On Wednesday, January 11, 2017 11:12:47 PM EST Richard Guy Briggs wrote:
> On 2017-01-11 13:56, Steve Grubb wrote:
> Slotting it in to CONFIG_CHANGE does make sense to me.
> > These changes are on the logging side. This won't affect integration with
> > auditctl. If you do want to keep LOST_RESET, then it affects all searching
> > and reporting utilities.
> Can you define "on the logging side" and what implications that has?
There are two parts to this: resolving the set command, and resetting the count and
logging that this was done. What I'm saying is that the AUDIT_STATUS_LOST gets
me into that block of code, so auditctl is all set - except for not being able
to tell if it should even try because the underlying kernel doesn't support
this.
> Do you not want to be able to trigger this from auditctl?
I can. Svn code already does this. The only issue is reporting failure and
logging what happened.
> I agree
> putting this in CONFIG_CHANGE will likely make your job easier. There
> are some minor differences including checking that the feature exists
> either by verifying that the operation succeeded the first time you try
> it or by using the feature bitmap or set feature and actually using the
> positive return code lost value. There is also the question of how to
> respond when it isn't the only flag set in the AUDIT_SET command.
Just like it is is just fine. Auditctl does not send multiple commands because
there's no way to express that from the rules or command line.
> Silently exit having executed the other flags? Return an error before
> processing any of the commands? The latter makes more sense to me.
From a search and reporting perspective CONFIG_CHANGE will make it much
easier.
Just call audit_log_config_change() from the AUDIT_STATUS_LOST section.
-Steve
> > > + audit_log_end(ab);
> > > + return lost;
> > > + }
> > >
> > > break;
> > >
> > > }
> > >
> > > case AUDIT_GET_FEATURE:
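Review bot: the branch closes a hand-built record with `audit_log_end(ab)` right before `return lost;`; since the thread has settled on reporting the reset as CONFIG_CHANGE, the AUDIT_STATUS_LOST section could instead call audit_log_config_change(), which yields the record type the existing search and reporting utilities already handle and removes the open-coded record. The early `return lost;` also bypasses the `break;` that follows, which is fine as long as the commit message states that the positive return value is the pre-reset lost count, because that is what auditctl will use to tell whether the kernel supports the operation.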
> > > --
> > > Linux-audit mailing list
> > > Linux-audit(a)redhat.com
> > > https://www.redhat.com/mailman/listinfo/linux-audit
> - RGB
> --
> Richard Guy Briggs <rgb(a)redhat.com>
> Kernel Security Engineering, Base Operating Systems, Red Hat
> Remote, Ottawa, Canada
> Voice: +1.647.777.2635, Internal: (81) 32635
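The thread's point is that once the lost-counter reset is logged as CONFIG_CHANGE, the userspace search and reporting side has to pick it out like any other configuration change. The script below is an added example, not code from the thread or from the audit project: it parses audit-log style records and reports resets of the kernel's lost counter, flagging the ones that discarded a non-zero count, since those are the resets an analyst must account for when reconciling gaps in an audit trail. The sample lines are constructed here, and the exact record shape (`op=set lost=0 old=N ... res=1`) is an assumption modelled on the generic `op=set <name>=<new> old=<old>` format that audit_log_config_change() emits, not something the thread specifies.

```python
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample records (not from the thread). The "op=set lost=0 old=N"
# shape is an assumption based on the generic audit_log_config_change() format.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1484172001.101:1201): arch=c000003e syscall=44 success=yes exit=48 auid=1000 ses=3 comm="auditctl" exe="/sbin/auditctl" key=(null)
type=CONFIG_CHANGE msg=audit(1484172001.102:1202): op=set audit_enabled=1 old=1 auid=1000 ses=3 res=1
type=CONFIG_CHANGE msg=audit(1484172042.550:1210): op=set lost=0 old=17 auid=1000 ses=3 res=1
type=CONFIG_CHANGE msg=audit(1484172099.004:1233): op=set lost=0 old=0 auid=4294967295 ses=4294967295 res=1
type=CONFIG_CHANGE msg=audit(1484172120.777:1240): op=set lost=0 old=5 auid=1000 ses=3 res=0
"""

# "type=X msg=audit(<seconds>.<millis>:<serial>): <key=value ...>"
_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; values are either a quoted string or a run of non-space characters.
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Optional[Dict[str, str]]:
    """Split one audit record into a flat dict of its fields.

    Returns None for lines that do not carry the standard type/msg header.
    """
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": m["ts"], "serial": m["serial"]}
    for key, val in _FIELD.findall(m["body"]):
        rec[key] = val.strip('"')
    return rec


def find_lost_resets(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return every CONFIG_CHANGE record that set the kernel's lost counter."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        rec = parse_record(line)
        if not rec or rec["type"] != "CONFIG_CHANGE" or rec.get("op") != "set":
            continue
        if "lost" not in rec:
            continue  # some other setting (audit_enabled, backlog_limit, ...)
        hits.append({
            "serial": int(rec["serial"]),
            "ts": float(rec["ts"]),
            "old": int(rec["old"]),          # lost records discarded by the reset
            "new": int(rec["lost"]),
            "auid": int(rec.get("auid", "4294967295")),  # 4294967295 == unset
            "succeeded": rec.get("res") == "1",
        })
    return hits


def resets_to_review(hits: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Keep only successful resets that wiped a non-zero count.

    A reset with old=0 hid nothing, and a failed reset (res=0) changed nothing,
    so neither needs to be reconciled against the rest of the log.
    """
    return [h for h in hits if h["succeeded"] and h["old"] > 0]


if __name__ == "__main__":
    found = find_lost_resets(SAMPLE_LOG.splitlines())
    for h in resets_to_review(found):
        print(f"serial {h['serial']}: lost counter reset from {h['old']} by auid {h['auid']}")
```

Run as a script it prints one line for the reset that discarded 17 records; the reset with `old=0` and the one with `res=0` are parsed but not reported. The parser is deliberately generic so the same `parse_record()` can be pointed at other record types when correlating a reset with the surrounding SYSCALL records of the process that issued it.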