On 2016-10-11 12:40, Steve Grubb wrote:
> On Monday, October 10, 2016 5:10:39 PM EDT Paul Moore wrote:
> > On Mon, Oct 10, 2016 at 1:24 PM, Steve Grubb <[email protected]> wrote:
> > > On Thursday, August 18, 2016 2:18:55 PM EDT Richard Guy Briggs wrote:
> > >> loginuid_set support should have been added to userspace when it was
> > >> added to the kernel around v3.10. Add it before we do similar for
> > >> sessionID and sessionID_set.
> > >
> > > If this were accepted, how would this change writing rules? IOW, can you
> > > give an example rule so we can see what this looks like?
> >
> > We have a RFE feature page which documents some rule examples:
> >
> > * https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
>
> OK, thanks. This is helpful. So, what is the difference between these rules?
>
> -a always,exit -F path=/tmp/sessionid_test -F loginuid=-1
>
> -a always,exit -F path=/tmp/sessionid_set_test -F loginuid_set=0
The only difference is one flag in the kernel to indicate how it was invoked, to be able to report when queried exactly the same way it was invoked, but there is no difference in the actual behaviour of the filter. This was added because of your report that "f24=0" was reported instead of loginuid_set=0 for backwards compatibility. Going forward, the implementation of the sessionid_set field (which works similarly) will not allow an unset value of sessionid, since these are a new addition that didn't need to accommodate backward compatibility.

> -Steve

- RGB

--
Richard Guy Briggs <[email protected]>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
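The behaviour Richard describes (the legacy `loginuid=-1` spelling rewritten to `loginuid_set=0` plus one flag that only affects how the rule is reported back) as a small Python model; this is an added illustration, not kernel or audit-userspace code, and the helper names, the `legacy` flag and the constructed sample loginuids are this example's own.

```python
# Added example: a model of how a loginuid filter field is parsed, matched and
# reported, following the explanation in the reply. Not kernel code.

UNSET_UID = 0xFFFFFFFF  # (uid_t)-1: the value a task's loginuid has before it is set


def parse_rule_field(field, raw):
    """Turn one '-F name=value' pair into (type, value, legacy_flag)."""
    if field == "loginuid":
        val = int(raw) & 0xFFFFFFFF  # -1 wraps to 0xFFFFFFFF like a uid_t would
        if val == UNSET_UID:
            # The legacy spelling is stored as loginuid_set=0; the flag only
            # remembers the spelling so a listing can report it unchanged.
            return ("loginuid_set", 0, True)
        return ("loginuid", val, False)
    if field == "loginuid_set":
        val = int(raw)
        if val not in (0, 1):
            raise ValueError("loginuid_set must be 0 or 1")
        return ("loginuid_set", val, False)
    raise ValueError(f"unknown field {field}")


def rule_matches(rule, loginuid):
    """Evaluate a parsed field against a task's loginuid; the flag plays no part."""
    ftype, val, _legacy = rule
    if ftype == "loginuid":
        return loginuid == val
    # loginuid_set: 1 once a loginuid has been set, 0 while it is still unset
    return (0 if loginuid == UNSET_UID else 1) == val


def format_rule(rule):
    """Report the field the way it was written, which is what the flag is for."""
    ftype, val, legacy = rule
    if legacy:
        return "-F loginuid=-1"
    return f"-F {ftype}={val}"


def same_filter_behaviour(rule_a, rule_b, sample_uids=(UNSET_UID, 0, 1000)):
    """True when both rules accept and reject exactly the same sample tasks."""
    return all(rule_matches(rule_a, u) == rule_matches(rule_b, u) for u in sample_uids)
```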
