On Wed, Nov 30, 2016 at 2:26 PM, Steve Grubb <sgr...@redhat.com> wrote: > Log information about programs connecting and disconnecting to the audit > netlink multicast socket. This is needed so that during investigations a > security officer can tell who or what had access to the audit trail. This > helps to meet the FAU_SAR.2 requirement for Common Criteria. > > Signed-off-by: sgrubb <sgr...@redhat.com> > --- > include/uapi/linux/audit.h | 1 + > kernel/audit.c | 31 +++++++++++++++++++++++++++---- > 2 files changed, 28 insertions(+), 4 deletions(-)
This needs an associated test for the audit-testsuite and a RFE page on the wiki. I also created a GH issue since this is a CC issue and something we want to track progress on, link below: * https://github.com/linux-audit/audit-kernel/issues/28 Some more specific comments below ... > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index 82e8aa5..e6dd046 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -111,6 +111,7 @@ > #define AUDIT_PROCTITLE 1327 /* Proctitle emit event */ > #define AUDIT_FEATURE_CHANGE 1328 /* audit log listing feature changes > */ > #define AUDIT_REPLACE 1329 /* Replace auditd if this packet > unanswerd */ > +#define AUDIT_EVENT_LISTENER 1330 /* Task joined multicast read socket > */ > > #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ > #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ > diff --git a/kernel/audit.c b/kernel/audit.c > index 22f8c3d..910a7c1 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c 
> @@ -1161,22 +1161,45 @@ void audit_log_task_simple(struct audit_buffer *ab, > struct task_struct *tsk) > } > EXPORT_SYMBOL(audit_log_task_simple); > > +/* Log information about who is connecting to the audit multicast socket */ > +static void audit_log_multicast_bind(int group, const char *op, int err) > +{ A bit of a nit, but it seems odd to call this "..._bind" when we use it to log both bind and unbind events, maybe "..._op"/"..._status" or something? > + struct audit_buffer *ab; > + > + ab = audit_log_start(NULL, GFP_KERNEL, AUDIT_EVENT_LISTENER); > + if (!ab) > + return; > + > + audit_log_task_simple(ab, current); Right now the only call to audit_log_task_simple() is the one above and I'm not a fan of merging code like that, just open code audit_log_task_simple() in the function above. If you need similar functionality for use by other functions in the future you can reintroduce audit_log_task_simple(). > + audit_log_format(ab, " nlnk-grp=%d op=%s res=%d", group, op, !err); > + audit_log_end(ab); > +} > + > /* Run custom bind function on netlink socket group connect or bind requests. 
> */ > -static int audit_bind(struct net *net, int group) > +static int audit_multicast_bind(struct net *net, int group) > { > + int err = 0; > + > if (!capable(CAP_AUDIT_READ)) > - return -EPERM; > + err = -EPERM; > + audit_log_multicast_bind(group, "connect", err); > > - return 0; > + return err; > +} > + > +static void audit_multicast_unbind(struct net *net, int group) > +{ > + audit_log_multicast_bind(group, "disconnect", 0); > } > > static int __net_init audit_net_init(struct net *net) > { > struct netlink_kernel_cfg cfg = { > .input = audit_receive, > - .bind = audit_bind, > + .bind = audit_multicast_bind, > .flags = NL_CFG_F_NONROOT_RECV, > .groups = AUDIT_NLGRP_MAX, > + .unbind = audit_multicast_unbind, > }; > > struct audit_net *aunet = net_generic(net, audit_net_id); > -- > 2.7.4 > > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit -- paul moore www.paul-moore.com
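Review bot: the comment on the new `#define AUDIT_EVENT_LISTENER 1330` in the include/uapi/linux/audit.h hunk reads "Task joined multicast read socket", but the record is also emitted on disconnect and when a join is refused (the kernel/audit.c hunk logs op=connect/disconnect and res=0 for the -EPERM case), so the comment should say something like "Task joined/left multicast read socket, or was refused". Because this is a new uapi record type whose message format userspace will parse, the record name and its fields also need a write-up for userspace, which fits naturally in the RFE wiki page requested above.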
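Review bot: in the kernel/audit.c hunk, `audit_log_multicast_bind()` returns silently at `if (!ab) return;` when audit_log_start() hands back no buffer, while the bind itself still proceeds, so a join or a refused join can go unrecorded; given that the stated purpose of the record is to show who had access to the audit trail, the function comment should say the record is best-effort and that lost records are accounted for only by audit_log_start()'s existing lost-event handling. Two smaller points in the same hunk: the field name in `audit_log_format(ab, " nlnk-grp=%d op=%s res=%d", group, op, !err);` is new and abbreviated with a hyphen, which is awkward to grep and to add to the userspace field dictionary, so a less cryptic name is preferable (and it must be added to the dictionary either way); and in audit_net_init() the new `.unbind = audit_multicast_unbind,` is appended after `.groups` instead of sitting next to `.bind = audit_multicast_bind,`, which would make the pairing of the two callbacks obvious to a reader. The connect path logging the denied attempt with res=0 rather than skipping it is the right call, since a refused join is exactly what an investigator wants to see.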