From: Steve Grubb <sgrubb@redhat.com>
To: Richard Guy Briggs <rgb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: [PATCH] audit: add feature audit_lost reset
Date: Thu, 12 Jan 2017 09:56:55 -0500
Message-ID: <2501778.eMGYSR6R8B@x2>
In-Reply-To: <20170112041247.GP7816@madcap2.tricolour.ca>
On Wednesday, January 11, 2017 11:12:47 PM EST Richard Guy Briggs wrote:
> On 2017-01-11 13:56, Steve Grubb wrote:
> Slotting it in to CONFIG_CHANGE does make sense to me.
>
> > These changes are on the logging side. This won't affect integration with
> > auditctl. If you do want to keep LOST_RESET, then it affects all searching
> > and reporting utilities.
>
> Can you define "on the logging side" and what implications that has?
There are 2 parts to this. Resolving the set command and resetting the count and
logging that this was done. What I'm saying is that the AUDIT_STATUS_LOST gets
me into that block of code so auditctl is all set - except for not being able
to tell if it should even try because the underlying kernel doesn't support
this.
> Do you not want to be able to trigger this from auditctl?
I can. SVN code already does this. The only issue is reporting failure and
logging what happened.
> I agree
> putting this in CONFIG_CHANGE will likely make your job easier. There
> are some minor differences including checking that the feature exists
> either by verifying that the operation succeeded the first time you try
> it or by using the feature bitmap or set feature and actually using the
> positive return code lost value. There is also the question of how to
> respond when it isn't the only flag set in the AUDIT_SET command.
Just like it is, is just fine. Auditctl does not send multiple commands because
there's no way to express that from the rules or command line.
> Silently exit having executed the other flags? Return an error before
> processing any of the commands? The latter makes more sense to me.
>
> From a search and reporting perspective CONFIG_CHANGE will make it much
> easier.
Just call audit_log_config_change() from the AUDIT_STATUS_LOST section.
-Steve
> > > > + audit_log_end(ab);
> > > > + return lost;
> > > > + }
> > > >
> > > > break;
> > > >
> > > > }
> > > >
> > > > case AUDIT_GET_FEATURE:
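Review bot: `return lost;` leaves the AUDIT_SET handler from inside this block, before the `break;` that follows it, so any other AUDIT_STATUS_* bit the caller set in the same message is silently never acted on and the caller receives no error saying so; either reject a mask that combines AUDIT_STATUS_LOST with other bits before anything is applied, or take this path only when AUDIT_STATUS_LOST is the sole bit set. The record closed by `audit_log_end(ab)` just above is also a configuration change, so emitting it through audit_log_config_change() instead of an ad hoc record keeps it inside CONFIG_CHANGE, which the existing search and reporting tools already parse.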
> > > > --
> > > > 1.7.1
> > > >
> > > > --
> > > > Linux-audit mailing list
> > > > Linux-audit@redhat.com
> > > > https://www.redhat.com/mailman/listinfo/linux-audit
>
> - RGB
>
> --
> Richard Guy Briggs <rgb@redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
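As an added example (not code from this thread, from the kernel patch, or from audit-userspace), here is what an auditctl-style client would send to trigger the reset and how it would read the kernel's reply, assuming the behaviour the thread describes: an AUDIT_SET request with AUDIT_STATUS_LOST as the only mask bit, and the previous lost count coming back as a positive value in the NLMSG_ERROR acknowledgement. The AUDIT_STATUS_LOST value used when the headers lack it, the struct and function names, and the three-way result classification are assumptions of this example; the ambiguity of a zero reply (nothing had been lost, or an older kernel ignored the unknown flag) is the detection problem Steve describes above.

```c
/* Added example; not from the thread, the patch, or audit-userspace. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

#ifndef AUDIT_STATUS_LOST
/* Assumption: the mask bit the patch introduces; older headers lack it. */
#define AUDIT_STATUS_LOST 0x0040
#endif

/* Hypothetical names for this example. */
struct reset_lost_req {
    struct nlmsghdr nlh;
    struct audit_status st;
};

enum reset_lost_result {
    RESET_LOST_ERROR = -1,    /* kernel returned a negative errno */
    RESET_LOST_AMBIGUOUS = 0, /* zero: nothing lost, or flag ignored by an old kernel */
    RESET_LOST_OK = 1         /* positive: previous lost count returned */
};

/* Fill an AUDIT_SET request whose mask carries only AUDIT_STATUS_LOST,
 * as discussed in the thread; returns the number of bytes to send. */
size_t build_reset_lost_request(struct reset_lost_req *req)
{
    memset(req, 0, sizeof(*req));
    req->nlh.nlmsg_len = NLMSG_LENGTH(sizeof(req->st));
    req->nlh.nlmsg_type = AUDIT_SET;
    req->nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req->st.mask = AUDIT_STATUS_LOST; /* no other flags combined with it */
    return req->nlh.nlmsg_len;
}

/* Classify the error field of the NLMSG_ERROR acknowledgement. Assumed
 * behaviour: positive = previous lost count (the patch's "return lost"),
 * negative = errno, zero = cannot tell "nothing lost" from "unsupported". */
enum reset_lost_result interpret_reset_lost_ack(int error, unsigned int *lost_out)
{
    if (error < 0) {
        *lost_out = 0;
        return RESET_LOST_ERROR;
    }
    *lost_out = (unsigned int)error;
    return error > 0 ? RESET_LOST_OK : RESET_LOST_AMBIGUOUS;
}

/* Stand-alone use needs CAP_AUDIT_CONTROL, exactly like auditctl itself. */
int main(void)
{
    struct reset_lost_req req;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK, .nl_pid = 0 };
    unsigned char reply[NLMSG_SPACE(sizeof(struct nlmsgerr) + sizeof(req))];
    struct nlmsghdr *rh = (struct nlmsghdr *)reply;
    unsigned int lost;
    ssize_t n;
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);

    if (fd < 0) { perror("socket"); return 1; }
    size_t len = build_reset_lost_request(&req);
    if (sendto(fd, &req, len, 0, (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        perror("sendto"); close(fd); return 1;
    }
    n = recv(fd, reply, sizeof(reply), 0);
    if (n < 0 || !NLMSG_OK(rh, (size_t)n) || rh->nlmsg_type != NLMSG_ERROR) {
        fprintf(stderr, "unexpected reply\n"); close(fd); return 1;
    }
    int err = ((struct nlmsgerr *)NLMSG_DATA(rh))->error;
    switch (interpret_reset_lost_ack(err, &lost)) {
    case RESET_LOST_OK:
        printf("lost counter reset, previous value %u\n", lost); break;
    case RESET_LOST_AMBIGUOUS:
        printf("reply 0: nothing lost, or the kernel lacks the feature\n"); break;
    default:
        fprintf(stderr, "AUDIT_SET failed: %s\n", strerror(-err)); break;
    }
    close(fd);
    return 0;
}
```

The request deliberately sets no other mask bit, matching the thread's conclusion that AUDIT_STATUS_LOST should be handled only when it is the sole flag in the AUDIT_SET; a client that wants a definite feature check before sending still has to consult the feature bitmap, since a zero acknowledgement alone cannot distinguish the two cases.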
Thread overview: 8+ messages
2016-12-16 6:59 [PATCH] audit: add feature audit_lost reset Richard Guy Briggs
2016-12-16 22:58 ` Paul Moore
2017-01-11 18:56 ` Steve Grubb
2017-01-11 23:35 ` Steve Grubb
2017-01-12 4:19 ` Richard Guy Briggs
2017-01-12 14:58 ` Steve Grubb
2017-01-12 4:12 ` Richard Guy Briggs
2017-01-12 14:56 ` Steve Grubb [this message]