[PATCH 0/5] Add support for sessionid user filters, sessionid_set and loginuid_set

Richard Guy Briggs rgb at redhat.com
Tue Aug 2 12:56:35 UTC 2016


On 2016-08-02 08:16, Steve Grubb wrote:
> On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > Add support for sessionid, sessionid_set (first two patches) and
> > loginuid_set (and auid_set) (third patch) in user filters.  The first
> > two are directly related to issue "ghak4":
> >         https://github.com/linux-audit/audit-kernel/issues/4
> >         https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> > 
> > The third is to support a kernel change from 3.10 and 3.19 to avoid
> > using in-band values to indicate the loginuid is unset.
> 
> Have the above three patches been tested on old kernels?

Not yet.  How do you usually add new features to userspace to guard
against missing features from old kernels?  Time to add a bit to the
kernel audit status feature field?

> > The last two patches are to add unset flags to sessionid and loginuid
> > for ausearch and aureport.  These two patches are extras and not
> > required for basic support.
> 
> I don't understand what the point of these last two items is. If the session
> is not set, we have ses=4294967295 in the audit trail. That can already be 
> specified in ausearch as --session -1. I also am not sure that session 
> information makes any sense for aureport because we have aulast which reports 
> on session activity for users.

I was starting to doubt the utility of these last two patches which is
why I tagged them optional.  Please use any bits or ideas that might be
useful, otherwise drop them.

> -Steve

- RGB

--
Richard Guy Briggs <rgb at redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635



