* [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Richard Guy Briggs @ 2016-08-02  9:38 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

Add support for sessionid, sessionid_set (first two patches) and
loginuid_set (and auid_set) (third patch) in user filters.  The first
two are directly related to issue "ghak4":
	https://github.com/linux-audit/audit-kernel/issues/4
	https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter

The third is to support a kernel change from 3.10 and 3.19 to avoid
using in-band values to indicate the loginuid is unset.

The last two patches are to add unset flags to sessionid and loginuid
for ausearch and aureport.  These two patches are extras and not
required for basic support.

Richard Guy Briggs (5):
  Add userspace support for session ID user filter.
  Add sessionid_set option from kernel uapi macro AUDIT_SESSIONID_SET
  Add user filter option loginuid_set from uapi macro AUDIT_LOGINUID_SET
  Add sessionid_set option to ausearch and aureport
  Add support for loginuid_set option for event filtering and searches.

 trunk/lib/fieldtab.h         |    4 ++
 trunk/src/aureport-options.c |    4 +-
 trunk/src/ausearch-common.h  |    1 +
 trunk/src/ausearch-match.c   |    3 +
 trunk/src/ausearch-options.c |   85 +++++++++++++++++++++++++++++++++++++++++-
 trunk/src/ausearch-options.h |    1 +
 trunk/src/ausearch-parse.c   |   30 +++++++-------
 7 files changed, 110 insertions(+), 18 deletions(-)


* [PATCH 1/5] Add userspace support for session ID user filter.
From: Richard Guy Briggs @ 2016-08-02  9:38 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

Add support for the session ID user filter by adding the field name
"sessionid" using the kernel defined macro value AUDIT_SESSIONID.

https://github.com/linux-audit/audit-kernel/issues/4
RFE: add a session ID filter to the kernel's user filter

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/fieldtab.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index bf48c95..88cf8ea 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -31,6 +31,7 @@ _S(AUDIT_SGID,         "sgid"         )
 _S(AUDIT_FSGID,        "fsgid"        )
 _S(AUDIT_LOGINUID,     "auid"         )
 _S(AUDIT_LOGINUID,     "loginuid"     )
+_S(AUDIT_SESSIONID,    "sessionid"    )
 _S(AUDIT_PERS,         "pers"         )
 _S(AUDIT_ARCH,         "arch"         )
 _S(AUDIT_MSGTYPE,      "msgtype"      )
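Review bot: the added `_S(AUDIT_SESSIONID, "sessionid")` row only builds when the uapi audit header in use defines AUDIT_SESSIONID; against an older kernel header the whole table fails to compile, so either add a guarded fallback (`#ifndef AUDIT_SESSIONID` / `#define AUDIT_SESSIONID <value from the kernel uapi header>`) in the library header or state the minimum kernel header in the commit message. Because the row is unconditional, the old-kernel question raised later in the thread applies at build time, not only when the rule is sent.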
-- 
1.7.1


* [PATCH 2/5] Add sessionid_set option from kernel uapi macro AUDIT_SESSIONID_SET
From: Richard Guy Briggs @ 2016-08-02  9:38 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

Add sessionid_set field option from kernel uapi macro SESSIONID_SET to
enable specifying that sessionID is set or not in user filters.

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/fieldtab.h |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index 88cf8ea..b7b9f51 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -32,6 +32,7 @@ _S(AUDIT_FSGID,        "fsgid"        )
 _S(AUDIT_LOGINUID,     "auid"         )
 _S(AUDIT_LOGINUID,     "loginuid"     )
 _S(AUDIT_SESSIONID,    "sessionid"    )
+_S(AUDIT_SESSIONID_SET,"sessionid_set")
 _S(AUDIT_PERS,         "pers"         )
 _S(AUDIT_ARCH,         "arch"         )
 _S(AUDIT_MSGTYPE,      "msgtype"      )
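Review bot: the commit message names the macro `SESSIONID_SET` while the row uses `AUDIT_SESSIONID_SET`; align the message with the code. Style: every other row pads the first column and has a space after the comma, whereas this one is written `_S(AUDIT_SESSIONID_SET,"sessionid_set")`; `_S(AUDIT_SESSIONID_SET, "sessionid_set")` keeps the table aligned and greppable.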
-- 
1.7.1


* [PATCH 3/5] Add user filter option loginuid_set from uapi macro AUDIT_LOGINUID_SET
From: Richard Guy Briggs @ 2016-08-02  9:38 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

See upstream kernel commits:
	780a7654cee8d61819512385e778e4827db4bfbc (3.10.rc1)
		(audit: Make testing for a valid loginuid explicit.)
	041d7b98ffe59c59fdd639931dea7d74f9aa9a59 (3.19.rc2)
		(audit: restore AUDIT_LOGINUID unset ABI)

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/lib/fieldtab.h |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
index b7b9f51..eeb951e 100644
--- a/trunk/lib/fieldtab.h
+++ b/trunk/lib/fieldtab.h
@@ -31,6 +31,8 @@ _S(AUDIT_SGID,         "sgid"         )
 _S(AUDIT_FSGID,        "fsgid"        )
 _S(AUDIT_LOGINUID,     "auid"         )
 _S(AUDIT_LOGINUID,     "loginuid"     )
+_S(AUDIT_LOGINUID_SET, "auid_set"     )
+_S(AUDIT_LOGINUID_SET, "loginuid_set" )
 _S(AUDIT_SESSIONID,    "sessionid"    )
 _S(AUDIT_SESSIONID_SET,"sessionid_set")
 _S(AUDIT_PERS,         "pers"         )
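Review bot: the commit message lists only the two upstream kernel commits and says nothing about what this userspace change does; add a line in the style of patches 1 and 2, for example that `auid_set` and `loginuid_set` are two spellings of the same AUDIT_LOGINUID_SET filter field, mirroring the existing `auid`/`loginuid` pair directly above. The same header-availability caveat as for AUDIT_SESSIONID applies: both rows are unconditional and need AUDIT_LOGINUID_SET in the uapi header the library is built against.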
-- 
1.7.1


* [PATCH 4/5] Add sessionid_set option to ausearch and aureport
From: Richard Guy Briggs @ 2016-08-02  9:39 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/src/aureport-options.c |    3 ++-
 trunk/src/ausearch-match.c   |    3 +++
 trunk/src/ausearch-options.c |   42 +++++++++++++++++++++++++++++++++++++++++-
 trunk/src/ausearch-options.h |    1 +
 trunk/src/ausearch-parse.c   |   14 +++++++-------
 5 files changed, 54 insertions(+), 9 deletions(-)

diff --git a/trunk/src/aureport-options.c b/trunk/src/aureport-options.c
index 9a0fc18..b15cbb5 100644
--- a/trunk/src/aureport-options.c
+++ b/trunk/src/aureport-options.c
@@ -59,7 +59,7 @@ const char *event_uuid = NULL;
 const char *event_vmname = NULL;
 long long event_exit = 0;
 int event_exit_is_set = 0;
-int event_ppid = -1, event_session_id = -2;
+int event_ppid = -1, event_session_id = -2, event_session_id_set = -1;
 int event_debug = 0, event_machine = -1;
 
 /* These are used by aureport */
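Review bot: `event_session_id_set` is defined as `int` here but as `uint32_t` in trunk/src/ausearch-options.c and declared `extern uint32_t` in trunk/src/ausearch-options.h later in this patch; the shared parser and matcher compare it with -1, so the two definitions should use one type, and `int` is the better choice because a -1 "not requested" sentinel does not belong in an unsigned variable. The existing `event_session_id` already carries this int/uint32_t split, so this is a chance not to extend it.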
@@ -565,6 +565,7 @@ int check_params(int count, char *vars[])
 			else {
 				set_detail(D_DETAILED);
 				event_session_id = 1;
+				event_session_id_set = 1;
 				event_loginuid = 1;
 				event_tauid = dummy;
 				event_terminal = dummy;
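Review bot: the new `event_session_id_set = 1;` looks redundant: `event_session_id = 1;` on the line above already makes the parser's `event_session_id != -2 || event_session_id_set != -1` condition true, so session extraction is forced either way, and if any aureport matching path honours the flag it would silently drop records whose session is unset. If the intent is only to force extraction, drop the line; if it is to filter, say so in the commit message, which is currently empty.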
diff --git a/trunk/src/ausearch-match.c b/trunk/src/ausearch-match.c
index ec8a582..bff7e24 100644
--- a/trunk/src/ausearch-match.c
+++ b/trunk/src/ausearch-match.c
@@ -112,6 +112,9 @@ int match(llist *l)
 				if ((event_session_id != -2) &&
 					(event_session_id != l->s.session_id))
 					return 0;
+				if ((event_session_id_set != -1) &&
+					(event_session_id_set != (l->s.session_id != -1)))
+					return 0;
 				if (event_exit_is_set) {
 					if (l->s.exit_is_set == 0)
 						return 0;
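Review bot: `(event_session_id_set != (l->s.session_id != -1))` is correct but dense; a named local such as `int session_is_set = (l->s.session_id != -1);` before the two checks would make the intent obvious. The `-1` also relies on the parser having stored the kernel's unset value (ses=4294967295, as Steve notes later in the thread) so that it compares equal to -1 in whatever type `s.session_id` has; a short comment naming that sentinel would help the next reader.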
diff --git a/trunk/src/ausearch-options.c b/trunk/src/ausearch-options.c
index 521748d..f970c76 100644
--- a/trunk/src/ausearch-options.c
+++ b/trunk/src/ausearch-options.c
@@ -54,6 +54,7 @@ int event_syscall = -1, event_machine = -1;
 int event_ua = 0, event_ga = 0, event_se = 0;
 int just_one = 0;
 uint32_t event_session_id = -2;
+uint32_t event_session_id_set = -1;
 long long event_exit = 0;
 int event_exit_is_set = 0;
 int line_buffered = 0;
@@ -85,7 +86,7 @@ enum { S_EVENT, S_COMM, S_FILENAME, S_ALL_GID, S_EFF_GID, S_GID, S_HELP,
 S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL, S_OSUCCESS,
 S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
 S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
-S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_EXIT,
+S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_SESSIONID_SET, S_EXIT,
 S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH };
 
 static struct nv_pair optiontab[] = {
@@ -137,6 +138,7 @@ static struct nv_pair optiontab[] = {
 	{ S_CONTEXT, "-se" },
 	{ S_CONTEXT, "--context" },
 	{ S_SESSION, "--session" },
+	{ S_SESSIONID_SET, "--sessionid_set" },
 	{ S_SUBJECT, "-su" },
 	{ S_SUBJECT, "--subject" },
 	{ S_OSUCCESS, "-sv" },
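Review bot: the new long option is spelled `--sessionid_set` with an underscore (and patch 5 adds `--loginuid_set` the same way), whereas the existing long options use hyphens (`--uid-effective` in the usage text). Underscores are forced on the fieldtab names because they mirror kernel macros, but not on the CLI; consider `--sessionid-set`/`--loginuid-set`, or accept both spellings in optiontab.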
@@ -209,6 +211,7 @@ static void usage(void)
 	"\t-sc,--syscall <SysCall name>\tsearch based on syscall name or number\n"
 	"\t-se,--context <SE Linux context> search based on either subject or\n\t\t\t\t\t object\n"
 	"\t--session <login session id>\tsearch based on login session id\n"
+	"\t--sessionid_set <0/1>\tsearch based on login session id set or unset\n"
 	"\t-su,--subject <SE Linux context> search based on context of the Subject\n"
 	"\t-sv,--success <Success Value>\tsearch based on syscall or event\n\t\t\t\t\tsuccess value\n"
 	"\t-te,--end [end date] [end time]\tending date & time for search\n"
@@ -767,6 +770,43 @@ int check_params(int count, char *vars[])
 			}
 			}
 			break;
+		case S_SESSIONID_SET:
+			if (!optarg) {
+				if ((c+1 < count) && vars[c+1])
+					optarg = vars[c+1];
+				else {
+					fprintf(stderr,
+						"Argument is required for %s\n",
+						vars[c]);
+					retval = -1;
+					break;
+				}
+			}
+			{ 
+			size_t len = strlen(optarg);
+			if (isdigit(optarg[0])) {
+				errno = 0;
+				event_session_id_set = strtoul(optarg,NULL,10);
+				if (errno) {
+					fprintf(stderr, "Error converting %s\n",
+						optarg);
+					retval = -1;
+				}
+				if (event_session_id_set > 1) {
+					fprintf(stderr, 
+					"Session id set must be a boolean value, was %s\n",
+						optarg);
+					retval = -1;
+				}
+				c++;
+                        } else {
+				fprintf(stderr, 
+				"Session id must be a boolean value, was %s\n",
+					optarg);
+				retval = -1;
+			}
+			}
+			break;
 		case S_EXIT:
 			if (!optarg) {
 				if ((c+1 < count) && vars[c+1])
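Review bot: several problems in the new S_SESSIONID_SET case: `size_t len = strlen(optarg);` is never used and will draw a warning; `strtoul(optarg,NULL,10)` with no end pointer silently accepts `1x` or `0abc`, so pass `&end` and reject `*end != '\0'`; `c++` runs only in the digit branch while the neighbouring cases advance `c` after the block, which is inconsistent; the else-branch message says "Session id must be a boolean value" where it means the `--sessionid_set` argument; and `} else {` is indented with spaces where the file uses tabs.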
diff --git a/trunk/src/ausearch-options.h b/trunk/src/ausearch-options.h
index 1372762..947f5d6 100644
--- a/trunk/src/ausearch-options.h
+++ b/trunk/src/ausearch-options.h
@@ -40,6 +40,7 @@ extern int line_buffered;
 extern int event_debug;
 extern pid_t event_ppid;
 extern uint32_t event_session_id;
+extern uint32_t event_session_id_set;
 extern ilist *event_type;
 
 /* Data type to govern output format */
diff --git a/trunk/src/ausearch-parse.c b/trunk/src/ausearch-parse.c
index 3047925..c45d54e 100644
--- a/trunk/src/ausearch-parse.c
+++ b/trunk/src/ausearch-parse.c
@@ -357,7 +357,7 @@ static int parse_task_info(lnode *n, search_items *s)
 		}
 	}
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
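Review bot: the same three-term condition `event_session_id != -2 || event_session_id_set != -1` is now repeated in seven hunks of this file, and patch 5 repeats `... || event_loginuid_set != -1` in eight more; a one-line static helper (for example `static inline int want_session(void)`) in ausearch-parse.c would keep these from drifting when a third flag is added. Also, `event_session_id_set` is `uint32_t` in ausearch-options.c, so `!= -1` works only through implicit conversion of -1 to 4294967295; declaring it `int` makes the comparison plain.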
@@ -845,7 +845,7 @@ static int parse_user(const lnode *n, search_items *s)
 		s->tauid = lookup_uid("auid", s->loginuid);
 	}
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
@@ -1317,7 +1317,7 @@ static int parse_login(const lnode *n, search_items *s)
 			s->success = S_SUCCESS; 
 	}
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		if (term == NULL)
 			term = n->message;
 		str = strstr(term, "new ses=");
@@ -1631,7 +1631,7 @@ static int parse_integrity(const lnode *n, search_items *s)
 	}
 
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
@@ -1944,7 +1944,7 @@ static int parse_kernel_anom(const lnode *n, search_items *s)
 		}
 	}
 
-	if (event_session_id != -2) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
@@ -2100,7 +2100,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
 	}
 
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
@@ -2277,7 +2277,7 @@ static int parse_tty(const lnode *n, search_items *s)
 	}
 
 	// ses
-	if (event_session_id != -2 ) {
+	if (event_session_id != -2 || event_session_id_set != -1) {
 		str = strstr(term, "ses=");
 		if (str) {
 			ptr = str + 4;
-- 
1.7.1


* [PATCH 5/5] Add support for loginuid_set option for event filtering and searches.
From: Richard Guy Briggs @ 2016-08-02  9:39 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
---
 trunk/src/aureport-options.c |    1 +
 trunk/src/ausearch-common.h  |    1 +
 trunk/src/ausearch-options.c |   43 +++++++++++++++++++++++++++++++++++++++++-
 trunk/src/ausearch-parse.c   |   16 +++++++-------
 4 files changed, 52 insertions(+), 9 deletions(-)

diff --git a/trunk/src/aureport-options.c b/trunk/src/aureport-options.c
index b15cbb5..a0c78ea 100644
--- a/trunk/src/aureport-options.c
+++ b/trunk/src/aureport-options.c
@@ -44,6 +44,7 @@ int no_config = 0;
 /* These are for compatibility with parser */
 unsigned int event_id = -1;
 uid_t event_uid = -1, event_loginuid = -2, event_euid = -1;
+int event_loginuid_set = -1;
 const char *event_tuid = NULL, *event_teuid = NULL, *event_tauid = NULL;
 gid_t event_gid = -1, event_egid = -1;
 slist *event_node_list = NULL;
diff --git a/trunk/src/ausearch-common.h b/trunk/src/ausearch-common.h
index d60ea5f..cdb51e9 100644
--- a/trunk/src/ausearch-common.h
+++ b/trunk/src/ausearch-common.h
@@ -48,6 +48,7 @@ extern gid_t event_gid, event_egid;
 extern pid_t event_pid;
 extern int event_exact_match;
 extern uid_t event_uid, event_euid, event_loginuid;
+extern int event_loginuid_set;
 extern const char *event_tuid, *event_teuid, *event_tauid;
 slist *event_node_list;
 extern const char *event_comm;
diff --git a/trunk/src/ausearch-options.c b/trunk/src/ausearch-options.c
index f970c76..143a26f 100644
--- a/trunk/src/ausearch-options.c
+++ b/trunk/src/ausearch-options.c
@@ -50,6 +50,7 @@ success_t event_success = S_UNSET;
 int event_exact_match = 0;
 uid_t event_uid = -1, event_euid = -1, event_loginuid = -2;
 const char *event_tuid = NULL, *event_teuid = NULL, *event_tauid = NULL;
+int event_loginuid_set = -1;
 int event_syscall = -1, event_machine = -1;
 int event_ua = 0, event_ga = 0, event_se = 0;
 int just_one = 0;
@@ -84,7 +85,7 @@ struct nv_pair {
 
 enum { S_EVENT, S_COMM, S_FILENAME, S_ALL_GID, S_EFF_GID, S_GID, S_HELP,
 S_HOSTNAME, S_INTERP, S_INFILE, S_MESSAGE_TYPE, S_PID, S_SYSCALL, S_OSUCCESS,
-S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID,
+S_TIME_END, S_TIME_START, S_TERMINAL, S_ALL_UID, S_EFF_UID, S_UID, S_LOGINID, S_LOGINUID_SET,
 S_VERSION, S_EXACT_MATCH, S_EXECUTABLE, S_CONTEXT, S_SUBJECT, S_OBJECT,
 S_PPID, S_KEY, S_RAW, S_NODE, S_IN_LOGS, S_JUST_ONE, S_SESSION, S_SESSIONID_SET, S_EXIT,
 S_LINEBUFFERED, S_UUID, S_VMNAME, S_DEBUG, S_CHECKPOINT, S_ARCH };
@@ -159,6 +160,7 @@ static struct nv_pair optiontab[] = {
 	{ S_UUID, "--uuid" },
 	{ S_LOGINID, "-ul" },
 	{ S_LOGINID, "--loginuid" },
+	{ S_LOGINUID_SET, "--loginuid_set" },
 	{ S_VERSION, "-v" },
 	{ S_VERSION, "--version" },
 	{ S_VMNAME, "-vm" },
@@ -221,6 +223,7 @@ static void usage(void)
 	"\t-ue,--uid-effective <effective User id>  search based on Effective\n\t\t\t\t\tuser id\n"
 	"\t-ui,--uid <User Id>\t\tsearch based on user id\n"
 	"\t-ul,--loginuid <login id>\tsearch based on the User's Login id\n"
+	"\t--loginuid_set <0/1>\tsearch based on the User's Login id set or unset\n"
 	"\t-uu,--uuid <guest UUID>\t\tsearch for events related to the virtual\n"
 	"\t\t\t\t\tmachine with the given UUID.\n"
 	"\t-v,--version\t\t\tversion\n"
@@ -1107,6 +1110,44 @@ int check_params(int count, char *vars[])
 			}
 			c++;
 			break;
+		case S_LOGINUID_SET:
+			if (!optarg) {
+				if ((c+1 < count) && vars[c+1])
+					optarg = vars[c+1];
+				else {
+					fprintf(stderr,
+						"Argument is required for %s\n",
+						vars[c]);
+					retval = -1;
+					break;
+				}
+			}
+			{
+			size_t len = strlen(optarg);
+                        if (isdigit(optarg[0])) {
+				errno = 0;
+                        	event_loginuid = strtoul(optarg,NULL,10);
+				if (errno) {
+                        		fprintf(stderr, 
+						"Error (%s) converting %s\n",
+						strerror(errno), optarg);
+                                        retval = -1;
+				}
+				if (event_loginuid_set > 1) {
+					fprintf(stderr, 
+					"Loginuid_set must be a boolean value, was %s\n",
+						optarg);
+					retval = -1;
+				}
+                        } else {
+				fprintf(stderr, 
+				"Loginuid_set must be a boolean value, was %s\n",
+					optarg);
+				retval = -1;
+                        }
+			}
+			c++;
+			break;
 		case S_UUID:
 			if (!optarg) {
 				fprintf(stderr,
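Review bot: logic error in the S_LOGINUID_SET case: `event_loginuid = strtoul(optarg,NULL,10);` stores the parsed 0/1 in `event_loginuid`, so `--loginuid_set 1` turns into a search for auid 1 while `event_loginuid_set` stays -1 and the `event_loginuid_set > 1` range check below can never fire. It should read `event_loginuid_set = strtoul(optarg, NULL, 10);`. As in patch 4, `len` is unused, the conversion has no end-pointer check, and the block mixes spaces and tabs.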
diff --git a/trunk/src/ausearch-parse.c b/trunk/src/ausearch-parse.c
index c45d54e..a489d25 100644
--- a/trunk/src/ausearch-parse.c
+++ b/trunk/src/ausearch-parse.c
@@ -251,7 +251,7 @@ static int parse_task_info(lnode *n, search_items *s)
 		*term = ' ';
 	}
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(term, "auid=");
 		if (str == NULL) {
 			str = strstr(term, "loginuid=");
@@ -823,7 +823,7 @@ static int parse_user(const lnode *n, search_items *s)
 		s->tuid = lookup_uid("uid", s->uid);
 	}
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		*term = ' ';
 		str = strstr(term, "auid=");
 		if (str == NULL) { // Try the older one
@@ -1271,7 +1271,7 @@ static int parse_login(const lnode *n, search_items *s)
 		}
 	}
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(term, "new auid=");
 		if (str == NULL) {
 			// 3.14 kernel changed it to the next line
@@ -1354,7 +1354,7 @@ static int parse_daemon1(const lnode *n, search_items *s)
 	term = mptr;
 
 	// optionally get auid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(mptr, "auid=");
 		if (str == NULL)
 			return 1;
@@ -1613,7 +1613,7 @@ static int parse_integrity(const lnode *n, search_items *s)
 	}
 
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(n->message, "auid=");
 		if (str) {
 			ptr = str + 5;
@@ -1890,7 +1890,7 @@ static int parse_kernel_anom(const lnode *n, search_items *s)
 	char *str, *ptr, *term = n->message;
 
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(term, "auid=");
 		if (str == NULL)
 			return 1;
@@ -2078,7 +2078,7 @@ static int parse_simple_message(const lnode *n, search_items *s)
 	char *str, *ptr, *term = n->message;
 
 	// optionally get loginuid - old kernels skip auid for CONFIG_CHANGE
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(term, "auid=");
 		if (str == NULL && n->type != AUDIT_CONFIG_CHANGE)
 			return 1;
@@ -2257,7 +2257,7 @@ static int parse_tty(const lnode *n, search_items *s)
 	}
 
 	// optionally get loginuid
-	if (event_loginuid != -2 || event_tauid) {
+	if (event_loginuid != -2 || event_tauid || event_loginuid_set != -1) {
 		str = strstr(term, "auid=");
 		if (str == NULL)
 			return 5;
-- 
1.7.1


* Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Steve Grubb @ 2016-08-02 12:16 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit

On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> Add support for sessionid, sessionid_set (first two patches) and
> loginuid_set (and auid_set) (third patch) in user filters.  The first
> two are directly related to issue "ghak4":
>         https://github.com/linux-audit/audit-kernel/issues/4
>         https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> 
> The third is to support a kernel change from 3.10 and 3.19 to avoid
> using in-band values to indicate the loginuid is unset.

Have the above three patches been tested on old kernels?

> The last two patches are to add unset flags to sessionid and loginuid
> for ausearch and aureport.  These two patches are extras and not
> required for basic support.

I don't understand what the point of these last two items are. If the session 
is not set, we have ses=4294967295 in the audit trail. That can already be 
specified in ausearch as --session -1. I also am not sure that session 
information makes any sense for aureport because we have aulast which reports 
on session activity for users.

-Steve
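The unset sentinel Steve describes (ses=4294967295, reachable today as `--session -1`) and the set/unset flags the series adds can be modelled in a few lines. The program below is an added example, not code from the patch series or from audit-userspace: it pulls `ses=` and `auid=` out of constructed audit records and applies value and set/unset filters using ausearch-style -2/-1 "not requested" sentinels, plus a strict 0/1 argument parser (`parse_bool_opt`, a hypothetical helper) that rejects trailing characters. All function and field names are assumptions.

```c
/* Added example: set/unset filtering of audit ses= and auid= fields.
 * Not part of the patch series or of audit-userspace; names are assumed. */
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The kernel writes an unset session or loginuid as (u32)-1. */
#define AUDIT_ID_UNSET 0xFFFFFFFFu

/* One filter per field, with ausearch-style sentinels:
 *   value  == -2 -> no value filter; otherwise the u32 to match
 *                   (-1 is allowed and matches the unset sentinel)
 *   is_set == -1 -> no set/unset filter; 0 wants unset, 1 wants set */
struct id_filter {
    int64_t value;
    int is_set;
};

/* Constructed sample records (not real log data). */
static const char *sample_records[] = {
    "type=USER_START msg=audit(1470130000.123:45): pid=2001 uid=0 auid=1000 ses=7 "
    "msg='op=PAM:session_open acct=\"alice\" exe=\"/usr/sbin/sshd\" res=success'",
    "type=SYSCALL msg=audit(1470130001.456:46): arch=c000003e syscall=59 success=yes "
    "exit=0 ppid=1 pid=2100 auid=4294967295 uid=0 ses=4294967295 comm=\"cron\"",
    "type=SYSCALL msg=audit(1470130002.789:47): arch=c000003e syscall=2 success=no "
    "exit=-13 ppid=2001 pid=2055 auid=1000 uid=1000 ses=7 comm=\"cat\"",
};
#define NUM_RECORDS (sizeof(sample_records) / sizeof(sample_records[0]))

/* Strict 0/1 option parser: rejects "2", "1x", "" and non-digits.
 * Returns 0 and stores the flag on success, -1 otherwise. */
static int parse_bool_opt(const char *arg, int *out)
{
    char *end;
    unsigned long v;

    if (arg == NULL || !isdigit((unsigned char)arg[0]))
        return -1;
    errno = 0;
    v = strtoul(arg, &end, 10);
    if (errno != 0 || *end != '\0' || v > 1)
        return -1;
    *out = (int)v;
    return 0;
}

/* Convenience wrapper: -1 on malformed input, else the parsed 0/1. */
int bool_opt_result(const char *arg)
{
    int flag;
    return parse_bool_opt(arg, &flag) == 0 ? flag : -1;
}

/* Find "key=<decimal>" at the start of a token, so "auid=" does not
 * match inside "tauid=". Returns 0 and stores the value, -1 if absent. */
static int get_field_u32(const char *rec, const char *key, uint32_t *out)
{
    size_t klen = strlen(key);
    const char *p = rec;

    while ((p = strstr(p, key)) != NULL) {
        if (p == rec || p[-1] == ' ') {
            char *end;
            unsigned long v;
            errno = 0;
            v = strtoul(p + klen, &end, 10);
            if (errno != 0 || end == p + klen || v > UINT32_MAX)
                return -1;
            *out = (uint32_t)v;
            return 0;
        }
        p += klen;
    }
    return -1;
}

/* Apply one filter to one field value; -1 as a value matches the unset id. */
static int id_matches(const struct id_filter *f, uint32_t v)
{
    if (f->value != -2 && (uint32_t)f->value != v)
        return 0;
    if (f->is_set != -1 && f->is_set != (v != AUDIT_ID_UNSET))
        return 0;
    return 1;
}

/* A record matches when every requested field is present and passes. */
static int record_matches(const char *rec, const struct id_filter *ses,
                          const struct id_filter *auid)
{
    uint32_t v;

    if (ses->value != -2 || ses->is_set != -1)
        if (get_field_u32(rec, "ses=", &v) != 0 || !id_matches(ses, v))
            return 0;
    if (auid->value != -2 || auid->is_set != -1)
        if (get_field_u32(rec, "auid=", &v) != 0 || !id_matches(auid, v))
            return 0;
    return 1;
}

/* Count sample records matching the given ses/auid filters. */
int count_matches(int64_t ses_value, int ses_set, int64_t auid_value, int auid_set)
{
    struct id_filter ses = { ses_value, ses_set };
    struct id_filter auid = { auid_value, auid_set };
    int n = 0;
    size_t i;

    for (i = 0; i < NUM_RECORDS; i++)
        if (record_matches(sample_records[i], &ses, &auid))
            n++;
    return n;
}

int main(void)
{
    printf("unset sessions:        %d\n", count_matches(-2, 0, -2, -1));
    printf("--session -1:          %d\n", count_matches(-1, -1, -2, -1));
    printf("session 7, auid set:   %d\n", count_matches(7, -1, -2, 1));
    printf("argument \"1x\" parses: %d\n", bool_opt_result("1x"));
    return 0;
}
```

The two ways of asking for "unset" (a set/unset flag of 0, or a value filter of -1 cast to u32) select the same record, which is the equivalence Steve points out; the flag form is simply explicit about intent and cannot be confused with a real id. The argument parser shows the check the series' `strtoul(optarg, NULL, 10)` calls omit: with an end pointer, trailing garbage is an error rather than a silently truncated value.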


* Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Richard Guy Briggs @ 2016-08-02 12:56 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On 2016-08-02 08:16, Steve Grubb wrote:
> On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > Add support for sessionid, sessionid_set (first two patches) and
> > loginuid_set (and auid_set) (third patch) in user filters.  The first
> > two are directly related to issue "ghak4":
> >         https://github.com/linux-audit/audit-kernel/issues/4
> >         https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > 
> > The third is to support a kernel change from 3.10 and 3.19 to avoid
> > using in-band values to indicate the loginuid is unset.
> 
> Have the above three patches been tested on old kernels?

Not yet.  How do you usually add new features to userspace to guard
against missing features from old kernels?  Time to add a bit to the
kernel audit status feature field?

> > The last two patches are to add unset flags to sessionid and loginuid
> > for ausearch and aureport.  These two patches are extras and not
> > required for basic support.
> 
> I don't understand what the point of these last two items are. If the session 
> is not set, we have ses=4294967295 in the audit trail. That can already be 
> specified in ausearch as --session -1. I also am not sure that session 
> information makes any sense for aureport because we have aulast which reports 
> on session activity for users.

I was starting to doubt the utility of these last two patches which is
why I tagged them optional.  Please use any bits or ideas that might be
useful, otherwise drop them.

> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


* Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Steve Grubb @ 2016-08-02 13:25 UTC (permalink / raw)
  To: Richard Guy Briggs; +Cc: linux-audit

On Tuesday, August 2, 2016 8:56:35 AM EDT Richard Guy Briggs wrote:
> On 2016-08-02 08:16, Steve Grubb wrote:
> > On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > > Add support for sessionid, sessionid_set (first two patches) and
> > > loginuid_set (and auid_set) (third patch) in user filters.  The first
> > > 
> > > two are directly related to issue "ghak4":
> > >         https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > > 
> > > The third is to support a kernel change from 3.10 and 3.19 to avoid
> > > using in-band values to indicate the loginuid is unset.
> > 
> > Have the above three patches been tested on old kernels?
> 
> Not yet.  How do you usually add new features to userspace to guard
> against missing features from old kernels?  Time to add a bit to the
> kernel audit status feature field?

Yes. Otherwise you get EINVAL which doesn't let you explain what exactly is 
wrong with the rule.

Thanks,
-Steve

> > > The last two patches are to add unset flags to sessionid and loginuid
> > > for ausearch and aureport.  These two patches are extras and not
> > > required for basic support.
> > 
> > I don't understand what the point of these last two items are. If the
> > session is not set, we have ses=4294967295 in the audit trail. That can
> > already be specified in ausearch as --session -1. I also am not sure that
> > session information makes any sense for aureport because we have aulast
> > which reports on session activity for users.
> 
> I was starting to doubt the utility of these last two patches which is
> why I tagged them optional.  Please use any bits or ideas that might be
> useful, otherwise drop them.
> 
> > -Steve
> 
> - RGB
> 
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635


* Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Steve Grubb @ 2016-08-02 13:58 UTC (permalink / raw)
  To: linux-audit; +Cc: Richard Guy Briggs

On Tuesday, August 2, 2016 9:25:44 AM EDT Steve Grubb wrote:
> On Tuesday, August 2, 2016 8:56:35 AM EDT Richard Guy Briggs wrote:
> > On 2016-08-02 08:16, Steve Grubb wrote:
> > > On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > > > Add support for sessionid, sessionid_set (first two patches) and
> > > > loginuid_set (and auid_set) (third patch) in user filters.  The first
> > > > 
> > > > two are directly related to issue "ghak4":
> > > > https://github.com/linux-audit/audit-kernel/issues/4
> > > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > > > 
> > > > The third is to support a kernel change from 3.10 and 3.19 to avoid
> > > > using in-band values to indicate the loginuid is unset.
> > > 
> > > Have the above three patches been tested on old kernels?
> > 
> > Not yet.  How do you usually add new features to userspace to guard
> > against missing features from old kernels?  Time to add a bit to the
> > kernel audit status feature field?
> 
> Yes. Otherwise you get EINVAL which doesn't let you explain what exactly is 
> wrong with the rule.

Before you get too far...I just looked at the support being added in the first 
three patches. There is no code changing auditctl. Is there something missing?

-Steve


* Re: [PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set
From: Richard Guy Briggs @ 2016-08-02 16:30 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

On 2016-08-02 09:58, Steve Grubb wrote:
> On Tuesday, August 2, 2016 9:25:44 AM EDT Steve Grubb wrote:
> > On Tuesday, August 2, 2016 8:56:35 AM EDT Richard Guy Briggs wrote:
> > > On 2016-08-02 08:16, Steve Grubb wrote:
> > > > On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > > > > Add support for sessionid, sessionid_set (first two patches) and
> > > > > loginuid_set (and auid_set) (third patch) in user filters.  The first
> > > > > 
> > > > > two are directly related to issue "ghak4":
> > > > > https://github.com/linux-audit/audit-kernel/issues/4
> > > > > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > > > > 
> > > > > The third is to support a kernel change from 3.10 and 3.19 to avoid
> > > > > using in-band values to indicate the loginuid is unset.
> > > > 
> > > > Have the above three patches been tested on old kernels?
> > > 
> > > Not yet.  How do you usually add new features to userspace to guard
> > > against missing features from old kernels?  Time to add a bit to the
> > > kernel audit status feature field?
> > 
> > Yes. Otherwise you get EINVAL which doesn't let you explain what exactly is 
> > wrong with the rule.
> 
> Before you get too far...I just looked at the support being added in the first 
> three patches. There is no code changing auditctl. Is there something missing?

I am pretty sure I looked through auditctl and in the three cases things
were simple enough that the fallthrough case was sufficient.  Now that I
think about it, to avoid the ambiguity of -EINVAL, restricting the first
to a positive value and the 2nd and 3rd to true or false would remove
that ambiguity.

> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635

