-
Notifications
You must be signed in to change notification settings - Fork 40
RFE Session ID User Filter
Add the ability to add user rules to filter audit messages based on session ID so that system admins can more precicely restrict desired audit events.
The session ID is in the netlink credentials coming from user space. They just didn't get added to the user filter when they were added to netlink. Add it.
In the kernel, define AUDIT_SESSIONID in the uapi, allow it to user filter rules to pass valid field checks including session ID, store the session ID field with the rule, and add a comparisson with the current task based on the session ID in the user filter.
Define sessionid in userspace based on AUDIT_SESSIONID macro from the uapi.
Develop a test script.
Test that user filter rules can be successfully added based on session ID and that audit user messages can be filtered based on the session ID.
No change to existing audit records.
https://github.com/linux-audit/audit-kernel/issues/4
https://github.com/linux-audit/audit-testsuite/pull/22