From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Use case not covered by the audit library?
Date: Wed, 16 Dec 2015 09:22:39 -0500
Message-ID: <27894292.cgSWpRuSAQ@x2>
In-Reply-To: <B41870ED03633F4092CDF476119204DF561CDE2E@G9W0758.americas.hpqcorp.net>

Hello,

On Tuesday, December 15, 2015 05:13:14 AM Gulland, Scott A wrote:
> I have a fairly common use case that I'm not sure is covered by the audit
> library and I need some advice on how best to handle it. I have a daemon
> running as root that services REST API calls (or a web UI from a browser).
> An external application first establishes a session by authenticating a
> user which returns a token/session ID to the caller. All future REST API
> calls supply the token/session ID, which allows them authenticated access
> to the requested resource. The token/session ID indicates what user the
> request is associated with. Obviously, there can be many users
> simultaneously issuing requests.
>
> What I need to do is specify the user on each audit log call. For example,
> I need to have a way to specify which user is issuing the request when I
> call audit_log_user_message(). Is this possible? This is a very common
> use case and really needs to be handled.

Would these users be able to interact with the system in any way they please?
If it's not an interactive session, then I don't think it's a _system_ event.
There are perfectly fine application logging frameworks to choose from. The
main issue is making sure that users cannot influence the records being written
about what they are doing.

But if you feel that you really would like to have this in the audit trail,
then you can use the AUDIT_TRUSTED_APP event type and format the event any way
that you wish. The audit tools sort of ignore those events because there's no
telling what's in them.
-Steve
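
An added example, not part of the original message or of the audit project's code, of the AUDIT_TRUSTED_APP approach described in the reply above: it builds the per-request message so that the session's user name cannot forge extra fields, mirroring the hex-encoding that audit records use for untrusted strings. The helper names, the `op`/`acct` layout and the `USE_LIBAUDIT` build macro are assumptions; building with `-DUSE_LIBAUDIT -laudit` sends the record through `audit_log_user_message()`.

```c
#include <stdio.h>
#include <string.h>
#ifdef USE_LIBAUDIT            /* hypothetical build macro: -DUSE_LIBAUDIT -laudit */
#include <libaudit.h>
#endif

/* Hypothetical helper: could this untrusted value break out of its field? */
static int needs_encoding(const char *s)
{
    for (; *s; s++)
        if (*s == '"' || (unsigned char)*s < 0x21 || (unsigned char)*s >= 0x7f)
            return 1;
    return 0;
}

/* Hypothetical helper: acct="name" if safe, acct=<HEX> if not; -1 if out is too small. */
int format_request_event(char *out, size_t outlen, const char *op, const char *user)
{
    int n = snprintf(out, outlen, "op=%s acct=", op);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    size_t used = (size_t)n;
    if (!needs_encoding(user)) {
        n = snprintf(out + used, outlen - used, "\"%s\"", user);
        return (n < 0 || (size_t)n >= outlen - used) ? -1 : 0;
    }
    for (; *user; user++, used += 2) {
        if (used + 3 > outlen)          /* two hex digits plus the terminator */
            return -1;
        snprintf(out + used, 3, "%02X", (unsigned char)*user);
    }
    return 0;
}

int main(void)
{
    char msg[256];
    /* Constructed sample: a user name that tries to append a forged field. */
    if (format_request_event(msg, sizeof msg, "rest-get", "bob res=success\n"))
        return 1;
    puts(msg);
#ifdef USE_LIBAUDIT
    int fd = audit_open();
    if (fd < 0) return 1;
    audit_log_user_message(fd, AUDIT_TRUSTED_APP, msg, NULL, NULL, NULL, 1);
    audit_close(fd);
#endif
    return 0;
}
```

The user name passed in should come from the daemon's own session table for the presented token, never from a field in the request body.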