From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>, Paul Moore <pmoore@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [userspace PATCH v2 2/3] Add sessionid_set option from kernel uapi macro AUDIT_SESSIONID_SET
Date: Wed, 12 Oct 2016 14:02:32 -0400 [thread overview]
Message-ID: <1893307.IJE51OVXCc@x2> (raw)
In-Reply-To: <1471546054-4536-3-git-send-email-rgb@redhat.com>
On Thursday, August 18, 2016 2:47:33 PM EDT Richard Guy Briggs wrote:
> Add sessionid_set field option from kernel uapi macro SESSIONID_SET to
> enable specifying that sessionID is set or not in user filters.
Is there any compelling reason to support two different fields that essentially
decide how to audit sessions? I think it's a bit clunky to expect that people
write rules
-a always,exit -S open -F path=/path/file -F sessionid>0
but if you want to record daemons, then it's not as simple as using -1, which is
what is in the logs and the intuitive answer. Instead you have to use a new
field.
-a always,exit -S open -F path=/path/file -F sessionid_set=0
But then you can also do the first rule as:
-a always,exit -S open -F path=/path/file -F sessionid_set=1
So, we have 2 ways of doing almost the same thing. I don't really like this.
-Steve
> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
> trunk/lib/fieldtab.h | 1 +
> trunk/lib/libaudit.c | 2 ++
> trunk/lib/libaudit.h | 4 ++++
> 3 files changed, 7 insertions(+), 0 deletions(-)
>
> diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
> index 84acc08..eeb951e 100644
> --- a/trunk/lib/fieldtab.h
> +++ b/trunk/lib/fieldtab.h
> @@ -34,6 +34,7 @@ _S(AUDIT_LOGINUID, "loginuid" )
> _S(AUDIT_LOGINUID_SET, "auid_set" )
> _S(AUDIT_LOGINUID_SET, "loginuid_set" )
> _S(AUDIT_SESSIONID, "sessionid" )
> +_S(AUDIT_SESSIONID_SET,"sessionid_set")
> _S(AUDIT_PERS, "pers" )
> _S(AUDIT_ARCH, "arch" )
> _S(AUDIT_MSGTYPE, "msgtype" )
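Review bot: the added `_S(AUDIT_SESSIONID_SET,"sessionid_set")` entry drops the spacing the neighbouring entries use (`_S(AUDIT_SESSIONID, "sessionid" )`); match the column layout of the surrounding table so it stays consistent and future diffs stay clean. Also note that `AUDIT_LOGINUID_SET` is registered under two names (`auid_set` and `loginuid_set`) while the new field gets only `sessionid_set`; if a single name is intentional, say so in the commit message.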
> diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
> index 38776f4..5ffb720 100644
> --- a/trunk/lib/libaudit.c
> +++ b/trunk/lib/libaudit.c
> @@ -1650,6 +1650,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, case AUDIT_LOGINUID_SET:
> if(!features)
> return -30;
> + /* fallthrough */
> + case AUDIT_SESSIONID_SET:
> if (flags != AUDIT_FILTER_EXCLUDE &&
> flags != AUDIT_FILTER_USER &&
> flags != AUDIT_FILTER_EXIT)
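Review bot: the new `case AUDIT_SESSIONID_SET:` label sits after the `if(!features) return -30;` check, so a `sessionid_set` rule is never rejected for lack of kernel support the way an `AUDIT_LOGINUID_SET` rule is; it only inherits the restriction to the exclude, user and exit filters. If the kernel capability check is deliberately deferred to patch 3/3 ("Check sessionID* fields available in kernel"), state that in the commit message; otherwise the label should go above the `features` check. The `/* fallthrough */` comment is the right way to document the shared path for compilers that warn on implicit fall-through.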
> diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
> index 95b7a78..f8007c1 100644
> --- a/trunk/lib/libaudit.h
> +++ b/trunk/lib/libaudit.h
> @@ -381,6 +381,10 @@ extern "C" {
> #define AUDIT_SESSIONID 25
> #endif
>
> +#ifndef AUDIT_SESSIONID_SET
> +#define AUDIT_SESSIONID_SET 26
> +#endif
> +
> /* Architectures */
> #ifndef EM_ARM
> #define EM_ARM 40
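Review bot: the `#ifndef AUDIT_SESSIONID_SET` fallback hard-codes 26 for a kernel uapi constant; as with the `AUDIT_SESSIONID 25` block just above it, the library will silently disagree with the kernel if the uapi value changes before the kernel side is merged. The commit message should name the kernel header or commit the value is taken from so a reviewer can check it against the kernel tree, and the fallback should be dropped or re-verified once the uapi header carrying it ships.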
Thread overview:
2016-08-18 18:47 [userspace PATCH v2 0/3] Add support for sessionid user filters, sessionid_set Richard Guy Briggs
2016-08-18 18:47 ` [userspace PATCH v2 1/3] Add userspace support for session ID user filter Richard Guy Briggs
2016-08-18 18:47 ` [userspace PATCH v2 2/3] Add sessionid_set option from kernel uapi macro AUDIT_SESSIONID_SET Richard Guy Briggs
2016-10-12 18:02 ` Steve Grubb [this message]
2016-10-13 12:32 ` Paul Moore
2016-10-18 12:36 ` Richard Guy Briggs
2016-08-18 18:47 ` [userspace PATCH v2 3/3] Check sessionID* fields available in kernel Richard Guy Briggs
2016-10-19 21:46 ` [userspace PATCH v2 0/3] Add support for sessionid user filters, sessionid_set Steve Grubb