On Thu, Jul 23, 2015 at 4:45 PM, Steve Grubb <[email protected]> wrote:
> Hello,
>
> I am resurrecting this old patch. It's been cleaned up by adding a simple task
> logging function which should, in the future, serve almost all kernel logging
> needs. The cleaned up bind and unbind functions call it to create the preamble
> and then finish with specific data items for bind/unbinding.
>
> In essence, this patch logs connecting and unconnecting to the audit netlink
> multicast socket. This is needed so that during investigations a security
> officer can tell who or what had access to the audit trail. This helps to meet
> the FAU_SAR.2 SFR for Common Criteria.

Hi Steve,

I knew we would get you writing kernel patches eventually ;)

A little birdie mentioned to me offlist that there are issues with application bind/unbind events not being audited based on how they do the audit, have you run into this in your testing of this patch?

--
paul moore
www.paul-moore.com

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
