[PATCH 1/1] audit: log binding and unbinding to netlink multicast

Paul Moore paul at paul-moore.com
Tue Oct 17 14:51:02 UTC 2017


On Mon, Oct 16, 2017 at 6:06 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Monday, October 16, 2017 5:35:55 PM EDT Paul Moore wrote:
>> On Fri, Oct 13, 2017 at 3:58 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>> > Log information about programs connecting and disconnecting to the audit
>> > netlink multicast socket. This is needed so that during investigations a
>> > security officer can tell who or what had access to the audit trail. This
>> > helps to meet the FAU_SAR.2 requirement for Common Criteria. Sample
>> > event:
>> >
>> > type=UNKNOWN[1332] msg=audit(1507924331.540:3): pid=1 uid=0
>> > auid=4294967295 tty=(none) ses=4294967295 subj=kernel comm="systemd"
>> > exe="/usr/lib/systemd/systemd" nlnk-grp=1 op=connect res=1
>> >
>> > Signed-off-by: sgrubb <sgrubb at redhat.com>
>> > ---
>> >
>> >  include/uapi/linux/audit.h |  1 +
>> >  kernel/audit.c             | 48
>> >  ++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 45
>> >  insertions(+), 4 deletions(-)
>>
>> Since I think this is going to involve a respin, I just want to
>> mention again "sgrubb" vs "Steve Grubb".  More comments inline ...
>>
>> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
>> > index 0714a66f0e0c..892e63d9f2c1 100644
>> > --- a/include/uapi/linux/audit.h
>> > +++ b/include/uapi/linux/audit.h
>> > @@ -112,6 +112,7 @@
>> >
>> >  #define AUDIT_FEATURE_CHANGE   1328    /* audit log listing feature
>> >  changes */ #define AUDIT_REPLACE          1329    /* Replace auditd if
>> >  this packet unanswerd */ #define AUDIT_KERN_MODULE      1330    /*
>> >  Kernel Module events */
>> >
>> > +#define AUDIT_EVENT_LISTENER   1332    /* Task joined multicast read
>> > socket */
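Review bot: the comment on the new #define covers only one direction ("Task joined multicast read socket"), while the subject line and the sample event say the record is emitted for both binding and unbinding (op=connect in the sample, with a corresponding unbind record); word it to cover both, e.g. "Task joined or left the multicast read socket". Since this hunk assigns 1332 directly after 1330, a one-line note in the header comment or the commit message saying why 1331 is skipped would answer the numbering question without a round trip on the list.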
>>
>> What Richard said.  Basically AUDIT_EVENT_LISTENER should be 1331 or
>> have a *really* good explanation as to why it needs to be 1332.
>
> Because 1331 is already assigned and in https://git.kernel.org/pub/scm/linux/
> kernel/git/jack/linux-fs.git/log/?h=for_next as commit
> de8cd83e91bc3ee212b3e6ec6e4283af9e4ab269.
>
> If you want me to assign 1331 which is already assigned to AUDIT_FANOTIFY in
> the user space piece, then it will make your testing...not look right. So, how
> do you want it?

As I said above, I wanted a *really* good explanation, which you
provided.  In the future it's helpful to add a note about things like
this, it saves us all from being annoyed.

I need to think about when this should get merged, but considering we
are at -rc5 right now and this is a new feature with no test (at
least not that I'm seeing on the list, or on GH) it is likely that
this patch will get held until after the upcoming merge window so the
merge conflict will not be a practical issue.

(HINT: in case you haven't been paying attention to audit kernel
development lately, you should work on a test for the audit-testsuite
which tests this new functionality.)

-- 
paul moore
www.paul-moore.com
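The sample event in the commit message is the only piece of the record format the thread shows. The following parser and report is added here as an illustration of how a security officer might consume such records to answer "who had access to the audit trail"; it is not part of the patch, the kernel, or audit-userspace. It assumes the key=value layout of the sample event; the op=disconnect value for unbinding, the EVENT_LISTENER type name, and the sample process names and paths are constructed for the example.

```python
"""Parse AUDIT_EVENT_LISTENER (type 1332) records and report which programs
attached to the audit netlink multicast group.

Constructed example for illustration; not kernel or audit-userspace code.
"""
import re
from typing import Dict, Iterable, List, Optional, Set

# Record type number from the patch under review. Until the userspace headers
# know the name, the record is printed as type=UNKNOWN[1332].
AUDIT_EVENT_LISTENER = 1332

# Kernel convention for "no login uid set": (unsigned int)-1, as in the sample.
AUDIT_UID_UNSET = 4294967295

# Constructed sample records, modelled on the one in the commit message.
# ASSUMPTION: op=disconnect for the unbind case; the page only shows op=connect.
SAMPLE_RECORDS = [
    'type=UNKNOWN[1332] msg=audit(1507924331.540:3): pid=1 uid=0 '
    'auid=4294967295 tty=(none) ses=4294967295 subj=kernel comm="systemd" '
    'exe="/usr/lib/systemd/systemd" nlnk-grp=1 op=connect res=1',
    'type=UNKNOWN[1332] msg=audit(1507924400.118:9): pid=2718 uid=1000 '
    'auid=1000 tty=pts0 ses=4 subj=kernel comm="mylogger" '
    'exe="/home/alice/bin/mylogger" nlnk-grp=1 op=connect res=1',
    'type=UNKNOWN[1332] msg=audit(1507924460.002:12): pid=2718 uid=1000 '
    'auid=1000 tty=pts0 ses=4 subj=kernel comm="mylogger" '
    'exe="/home/alice/bin/mylogger" nlnk-grp=1 op=disconnect res=1',
    # A record of another type, to show the report ignores it.
    'type=SYSCALL msg=audit(1507924461.000:13): arch=c000003e syscall=59 '
    'success=yes exit=0 comm="ls" exe="/usr/bin/ls"',
]

# type=... msg=audit(SECONDS.MILLIS:SERIAL): <body>
_HEADER_RE = re.compile(
    r'^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values are either double-quoted or a bare token such as (none).
_FIELD_RE = re.compile(r'([A-Za-z0-9_-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def record_type_number(type_field: str) -> Optional[int]:
    """Return the numeric type for type=UNKNOWN[NNNN]; None for named types."""
    m = re.fullmatch(r'UNKNOWN\[(\d+)\]', type_field)
    return int(m.group(1)) if m else None


def parse_record(line: str) -> Dict[str, object]:
    """Split one audit record into header fields and a key=value dict."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    fields: Dict[str, str] = {}
    for key, value in _FIELD_RE.findall(m.group("body")):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]  # strip the quotes around comm= and exe=
        fields[key] = value
    return {
        "type": m.group("type"),
        "type_num": record_type_number(m.group("type")),
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def listener_events(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Extract who attached to / detached from the multicast group.

    Matches the numeric type from the patch, or the symbolic name
    EVENT_LISTENER (ASSUMPTION: derived from the #define, not shown on the page).
    """
    events = []
    for line in lines:
        rec = parse_record(line)
        if rec["type_num"] != AUDIT_EVENT_LISTENER and rec["type"] != "EVENT_LISTENER":
            continue
        f = rec["fields"]
        auid = int(f.get("auid", AUDIT_UID_UNSET))
        events.append({
            "serial": rec["serial"],
            "pid": int(f["pid"]),
            "auid": None if auid == AUDIT_UID_UNSET else auid,
            "comm": f.get("comm"),
            "exe": f.get("exe"),
            "group": int(f["nlnk-grp"]),
            "op": f["op"],
            "res": f["res"] == "1",
        })
    return events


def unexpected_listeners(lines: Iterable[str], allowed_exes: Set[str]) -> List[Dict[str, object]]:
    """Successful connects by executables that are not expected audit consumers."""
    return [e for e in listener_events(lines)
            if e["op"] == "connect" and e["res"] and e["exe"] not in allowed_exes]


if __name__ == "__main__":
    for e in unexpected_listeners(SAMPLE_RECORDS, {"/usr/lib/systemd/systemd"}):
        print(f"serial={e['serial']} pid={e['pid']} auid={e['auid']} "
              f"comm={e['comm']} exe={e['exe']} joined nlnk-grp={e['group']}")
```

Feeding the raw audit.log through unexpected_listeners with the site's known consumers (auditd's dispatcher, systemd, whatever else is meant to read the trail) on the allowlist gives the list of processes that gained read access to the event stream, which is the FAU_SAR.2 question the commit message sets out to answer. The auid normalisation matters in practice: a listener with an unset login uid, like pid 1 in the sample, was started by the system rather than by a logged-in user.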
