On Thursday, August 18, 2016 2:47:33 PM EDT Richard Guy Briggs wrote:
> Add sessionid_set field option from kernel uapi macro SESSIONID_SET to
> enable specifying that sessionID is set or not in user filters.

Is there any compelling reason to support two differents fields that 
essentially 
decide how to audit sessions? I think its a bit clunky to expect that people 
write rules

-a always,exit -S open -F path=/path/file  -F sessionid>0 

but if you want to record daemons, then its not as simple as using -1 which is 
what is in the logs and the intuitive answer. Instead you have to use a new 
field.

-a always,exit -S open -F path=/path/file  -F sessionid_set=0

But then you can also do the first rule as:

-a always,exit -S open -F path=/path/file  -F sessionid_set=1

So, we have 2 ways of doing almost the same thing. I don't really like this.

-Steve


> Signed-off-by: Richard Guy Briggs <r...@redhat.com>
> ---
>  trunk/lib/fieldtab.h |    1 +
>  trunk/lib/libaudit.c |    2 ++
>  trunk/lib/libaudit.h |    4 ++++
>  3 files changed, 7 insertions(+), 0 deletions(-)
> 
> diff --git a/trunk/lib/fieldtab.h b/trunk/lib/fieldtab.h
> index 84acc08..eeb951e 100644
> --- a/trunk/lib/fieldtab.h
> +++ b/trunk/lib/fieldtab.h
> @@ -34,6 +34,7 @@ _S(AUDIT_LOGINUID,     "loginuid"     )
>  _S(AUDIT_LOGINUID_SET, "auid_set"     )
>  _S(AUDIT_LOGINUID_SET, "loginuid_set" )
>  _S(AUDIT_SESSIONID,    "sessionid"    )
> +_S(AUDIT_SESSIONID_SET,"sessionid_set")
>  _S(AUDIT_PERS,         "pers"         )
>  _S(AUDIT_ARCH,         "arch"         )
>  _S(AUDIT_MSGTYPE,      "msgtype"      )
> diff --git a/trunk/lib/libaudit.c b/trunk/lib/libaudit.c
> index 38776f4..5ffb720 100644
> --- a/trunk/lib/libaudit.c
> +++ b/trunk/lib/libaudit.c
> @@ -1650,6 +1650,8 @@ int audit_rule_fieldpair_data(struct audit_rule_data
> **rulep, const char *pair, case AUDIT_LOGINUID_SET:
>                       if(!features)
>                               return -30;
> +                     /* fallthrough */
> +             case AUDIT_SESSIONID_SET:
>                       if (flags != AUDIT_FILTER_EXCLUDE &&
>                           flags != AUDIT_FILTER_USER &&
>                           flags != AUDIT_FILTER_EXIT)
> diff --git a/trunk/lib/libaudit.h b/trunk/lib/libaudit.h
> index 95b7a78..f8007c1 100644
> --- a/trunk/lib/libaudit.h
> +++ b/trunk/lib/libaudit.h
> @@ -381,6 +381,10 @@ extern "C" {
>  #define AUDIT_SESSIONID                      25
>  #endif
> 
> +#ifndef AUDIT_SESSIONID_SET
> +#define AUDIT_SESSIONID_SET          26
> +#endif
> +
>  /* Architectures */
>  #ifndef EM_ARM
>  #define EM_ARM  40


--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit

Reply via email to