From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: [userspace PATCH v2 2/3] Add sessionid_set option from kernel
	uapi macro AUDIT_SESSIONID_SET
Date: Wed, 12 Oct 2016 14:02:32 -0400
Message-ID: <1893307.IJE51OVXCc@x2>
References: <1471546054-4536-1-git-send-email-rgb@redhat.com>
	<1471546054-4536-3-git-send-email-rgb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <1471546054-4536-3-git-send-email-rgb@redhat.com>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Richard Guy Briggs <rgb@redhat.com>, Paul Moore <pmoore@redhat.com>
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, August 18, 2016 2:47:33 PM EDT Richard Guy Briggs wrote:
> Add sessionid_set field option from kernel uapi macro SESSIONID_SET to
> enable specifying that sessionID is set or not in user filters.

Is there any compelling reason to support two differents fields that essentially 
decide how to audit sessions? I think its a bit clunky to expect that people 
write rules

-a always,exit -S open -F path=/path/file  -F sessionid>0 

but if you want to record daemons, then its not as simple as using -1 which is 
what is in the logs and the intuitive answer. Instead you have to use a new 
field.

-a always,exit -S open -F path=/path/file  -F sessionid_set=0

But then you can also do the first rule as:

-a always,exit -S open -F path=/path/file  -F sessionid_set=1

So, we have 2 ways of doing almost the same thing. I don't really like this.

-Steve


> Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
> ---
>  trunk/lib/fieldtab.h |    1 +
>  trunk/lib/libaudit.c |    2 ++
>  trunk/lib/libaudit.h |    4 ++++
>  3 files changed, 7 insertions(+), 0 deletions(-)
> 
> diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
> index 84acc08..eeb951e 100644
> --- a/trunk/lib/fieldtab.h
> +++ b/trunk/lib/fieldtab.h
> @@ -34,6 +34,7 @@ _S(AUDIT_LOGINUID,     "loginuid"     )
>  _S(AUDIT_LOGINUID_SET, "auid_set"     )
>  _S(AUDIT_LOGINUID_SET, "loginuid_set" )
>  _S(AUDIT_SESSIONID,    "sessionid"    )
> +_S(AUDIT_SESSIONID_SET,"sessionid_set")
>  _S(AUDIT_PERS,         "pers"         )
>  _S(AUDIT_ARCH,         "arch"         )
>  _S(AUDIT_MSGTYPE,      "msgtype"      )
> diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
> index 38776f4..5ffb720 100644
> --- a/trunk/lib/libaudit.c
> +++ b/trunk/lib/libaudit.c
> @@ -1650,6 +1650,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, case AUDIT_LOGINUID_SET:
>  			if(!features)
>  				return -30;
> +			/* fallthrough */
> +		case AUDIT_SESSIONID_SET:
>  			if (flags != AUDIT_FILTER_EXCLUDE &&
>  			    flags != AUDIT_FILTER_USER &&
>  			    flags != AUDIT_FILTER_EXIT)
> diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
> index 95b7a78..f8007c1 100644
> --- a/trunk/lib/libaudit.h
> +++ b/trunk/lib/libaudit.h
> @@ -381,6 +381,10 @@ extern "C" {
>  #define AUDIT_SESSIONID			25
>  #endif
> 
> +#ifndef AUDIT_SESSIONID_SET
> +#define AUDIT_SESSIONID_SET		26
> +#endif
> +
>  /* Architectures */
>  #ifndef EM_ARM
>  #define EM_ARM  40