
RFE Audit Multicast Socket Join Part

Richard Guy Briggs edited this page Jan 15, 2020 · 1 revision

Feature Description

Log when a program connects to or disconnects from the audit netlink multicast socket (the read-log multicast group through which the kernel broadcasts audit records). This is needed so that, during an investigation, a security officer can tell who or what had access to the audit trail. It also helps meet the FAU_SAR.2 (restricted audit review) requirement of the Common Criteria.

Feature Design

When a program connects to (binds to) or disconnects from (closes its binding to) the audit netlink multicast socket, issue an audit record of type AUDIT_EVENT_LISTENER carrying an nl-mcgrp= field giving the multicast group number, an op= field giving the action (connect or disconnect), and a res= field indicating success or failure. Because an accompanying SYSCALL record is not reliably available through the audit_context (this is the case for systemd, process 1, for instance), prefix these fields with the subject attributes so that the record stands on its own: pid= uid= auid= tty= ses= subj= comm= exe=

Development Tasks

  • create the RFE page
  • create an audit_testsuite test
  • create patch
  • post upstream

Functional Testing and Verification

The test should have a program connect to the audit netlink multicast socket and then disconnect from it, and should then check the logs for both records (op=connect and op=disconnect), formatted as in the example below.
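
Added here as an example, not code from the kernel patch or from audit_testsuite: a C program that binds to the audit netlink read-log multicast group (AUDIT_NLGRP_READLOG, nl-mcgrp=1), which is the "connect", and close()s the socket, which is the "disconnect", together with a checker that parses EVENT_LISTENER records in the ausearch -i form shown under Example Audit Records and confirms that a successful connect is followed by a successful disconnect for the test's pid and group. The sample log lines, the process id 4242, the name mc_test and the identifiers READLOG_GROUP, field, val_is, parse_event_listener and saw_connect_then_disconnect are assumptions made for illustration. Joining requires CAP_AUDIT_READ, so the join part must run as root (or with that capability) on a kernel carrying the patch; the checker runs anywhere.

```c
/* Added example, not the kernel patch or the audit_testsuite test: join and leave the
 * audit netlink read-log multicast group, and check the resulting EVENT_LISTENER records. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/socket.h>
#include <linux/netlink.h>
#endif

#define READLOG_GROUP 1   /* AUDIT_NLGRP_READLOG in <linux/audit.h> */

struct listener_ev { int pid, mcgrp, res; char op[16]; };   /* res: 1 success, 0 failure */

/* Value of "key=" (pointer into rec, length up to the next space) or NULL. A key
 * matches only at record start or after a space, so "uid" never hits "auid". */
static const char *field(const char *rec, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    for (const char *p = rec; (p = strstr(p, key)) != NULL; p += klen)
        if ((p == rec || p[-1] == ' ') && p[klen] == '=') {
            *len = strcspn(p + klen + 1, " \n");
            return p + klen + 1;
        }
    return NULL;
}

/* True if the field value v (length len) equals the string s. */
static int val_is(const char *v, size_t len, const char *s) { return v && strlen(s) == len && !memcmp(v, s, len); }

/* Parse one EVENT_LISTENER record into ev; -1 for any other record type or if pid=,
 * nl-mcgrp=, op= or res= is missing. Raw records say res=1/0, ausearch -i res=yes/no. */
int parse_event_listener(const char *rec, struct listener_ev *ev)
{
    const char *v;
    size_t len = 0;
    memset(ev, 0, sizeof *ev);
    v = field(rec, "type", &len);
    if (!val_is(v, len, "EVENT_LISTENER") || (v = field(rec, "pid", &len)) == NULL)
        return -1;
    ev->pid = atoi(v);
    if ((v = field(rec, "nl-mcgrp", &len)) == NULL)
        return -1;
    ev->mcgrp = atoi(v);
    if ((v = field(rec, "op", &len)) == NULL || len >= sizeof ev->op)
        return -1;
    memcpy(ev->op, v, len);   /* ev was zeroed, so op stays NUL-terminated */
    v = field(rec, "res", &len);
    if (val_is(v, len, "yes") || val_is(v, len, "1"))
        ev->res = 1;
    else if (val_is(v, len, "no") || val_is(v, len, "0"))
        ev->res = 0;
    else
        return -1;
    return 0;
}

/* What the functional test should assert: for `pid` on `group`, a successful op=connect
 * followed later in the log by a successful op=disconnect; other record types are skipped. */
int saw_connect_then_disconnect(const char *const *recs, size_t n, int pid, int group)
{
    int state = 0;   /* 0 nothing yet, 1 connect seen, 2 disconnect seen */
    struct listener_ev ev;
    for (size_t i = 0; i < n; i++) {
        if (parse_event_listener(recs[i], &ev) || ev.pid != pid || ev.mcgrp != group || ev.res != 1)
            continue;
        if (state == 0 && !strcmp(ev.op, "connect"))
            state = 1;
        else if (state == 1 && !strcmp(ev.op, "disconnect"))
            state = 2;
    }
    return state == 2;
}

/* Constructed sample log in ausearch -i form (not captured output): an unrelated SYSCALL
 * record, then the two records a test process 4242 would leave on group 1. */
static const char *const sample_log[] = {
    "type=SYSCALL msg=audit(2020-01-07 10:15:05.754:6) : arch=x86_64 syscall=bind success=yes exit=0 pid=4242 comm=mc_test",
    "type=EVENT_LISTENER msg=audit(2020-01-07 10:15:05.754:6) : pid=4242 uid=root auid=root tty=pts0 ses=3 subj=unconfined comm=mc_test exe=/tmp/mc_test nl-mcgrp=1 op=connect res=yes",
    "type=EVENT_LISTENER msg=audit(2020-01-07 10:15:05.760:7) : pid=4242 uid=root auid=root tty=pts0 ses=3 subj=unconfined comm=mc_test exe=/tmp/mc_test nl-mcgrp=1 op=disconnect res=yes",
};
static const size_t sample_log_len = sizeof sample_log / sizeof sample_log[0];

#ifdef __linux__
/* The "connect": bind() to group READLOG_GROUP of the audit netlink socket (nl_groups is a
 * bitmask, group N is bit N-1); needs CAP_AUDIT_READ. close() is the "disconnect". */
int main(void)
{
    struct sockaddr_nl addr = { .nl_family = AF_NETLINK, .nl_groups = 1u << (READLOG_GROUP - 1) };
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0) {
        perror("join audit multicast group");
        return 1;
    }
    close(fd);   /* then inspect with: ausearch -i -m EVENT_LISTENER */
    return 0;
}
#endif
```

A test wrapper would run the program as root, then feed the output of ausearch -i -m EVENT_LISTENER (or the raw audit.log lines, since res=1/0 is accepted too) to saw_connect_then_disconnect together with the program's pid. Requiring res=yes rather than merely the presence of op=connect matters: the design reserves res= for reporting failure, and a check that only greps for op=connect would pass on a failed join.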

Example Usage

These records can be suppressed with an exclude rule on the message type: auditctl -a always,exclude -F msgtype=EVENT_LISTENER (EVENT_LISTENER is record type 1335; the number can be given instead of the name if the installed audit-userspace does not know the name yet).

Example Audit Records

As displayed by ausearch -i; the raw record in audit.log carries numeric uid=, auid= and ses= values and res=1 or res=0 instead of yes/no.

type=EVENT_LISTENER msg=audit(2020-01-07 10:15:05.754:6) : pid=1 uid=root auid=unset tty=(none) ses=unset subj=kernel comm=systemd exe=/usr/lib/systemd/systemd nl-mcgrp=1 op=connect res=yes

Bugzilla and Issue Trackers

https://github.com/linux-audit/audit-kernel/issues/28