On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
Add support for sessionid, sessionid_set (first two patches) and
loginuid_set (and auid_set) (third patch) in user filters. The first
two are directly related to issue "ghak4":
https://github.com/linux-audit/audit-kernel/issues/4
https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
The third is to support a kernel change from 3.10 and 3.19 to avoid
using in-band values to indicate the loginuid is unset.
Have the above three patches been tested on old kernels?
The last two patches are to add unset flags to sessionid and loginuid
for ausearch and aureport. These two patches are extras and not
required for basic support.
I don't understand what the point of these last two items is. If the session
is not set, we have ses=4294967295 in the audit trail. That can already be
specified in ausearch as --session -1. I also am not sure that session
information makes any sense for aureport because we have aulast which reports
on session activity for users.
-Steve