[PATCH 0/2] audit: log binding and unbinding to netlink multicast socket

Paul Moore paul at paul-moore.com
Fri Jul 24 22:42:29 UTC 2015


On Thu, Jul 23, 2015 at 4:45 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> Hello,
>
> I am resurrecting this old patch. It's been cleaned up by adding a simple task
> logging function which should, in the future, serve almost all kernel logging
> needs. The cleaned up bind and unbind functions call it to create the preamble
> and then finish with specific data items for bind/unbinding.
>
> In essence, this patch logs connecting and unconnecting to the audit netlink
> multicast socket. This is needed so that during investigations a security
> officer can tell who or what had access to the audit trail. This helps to meet
> the FAU_SAR.2 SFR for Common Criteria.

Hi Steve,

I knew we would get you writing kernel patches eventually ;)

A little birdie mentioned to me off-list that there are issues with
application bind/unbind events not being audited based on how they do
the audit. Have you run into this in your testing of this patch?

-- 
paul moore
www.paul-moore.com



