RFE Session ID User Filter
Add the ability to add user rules to filter audit messages based on session ID so that system admins can more precisely restrict the desired audit events.
The session ID is in the netlink credentials coming from user space. It just didn't get added to the user filter when those credentials were added to netlink. Add it. Similar to the loginuid set flag, we will also need a new sessionID set flag so that we do not depend on an in-band value to indicate this.
In the kernel, define AUDIT_SESSIONID in the uapi, allow user filter rules that use it to pass the valid-field checks, store the session ID value with the rule, and add a comparison of the rule's session ID against the current task's session ID in the user filter. Define AUDIT_SESSIONID_SET to indicate whether or not the sessionID is set.
Define sessionid and sessionid_set in userspace based on AUDIT_SESSIONID and AUDIT_SESSIONID_SET macros from the uapi.
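As an added illustration (not code from the kernel or the audit project), here is a stand-alone C model of the user-filter match described above: a rule's session-ID fields are compared against the sending task's credentials with comparator semantics, and a separate sessionid_set field replaces testing the in-band "unset" sentinel. The operator, field and struct names are the model's own and are not the uapi numbers.

```c
/* Sentinel for a task with no session; the kernel also uses (unsigned int)-1. */
#define SID_UNSET ((unsigned int)-1)

/* The model's own operator and field names, not the uapi numbers. */
enum op { OP_EQUAL, OP_NOT_EQUAL, OP_LESS_THAN, OP_GREATER_THAN, OP_BIT_MASK };
enum field_type { F_SESSIONID, F_SESSIONID_SET }; /* stand-ins for AUDIT_SESSIONID, AUDIT_SESSIONID_SET */

struct rule_field { enum field_type type; enum op op; unsigned int val; };
struct rule { const struct rule_field *fields; int nfields; };
struct task_creds { unsigned int sessionid; };   /* carried in the netlink credentials */

/* 1 when "left op right" holds, else 0. */
int audit_comparator(unsigned int left, enum op op, unsigned int right)
{
    switch (op) {
    case OP_EQUAL:        return left == right;
    case OP_NOT_EQUAL:    return left != right;
    case OP_LESS_THAN:    return left < right;
    case OP_GREATER_THAN: return left > right;
    case OP_BIT_MASK:     return (left & right) != 0;
    }
    return 0;
}

/* Evaluate one rule field against the sending task's credentials. */
static int field_matches(const struct rule_field *f, const struct task_creds *t)
{
    switch (f->type) {
    case F_SESSIONID:
        return audit_comparator(t->sessionid, f->op, f->val);
    case F_SESSIONID_SET: /* explicit flag: rules never test the in-band sentinel */
        return audit_comparator(t->sessionid != SID_UNSET, f->op, f->val);
    }
    return 0;
}

/* A rule matches only when every one of its fields matches (fields are ANDed). */
int rule_matches(const struct rule *r, const struct task_creds *t)
{
    for (int i = 0; i < r->nfields; i++)
        if (!field_matches(&r->fields[i], t)) return 0;
    return 1;
}

/* One-field rule: "-F sessionid=2" is (F_SESSIONID, OP_EQUAL, 2), "-F sessionid_set=1" is (F_SESSIONID_SET, OP_EQUAL, 1). */
int match_one_field(enum field_type type, enum op op, unsigned int val, unsigned int task_sid)
{
    struct rule_field f = { type, op, val };
    struct rule r = { &f, 1 };
    struct task_creds t = { task_sid };
    return rule_matches(&r, &t);
}
```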
Develop a test script.
Test that user filter rules can be successfully added based on session ID and that audit user messages can be filtered based on the session ID.
No change to existing audit records.
To create a filter on sessionID or on whether or not the sessionID is set, use one of the following:
auditctl -a always,exit -F arch=b64 -F path=/tmp/sessionid_test -F sessionid=2 -k sessionid2
auditctl -a always,exit -F arch=b64 -F path=/tmp/sessionid_set_test -F sessionid_set=1 -k sessionid_set
To trigger these examples, use: touch /tmp/sessionid_test /tmp/sessionid_set_test
Then, to search for the events from the examples above based on sessionID, use one of:
ausearch -i --sessionid 2
ausearch -i -k sessionid2
and to search based on whether or not the sessionID is set, use one of:
ausearch -i --sessionid_set 1
ausearch -i -k sessionid_set
https://github.com/linux-audit/audit-kernel/issues/4
https://github.com/linux-audit/audit-testsuite/pull/22