-
Notifications
You must be signed in to change notification settings - Fork 37
RFE Session ID User Filter
Add the ability to add user rules to filter audit messages based on session ID so that system admins can more precicely restrict desired audit events.
The session ID is in the netlink credentials coming from user space. They just didn't get added to the user filter when they were added to netlink. Add it. Similar to loginuid set, we will also need a new sessionID set flag to avoid depending on an in-band value to indicate this.
In the kernel, define AUDIT_SESSIONID in the uapi, allow it to user filter rules to pass valid field checks including session ID, store the session ID field with the rule, and add a comparisson with the current task based on the session ID in the user filter. Define AUDIT_SESSIONID_SET to indicate whether or not the sessionID is set.
Define sessionid and sessionid_set in userspace based on AUDIT_SESSIONID and AUDIT_SESSIONID_SET macros from the uapi.
Develop a test script.
Test that user filter rules can be successfully added based on session ID and that audit user messages can be filtered based on the session ID.
No change to existing audit records.
https://github.com/linux-audit/audit-kernel/issues/4
https://github.com/linux-audit/audit-testsuite/pull/22