Hello, I am resurrecting this old patch. Its been cleaned up by adding a simple task logging function which should, in the future, serve almost all kernel logging needs. The cleaned up bind and unbind functions call it to create the preamble and then finish with specific data items for bind/unbinding.
In essence, this patch logs connecting and unconnecting to the audit netlink multicast socket. This is needed so that during investigations a security officer can tell who or what had access to the audit trail. This helps to meet the FAU_SAR.2 SFR for Common Criteria. Sample output: type=UNKNOWN[1329] msg=audit(1437683193.897:725): pid=10068 uid=0 auid=4325 tty=pts0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm="test" exe="/home/sgrubb/test/multicast/test" nlnk-grp=1 op=connect res=1 type=UNKNOWN[1329] msg=audit(1437683308.055:741): pid=10068 uid=0 auid=4325 tty=pts0 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 comm="test" exe=(null) nlnk-grp=1 op=disconnect res=1 Signed-off-by: Steve Grubb <[email protected]> --- -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
