-
Notifications
You must be signed in to change notification settings - Fork 37
RFE Session ID User Filter
Add the ability to add user rules to filter audit messages based on session ID so that system admins can more precicely restrict desired audit events.
The session ID is in the netlink credentials coming from user space. They just didn't get added to the user filter when they were added to netlink. Add it.
In the kernel, define AUDIT_SESSIONID in the uapi, allow it to user filter rules to pass valid field checks including session ID, store the session ID field with the rule, and add a comparisson with the current task based on the session ID in the user filter.
Define sessionid in userspace based on AUDIT_SESSIONID macro from the uapi.
Develop a test script.
Test that user filter rules can be successfully added based on session ID and that audit user messages can be filtered based on the session ID.
To create a filter on sessionID, use the following:
auditctl -a always,exit -F arch=b64 -F path=/tmp/sessionid_test -F sessionid=2 \
-k sessionid2
To check that the rule was accepted, issuing:
auditctl -l
should give you back the following:
-a always,exit -F arch=b64 -S all -F path=/tmp/sessionid_test -F sessionid=2 -F key=sessionid2
To trigger this example, use:
touch /tmp/sessionid_test
Then, from the example above, search for events based on sessionID, use:
ausearch -i --session 2
which should find one event with 5 records (assuming your current test session is sessionid 2):
type=PROCTITLE msg=audit(07/09/16 11:53:43.217:430) : proctitle=touch
/tmp/sessionid_test /tmp/sessionid_set_test
type=PATH msg=audit(07/09/16 11:53:43.217:430) : item=1 name=/tmp/sessionid_test
inode=21320 dev=00:23 mode=file,644 ouid=root ogid=root rdev=00:00
obj=unconfined_u:object_r:user_tmp_t:s0 nametype=NORMAL
type=PATH msg=audit(07/09/16 11:53:43.217:430) : item=0 name=/tmp/ inode=10183
dev=00:23 mode=dir,sticky,777 ouid=root ogid=root rdev=00:00
obj=system_u:object_r:tmp_t:s0 nametype=PARENT
type=CWD msg=audit(07/09/16 11:53:43.217:430) : cwd=/root
type=SYSCALL msg=audit(07/09/16 11:53:43.217:430) : arch=x86_64 syscall=open
success=yes exit=3 a0=0x7ffc9d075e0e a1=O_WRONLY|O_CREAT|O_NOCTTY|O_NONBLOCK
a2=0666 a3=0x691 items=2 ppid=1267 pid=1292 auid=root uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=ttyS0 ses=2
comm=touch exe=/usr/bin/touch
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=sessionid2
No change to existing audit records.
https://github.com/linux-audit/audit-kernel/issues/4
https://github.com/linux-audit/audit-testsuite/pull/22