From: Steve Grubb
To: Paul Moore
Cc: rgb@redhat.com, linux-audit@redhat.com, linux-kernel@vger.kernel.org, Eric Paris, aviro@redhat.com
Subject: Re: [RFC PATCH ghak59 V1 6/6] audit: extend config_change mark/watch/tree rule changes
Date: Fri, 29 Jun 2018 08:31:31 -0400
Message-ID: <4353667.qdjHzgu0KO@x2>
Organization: Red Hat
X-Mailing-List: linux-kernel@vger.kernel.org

On Thursday, June 28, 2018 6:28:55 PM EDT Paul Moore wrote:
> On Thu, Jun 14, 2018 at 4:23 PM Richard Guy Briggs wrote:
> > Give a clue as to the source of mark, watch and tree rule changes.
> >
> > See: https://github.com/linux-audit/audit-kernel/issues/50
> > See: https://github.com/linux-audit/audit-kernel/issues/59
> > Signed-off-by: Richard Guy Briggs
> > ---
> >  kernel/audit.h          |  4 ++--
> >  kernel/audit_fsnotify.c |  2 +-
> >  kernel/audit_tree.c     | 24 ++++++++++++------------
> >  kernel/audit_watch.c    |  6 ++++--
> >  kernel/auditsc.c        |  4 ++--
> >  5 files changed, 21 insertions(+), 19 deletions(-)
>
> I think having some additional context here would be helpful for
> everyone, so I agree with this on principle. However, I think we need
> to get clarification from Steve that his parser is able to handle
> these richer "op" values.

Op fields are not searchable. So, they normally don't matter. But in general, once they are defined, they should not change.

For the record, you can generally insert non-searchable fields anywhere and it doesn't matter. Only the searchable fields like loginuid, uid, pid, exe, etc. matter to the parser.

-Steve
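The distinction Steve draws above, between searchable fields that a parser keys on and free-form fields such as op= that it carries along unchanged, is easy to get wrong in home-grown log tooling that splits records positionally. The following is an added example, not code from the kernel patch, from audit-userspace, or from anyone in the thread: a small tokenizer for kernel-style CONFIG_CHANGE records that indexes only on a hypothetical SEARCHABLE set (an assumption for the example, not the audit-userspace list) and treats every other field, including op=, as opaque, so records still match when op values change or non-searchable fields appear in a different position. The three record lines are constructed for the example.

```python
"""Audit-record tokenizer that keys on searchable fields only.

Added example; not kernel or audit-userspace code. The SEARCHABLE set
below is an assumption for illustration, and the sample records are
constructed, not captured from a real system.
"""
import re
from typing import Dict, List

# Hypothetical set of fields the search layer indexes on. Every other
# field (op=, dir=, list=, res=, ...) is kept but never used for matching.
SEARCHABLE = {"type", "auid", "uid", "pid", "exe", "ses", "key"}

# Kernel prefix: msg=audit(SECONDS.MILLIS:SERIAL):
_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
# name=value, where value is "quoted" (may contain spaces), (null), or a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\(null\)|\S+)')

# Constructed CONFIG_CHANGE lines; op values and field order deliberately vary.
SAMPLE_RECORDS: List[str] = [
    'type=CONFIG_CHANGE msg=audit(1530281846.267:1201): auid=1000 ses=4 '
    'op=add_rule key="etc-watch" list=4 res=1',
    'type=CONFIG_CHANGE msg=audit(1530281846.268:1202): auid=1000 ses=4 '
    'dir="/etc" op=remove_rule key="etc-watch" list=4 res=1',
    'type=CONFIG_CHANGE msg=audit(1530281846.269:1203): op=autoremove_rule '
    'auid=4294967295 ses=4294967295 key=(null) list=4 res=1',
]


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit line into a field dict.

    Unknown fields are kept verbatim under their own name; the timestamp
    and serial from the msg=audit(...) prefix land in _time and _serial.
    """
    m = _MSG_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    fields: Dict[str, str] = {"_time": m.group(1), "_serial": m.group(2)}
    # Tokenize what precedes and what follows the prefix, never the prefix
    # itself, so its contents are not mistaken for fields.
    for part in (line[: m.start()], line[m.end():]):
        for name, value in _KV_RE.findall(part):
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1]
            fields[name] = value
    return fields


def search(records: List[str], **criteria: str) -> List[Dict[str, str]]:
    """Return parsed records whose searchable fields equal all criteria.

    A criterion on a non-searchable field is refused rather than silently
    ignored, so callers cannot come to depend on op= text.
    """
    bad = set(criteria) - SEARCHABLE
    if bad:
        raise ValueError("not searchable: %s" % ", ".join(sorted(bad)))
    matches = []
    for line in records:
        rec = parse_record(line)
        if all(rec.get(name) == value for name, value in criteria.items()):
            matches.append(rec)
    return matches


if __name__ == "__main__":
    for rec in search(SAMPLE_RECORDS, auid="1000"):
        # op= is reported but played no part in the match.
        print(rec["_serial"], rec["op"], rec.get("dir", "-"))
```

Because matching only ever looks at names in SEARCHABLE, the third record matches on auid= even though op= precedes it, and the second matches on key= with dir= inserted ahead of op=; neither the position nor the content of the non-searchable fields changes the result.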