From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
Date: Tue, 02 Aug 2016 09:25:44 -0400
Message-ID: <1631071.bJV1sPFgiU@x2>
In-Reply-To: <20160802125635.GX10734@madcap2.tricolour.ca>

On Tuesday, August 2, 2016 8:56:35 AM EDT Richard Guy Briggs wrote:
> On 2016-08-02 08:16, Steve Grubb wrote:
> > On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > > Add support for sessionid, sessionid_set (first two patches) and
> > > loginuid_set (and auid_set) (third patch) in user filters.  The first
> > > two are directly related to issue "ghak4":
> > >         https://github.com/linux-audit/audit-kernel/issues/4
> > >         https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > > 
> > > The third is to support a kernel change from 3.10 and 3.19 to avoid
> > > using in-band values to indicate the loginuid is unset.
> > 
> > Have the above three patches been tested on old kernels?
> 
> Not yet.  How do you usually add new features to userspace to guard
> against missing features from old kernels?  Time to add a bit to the
> kernel audit status feature field?

Yes. Otherwise you get EINVAL which doesn't let you explain what exactly is 
wrong with the rule.

Thanks,
-Steve

> > > The last two patches are to add unset flags to sessionid and loginuid
> > > for ausearch and aureport.  These two patches are extras and not
> > > required for basic support.
> > 
> > I don't understand what the point of these last two items is. If the
> > session is not set, we have ses=4294967295 in the audit trail. That can
> > already be specified in ausearch as --session -1. I also am not sure that
> > session information makes any sense for aureport because we have aulast
> > which reports on session activity for users.
> 
> I was starting to doubt the utility of these last two patches which is
> why I tagged them optional.  Please use any bits or ideas that might be
> useful, otherwise drop them.
> 
> > -Steve
> 
> - RGB
> 
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
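
The point in the thread that an unset session shows up as ses=4294967295 and can be queried as -1, as an added example that is not code from the audit userspace project or from either poster: both spellings are the same 32-bit value, and the field has to be matched as a whole token so that "old-ses" in a LOGIN record is not mistaken for "ses". The function names and the two sample records are constructed for this illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample records (not taken from a real log). */
const char DAEMON_REC[] = "type=SYSCALL msg=audit(1470144350.001:43): "
    "syscall=2 pid=600 auid=4294967295 uid=0 ses=4294967295 comm=\"crond\"";
const char LOGIN_REC[] = "type=LOGIN msg=audit(1470144344.123:42): "
    "pid=1234 uid=0 old-auid=4294967295 auid=1000 old-ses=4294967295 ses=3 res=1";

/* Accept "-1" or "4294967295" for unset; -1 wraps to UINT32_MAX. */
int parse_id(const char *s, uint32_t *out)
{
    char *end;
    errno = 0;
    long long v = strtoll(s, &end, 10);
    if (errno || end == s || *end != '\0' || v < -1 || v > (long long)UINT32_MAX)
        return -1;
    *out = (uint32_t)v;
    return 0;
}

/* Read field `key` as a whole space-delimited token, so "ses" never
 * matches "old-ses". Returns 0 on success, -1 if absent or malformed. */
int record_field(const char *rec, const char *key, uint32_t *out)
{
    size_t klen = strlen(key);
    for (const char *p = rec; *p; p += strcspn(p, " ")) {
        while (*p == ' ')
            p++;
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            char buf[16];
            size_t n = strcspn(p + klen + 1, " ");
            if (n == 0 || n >= sizeof(buf))
                return -1;
            memcpy(buf, p + klen + 1, n);
            buf[n] = '\0';
            return parse_id(buf, out);
        }
    }
    return -1;
}

/* 1 if the record's ses equals the query, 0 if not, -1 on bad input. */
int session_matches(const char *rec, const char *query)
{
    uint32_t want, got;
    if (parse_id(query, &want) || record_field(rec, "ses", &got))
        return -1;
    return want == got;
}
```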

Thread overview: 11+ messages
2016-08-02  9:38 [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set Richard Guy Briggs
2016-08-02  9:38 ` [PATCH 1/5] Add userspace support for session ID user filter Richard Guy Briggs
2016-08-02  9:38 ` [PATCH 2/5] Add sessionid_set option from kernel uapi macro AUDIT_SESSIONID_SET Richard Guy Briggs
2016-08-02  9:38 ` [PATCH 3/5] Add user filter option loginuid_set from uapi macro AUDIT_LOGINUID_SET Richard Guy Briggs
2016-08-02  9:39 ` [PATCH 4/5] Add sessionid_set option to ausearch and aureport Richard Guy Briggs
2016-08-02  9:39 ` [PATCH 5/5] Add support for loginuid_set option for event filtering and searches Richard Guy Briggs
2016-08-02 12:16 ` [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set Steve Grubb
2016-08-02 12:56   ` Richard Guy Briggs
2016-08-02 13:25     ` Steve Grubb [this message]
2016-08-02 13:58       ` Steve Grubb
2016-08-02 16:30         ` Richard Guy Briggs
