On Tuesday, August 2, 2016 8:56:35 AM EDT Richard Guy Briggs wrote:
On 2016-08-02 08:16, Steve Grubb wrote:
> On Tuesday, August 2, 2016 5:38:56 AM EDT Richard Guy Briggs wrote:
> > Add support for sessionid, sessionid_set (first two patches) and
> > loginuid_set (and auid_set) (third patch) in user filters. The first
> > two are directly related to issue "ghak4":
> >
> > https://github.com/linux-audit/audit-kernel/issues/4
> > https://github.com/linux-audit/audit-kernel/wiki/RFE-Session-ID-User-Filter
> >
> > The third is to support a kernel change from 3.10 and 3.19 to avoid
> > using in-band values to indicate the loginuid is unset.
>
> Have the above three patches been tested on old kernels?
Not yet. How do you usually add new features to userspace to guard
against missing features from old kernels? Time to add a bit to the
kernel audit status feature field?
Yes. Otherwise you get EINVAL which doesn't let you explain what exactly is
wrong with the rule.
Thanks,
-Steve
> > The last two patches are to add unset flags to sessionid and loginuid
> > for ausearch and aureport. These two patches are extras and not
> > required for basic support.
>
> I don't understand what the point of these last two items is. If the
> session is not set, we have ses=4294967295 in the audit trail. That can
> already be specified in ausearch as --session -1. I also am not sure that
> session information makes any sense for aureport because we have aulast
> which reports on session activity for users.
I was starting to doubt the utility of these last two patches which is
why I tagged them optional. Please use any bits or ideas that might be
useful, otherwise drop them.
> -Steve
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635