From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: [PATCH] audit: add feature audit_lost reset
Date: Thu, 12 Jan 2017 09:56:55 -0500
Message-ID: <2501778.eMGYSR6R8B@x2>
References: <8c740656caee622c9a9f8642ac48f22e1bf6933c.1481869063.git.rgb@redhat.com> <2201277.tpWh2WdoOc@x2> <20170112041247.GP7816@madcap2.tricolour.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: <20170112041247.GP7816@madcap2.tricolour.ca>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Richard Guy Briggs
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday, January 11, 2017 11:12:47 PM EST Richard Guy Briggs wrote:
> On 2017-01-11 13:56, Steve Grubb wrote:
> Slotting it into CONFIG_CHANGE does make sense to me.
>
> > These changes are on the logging side. This won't affect integration with
> > auditctl. If you do want to keep LOST_RESET, then it affects all searching
> > and reporting utilities.
>
> Can you define "on the logging side" and what implications that has?

There are 2 parts to this. Resolving the set command and resetting the count,
and logging that this was done. What I'm saying is that the AUDIT_STATUS_LOST
gets me into that block of code so auditctl is all set - except for not being
able to tell if it should even try because the underlying kernel doesn't
support this.

> Do you not want to be able to trigger this from auditctl?

I can. Svn code already does this. The only issue is reporting failure and
logging what happened.

> I agree
> putting this in CONFIG_CHANGE will likely make your job easier. There
> are some minor differences including checking that the feature exists
> either by verifying that the operation succeeded the first time you try
> it or by using the feature bitmap or set feature and actually using the
> positive return code lost value. There is also the question of how to
> respond when it isn't the only flag set in the AUDIT_SET command.

Just like it is, is just fine. Auditctl does not send multiple commands
because there's no way to express that from the rules or command line.

> Silently exit having executed the other flags? Return an error before
> processing any of the commands?

The latter makes more sense to me.

> > From a search and reporting perspective CONFIG_CHANGE will make it much
> easier.

Just call audit_log_config_change() from the AUDIT_STATUS_LOST section.

-Steve

> > > > + audit_log_end(ab);
> > > > + return lost;
> > > > + }
> > > >
> > > > break;
> > > >
> > > > }
> > > >
> > > > case AUDIT_GET_FEATURE:
> > > > --
> > > > 1.7.1
> > > >
> > > > --
> > > > Linux-audit mailing list
> > > > Linux-audit@redhat.com
> > > > https://www.redhat.com/mailman/listinfo/linux-audit
>
> - RGB
>
> --
> Richard Guy Briggs
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
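The search-and-reporting side of the thread's point (a lost-counter reset is logged as an ordinary CONFIG_CHANGE record), as an added example that is not part of this thread or of the audit project's code: a small Python filter that pulls lost-counter resets out of audit records and reports who issued them and how many records had been dropped. The record layout (`lost=0 old=<dropped> auid=... ses=... res=...`) is assumed from the format audit_log_config_change() writes, and the sample records are constructed.

```python
import re

# Constructed sample records (not from the thread). The CONFIG_CHANGE layout
# "<what>=<new> old=<old> auid=<n> ses=<n> res=<n>" is assumed from
# audit_log_config_change(); a lost-counter reset logs "lost=0 old=<dropped>".
SAMPLE_RECORDS = [
    "type=CONFIG_CHANGE msg=audit(1484233015.123:456): audit_backlog_limit=8192 old=320 auid=0 ses=1 res=1",
    "type=CONFIG_CHANGE msg=audit(1484233099.881:457): lost=0 old=17 auid=1000 ses=3 res=1",
    "type=DAEMON_START msg=audit(1484233100.000:458): op=start ver=2.7.1 format=raw auid=4294967295 pid=1234 uid=0 ses=4294967295 res=success",
    "type=CONFIG_CHANGE msg=audit(1484233150.002:459): lost=0 old=0 auid=1000 ses=3 res=1",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
UNSET_ID = 4294967295  # (unsigned)-1, the kernel's "no login uid / session" marker


def parse_record(line):
    """Flatten one audit record into a dict, expanding the msg=audit(ts:serial) token."""
    fields = dict(KV_RE.findall(line))
    m = MSG_RE.search(line)
    if m:
        fields["ts"] = float(m.group(1))
        fields["serial"] = int(m.group(2))
    return fields


def lost_reset_events(lines):
    """Return one dict per CONFIG_CHANGE record that reset the kernel's audit_lost counter."""
    events = []
    for line in lines:
        rec = parse_record(line)
        # Only the lost-reset path writes a 'lost' key; other CONFIG_CHANGE records lack it.
        if rec.get("type") != "CONFIG_CHANGE" or "lost" not in rec:
            continue
        auid = int(rec.get("auid", UNSET_ID))
        events.append({
            "serial": rec.get("serial"),
            "dropped_before_reset": int(rec["old"]),  # records lost since the last reset
            "auid": None if auid == UNSET_ID else auid,  # login uid that issued the reset
            "ses": int(rec.get("ses", UNSET_ID)),
            "succeeded": rec.get("res") == "1",
        })
    return events


if __name__ == "__main__":
    for ev in lost_reset_events(SAMPLE_RECORDS):
        print("serial %d: lost counter reset by auid=%s, %d records had been dropped"
              % (ev["serial"], ev["auid"], ev["dropped_before_reset"]))
```

A reset with old=0 is still reported, since a reset that cleared nothing is worth seeing alongside one that cleared a real backlog.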