...) for adding new events to it and merge(...) to merge it with another Failure object. Is False if no events are currently in the Failure object and is otherwise True. Future changes that cause a revocation must extend and return a Failure object instead of returning a boolean value. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 8, 2021
Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 8, 2021
Currently only has one event id. If necessary can be extended such that policies can generate their own event ids. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 8, 2021
Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 8, 2021
We only send notifications if a event with a higher severity level was generated and save the severity level (as integer) and the first event id that generated the failure with that level in the database. The current design assumes that when a device is added no failures should occur on the first validation to mark the device as in use to recive revocation notifcations. If a failure is generated that is irrecoverable we stop polling the agent. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 13, 2021
…eylime Currently Keylime operates in a binary state when it comes failures that cause revocations and does not collect information where and why that revocation happened. This commit introduces the tagging and collection infrastructure and configuration for revocation events and adding context to them. SeverityLabel Has a name that can be set in the keylime.conf and a severity that is dynamically calculated based on the order in the configuration. Components Is a enumeration that contains the main components of Keylime that can cause events. Must be specified when creating a Failure object. Event Holds a revocation event. An event can be identified by their event_id which has the format: "component.[sub_component].event" The severity is automatically assigned based on the event_id. The event contains a context which is string encoded JSON object. An event must be marked irrecoverable if other validation steps are skipped by early returning. Failure Holds a collection of events and provides add_event(...) for adding new events to it and merge(...) to merge it with another Failure object. Is False if no events are currently in the Failure object and is otherwise True. Future changes that cause a revocation must extend and return a Failure object instead of returning a boolean value. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 13, 2021
Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 13, 2021
Currently only has one event id. If necessary can be extended such that policies can generate their own event ids. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 13, 2021
Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 13, 2021
We only send notifications if a event with a higher severity level was generated and save the severity level (as integer) and the first event id that generated the failure with that level in the database. The current design assumes that when a device is added no failures should occur on the first validation to mark the device as in use to recive revocation notifcations. If a failure is generated that is irrecoverable we stop polling the agent. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 13, 2021
…eylime Currently Keylime operates in a binary state when it comes failures that cause revocations and does not collect information where and why that revocation happened. This commit introduces the tagging and collection infrastructure and configuration for revocation events and adding context to them. SeverityLabel Has a name that can be set in the keylime.conf and a severity that is dynamically calculated based on the order in the configuration. Components Is a enumeration that contains the main components of Keylime that can cause events. Must be specified when creating a Failure object. Event Holds a revocation event. An event can be identified by their event_id which has the format: "component.[sub_component].event" The severity is automatically assigned based on the event_id. The event contains a context which is string encoded JSON object. An event must be marked irrecoverable if other validation steps are skipped by early returning. Failure Holds a collection of events and provides add_event(...) for adding new events to it and merge(...) to merge it with another Failure object. Is False if no events are currently in the Failure object and is otherwise True. Future changes that cause a revocation must extend and return a Failure object instead of returning a boolean value. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 13, 2021
Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 13, 2021
Currently only has one event id. If necessary can be extended such that policies can generate their own event ids. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 13, 2021
Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
THS-on
added a commit
to THS-on/keylime
that referenced
this issue
Sep 13, 2021
We only send notifications if a event with a higher severity level was generated and save the severity level (as integer) and the first event id that generated the failure with that level in the database. The current design assumes that when a device is added no failures should occur on the first validation to mark the device as in use to recive revocation notifcations. If a failure is generated that is irrecoverable we stop polling the agent. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
mpeters
pushed a commit
to keylime/keylime
that referenced
this issue
Sep 13, 2021
…eylime Currently Keylime operates in a binary state when it comes failures that cause revocations and does not collect information where and why that revocation happened. This commit introduces the tagging and collection infrastructure and configuration for revocation events and adding context to them. SeverityLabel Has a name that can be set in the keylime.conf and a severity that is dynamically calculated based on the order in the configuration. Components Is a enumeration that contains the main components of Keylime that can cause events. Must be specified when creating a Failure object. Event Holds a revocation event. An event can be identified by their event_id which has the format: "component.[sub_component].event" The severity is automatically assigned based on the event_id. The event contains a context which is string encoded JSON object. An event must be marked irrecoverable if other validation steps are skipped by early returning. Failure Holds a collection of events and provides add_event(...) for adding new events to it and merge(...) to merge it with another Failure object. Is False if no events are currently in the Failure object and is otherwise True. Future changes that cause a revocation must extend and return a Failure object instead of returning a boolean value. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
mpeters
pushed a commit
to keylime/keylime
that referenced
this issue
Sep 13, 2021
Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
mpeters
pushed a commit
to keylime/keylime
that referenced
this issue
Sep 13, 2021
Currently only has one event id. If necessary can be extended such that policies can generate their own event ids. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
mpeters
pushed a commit
to keylime/keylime
that referenced
this issue
Sep 13, 2021
Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
mpeters
pushed a commit
to keylime/keylime
that referenced
this issue
Sep 13, 2021
We only send notifications if a event with a higher severity level was generated and save the severity level (as integer) and the first event id that generated the failure with that level in the database. The current design assumes that when a device is added no failures should occur on the first validation to mark the device as in use to recive revocation notifcations. If a failure is generated that is irrecoverable we stop polling the agent. Part of enhancement proposal keylime/enhancements#48 Signed-off-by: Thore Sommer <[email protected]>
@THS-on I believe this enhancement issue can be closed, correct? |
I like to keep this open till we tested that feature in more production and added better documentation. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Enhancement Description
Please to keep this description up to date.
The text was updated successfully, but these errors were encountered: