Hello, I am resurrecting this old patch. Its been cleaned up by adding a simple task logging function which should, in the future, serve almost all kernel logging needs. The cleaned up bind and unbind functions call it to create the preamble and then finish with specific data items for bind/unbinding.
In essence, this patch logs connecting and disconnecting to the audit netlink multicast socket. This is needed so that during investigations a security officer can tell who or what had access to the audit trail. This helps to meet the FAU_SAR.2 SFR for Common Criteria. Sample output: type=UNKNOWN[1330] audit(1480532106.644:2): pid=1 uid=0 auid=4294967295 tty=(none) ses=4294967295 subj=kernel comm="systemd" exe="/usr/lib/systemd/ systemd" nlnk-grp=1 op=connect res=1 Signed-off-by: Steve Grubb <[email protected]> --- -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
